SlideShare a Scribd company logo

Secure SDLC for Software

Shreeraj Shah
Shreeraj Shah

The document discusses secure software development lifecycles and application security. It notes that security is often not considered during traditional SDLC processes. It advocates doing threat modeling and source code analysis to integrate security. It also discusses differences between blackbox and whitebox testing approaches, and analyzing applications at the source code level versus object code level.

1 of 86
[object Object],[object Object],[object Object],[object Object],[object Object]
Who Am I? ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],http://shreeraj.blogspot.com [email_address] http://www.blueinfy.com
SOFTWARE/APPLICATION SECURITY (STATE)
Data Breaches & Security
Hacks & Attacks
Security with Banks
Security with Banks
Security with Banks
Root cause of Vulnerabilities CSI Security Survey : Vulnerability Distribution misconfiguration, other problems 36% programming errors 64% misconfiguration, other problems programming errors
Source Code Issues ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
AppSec dynamics
Vulnerable State Expected State Exception Handler Decision Integer/ Number Special Characters A-Z Characters Input Potential Exploitation Enterprise level bugs
Top 10 & Bugs
Threats and Controls Source – Web Application Security Consortium
CVE/CWE - Errors ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Source – CWE/CVE - http://cwe.mitre.org/top25/index.html
CVE/CWE - Errors ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Source – CWE/CVE - http://cwe.mitre.org/top25/index.html
CVE/CWE - Errors ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Source – CWE/CVE - http://cwe.mitre.org/top25/index.html
Mapping
SDLC – WHERE IS SECURITY?
Enterprise SDLC 1. Analysis and Assessment 2. Design Specification 3. Software Development 4. Implementation 5. Support 6. Performance Monitoring
Missing in SDLC ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Application Security Cycle Architecture Blackbox Whitebox Defense Architecture Review Design Review Technology Review Threat modeling Assessment Audit controls Penetration tests Deployment tests Configuration review Deployment review Code review Threat correlation Secure coding Configuration lockdown Content filtering Threat mitigation
SAMM ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
SAMM in nutshell ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Different models
Methodology, Scan and Attacks Footprinting & Discovery Enumeration & Crawling Attacks and Scanning Config Scanning Web Firewall Secure Coding Assets Secure Assets Black White Defense Code Scanning
Black vs. White Architecture Review Scoping Footprinting Discovery Enumeration & Profiling Security Controls & Cases Vulnerability Assessment Threat Modeling Mitigation strategies Reporting Sample Security Control Categories – Authentication, Access Controls/Authorization, API misuse, Path traversal, Sensitive information leakage, Error handling, Session management, Protocol abuse, Input validations, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Logic bypass, Insecure crypto, Denial of Services, Malicious Code Injection, SQL injection, XPATH and LDAP injections, OS command injection, Parameter manipulations, Bruteforce, Buffer Overflow, Format string, HTTP response splitting, HTTP replay, XML injection, Canonicalization, Logging and auditing. Architecture Review Scoping Threat Modeling Code Enumeration Security Controls & Cases Entry Point Discoveries Class, Function & Variable Tracing Code Mapping and Functionality Vulnerability Detection Mitigation Controls Reporting Black White
White vs. Black ,[object Object],[object Object],[object Object],[object Object]
White vs. Black ,[object Object],[object Object],[object Object],[object Object],[object Object]
White vs. Black ,[object Object],[object Object],[object Object],[object Object]
White vs. Black ,[object Object],[object Object],[object Object],[object Object]
Limitations ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
MISSING PARTS
Domain centric approach - MUSTs ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Two components ,[object Object],[object Object],[object Object]
Black-White-TM
Architecture review
QueryString POST name and value pairs XML/JSON etc. HTTP variables Cookie etc. File attachments uploads etc. Feeds and other party information Open APIs and integrated streams HTTP Response variables JSON/XML streams API - steams Entry Point Review
Use cases ,[object Object]
Mapping Key Parameters Steps Input Output Identify Application objectives Business Requirements List of Key Objectives Overview of the Application Architecture ,[object Object],[object Object],[object Object],[object Object],In - depth Application Analysis: ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Identify threats & vulnerabilities ,[object Object],[object Object],Threat & Vulnerabilities list
Static Code Analysis ,[object Object],[object Object],[object Object],[object Object],[object Object]
Traditional checks ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Application challenges ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Simple presentation ASP.NET ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Code behind calls ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Running on Object Code ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Vulnerable and Exploit
Running on reverse engineering ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Building code from object…
Object vs. Source ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Techniques ,[object Object],[object Object],[object Object],[object Object]
Attack Surface ,[object Object],[object Object],[object Object],[object Object],[object Object]
Attack & Entry
GET/POST ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
XML-RPC ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
SOAP ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
REST ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
JSON ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
File calls ,[object Object],[object Object],[object Object]
RSS - Feed ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Entry Points – Client Side ,[object Object],[object Object],[object Object],[object Object],[object Object]
HTTP to Source ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Interesting… ,[object Object],[object Object],[object Object],[object Object]
In compiled code ,[object Object],[object Object]
Simple scan… ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
AppCodeScan way…
Rules… ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Java ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
PHP/Coldfusion ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Web 2.0 ,[object Object]
Making POST ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Code for Web Services ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
JSON-RPC ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Java based ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
PHP ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Tainted variables ,[object Object],[object Object],[object Object],[object Object]
Impact Analysis
Types - Impact ,[object Object],[object Object],[object Object],[object Object]
Impact
Impact
Tracing
Simple tracing… ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Running… ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Information Leaks ,[object Object],[object Object],[object Object]
SQL Injection ,[object Object],[object Object]
CONCLUSION – QUESTIONS! [email_address] http://www.blueinfy.com

