SlideShare une entreprise Scribd logo

Software Security for Project Managers: What Do You Need To Know?

Denim Group
Denim Group

This document summarizes a presentation by Dan Cornell on software security for project managers. It discusses Denim Group's background in secure software development and services. It defines application security and contrasts it with quality assurance. Common causes of vulnerabilities like flaws in design and implementation are described. The document demonstrates vulnerability scanning and outlines goals of application security like confidentiality, integrity and availability. It concludes with questions.

Technologie
1  sur  31
Télécharger pour lire hors ligne
Software Security for Project Managers:! What Do You Need to Know?! ! Dan Cornell! CTO, Denim Group! @danielcornell © Copyright 2012 Denim Group - All Rights Reserved
My Background •  Dan Cornell, founder and CTO of Denim Group •  Software developer by background (Java, .NET, etc) •  OWASP San Antonio, Global Membership Committee © Copyright 2012 Denim Group - All Rights Reserved 2
Denim Group Background •  Secure software services and products company –  Builds secure software –  Helps organizations assess and mitigate risk of in-house developed and third party software –  Provides classroom training and e-Learning so clients can build software securely •  Software-centric view of application security –  Application security experts are practicing developers –  Development pedigree translates to rapport with development managers –  Business impact: shorter time-to-fix application vulnerabilities •  Culture of application security innovation and contribution –  Develops open source tools to help clients mature their software security programs •  Remediation Resource Center, ThreadFix –  OWASP national leaders & regular speakers at RSA, SANS, OWASP, ISSA, CSI –  World class alliance partners accelerate innovation to solve client problems © Copyright 2012 Denim Group - All Rights Reserved 3
Application Security in the News •  Heartland Payment Systems – Financial Data Compromise –  http://voices.washingtonpost.com/securityfix/2009/01/ payment_processor_breach_may_b.html •  PayPal – Cross Site Scripting –  http://news.netcraft.com/archives/2006/07/20/ paypal_xss_exploit_available_for_two_years.html •  T-Mobile – SQL Injection –  http://www.pcworld.com/article/119851/ paris_hilton_victim_of_tmobiles_web_flaws.html •  IKEA – Database Downloaded –  http://news.cnet.com/2100-1017-245372.html © Copyright 2012 Denim Group - All Rights Reserved 4
Demonstration •  How do attackers view your web applications? •  RiskE Utility site © Copyright 2012 Denim Group - All Rights Reserved 5
Application Security Defined © Copyright 2012 Denim Group - All Rights Reserved 6
Application Security Defined •  A common definition – "Ensuring that an attacker cannot compromise an application's resources or data". –  Too narrow –  Not very actionable •  A better definition – "Ensuring that custom application code performs as expected under the entire range of possible inputs" © Copyright 2012 Denim Group - All Rights Reserved 7
Software Implementation – Perfect World Actual Functionality Intended Functionality © Copyright 2012 Denim Group - All Rights Reserved 8
Software Implementation – Real World Actual Intended Functionality Functionality Built Bugs Features Unintended And Undocumented Functionality © Copyright 2012 Denim Group - All Rights Reserved 9
Application Security is Different •  Quality Assurance? –  The processes are similar –  The goals are not •  Traditional Information Security? Network Security? –  The goals are similar –  The processes are not © Copyright 2012 Denim Group - All Rights Reserved 10
Quality Assurance vs. Security Assurance •  Both are evolving practices –  Tools and techniques are continually improving •  Quality and Security Assurance both require continual effort –  You cannot declare software 100% bug-free –  You similarly cannot declare an application 100% secure •  Both are often managed by dedicated teams in addition to the development team © Copyright 2012 Denim Group - All Rights Reserved 11
Quality Assurance vs. Security Assurance •  QA, even excellent QA, does not account for security •  QA essentially compares an application to its "intent", its requirements –  Is the functionality there? –  Is it reliable in corner cases? –  Is the performance acceptable? •  Attackers are interested in what the application DOES that it is NOT SUPPOSED to do –  I can access my transaction data. Can I access someone else's as well? –  I can enter a data query string. Can I twist it into a data tampering command? –  I can upload documents. Can I also upload server pages? Overwrite their content? © Copyright 2012 Denim Group - All Rights Reserved 12
Traditional Security vs. Application Security •  Traditional Information Security shares the same goals –  Confidentiality –  Integrity –  Availability •  Network and application security experts must continually keep up with the latest threats © Copyright 2012 Denim Group - All Rights Reserved 13
Traditional Security vs. Application Security •  Traditional Information Security has a "measure and maintain" culture –  Track servers, workstations, devices –  Manage advisories, patches, configurations –  Monitor the systems in operation •  Application development has a "build" culture –  Create something that did not exist before –  Get it working on time and within budget •  Application threats are as unique as the applications themselves © Copyright 2012 Denim Group - All Rights Reserved 14
