Security as a part of quality assurance

•

0 j'aime•915 vues

Boy Baukema

Technologie

In custom software,  
if you haven’t properly tested it, it probably
doesn’t work.

This goes for both functional and nonfunctional
requirements.

!
Worse yet if you  
don’t even know what ‘it’ is supposed to be.

Boy Baukema
Security Specialist @ Ibuildings.nl

Security what?
Senior Engineer
+ interest in WebAppSec
+ 4 hours a week R&D
+ internal training & consultancy
+ internal & external auditing

The plan
1. The journey
2. The holy grail
3. Riding off into the sunset

– My CTO
“Make security something I can sell,
give managers a knob to turn.”

LEVEL 1 LEVEL 2 LEVEL 3
CHAPTER 1 
1.1 
1.2 
1.3
!
X
!
!
X
!
X
!
X
X
X
CHAPTER 2 
2.1 
2.2 
2.3
X 
X
 
X
X 
X
!
X
X 
X

ASVS (2013) Levels
Level 0 - Bullshit compliance level (0)
Level 1 - Opportunistic (47)
Level 2 - Standard (136)
Level 3 - Advanced (164)

ASVS Chapters
V1. Authentication
V2. Session Management
V3. Access Control
V4. Input Validation
V5. Cryptography (at Rest)
V6. Error Handling and
Logging
V7. Data Protection
!
V8. Communication Security
V9. HTTP Security
V10. Malicious Controls
V11. Business Logic
V12. Files and Resources
V13. Mobile

V1.4. Verify that credentials and all other
identity information handled by the application
does not traverse unencrypted or weakly
encrypted links.
(level 1, 2 & 3)
!

–OWASP ASVS 2009 Level 2
V2.7 Verify that the strength of any
authentication credentials are suﬃcient to
withstand attacks that are typical of the threats
in the deployed environment.

AASVS 2009, Scanners &  
Report Generator

–OWASP ASVS 2013 Beta,  
Application Security
Veriﬁcation Levels
“… scope of the veriﬁcation may go beyond the
application’s custom-built code and include
external components. Achieving a veriﬁcation
level under such scrutiny can be represented
by annotating a “+” symbol to the veriﬁcation
level”

Security Testing
One aspect of a Secure Development LifeCycle

Contenu connexe

En vedette

Session 1: ICT & Meaningful LearningAshley Tan

ICT Quality AssuranceAshley Tan

Test Life CycleNilesh Patange

Quality Assurance in Software Ind.Heritage Institute Of Tech,India

2 quality assuranceJyothi Chinnasamy

Quality Assurance Vs Quality ControlYogita patil

Introduction To Software Quality Assuranceruth_reategui

Quality Assurance and Software Testingpingkapil

QUALITY ASSURANCEPharmaceutical

En vedette (9)

Session 1: ICT & Meaningful Learning

ICT Quality Assurance

Test Life Cycle

Quality Assurance in Software Ind.

2 quality assurance

Quality Assurance Vs Quality Control

Introduction To Software Quality Assurance

Quality Assurance and Software Testing

QUALITY ASSURANCE

Similaire à Security as a part of quality assurance

Dpc14 security as part of Quality AssuranceBoy Baukema

Security as a New Metric for Your Business, Product and Development Lifecycle...IT Arena

Security as a new metric for Business, Product and Development LifecycleNazar Tymoshyk, CEH, Ph.D.

Agile and Secure DevelopmentNazar Tymoshyk, CEH, Ph.D.

Building an AppSec Team Extended CutMike Spaulding

Mike Spaulding - Building an Application Security Programcentralohioissa

개발자가 알아야 할 보안Johnny Cho

Security Services and Approach by Nazar TymoshykSoftServe

Agnitio: its static analysis, but not as we know itSecurity BSides London

SecurityZuko Lopez

What Every Developer And Tester Should Know About Software SecurityAnne Oikarinen

Certified Ethical Hacking (CEH V9) Course Details | EC-CouncilCRAW CYBER SECURITY PVT LTD

Application Security Risk AssessmentThomas Kurian Ambattu,CRISC,ISLA-2011 (ISC)²

Software risk managementJose Javier M

wannabe Cyberpunk; “I don’t know what I’m supposed to do.”Moshiul Islam, CISSP, CISA, CFE

Owasp tdssnyff

Horusec - Security & VulnerabilityKnoldus Inc.

The Principles of Secure Development - BSides Las Vegas 2009Security Ninja

Keynote Session : NIST - Cyber Security Framework Measuring SecurityPriyanka Aash

12 Crucial Windows Security Skills for 2018Paula Januszkiewicz

Similaire à Security as a part of quality assurance (20)

Dpc14 security as part of Quality Assurance

Security as a New Metric for Your Business, Product and Development Lifecycle...

Security as a new metric for Business, Product and Development Lifecycle

Agile and Secure Development

Building an AppSec Team Extended Cut

Mike Spaulding - Building an Application Security Program

개발자가 알아야 할 보안

Security Services and Approach by Nazar Tymoshyk

Agnitio: its static analysis, but not as we know it

Security

What Every Developer And Tester Should Know About Software Security

Certified Ethical Hacking (CEH V9) Course Details | EC-Council

Application Security Risk Assessment

Software risk management

wannabe Cyberpunk; “I don’t know what I’m supposed to do.”