Recommended

Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingPriyanka Aash
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101Narudom Roongsiriwong, CISSP
 
Security Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsSecurity Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsYulian Slobodyan
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Managementasherad
 
Cyber Security Maturity Assessment
Cyber Security Maturity Assessment Cyber Security Maturity Assessment
Cyber Security Maturity AssessmentDoreen Loeber
 
Distributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Distributed Immutable Ephemeral - New Paradigms for the Next Era of SecurityDistributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Distributed Immutable Ephemeral - New Paradigms for the Next Era of SecuritySounil Yu
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Edureka!
 
Threat Modeling to Reduce Software Security Risk
Threat Modeling to Reduce Software Security RiskThreat Modeling to Reduce Software Security Risk
Threat Modeling to Reduce Software Security RiskSecurity Innovation
 

Recommended

Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingPriyanka Aash
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101Narudom Roongsiriwong, CISSP
 
Security Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsSecurity Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsYulian Slobodyan
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Managementasherad
 
Cyber Security Maturity Assessment
Cyber Security Maturity Assessment Cyber Security Maturity Assessment
Cyber Security Maturity AssessmentDoreen Loeber
 
Distributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Distributed Immutable Ephemeral - New Paradigms for the Next Era of SecurityDistributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Distributed Immutable Ephemeral - New Paradigms for the Next Era of SecuritySounil Yu
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Edureka!
 
Threat Modeling to Reduce Software Security Risk
Threat Modeling to Reduce Software Security RiskThreat Modeling to Reduce Software Security Risk
Threat Modeling to Reduce Software Security RiskSecurity Innovation
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouKevin Fealey
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
Secure Coding and Threat Modeling
Secure Coding and Threat ModelingSecure Coding and Threat Modeling
Secure Coding and Threat ModelingMiriam Celi, CISSP, GISP, MSCS, MBA
 
Application Security
Application SecurityApplication Security
Application SecurityReggie Niccolo Santos
 
7 Steps to Threat Modeling
7 Steps to Threat Modeling7 Steps to Threat Modeling
7 Steps to Threat ModelingDanny Wong
 
Threat Modeling And Analysis
Threat Modeling And AnalysisThreat Modeling And Analysis
Threat Modeling And AnalysisLalit Kale
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & ArchitecturePriyanka Aash
 
Building Security Operation Center
Building Security Operation CenterBuilding Security Operation Center
Building Security Operation CenterS.E. CTS CERT-GOV-MD
 