Why Does Application Security Matter? •  Critical Systems are Internet-facing •  Most applications have serious design or coding flaws •  Laws and Regulations © Copyright 2012 Denim Group - All Rights Reserved 15
Critical Systems are Internet Facing •  More and more business have moved to online commerce –  Hard goods, soft goods –  Flight check-in –  Personals –  Pizza Delivery •  This has tremendous advantages –  Cost of doing business goes down –  Market barriers are lower © Copyright 2012 Denim Group - All Rights Reserved 16
Critical Systems are Internet Facing •  What are the drawbacks? –  Systems no longer have an "air" gap, personal interaction –  Physical security and personal scrutiny matter less •  Imagine an ATM machine in the desert… © Copyright 2012 Denim Group - All Rights Reserved 17
Most applications have serious flaws •  70%+ according to studies performed by @Stake and Foundstone •  Too many development teams treat application security as a "check box" –  "This site is certified secure" labels on web pages •  Too few development teams regard security as fundamental as design or QA © Copyright 2012 Denim Group - All Rights Reserved 18
Laws and Regulations •  New laws and regulations govern how data is stored and made available –  HIPAA –  Sarbanes Oxley –  California SB-1386 –  PCI •  Failing to comply can have legal repercussions and damage trust from partners © Copyright 2012 Denim Group - All Rights Reserved 19
Application Security Goals •  Confidentiality •  Integrity •  Availability •  A flaw can be considered a security vulnerability when one of the goals is compromised © Copyright 2012 Denim Group - All Rights Reserved 20
Confidentiality •  Ensuring that information is accessible only to those authorized to have access •  Compromises –  Spoofing Identity –  Direct Object Reference –  Forced Browsing –  Database compromise –  Packet Sniffing •  This is not limited to information the application directly manages –  What about phishing? –  An attacker can use an application to manipulate users © Copyright 2012 Denim Group - All Rights Reserved 21
Integrity •  Information should only be modified by those users authorized to modify it •  Compromises –  Injection –  Direct Object Reference –  Malicious File Execution –  Cross Site Request Forgery •  There is a lot of crossover with Confidentiality, but many threats to Integrity are unique © Copyright 2012 Denim Group - All Rights Reserved 22
Availability •  The system is online and responding to user requests for valid users at all times it is supposed to •  Compromises –  Malicious File Execution –  Buffer Overflow –  Lockout Exploits •  Threats are not limited to "bringing down" an application server –  What about forcing an exception? –  What about saturating sockets between web and application servers? © Copyright 2012 Denim Group - All Rights Reserved 23
What Goes Wrong? •  Failure in Design •  Failure in Implementation © Copyright 2012 Denim Group - All Rights Reserved 24
Causes of Application Security Vulnerabilities •  Failure in Design –  Poor decisions about trust –  Unspoken assumptions –  Not accounting for failure •  Failure in Implementation –  Insecure coding techniques –  Insecure configuration –  Poor deployment practices © Copyright 2012 Denim Group - All Rights Reserved 25
Types of Vulnerabilities •  Logical Vulnerabilities –  Surface due to insecure program logic –  Typically due to poor decisions about trust –  Most "scanner" tools are powerless to find logical vulnerabilities –  Remediation: architecture and design changes •  Technical Vulnerabilities –  Surface due to insecure programming techniques –  Typically due to poor input handling and input validation –  Most "scanner" tools primarily find technical vulnerabilities –  Remediation: coding changes © Copyright 2012 Denim Group - All Rights Reserved 26
Common Application Vulnerabilities •  Logical –  Poor Authentication –  Direct Object References –  Unchecked Input •  Technical –  Cross Site Scripting –  Injection Flaws –  Insecure Communications •  Logical or Technical –  Information Leakage –  Poor Cryptographic Storage –  Poor Configuration Management © Copyright 2012 Denim Group - All Rights Reserved 27
Software Assurance Maturity Model (OpenSAMM) •  Open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks racing the organization •  Useful for: –  Evaluating an organization’s existing software security practices –  Building a balanced software security program in well-defined iterations –  Demonstrating concrete improvements to a security assurance program –  Defining and measuring security-related activities within an organization •  Main website: –  http://www.opensamm.org/ © Copyright 2012 Denim Group - All Rights Reserved 28
SAMM Business Functions •  Start with the core activities tied to any organization performing software development •  Named generically, but should resonate with any developer or manager [This slide content © Pravir Chandra] © Copyright 2012 Denim Group - All Rights Reserved
SAMM Security Practices •  From each of the Business Functions, 3 Security Practices are defined •  The Security Practices cover all areas relevant to software security assurance •  Each one is a silo for improvement [This slide content © Pravir Chandra] © Copyright 2012 Denim Group - All Rights Reserved
Conclusions / Questions Dan Cornell dan@denimgroup.com Twitter: @danielcornell www.denimgroup.com www.denimgroup.com/threadfix code.google.com/p/threadfix (210) 572-4400 © Copyright 2012 Denim Group - All Rights Reserved 31

