WebAppSec and its 10 Best SDLC Practices
TRANSCRIPT
WebAppSec and its 10 Best SDLC Practices
By: John Patrick Lita – C)SS
Philippine Institute of Cyber Security Professionals (OWASP Academic Supporter)
with the partnership of
The Open Web Application Security Project (OWASP) (OWASP Philippines), Open InfoSec Education Project
FOCUS ON COMMON SECURITY CHALLENGES
Most developers already think their web application is secure. The majority of web applications have serious security vulnerabilities, and most developers are not aware of the issue. And yet we assume that all applications are secure?
Email, Social Networking, Online Shopping, Research, Online Banking, Multimedia
NOT SECURE
MOST SITES ARE NOT SECURE
• Attacker can access unauthorized data
• Attacker can use the application to attack other users
THE WEB WASN’T DESIGNED TO BE SECURE!
• The web was designed for static, read-only pages to be shared internally
• Almost no intrinsic security
• Only a few security features were developed
WHAT DOES THAT MEAN?
• COOKIE-BASED SESSIONS CAN BE HIJACKED
• NO SEPARATION OF LOGIC AND DATA
• ALL CLIENT-SUPPLIED DATA CANNOT BE TRUSTED
The Attacker Mindset (diagram)
Components: Browser, Web Server, Databases
Controls: Access Control, Authentication, Firewall
Attacks: Click-Jacking, XSS, CSRF, Tampering, Sniffing, Directory Traversal, XML Injection, SQL Injection, Direct Object Reference, Forged Token
Client-side technologies: AJAX, Flash / Flex, Silverlight, Applets
THE ATTACK SURFACE AREA IS GROWING!
APPLICATION SECURITY!
• Threat Modeling
• Code Changes
• Secure Architecture
• Developer & Architect Awareness
• Common Security Controls
• Software Development Lifecycle
The Ten Best Practices for Secure Software Development
SOFTWARE DEVELOPMENT STAKEHOLDERS
• Top Management
• Clients
• Managers, etc.
TEN BEST PRACTICES
Based on ISC(2): The Ten Best Practices for Secure Software Development
1. Protect the brand your customers trust
2. Know your business and support it with secure solutions
3. Understand the technology of the software
4. Ensure compliance to governance, regulations and privacy
5. Know the basic components of software security
• Protection from Disclosure (Confidentiality)
• Protection from Alteration (Integrity)
• Protection from Destruction (Availability)
• Who is making the request (Authentication)
• What rights/privileges they have (Authorization)
• The ability to build historical evidence (Auditing)
• And the management of configuration, sessions and exceptions
6. Ensure the protection of sensitive information
7. Design software with secure features
8. Develop software with secure features
9. Deploy software with secure features
10. Educate yourself and others on how to build secure software