Risk Analysis Of Banking Malware Attacks
Risk Analysis Of Banking Malware AttacksRisk Analysis Of Banking Malware Attacks
Risk Analysis Of Banking Malware AttacksMarco Morana
 
Roadmap to security operations excellence
Roadmap to security operations excellenceRoadmap to security operations excellence
Roadmap to security operations excellenceErik Taavila
 
Cyber threat intelligence ppt
Cyber threat intelligence pptCyber threat intelligence ppt
Cyber threat intelligence pptKumar Gaurav
 
Vulnerability Assessment
Vulnerability AssessmentVulnerability Assessment
Vulnerability Assessmentprimeteacher32
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
Understanding Your Attack Surface and Detecting & Mitigating External Threats
Understanding Your Attack Surface and Detecting & Mitigating External ThreatsUnderstanding Your Attack Surface and Detecting & Mitigating External Threats
Understanding Your Attack Surface and Detecting & Mitigating External ThreatsUlf Mattsson
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)abhimanyubhogwan
 
Introduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesIntroduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesMaxime ALAY-EDDINE
 
Cyber Threat hunting workshop
Cyber Threat hunting workshopCyber Threat hunting workshop
Cyber Threat hunting workshopArpan Raval
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat ModelingMarco Morana
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesMarco Morana
 
DevSecOps - automating security
DevSecOps - automating securityDevSecOps - automating security
DevSecOps - automating securityJohn Staveley
 

More Related Content

What's hot

Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouKevin Fealey
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
7 Steps to Threat Modeling
7 Steps to Threat Modeling7 Steps to Threat Modeling
7 Steps to Threat ModelingDanny Wong
 
Threat Modeling And Analysis
Threat Modeling And AnalysisThreat Modeling And Analysis
Threat Modeling And AnalysisLalit Kale
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & ArchitecturePriyanka Aash
 
Building Security Operation Center
Building Security Operation CenterBuilding Security Operation Center
Building Security Operation CenterS.E. CTS CERT-GOV-MD
 
Risk Analysis Of Banking Malware Attacks
Risk Analysis Of Banking Malware AttacksRisk Analysis Of Banking Malware Attacks
Risk Analysis Of Banking Malware AttacksMarco Morana
 
Roadmap to security operations excellence
Roadmap to security operations excellenceRoadmap to security operations excellence
Roadmap to security operations excellenceErik Taavila
 
Cyber threat intelligence ppt
Cyber threat intelligence pptCyber threat intelligence ppt
Cyber threat intelligence pptKumar Gaurav
 
Vulnerability Assessment
Vulnerability AssessmentVulnerability Assessment
Vulnerability Assessmentprimeteacher32
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
Understanding Your Attack Surface and Detecting & Mitigating External Threats
Understanding Your Attack Surface and Detecting & Mitigating External ThreatsUnderstanding Your Attack Surface and Detecting & Mitigating External Threats
Understanding Your Attack Surface and Detecting & Mitigating External ThreatsUlf Mattsson
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)abhimanyubhogwan
 
Introduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesIntroduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesMaxime ALAY-EDDINE
 
Cyber Threat hunting workshop
Cyber Threat hunting workshopCyber Threat hunting workshop
Cyber Threat hunting workshopArpan Raval
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat ModelingMarco Morana
 

What's hot (20)

Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
 
Secure Coding and Threat Modeling
Secure Coding and Threat ModelingSecure Coding and Threat Modeling
Secure Coding and Threat Modeling
 
Application Security
Application SecurityApplication Security
Application Security
 
7 Steps to Threat Modeling
7 Steps to Threat Modeling7 Steps to Threat Modeling
7 Steps to Threat Modeling
 
Threat Modeling And Analysis
Threat Modeling And AnalysisThreat Modeling And Analysis
Threat Modeling And Analysis
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture
 
Building Security Operation Center
Building Security Operation CenterBuilding Security Operation Center
Building Security Operation Center
 
Risk Analysis Of Banking Malware Attacks
Risk Analysis Of Banking Malware AttacksRisk Analysis Of Banking Malware Attacks
Risk Analysis Of Banking Malware Attacks
 