Recommandé

What Permissions Does Your Database User REALLY Need?
What Permissions Does Your Database User REALLY Need?What Permissions Does Your Database User REALLY Need?
What Permissions Does Your Database User REALLY Need?Denim Group
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security ProgramDenim Group
 
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsDenim Group
 
Vulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldVulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldDenim Group
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCDenim Group
 
How iOS and Android Handle Security Webinar
How iOS and Android Handle Security WebinarHow iOS and Android Handle Security Webinar
How iOS and Android Handle Security WebinarDenim Group
 
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationDenim Group
 
The Magic of Symbiotic Security
The Magic of Symbiotic SecurityThe Magic of Symbiotic Security
The Magic of Symbiotic SecurityDenim Group
 

Recommandé

What Permissions Does Your Database User REALLY Need?
What Permissions Does Your Database User REALLY Need?What Permissions Does Your Database User REALLY Need?
What Permissions Does Your Database User REALLY Need?Denim Group
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security ProgramDenim Group
 
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsDenim Group
 
Vulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldVulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldDenim Group
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCDenim Group
 
How iOS and Android Handle Security Webinar
How iOS and Android Handle Security WebinarHow iOS and Android Handle Security Webinar
How iOS and Android Handle Security WebinarDenim Group
 
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationDenim Group
 
The Magic of Symbiotic Security
The Magic of Symbiotic SecurityThe Magic of Symbiotic Security
The Magic of Symbiotic SecurityDenim Group
 
The Permanent Campaign
The Permanent CampaignThe Permanent Campaign
The Permanent CampaignDenim Group
 
Smart Phones Dumb Apps
Smart Phones Dumb AppsSmart Phones Dumb Apps
Smart Phones Dumb AppsDenim Group
 
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Denim Group
 
Monitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesMonitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesDenim Group
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellDenim Group
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Denim Group
 
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesDenim Group
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSADenim Group
 
The Need For Open Software Security Standards In A Mobile And Cloudy World
The Need For Open Software Security Standards In A Mobile And Cloudy WorldThe Need For Open Software Security Standards In A Mobile And Cloudy World
The Need For Open Software Security Standards In A Mobile And Cloudy WorldDenim Group
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemDenim Group
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsDenim Group
 
ThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramDenim Group
 
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and VersionsThe ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and VersionsDenim Group
 
Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsDenim Group
 
Social Networks and Security: What Your Teenager Likely Won't Tell You
Social Networks and Security: What Your Teenager Likely Won't Tell YouSocial Networks and Security: What Your Teenager Likely Won't Tell You
Social Networks and Security: What Your Teenager Likely Won't Tell YouDenim Group
 
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneBuilding an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneweaveraaaron
 
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Denim Group
 
Structuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramStructuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramDenim Group
 
Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Denim Group
 
Using ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesUsing ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesDenim Group
 
Skeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited ApplicationsSkeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited ApplicationsDenim Group
 
Thread Fix Tour Presentation Final Final
Thread Fix Tour Presentation Final FinalThread Fix Tour Presentation Final Final
Thread Fix Tour Presentation Final FinalRobin Lutchansky
 

Contenu connexe

Tendances

The Permanent Campaign
The Permanent CampaignThe Permanent Campaign
The Permanent CampaignDenim Group
 
Smart Phones Dumb Apps
Smart Phones Dumb AppsSmart Phones Dumb Apps
Smart Phones Dumb AppsDenim Group
 
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Denim Group
 
Monitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesMonitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesDenim Group
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellDenim Group
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Denim Group
 
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesDenim Group
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSADenim Group
 
The Need For Open Software Security Standards In A Mobile And Cloudy World
The Need For Open Software Security Standards In A Mobile And Cloudy WorldThe Need For Open Software Security Standards In A Mobile And Cloudy World
The Need For Open Software Security Standards In A Mobile And Cloudy WorldDenim Group
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemDenim Group
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsDenim Group
 
ThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramDenim Group
 
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and VersionsThe ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and VersionsDenim Group
 
Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsDenim Group
 
Social Networks and Security: What Your Teenager Likely Won't Tell You
Social Networks and Security: What Your Teenager Likely Won't Tell YouSocial Networks and Security: What Your Teenager Likely Won't Tell You
Social Networks and Security: What Your Teenager Likely Won't Tell YouDenim Group
 
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneBuilding an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneweaveraaaron
 
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Denim Group
 
Structuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramStructuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramDenim Group
 
Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Denim Group
 
Using ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesUsing ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesDenim Group
 

Tendances (20)

The Permanent Campaign
The Permanent CampaignThe Permanent Campaign
The Permanent Campaign
 
Smart Phones Dumb Apps
Smart Phones Dumb AppsSmart Phones Dumb Apps
Smart Phones Dumb Apps
 
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
 
Monitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesMonitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps Pipelines
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan Cornell
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
 
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSA
 
The Need For Open Software Security Standards In A Mobile And Cloudy World
The Need For Open Software Security Standards In A Mobile And Cloudy WorldThe Need For Open Software Security Standards In A Mobile And Cloudy World
The Need For Open Software Security Standards In A Mobile And Cloudy World
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix Ecosystem
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security Pros
 
ThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security Program
 
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and VersionsThe ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
 
Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source Tools
 
Social Networks and Security: What Your Teenager Likely Won't Tell You
Social Networks and Security: What Your Teenager Likely Won't Tell YouSocial Networks and Security: What Your Teenager Likely Won't Tell You
Social Networks and Security: What Your Teenager Likely Won't Tell You
 
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneBuilding an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
 
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
 
Structuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramStructuring and Scaling an Application Security Program
Structuring and Scaling an Application Security Program
 
Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)
 
Using ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesUsing ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application Vulnerabilities
 

Similaire à Software Security for Project Managers: What Do You Need To Know?

Skeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited ApplicationsSkeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited ApplicationsDenim Group
 
Thread Fix Tour Presentation Final Final
Thread Fix Tour Presentation Final FinalThread Fix Tour Presentation Final Final
Thread Fix Tour Presentation Final FinalRobin Lutchansky
 
Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code ReviewsDenim Group
 
Developing Secure Mobile Applications
Developing Secure Mobile ApplicationsDeveloping Secure Mobile Applications
Developing Secure Mobile ApplicationsDenim Group
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceDenim Group
 
Designing Secure Mobile Apps
Designing Secure Mobile AppsDesigning Secure Mobile Apps
Designing Secure Mobile AppsDenim Group
 
BLUG 2013 - Mobile Application Delivery - Choices, choices, choices
BLUG 2013 - Mobile Application Delivery - Choices, choices, choicesBLUG 2013 - Mobile Application Delivery - Choices, choices, choices
BLUG 2013 - Mobile Application Delivery - Choices, choices, choicesRené Winkelmeyer
 
The Permanent Campaign: Driving a Secure Software Initiative in the Enterprise
The Permanent Campaign: Driving a Secure Software Initiative in the EnterpriseThe Permanent Campaign: Driving a Secure Software Initiative in the Enterprise
The Permanent Campaign: Driving a Secure Software Initiative in the EnterpriseDenim Group
 
The Permanent Campaign
The Permanent CampaignThe Permanent Campaign
The Permanent CampaignDenim Group
 
Mobile Threats and Owasp Top 10 Risks
Mobile Threats and Owasp Top 10 RisksMobile Threats and Owasp Top 10 Risks
Mobile Threats and Owasp Top 10 RisksSantosh Satam
 
Application Security Done Right
Application Security Done RightApplication Security Done Right
Application Security Done Rightpvanwoud
 
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...Denim Group
 
Develop and Enforce a Bring-Your-Own-Device (BYOD) Policy
Develop and Enforce a Bring-Your-Own-Device (BYOD) PolicyDevelop and Enforce a Bring-Your-Own-Device (BYOD) Policy
Develop and Enforce a Bring-Your-Own-Device (BYOD) PolicyOracleIDM
 
Mobile Workplace Risks
Mobile Workplace RisksMobile Workplace Risks
Mobile Workplace RisksParag Deodhar
 
Application Asset Management with ThreadFix
Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFixDenim Group
 
Mobile Browser Content Handling
Mobile Browser Content HandlingMobile Browser Content Handling
Mobile Browser Content HandlingDenim Group
 
Jump Start Your Application Security Knowledge
Jump Start Your Application Security KnowledgeJump Start Your Application Security Knowledge
Jump Start Your Application Security KnowledgeDenim Group
 
CIO Summit: Data Security in a Mobile World
CIO Summit: Data Security in a Mobile WorldCIO Summit: Data Security in a Mobile World
CIO Summit: Data Security in a Mobile WorldiMIS
 
CIO Summit: Data Security in a Mobile World
CIO Summit: Data Security in a Mobile WorldCIO Summit: Data Security in a Mobile World
CIO Summit: Data Security in a Mobile WorldiMIS
 

Similaire à Software Security for Project Managers: What Do You Need To Know? (20)

Skeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited ApplicationsSkeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited Applications
 
Thread Fix Tour Presentation Final Final
Thread Fix Tour Presentation Final FinalThread Fix Tour Presentation Final Final
Thread Fix Tour Presentation Final Final
 
Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code Reviews
 
Developing Secure Mobile Applications
Developing Secure Mobile ApplicationsDeveloping Secure Mobile Applications
Developing Secure Mobile Applications
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
 
Designing Secure Mobile Apps
Designing Secure Mobile AppsDesigning Secure Mobile Apps
Designing Secure Mobile Apps
 
BLUG 2013 - Mobile Application Delivery - Choices, choices, choices
BLUG 2013 - Mobile Application Delivery - Choices, choices, choicesBLUG 2013 - Mobile Application Delivery - Choices, choices, choices
BLUG 2013 - Mobile Application Delivery - Choices, choices, choices
 
The Permanent Campaign: Driving a Secure Software Initiative in the Enterprise
The Permanent Campaign: Driving a Secure Software Initiative in the EnterpriseThe Permanent Campaign: Driving a Secure Software Initiative in the Enterprise
The Permanent Campaign: Driving a Secure Software Initiative in the Enterprise
 