Owasp tds

Horusec - Security & Vulnerability

The Principles of Secure Development - BSides Las Vegas 2009

Keynote Session : NIST - Cyber Security Framework Measuring Security

12 Crucial Windows Security Skills for 2018

Plus de Boy Baukema

Security horrorsBoy Baukema

Tampering with JavaScriptBoy Baukema

Code by the sea: Web Application SecurityBoy Baukema

Ibuildings ISO 27001 lunchboxBoy Baukema

OWASP ASVS 3 - What's new for level 1?Boy Baukema

Verifying Drupal modules with OWASP ASVS 2014Boy Baukema

Secure Drupal, from start to finishBoy Baukema

Recursive descent parsingBoy Baukema

SURFconext and MobileBoy Baukema

WebAppSec @ Ibuildings in 2014Boy Baukema

Let's build a parser!Boy Baukema

Javascript: 8 Reasons Every PHP Developer Should Love ItBoy Baukema

Plus de Boy Baukema (12)

Security horrors

Tampering with JavaScript

Code by the sea: Web Application Security

Ibuildings ISO 27001 lunchbox

OWASP ASVS 3 - What's new for level 1?

Verifying Drupal modules with OWASP ASVS 2014

Secure Drupal, from start to finish

Recursive descent parsing

SURFconext and Mobile

WebAppSec @ Ibuildings in 2014

Let's build a parser!

Javascript: 8 Reasons Every PHP Developer Should Love It

Dernier

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra

FWD Group - Insurer Innovation Award 2024The Digital Insurer

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz

Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea

Why Teams call analytics are critical to your entire businesspanagenda

Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2

[BuildWithAI] Introduction to Gemini.pdfSandro Moreira

ICT role in 21st century education and its challengesrafiqahmad00786416

Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer

2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong

AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer

Ransomware_Q4_2023. The report. [EN].pdfOverkill Security

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93

Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez

Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services

Manulife - Insurer Transformation Award 2024The Digital Insurer

Exploring Multimodal Embeddings with MilvusZilliz

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays

MS Copilot expands with MS Graph connectorsNanddeep Nachan

Dernier (20)

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

FWD Group - Insurer Innovation Award 2024

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

Finding Java's Hidden Performance Traps @ DevoxxUK 2024

Why Teams call analytics are critical to your entire business

Exploring the Future Potential of AI-Enabled Smartphone Processors

[BuildWithAI] Introduction to Gemini.pdf

ICT role in 21st century education and its challenges

Axa Assurance Maroc - Insurer Innovation Award 2024

2024: Domino Containers - The Next Step. News from the Domino Container commu...

AXA XL - Insurer Innovation Award Americas 2024

Ransomware_Q4_2023. The report. [EN].pdf

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Strategies for Landing an Oracle DBA Job as a Fresher

Manulife - Insurer Transformation Award 2024

Exploring Multimodal Embeddings with Milvus

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

MS Copilot expands with MS Graph connectors

Security as a part of quality assurance

1. Security A part of Quality Assurance

2. In custom software,   if you haven’t properly tested it, it probably doesn’t work. This goes for both functional and nonfunctional requirements. ! Worse yet if you   don’t even know what ‘it’ is supposed to be.

3. Boy Baukema Security Specialist @ Ibuildings.nl

4. Security what? Senior Engineer + interest in WebAppSec + 4 hours a week R&D + internal training & consultancy + internal & external auditing

5. Wait, where?

6. You

7. The plan 1. The journey 2. The holy grail 3. Riding off into the sunset

10. – My CTO “Make security something I can sell, give managers a knob to turn.”

11.

12. LEVEL 1 LEVEL 2 LEVEL 3 CHAPTER 1  1.1  1.2  1.3 ! X ! ! X ! X ! X X X CHAPTER 2  2.1  2.2  2.3 X  X   X X  X ! X X  X

13. ASVS (2013) Levels Level 0 - Bullshit compliance level (0) Level 1 - Opportunistic (47) Level 2 - Standard (136) Level 3 - Advanced (164)

14. ASVS Chapters V1. Authentication V2. Session Management V3. Access Control V4. Input Validation V5. Cryptography (at Rest) V6. Error Handling and Logging V7. Data Protection ! V8. Communication Security V9. HTTP Security V10. Malicious Controls V11. Business Logic V12. Files and Resources V13. Mobile

15. V1.4. Verify that credentials and all other identity information handled by the application does not traverse unencrypted or weakly encrypted links. (level 1, 2 & 3) !

16.

17. –OWASP ASVS 2009 Level 2 V2.7 Verify that the strength of any authentication credentials are suﬃcient to withstand attacks that are typical of the threats in the deployed environment.

18. AASVS 2009, Scanners &   Report Generator

19. –Sahba Kazerooni “Done any day now!”

20. –OWASP ASVS 2013 Beta,   Application Security Verification Levels “… scope of the verification may go beyond the application’s custom-built code and include external components. Achieving a verification level under such scrutiny can be represented by annotating a “+” symbol to the verification level”

21. OWASP AASVS 2013

22. Security Assurance Maturity Model

23. Security Testing One aspect of a Secure Development LifeCycle

24. To be continued...