Roadmap to security operations excellence
Roadmap to security operations excellenceRoadmap to security operations excellence
Roadmap to security operations excellence
 
Cyber threat intelligence ppt
Cyber threat intelligence pptCyber threat intelligence ppt
Cyber threat intelligence ppt
 
Vulnerability Assessment
Vulnerability AssessmentVulnerability Assessment
Vulnerability Assessment
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
 
Understanding Your Attack Surface and Detecting & Mitigating External Threats
Understanding Your Attack Surface and Detecting & Mitigating External ThreatsUnderstanding Your Attack Surface and Detecting & Mitigating External Threats
Understanding Your Attack Surface and Detecting & Mitigating External Threats
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat Intelligence
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
 
Introduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesIntroduction to Software Security and Best Practices
Introduction to Software Security and Best Practices
 
Cyber Threat hunting workshop
Cyber Threat hunting workshopCyber Threat hunting workshop
Cyber Threat hunting workshop
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
 

Similar to Secure SDLC for Software

OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesMarco Morana
 
DevSecOps - automating security
DevSecOps - automating securityDevSecOps - automating security
DevSecOps - automating securityJohn Staveley
 
Using Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security ProblemsUsing Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security Problemskiansahafi
 
Assessment methodology and approach
Assessment methodology and approachAssessment methodology and approach
Assessment methodology and approachBlueinfy Solutions
 
香港六合彩
香港六合彩香港六合彩
香港六合彩baoyin
 
EISA Considerations for Web Application Security
EISA Considerations for Web Application SecurityEISA Considerations for Web Application Security
EISA Considerations for Web Application SecurityLarry Ball
 
Security in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsSecurity in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsCenzic
 
Matthew Coles - Izar Tarandach - Security Toolbox
Matthew Coles - Izar Tarandach - Security ToolboxMatthew Coles - Izar Tarandach - Security Toolbox
Matthew Coles - Izar Tarandach - Security ToolboxSource Conference
 
Web 2.0 Hacking
Web 2.0 HackingWeb 2.0 Hacking
Web 2.0 Hackingblake101
 
Agnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know itAgnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know itSecurity BSides London
 
Software Security Engineering
Software Security EngineeringSoftware Security Engineering
Software Security EngineeringMarco Morana
 
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case Study
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case StudyFinding Zero-Days Before The Attackers: A Fortune 500 Red Team Case Study
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case StudyDevOps.com
 
Security Operations
Security OperationsSecurity Operations
Security Operationsankitmehta21
 
AppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingAppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingShreeraj Shah
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxcgt38842
 
OWASPTop 10
OWASPTop 10OWASPTop 10
OWASPTop 10InnoTech
 
CSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web ApplicationsCSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web ApplicationsAlert Logic
 

Similar to Secure SDLC for Software (20)

OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root Causes
 
DevSecOps - automating security
DevSecOps - automating securityDevSecOps - automating security
DevSecOps - automating security
 
Using Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security ProblemsUsing Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security Problems
 
Assessment methodology and approach
Assessment methodology and approachAssessment methodology and approach
Assessment methodology and approach
 
香港六合彩
香港六合彩香港六合彩
香港六合彩
 
EISA Considerations for Web Application Security
EISA Considerations for Web Application SecurityEISA Considerations for Web Application Security
EISA Considerations for Web Application Security
 
Security in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsSecurity in the cloud protecting your cloud apps
Security in the cloud protecting your cloud apps
 
Security engineering
Security engineeringSecurity engineering
Security engineering
 
Matthew Coles - Izar Tarandach - Security Toolbox
Matthew Coles - Izar Tarandach - Security ToolboxMatthew Coles - Izar Tarandach - Security Toolbox
Matthew Coles - Izar Tarandach - Security Toolbox
 
Cyber ppt
Cyber pptCyber ppt
Cyber ppt
 
Web 2.0 Hacking
Web 2.0 HackingWeb 2.0 Hacking
Web 2.0 Hacking
 
Agnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know itAgnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know it
 
Software Security Engineering
Software Security EngineeringSoftware Security Engineering
Software Security Engineering
 