The Permanent Campaign
The Permanent CampaignThe Permanent Campaign
The Permanent Campaign
 
Mobile Threats and Owasp Top 10 Risks
Mobile Threats and Owasp Top 10 RisksMobile Threats and Owasp Top 10 Risks
Mobile Threats and Owasp Top 10 Risks
 
Application Security Done Right
Application Security Done RightApplication Security Done Right
Application Security Done Right
 
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
 
Develop and Enforce a Bring-Your-Own-Device (BYOD) Policy
Develop and Enforce a Bring-Your-Own-Device (BYOD) PolicyDevelop and Enforce a Bring-Your-Own-Device (BYOD) Policy
Develop and Enforce a Bring-Your-Own-Device (BYOD) Policy
 
Mobile Workplace Risks
Mobile Workplace RisksMobile Workplace Risks
Mobile Workplace Risks
 
Application Asset Management with ThreadFix
Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFix
 
Mobile Browser Content Handling
Mobile Browser Content HandlingMobile Browser Content Handling
Mobile Browser Content Handling
 
Jump Start Your Application Security Knowledge
Jump Start Your Application Security KnowledgeJump Start Your Application Security Knowledge
Jump Start Your Application Security Knowledge
 
CIO Summit: Data Security in a Mobile World
CIO Summit: Data Security in a Mobile WorldCIO Summit: Data Security in a Mobile World
CIO Summit: Data Security in a Mobile World
 
CIO Summit: Data Security in a Mobile World
CIO Summit: Data Security in a Mobile WorldCIO Summit: Data Security in a Mobile World
CIO Summit: Data Security in a Mobile World
 

Plus de Denim Group

Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4JDenim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleDenim Group
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20Denim Group
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramDenim Group
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportDenim Group
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Denim Group
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationDenim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsDenim Group
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsDenim Group
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Denim Group
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixDenim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationDenim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsDenim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationDenim Group
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceDenim Group
 
Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...Denim Group
 

Plus de Denim Group (20)

Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4J
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team Sport
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your Organization
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
 
Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...
 

Dernier

"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 

Dernier (20)

"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 

Software Security for Project Managers: What Do You Need To Know?

  • 1. Software Security for Project Managers:! What Do You Need to Know?! ! Dan Cornell! CTO, Denim Group! @danielcornell © Copyright 2012 Denim Group - All Rights Reserved
  • 2. My Background •  Dan Cornell, founder and CTO of Denim Group •  Software developer by background (Java, .NET, etc) •  OWASP San Antonio, Global Membership Committee © Copyright 2012 Denim Group - All Rights Reserved 2
  • 3. Denim Group Background •  Secure software services and products company –  Builds secure software –  Helps organizations assess and mitigate risk of in-house developed and third party software –  Provides classroom training and e-Learning so clients can build software securely •  Software-centric view of application security –  Application security experts are practicing developers –  Development pedigree translates to rapport with development managers –  Business impact: shorter time-to-fix application vulnerabilities •  Culture of application security innovation and contribution –  Develops open source tools to help clients mature their software security programs •  Remediation Resource Center, ThreadFix –  OWASP national leaders & regular speakers at RSA, SANS, OWASP, ISSA, CSI –  World class alliance partners accelerate innovation to solve client problems © Copyright 2012 Denim Group - All Rights Reserved 3
  • 4. Application Security in the News •  Heartland Payment Systems – Financial Data Compromise –  http://voices.washingtonpost.com/securityfix/2009/01/ payment_processor_breach_may_b.html •  PayPal – Cross Site Scripting –  http://news.netcraft.com/archives/2006/07/20/ paypal_xss_exploit_available_for_two_years.html •  T-Mobile – SQL Injection –  http://www.pcworld.com/article/119851/ paris_hilton_victim_of_tmobiles_web_flaws.html •  IKEA – Database Downloaded –  http://news.cnet.com/2100-1017-245372.html © Copyright 2012 Denim Group - All Rights Reserved 4
  • 5. Demonstration •  How do attackers view your web applications? •  RiskE Utility site © Copyright 2012 Denim Group - All Rights Reserved 5
  • 6. Application Security Defined © Copyright 2012 Denim Group - All Rights Reserved 6
  • 7. Application Security Defined •  A common definition – "Ensuring that an attacker cannot compromise an application's resources or data". –  Too narrow –  Not very actionable •  A better definition – "Ensuring that custom application code performs as expected under the entire range of possible inputs" © Copyright 2012 Denim Group - All Rights Reserved 7
  • 8. Software Implementation – Perfect World Actual Functionality Intended Functionality © Copyright 2012 Denim Group - All Rights Reserved 8
  • 9. Software Implementation – Real World Actual Intended Functionality Functionality Built Bugs Features Unintended And Undocumented Functionality © Copyright 2012 Denim Group - All Rights Reserved 9
  • 10. Application Security is Different •  Quality Assurance? –  The processes are similar –  The goals are not •  Traditional Information Security? Network Security? –  The goals are similar –  The processes are not © Copyright 2012 Denim Group - All Rights Reserved 10
  • 11. Quality Assurance vs. Security Assurance •  Both are evolving practices –  Tools and techniques are continually improving •  Quality and Security Assurance both require continual effort –  You cannot declare software 100% bug-free –  You similarly cannot declare an application 100% secure •  Both are often managed by dedicated teams in addition to the development team © Copyright 2012 Denim Group - All Rights Reserved 11
  • 12. Quality Assurance vs. Security Assurance •  QA, even excellent QA, does not account for security •  QA essentially compares an application to its "intent", its requirements –  Is the functionality there? –  Is it reliable in corner cases? –  Is the performance acceptable? •  Attackers are interested in what the application DOES that it is NOT SUPPOSED to do –  I can access my transaction data. Can I access someone else's as well? –  I can enter a data query string. Can I twist it into a data tampering command? –  I can upload documents. Can I also upload server pages? Overwrite their content? © Copyright 2012 Denim Group - All Rights Reserved 12
  • 13. Traditional Security vs. Application Security •  Traditional Information Security shares the same goals –  Confidentiality –  Integrity –  Availability •  Network and application security experts must continually keep up with the latest threats © Copyright 2012 Denim Group - All Rights Reserved 13
  • 14. Traditional Security vs. Application Security •  Traditional Information Security has a "measure and maintain" culture –  Track servers, workstations, devices –  Manage advisories, patches, configurations –  Monitor the systems in operation •  Application development has a "build" culture –  Create something that did not exist before –  Get it working on time and within budget •  Application threats are as unique as the applications themselves © Copyright 2012 Denim Group - All Rights Reserved 14
  • 15. Why Does Application Security Matter? •  Critical Systems are Internet-facing •  Most applications have serious design or coding flaws •  Laws and Regulations © Copyright 2012 Denim Group - All Rights Reserved 15