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case Study
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case StudyFinding Zero-Days Before The Attackers: A Fortune 500 Red Team Case Study
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case Study
 
Security Operations
Security OperationsSecurity Operations
Security Operations
 
A Closer Look on C&C Panels
A Closer Look on C&C PanelsA Closer Look on C&C Panels
A Closer Look on C&C Panels
 
AppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingAppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services Hacking
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASPTop 10
OWASPTop 10OWASPTop 10
OWASPTop 10
 
CSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web ApplicationsCSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web Applications
 

More from Shreeraj Shah

Html5 localstorage attack vectors
Html5 localstorage attack vectorsHtml5 localstorage attack vectors
Html5 localstorage attack vectorsShreeraj Shah
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5Shreeraj Shah
 
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERYFIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERYShreeraj Shah
 
Top 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - WhitepaperTop 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - WhitepaperShreeraj Shah
 
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth ExploitsHTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth ExploitsShreeraj Shah
 
Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserShreeraj Shah
 
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)Shreeraj Shah
 
Dom Hackking & Security - BlackHat Preso
Dom Hackking & Security - BlackHat PresoDom Hackking & Security - BlackHat Preso
Dom Hackking & Security - BlackHat PresoShreeraj Shah
 
Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010Shreeraj Shah
 
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web [Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web Shreeraj Shah
 
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...Shreeraj Shah
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesShreeraj Shah
 
Hacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Hacking Ajax & Web Services - Next Generation Web Attacks on the RiseHacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Hacking Ajax & Web Services - Next Generation Web Attacks on the RiseShreeraj Shah
 
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Shreeraj Shah
 
Hacking and Securing .NET Apps (Infosecworld)
Hacking and Securing .NET Apps (Infosecworld)Hacking and Securing .NET Apps (Infosecworld)
Hacking and Securing .NET Apps (Infosecworld)Shreeraj Shah
 
Web Application Kung-Fu, Art of Defense (Bellua/HITB)
Web Application Kung-Fu, Art of Defense (Bellua/HITB)Web Application Kung-Fu, Art of Defense (Bellua/HITB)
Web Application Kung-Fu, Art of Defense (Bellua/HITB)Shreeraj Shah
 
Web Services Security Chess (RSA)
Web Services Security Chess (RSA)Web Services Security Chess (RSA)
Web Services Security Chess (RSA)Shreeraj Shah
 
Advanced Web Hacking (EUSecWest 06)
Advanced Web Hacking (EUSecWest 06)Advanced Web Hacking (EUSecWest 06)
Advanced Web Hacking (EUSecWest 06)Shreeraj Shah
 
Advanced Web Services Hacking (AusCERT 06)
Advanced Web Services Hacking (AusCERT 06)Advanced Web Services Hacking (AusCERT 06)
Advanced Web Services Hacking (AusCERT 06)Shreeraj Shah
 

More from Shreeraj Shah (19)

Html5 localstorage attack vectors
Html5 localstorage attack vectorsHtml5 localstorage attack vectors
Html5 localstorage attack vectors
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5
 
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERYFIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
 
Top 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - WhitepaperTop 10 HTML5 Threats - Whitepaper
Top 10 HTML5 Threats - Whitepaper
 
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth ExploitsHTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
 
Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browser
 
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)
 
Dom Hackking & Security - BlackHat Preso
Dom Hackking & Security - BlackHat PresoDom Hackking & Security - BlackHat Preso
Dom Hackking & Security - BlackHat Preso
 
Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010
 
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web [Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
 
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Prac...
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
 
Hacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Hacking Ajax & Web Services - Next Generation Web Attacks on the RiseHacking Ajax & Web Services - Next Generation Web Attacks on the Rise
Hacking Ajax & Web Services - Next Generation Web Attacks on the Rise
 
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
 
Hacking and Securing .NET Apps (Infosecworld)
Hacking and Securing .NET Apps (Infosecworld)Hacking and Securing .NET Apps (Infosecworld)
Hacking and Securing .NET Apps (Infosecworld)
 