  • 16. Critical Systems are Internet Facing •  More and more business have moved to online commerce –  Hard goods, soft goods –  Flight check-in –  Personals –  Pizza Delivery •  This has tremendous advantages –  Cost of doing business goes down –  Market barriers are lower © Copyright 2012 Denim Group - All Rights Reserved 16
  • 17. Critical Systems are Internet Facing •  What are the drawbacks? –  Systems no longer have an "air" gap, personal interaction –  Physical security and personal scrutiny matter less •  Imagine an ATM machine in the desert… © Copyright 2012 Denim Group - All Rights Reserved 17
  • 18. Most applications have serious flaws •  70%+ according to studies performed by @Stake and Foundstone •  Too many development teams treat application security as a "check box" –  "This site is certified secure" labels on web pages •  Too few development teams regard security as fundamental as design or QA © Copyright 2012 Denim Group - All Rights Reserved 18
  • 19. Laws and Regulations •  New laws and regulations govern how data is stored and made available –  HIPAA –  Sarbanes Oxley –  California SB-1386 –  PCI •  Failing to comply can have legal repercussions and damage trust from partners © Copyright 2012 Denim Group - All Rights Reserved 19
  • 20. Application Security Goals •  Confidentiality •  Integrity •  Availability •  A flaw can be considered a security vulnerability when one of the goals is compromised © Copyright 2012 Denim Group - All Rights Reserved 20
  • 21. Confidentiality •  Ensuring that information is accessible only to those authorized to have access •  Compromises –  Spoofing Identity –  Direct Object Reference –  Forced Browsing –  Database compromise –  Packet Sniffing •  This is not limited to information the application directly manages –  What about phishing? –  An attacker can use an application to manipulate users © Copyright 2012 Denim Group - All Rights Reserved 21
  • 22. Integrity •  Information should only be modified by those users authorized to modify it •  Compromises –  Injection –  Direct Object Reference –  Malicious File Execution –  Cross Site Request Forgery •  There is a lot of crossover with Confidentiality, but many threats to Integrity are unique © Copyright 2012 Denim Group - All Rights Reserved 22
  • 23. Availability •  The system is online and responding to user requests for valid users at all times it is supposed to •  Compromises –  Malicious File Execution –  Buffer Overflow –  Lockout Exploits •  Threats are not limited to "bringing down" an application server –  What about forcing an exception? –  What about saturating sockets between web and application servers? © Copyright 2012 Denim Group - All Rights Reserved 23
  • 24. What Goes Wrong? •  Failure in Design •  Failure in Implementation © Copyright 2012 Denim Group - All Rights Reserved 24
  • 25. Causes of Application Security Vulnerabilities •  Failure in Design –  Poor decisions about trust –  Unspoken assumptions –  Not accounting for failure •  Failure in Implementation –  Insecure coding techniques –  Insecure configuration –  Poor deployment practices © Copyright 2012 Denim Group - All Rights Reserved 25
  • 26. Types of Vulnerabilities •  Logical Vulnerabilities –  Surface due to insecure program logic –  Typically due to poor decisions about trust –  Most "scanner" tools are powerless to find logical vulnerabilities –  Remediation: architecture and design changes •  Technical Vulnerabilities –  Surface due to insecure programming techniques –  Typically due to poor input handling and input validation –  Most "scanner" tools primarily find technical vulnerabilities –  Remediation: coding changes © Copyright 2012 Denim Group - All Rights Reserved 26
  • 27. Common Application Vulnerabilities •  Logical –  Poor Authentication –  Direct Object References –  Unchecked Input •  Technical –  Cross Site Scripting –  Injection Flaws –  Insecure Communications •  Logical or Technical –  Information Leakage –  Poor Cryptographic Storage –  Poor Configuration Management © Copyright 2012 Denim Group - All Rights Reserved 27
  • 28. Software Assurance Maturity Model (OpenSAMM) •  Open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks racing the organization •  Useful for: –  Evaluating an organization’s existing software security practices –  Building a balanced software security program in well-defined iterations –  Demonstrating concrete improvements to a security assurance program –  Defining and measuring security-related activities within an organization •  Main website: –  http://www.opensamm.org/ © Copyright 2012 Denim Group - All Rights Reserved 28
  • 29. SAMM Business Functions •  Start with the core activities tied to any organization performing software development •  Named generically, but should resonate with any developer or manager [This slide content © Pravir Chandra] © Copyright 2012 Denim Group - All Rights Reserved
  • 30. SAMM Security Practices •  From each of the Business Functions, 3 Security Practices are defined •  The Security Practices cover all areas relevant to software security assurance •  Each one is a silo for improvement [This slide content © Pravir Chandra] © Copyright 2012 Denim Group - All Rights Reserved
  • 31. Conclusions / Questions Dan Cornell dan@denimgroup.com Twitter: @danielcornell www.denimgroup.com www.denimgroup.com/threadfix code.google.com/p/threadfix (210) 572-4400 © Copyright 2012 Denim Group - All Rights Reserved 31