Web Application Kung-Fu, Art of Defense (Bellua/HITB)
Web Application Kung-Fu, Art of Defense (Bellua/HITB)Web Application Kung-Fu, Art of Defense (Bellua/HITB)
Web Application Kung-Fu, Art of Defense (Bellua/HITB)
 
Web Services Security Chess (RSA)
Web Services Security Chess (RSA)Web Services Security Chess (RSA)
Web Services Security Chess (RSA)
 
Advanced Web Hacking (EUSecWest 06)
Advanced Web Hacking (EUSecWest 06)Advanced Web Hacking (EUSecWest 06)
Advanced Web Hacking (EUSecWest 06)
 
Advanced Web Services Hacking (AusCERT 06)
Advanced Web Services Hacking (AusCERT 06)Advanced Web Services Hacking (AusCERT 06)
Advanced Web Services Hacking (AusCERT 06)
 

Secure SDLC for Software

  • 1.
  • 2.
  • 4. Data Breaches & Security
  • 9. Root cause of Vulnerabilities CSI Security Survey : Vulnerability Distribution misconfiguration, other problems 36% programming errors 64% misconfiguration, other problems programming errors
  • 10.
  • 12. Vulnerable State Expected State Exception Handler Decision Integer/ Number Special Characters A-Z Characters Input Potential Exploitation Enterprise level bugs
  • 13. Top 10 & Bugs
  • 14. Threats and Controls Source – Web Application Security Consortium
  • 15.
  • 16.
  • 17.
  • 19. SDLC – WHERE IS SECURITY?
  • 20. Enterprise SDLC 1. Analysis and Assessment 2. Design Specification 3. Software Development 4. Implementation 5. Support 6. Performance Monitoring
  • 21.
  • 22. Application Security Cycle Architecture Blackbox Whitebox Defense Architecture Review Design Review Technology Review Threat modeling Assessment Audit controls Penetration tests Deployment tests Configuration review Deployment review Code review Threat correlation Secure coding Configuration lockdown Content filtering Threat mitigation
  • 23.
  • 24.
  • 26. Methodology, Scan and Attacks Footprinting & Discovery Enumeration & Crawling Attacks and Scanning Config Scanning Web Firewall Secure Coding Assets Secure Assets Black White Defense Code Scanning
  • 27. Black vs. White Architecture Review Scoping Footprinting Discovery Enumeration & Profiling Security Controls & Cases Vulnerability Assessment Threat Modeling Mitigation strategies Reporting Sample Security Control Categories – Authentication, Access Controls/Authorization, API misuse, Path traversal, Sensitive information leakage, Error handling, Session management, Protocol abuse, Input validations, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Logic bypass, Insecure crypto, Denial of Services, Malicious Code Injection, SQL injection, XPATH and LDAP injections, OS command injection, Parameter manipulations, Bruteforce, Buffer Overflow, Format string, HTTP response splitting, HTTP replay, XML injection, Canonicalization, Logging and auditing. Architecture Review Scoping Threat Modeling Code Enumeration Security Controls & Cases Entry Point Discoveries Class, Function & Variable Tracing Code Mapping and Functionality Vulnerability Detection Mitigation Controls Reporting Black White
  • 28.
  • 29.
  • 30.
  • 31.
  • 32.
  • 34.
  • 35.
  • 38. QueryString POST name and value pairs XML/JSON etc. HTTP variables Cookie etc. File attachments uploads etc. Feeds and other party information Open APIs and integrated streams HTTP Response variables JSON/XML streams API - steams Entry Point Review
  • 39.
  • 40.
  • 41.
  • 42.
  • 43.
  • 44.
  • 45.
  • 46.
  • 48.
  • 49. Building code from object…
  • 50.
  • 51.
  • 52.
  • 54.
  • 55.
  • 56.
  • 57.
  • 58.
  • 59.
  • 60.
  • 61.
  • 62.
  • 63.
  • 64.
  • 65.
  • 67.
  • 68.
  • 69.
  • 70.
  • 71.
  • 72.
  • 73.
  • 74.
  • 75.
  • 76.
  • 78.
  • 82.
  • 83.
  • 84.
  • 85.
  • 86. CONCLUSION – QUESTIONS! [email_address] http://www.blueinfy.com