CyberFrat Manoj Purandare
Secure Code Assessments [ SCA ]
Prevention is better than Cure
Part – 1 of 3
Manoj Purandare
General Manager – Application Security, ACPL Systems Ltd., India.
CISSP, PmP, PgMP, Cyber Crime Analyst, ITIL,
PCI-DSS Security Implementer
25 yrs of IT and Information Security expertise and experience
Application Security
Application Security – Source Code Assessment topics
• Current Scenario – SAST (Static Application Security Test)
• Equifax and other stories to learn from
• Application Security - must have SAST Planning
• What is SAST and secure code assessment [ SCA ]
• The Secure Programming Techniques - Abstract
• Your vulnerable application may have multiple risks
• Understand an Attack Surface to your applications
• The Secure Code Review Metrics
• Must have application security in annual risk assessments
• Tools and resources to assess and audit application security with secure code assessments [SCA] maturity
• Your future – Prevention is better than Cure, start S-C-A
Application or Software & its Security ?
Compare it to avoiding your daily junk food and eating good food, and doing regular exercise or yoga
to help generate good ideas and positive actions in your body.
But even this food may be impure or mixed with unwanted ingredients that make your body ill.
So we need to control our food habits and keep the impurities out of our body.
How?
Stay Current – latest security tools
Stay Updated – latest patches & fixes
Stay Secure – always monitor & control
Before starting with Application Security
• This past June, just half-way into 2017, over 790 U.S. data breaches had already been
reported, according to the Identity Theft Resource Center (ITRC). This was a half-year
record high and a 29% jump from the same time period in 2016, and 63% of those
breaches were caused by cyber attacks.
• Since more than 80% of cyber attacks target applications, having a strong application
security solution in place is vital. An application security tool will help your
development team identify security vulnerabilities before a hacker can, and fix them.
• The Equifax story and many similar incidents in the past 3 years have raised doubts about our own
applications and the 3rd-party applications we currently use, e.g. lack of visibility into the usage
of Apache Struts. Refer to CVE-2017-9805 and CVE-2017-5638.
Current Example of Security Breach (in short)
• In this case, Equifax, like many companies, has a large portfolio of applications. As
revealed in the OSSRA report, most companies aren't doing a good job of tracking
open source, so unless Equifax had deployed a solution like Black Duck Hub, they
probably did not have a complete and reliable inventory of the open source
components in use in their applications.
• In March, when the vulnerability was disclosed, it is highly likely that they
would not even have known they were at risk, even if their security team was aware of the
vulnerability. Put simply, they were flying blind.
• Exploits for CVE-2017-5638 were widely available and being used almost
immediately after the vulnerability was disclosed, so Equifax entered this period of very
high risk without knowing it, at the same time that hackers were actively scanning and
probing to find websites and applications that were vulnerable.
• If this is the case, the door was "unlocked" until they discovered the breach over
four months later.
So What Can Companies Learn From This?
• Visibility is critical. You can't protect yourself if you don't know what's in your code. If you
don't have a complete inventory of the open source your teams are using, then you are leaving
your applications at risk.
• Open Source Vulnerability Management needs to be automated and tightly integrated into
development and DevOps tools and processes. You are only as secure as your weakest link.
Only by ensuring that all code is scanned before going into production can you be confident
that you have addressed the weak links.
• Lessen the GAP between:
a) when vulnerabilities are reported, and
b) when you patch or mitigate them.
More than 10 new open source vulnerabilities are reported every day. Unfortunately, you can't
rely on the National Vulnerability Database (NVD) to give you early warning of them. Exploits
are already available for the latest Struts vuln (CVE-2017-9805), yet NVD still has no data for it.
Research has shown that it takes an average of three weeks for vulnerabilities to be
documented in NVD.
To solve this problem, some independent organizations like Black Duck and others independently
monitor and research vulnerabilities using hundreds of sources so they can provide same-day
alerts for vulnerabilities like CVE-2017-9805.
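The inventory check the three lessons above call for, as an added example (not from the deck or from any vendor product): a constructed per-application bill of materials is matched against a small advisory list and the required upgrade is reported. The advisory entry format, the application names and the sample inventory are this example's own; the Struts version ranges are as the author of this example reads the Apache S2-045/S2-052 advisories and should be re-checked against the vendor advisory.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'2.3.31' -> (2, 3, 31). Tuple comparison orders releases correctly,
    e.g. (2, 5, 10) < (2, 5, 10, 1) < (2, 5, 13), which string comparison would not."""
    return tuple(int(part) for part in text.strip().split("."))


# Advisory feed in this example's own format. Ranges are inclusive (first, last affected).
# Version data below is the example author's reading of the Apache advisories: verify
# against the vendor advisory before relying on it.
ADVISORIES = [
    {"cve": "CVE-2017-5638", "component": "struts2-core",
     "affected": [("2.3.5", "2.3.31"), ("2.5", "2.5.10")],
     "fixed": ["2.3.32", "2.5.10.1"]},
    {"cve": "CVE-2017-9805", "component": "struts2-core",
     "affected": [("2.1.2", "2.3.33"), ("2.5", "2.5.12")],
     "fixed": ["2.3.34", "2.5.13"]},
]


def is_affected(version: str, ranges: List[Tuple[str, str]]) -> bool:
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)


def nearest_fix(version: str, fixed: List[str]) -> str:
    """Smallest fixed release on the same minor branch as the installed one (least
    disruptive upgrade); falls back to the newest fixed release if the branch has none."""
    v = parse_version(version)
    same_branch = [f for f in fixed
                   if parse_version(f)[:2] == v[:2] and parse_version(f) > v]
    if same_branch:
        return min(same_branch, key=parse_version)
    return max(fixed, key=parse_version)


def exposed_components(inventory: Dict[str, List[Tuple[str, str]]]) -> List[Dict[str, str]]:
    """inventory: app name -> [(component, version), ...], i.e. the open source bill of
    materials the deck says most organisations lack. Returns one row per (app, component,
    CVE) match, so the same component can appear once per advisory it is exposed to."""
    hits = []
    for app, components in inventory.items():
        for component, version in components:
            for adv in ADVISORIES:
                if adv["component"] == component and is_affected(version, adv["affected"]):
                    hits.append({"app": app, "component": component, "version": version,
                                 "cve": adv["cve"],
                                 "upgrade_to": nearest_fix(version, adv["fixed"])})
    return hits


# Constructed sample inventory (not real data): three applications, one of them already
# on a fixed release.
SAMPLE_INVENTORY = {
    "customer-portal": [("struts2-core", "2.3.24"), ("commons-lang3", "3.5")],
    "partner-api": [("struts2-core", "2.5.13")],
    "hr-intranet": [("struts2-core", "2.3.33")],
}

if __name__ == "__main__":
    for hit in exposed_components(SAMPLE_INVENTORY):
        print(hit)
```

Re-running this against the advisory list each day, rather than waiting for NVD, is the "lessen the gap" step; the output is the work list for the patch owners.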
Application Security - must have
• Application security includes measures taken to
monitor and control flaws in the design,
development, deployment, upgrade, or
maintenance of the application.
• The primary focus is on layer 7 of the OSI model.
• Secure Code Assessments [SCA] should be part of
an organization's or vendor's software (or system)
development life-cycle (SDLC), and even of
CI/CD (Continuous Integration / Continuous
Deployment) pipelines.
• Monitor and try to control GitHub, Bitbucket and
other software code repositories, from
which developers may obtain insecure code,
malware, etc.
Application Security - must have
• A key component of application security should be for developers and their
managers to be aware of:
1. SCA (Secure Code Assessments) requirements,
2. common threats, and quarterly/frequent SAST assessments on existing in-house & 3rd-party apps,
3. effective countermeasures.
• Application security knowledge and maturity are significantly lower today than
traditional network security, which is emphasized in my presentation.
The Reason:
We all know
What is SAST (Static Application Security Testing)
SAST is a set of technologies designed to analyze application source code, byte code
and binaries for code and design conditions that are indicative of security vulnerabilities.
SAST solutions analyze an application from the "inside out" in a non-running state.
SAST has been emerging in India, and has now become a reality. Secure Code
Assessment [SCA] is the solution with which organizations are now going ahead, to
save time and money.
SAST (Static Application Security Testing)
Static Application Security Testing (SAST) – SAST solutions such as Source Code
Analysis (SCA) have the flexibility needed to perform in all types of SDLC
methodologies.
SAST solutions can be integrated directly into the development environment. This
enables developers to monitor their code constantly. Scrum Masters and Product
Owners can also regulate security standards within their development teams and
organizations. This leads to quick mitigation of vulnerabilities and enhanced code
integrity. Thus an organization can save a lot of TIME, effort and MONEY.
Here is a basic overview of the difference between SAST and DAST usage:
Approach of the common SCA tools
1. A customer provides code, the binary portion of an application, or a URL.
2. The tool performs a thorough security test (dynamic, static or mobile) of the application or website.
3. The customer studies the results and remediates the found vulnerabilities, as per the provided reports and analysis.
For SAST, Secure Code Assessment (SCA) is nowadays widely performed using open source
technologies and licensed SAST/DAST software, since organizations have understood
its importance at an early stage (Development and QA) and how it saves time and
money, instead of being liable for losses in the millions later.
Secure Programming Techniques:
An Abstract View of Program
• Avoid buffer overflow
• Secure software design
• Language-specific problems
• Application-specific issues
Program component: validate input, respond judiciously, call other code carefully.
Just remember these very basic things :
1. Validate all your inputs
• Command line inputs, environment variables, CGI inputs, …
• Don't just reject “bad” input, define “good” and reject all else
2. Avoid buffer overflow
3. Carefully call out to other resources
• Check all system calls and return values
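The first of the three basics above ("define good and reject all else"), as an added example that is not from the deck: an allow-list validator for command-line, environment and CGI-style inputs, with a deny-list version beside it to show what "reject bad input" misses. The field names and the rules for each field are this example's own assumptions.

```python
import re
from typing import Dict, Optional

# Allow-list rules: each says exactly what "good" looks like; everything else is rejected.
# re.fullmatch is used deliberately: re.match with a trailing '$' would still accept
# "alice\n", because '$' also matches just before a final newline.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,15}")
ALLOWED_FORMATS = frozenset({"csv", "json"})
PORT_RANGE = range(1024, 65536)


def validate_username(raw: str) -> Optional[str]:
    return raw if USERNAME_RE.fullmatch(raw) else None


def validate_port(raw: str) -> Optional[int]:
    # isascii()+isdigit() rejects signs, spaces, "0x.." and non-ASCII digits before
    # int() ever sees the value.
    if not (raw.isascii() and raw.isdigit()):
        return None
    port = int(raw)
    return port if port in PORT_RANGE else None


def validate_format(raw: str) -> Optional[str]:
    return raw if raw in ALLOWED_FORMATS else None


# Deny-list for comparison: it enumerates "bad" characters and therefore misses the
# ones nobody thought of (a newline, a NUL byte, look-alike Unicode characters...).
BAD_CHARS = frozenset(";|&`")


def denylist_username(raw: str) -> Optional[str]:
    return None if any(c in BAD_CHARS for c in raw) else raw


VALIDATORS = {"user": validate_username, "port": validate_port, "fmt": validate_format}


def validate_request(params: Dict[str, str]) -> Dict[str, object]:
    """Validate a whole set of inputs (command-line options, environment variables or
    CGI query parameters) field by field. Unknown fields are rejected as well, so a
    parameter the program does not expect cannot reach it unnoticed. Every failing
    field is reported at once, which is what a developer fixing the caller wants."""
    clean: Dict[str, object] = {}
    rejected = []
    for key, check in VALIDATORS.items():
        value = check(params.get(key, ""))
        if value is None:
            rejected.append(key)
        else:
            clean[key] = value
    unknown = sorted(set(params) - set(VALIDATORS))
    if rejected or unknown:
        raise ValueError(f"rejected fields: {rejected}, unexpected fields: {unknown}")
    return clean


if __name__ == "__main__":
    # Constructed sample request, e.g. parsed from argv or a CGI query string.
    print(validate_request({"user": "alice_01", "port": "8080", "fmt": "csv"}))
```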
Secure Programming Techniques: An Abstract View of Program
Compartmentalization :
1. Divide system into modules
a) Each module serves a specific purpose
b) Assign different access rights to different modules
• Read/write access to files
• Read user or network input
• Execute privileged instructions (e.g., Unix root)
2. Principle of least privilege
• Give each module only the rights it needs
Defense in Depth
• Failure is unavoidable – plan for it
• Have a series of defenses
• If an error or attack is not caught by one mechanism, it should be caught by another
• Example: Firewall + network intrusion detection
Fail securely
• Many, many vulnerabilities are related to error handling, debugging or testing features,
error messages
Keep it Simple
• Use standard, tested components. Don't implement your own cryptography
• Don't add unnecessary features. Extra functionality → more ways to attack
• Use simple algorithms that are easy to verify
RISKS - Your Application may have multiple risks
• Unauthorized access to your company data or
sensitive customer data.
• Theft of sensitive data to conduct identity theft, credit
card fraud or other crimes
• Potential damage to your brand
• Defacement of your websites
• Manipulation of data, impacting data integrity, quality
and the organization's reputation
RISKS - Your Application may have multiple risks (contd.)
• Denial of service; availability of data
• Redirection of users to malicious web sites; phishing
and malware distribution
• Attackers can assume valid user identities
• Access to hidden web pages using forged URLs
• Attacker's hostile data can trick the interpreter into
executing unintended commands
• Development teams' negligence in handling
application security while coding.
Understand Attack surface to your Application
Your existing known Software
Common Considerations
• Lots of monetary or brand value flows through them
• Compliance requirements (e.g. PCI, HIPAA, FFIEC, etc.)
• Formal SLAs with customers
• You've had one or more previous security incidents (or near misses)
This includes :-
• Critical legacy systems
• Notable web applications
To assess application security, many organizations focus on obvious software resources,
but overlook their overall inventory of applications and code from less obvious sources
when they analyze their assets.
Understand Attack surface to your Application
Consider the rest of the Web Applications Your Organization Actually Develops and Maintains
(Internal and 3rd party both)
You may miss some of these Analysis points :-
• Lack of knowledge, overlooked or forgot they were there
• Line of business procured through non-standard channels
• Added through a merger or acquisition
• Believed to be retired but still active
This includes :-
• Line of business applications
• Event-specific applications, e.g. holiday apps, sales support, open enrollments
Understand Attack surface to your Application
Add In your new Software You Bought from Somewhere
You may miss some of these Analysis points :-
• Automated scanners are good at finding web applications. Non-web, not so much.
• Contract language or un-validated assumptions that the application vendor has security "covered"
This includes –
• Less known or utilized line of business applications
• Support applications
• Infrastructure applications
Understand Attack surface to your Application
Mobile / Cloud based
You may miss some of these Analysis points :-
• Decentralized procurement
• Ineffective security policies
• Use of prohibited software
• Lack of awareness
This includes :-
• Support for line of business functions
• General marketing and promotion
• Financial analysis applications
• Software as a Service (SaaS)
• Mobile applications
• User procured software
Attack Surface:
The Security Officer's and Auditor's Perspective
As perception of the problem of attack surface grows, the scope of the problem
increases – or, the more you know, the more you need to assess. This may also
include public facing, intranet, or both.
[Diagram: Perception vs Insight across Web Applications, Mobile Applications,
Cloud Applications and Services, Client-Server Applications, Desktop Applications]
Value and Risks are not equally distributed
• Some applications matter more than others
– Value and character of data being managed
– Value of the transactions being processed
– Cost of downtime and breaches
• Thus, all applications should not be treated the
same
– Allocate different levels of resources for assurance
– Select different assurance activities ( Application wise)
– Also, compliance and regulatory requirements must often be addressed
– Also check, verify and document the quarterly, half-yearly, yearly and external audits
done on threats and mitigations for all the applications
Application Security and Network Security issues
are to be handled differently
Technical Rationale
A Non-Technical Rationale
Mean Time to Fix (MTTF)
• A 2013 industry study from White Hat Security revealed that the
“Mean Time to Fix” for web application flaws categorized as
“serious” averaged 193 days across all industries.
• In a similar study from Veracode, 70% of 22,430 applications
submitted to their testing platform in 2012 contained
exploitable security vulnerabilities
• Take strict action on your internal and 3rd-party applications as
well.
• Follow up so that Critical & High vulnerabilities are resolved
within the 1st quarter or 2 (90 to 180 days) only.
• Initially we can target Medium and Low, and the Info
& Best-practice type of suggested vulnerabilities, to be
resolved within the 1st quarter to 3 (90 to 270 days).
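An added example, not from the deck: a small tracker that computes the deck's Mean Time to Fix per severity from a constructed findings export and flags findings that have exceeded the remediation windows above, including ones still open. The application names, dates and the per-severity split of the 90-180 / 90-270 day bands are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# SLA targets in days. The deck gives "90 to 180 days" for Critical & High and
# "90 to 270 days" for Medium, Low and Info; how those bands are split per severity
# below is an assumption made for this example.
SLA_DAYS = {"Critical": 90, "High": 180, "Medium": 180, "Low": 270, "Info": 270}


@dataclass(frozen=True)
class Finding:
    app: str
    severity: str
    reported: date
    fixed: Optional[date] = None  # None while the finding is still open


def days_open(f: Finding, today: date) -> int:
    """Age of a finding: reported -> fixed, or reported -> today while still open."""
    return ((f.fixed or today) - f.reported).days


def mean_time_to_fix(findings: List[Finding], today: date) -> Dict[str, float]:
    """MTTF per severity over closed findings only (open ones have no fix date yet)."""
    totals: Dict[str, int] = {}
    counts: Dict[str, int] = {}
    for f in findings:
        if f.fixed is None:
            continue
        totals[f.severity] = totals.get(f.severity, 0) + days_open(f, today)
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return {sev: totals[sev] / counts[sev] for sev in totals}


def sla_breaches(findings: List[Finding], today: date) -> List[str]:
    """Findings that exceeded their SLA. Open findings are measured against today, so a
    breach shows up while it is still happening rather than only after closure."""
    return [f"{f.app}/{f.severity}" for f in findings
            if days_open(f, today) > SLA_DAYS[f.severity]]


def open_longer_than(findings: List[Finding], today: date, days: int = 180) -> List[str]:
    """The management question from the deck: what has been exposed for more than six months?"""
    return [f"{f.app}/{f.severity}" for f in findings
            if f.fixed is None and days_open(f, today) > days]


# Constructed sample tracker export (not real data).
TODAY = date(2017, 9, 1)
SAMPLE = [
    Finding("customer-portal", "Critical", date(2017, 3, 10), date(2017, 5, 9)),   # 60 days, in SLA
    Finding("customer-portal", "Critical", date(2017, 1, 15), date(2017, 5, 15)),  # 120 days, breach
    Finding("partner-api", "High", date(2017, 2, 1), date(2017, 6, 1)),            # 120 days, in SLA
    Finding("customer-portal", "Medium", date(2016, 10, 1)),                        # open 335 days, breach
    Finding("partner-api", "Low", date(2017, 6, 1)),                                # open 92 days, in SLA
]

if __name__ == "__main__":
    print("MTTF per severity:", mean_time_to_fix(SAMPLE, TODAY))
    print("SLA breaches:", sla_breaches(SAMPLE, TODAY))
    print("Open > 6 months:", open_longer_than(SAMPLE, TODAY))
```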
Mean Time to Fix (MTTF)
• How would you report to your management that a “serious”
and likely exploitable vulnerability was present on your primary
public facing web site or a 3rd party hosted portal for more than
six months?
• Verizon’s 2013 Breach Report says 90% of attacks last year were
perpetrated by outsiders and 52% used some form of hacking.
How does this help you explain application risk?
• Check whether the Application Security Analysts, Information
Security Analysts, Software Testers and Quality Analysts are armed,
prepared and utilized with knowledge and practice of FISMA, SANS and PCI-DSS
security implementation, as per compliance and world standards.
• As a proactive measure, go for the right tools for Secure Code
Assessment / Review for quarterly, half-yearly and yearly
assessments, without depending on and waiting for external
assessments/audits.
No Automated Scanner can find all Vulnerabilities-
You have to use your brain
• There is no “silver bullet” for identifying application security
vulnerabilities. There are different classes of tools ranging
from static code scanners that assess the code to dynamic
scanners that analyze logic and data flow. Generally, 30% to
40% of vulnerabilities can be identified by scanners; the
remainder are uncovered by other means.
• Manual testing allows an informed and experienced tester to
attempt to manipulate the application, escalate privileges or
get the application to operate in a way it was not designed to
do.
• But wait, there's more…
Common Application Test methods
• Unauthenticated Automated Scan
• Authenticated Automated Scan
• Automated Source Code Scanning
• Manual Source Code Review
• Blind Penetration Testing
• Informed Manual Testing
• Automated Binary Analysis
• Manual Binary Analysis
Application security goes well beyond simply running a
scanning tool. For critical or high value applications, or
those that process sensitive data, thorough testing may
actually include a combination of several methods.
The Secure Code Review Metrics
• Decide what to measure
• Set the minimum benchmark
• Define reporting requirements to Management, and customers.
• Use a hybrid approach to integrating standards into your SDLC model of
choice.
• Map metrics to a certain level of completion and security testing and
monitoring programs.
• Communicate, Co-ordinate, Document all the components related to your
Secure SDLC before initiating a Secure Code Assessment Program.
• Have a definite approach with Management and team consensus to
successfully achieve your goals in this Secure Code Review.
Metrics by SDLC Phase (General Model)
SDLC Phase: Requirements
Secure Code Metrics:
• Percentage of security requirements given in project specifications.
• Percentage of security requirements subject to cost/benefit and risk analysis.
• Percentage of security requirements which are considered in threat models.
SDLC Phase: Design
Secure Code Metrics:
• Percentage of design components subjected to attack surface analysis.
• Percentage of security controls that are covered by security design patterns.
• Percentage of security controls which pose an architectural risk.
SDLC Phase: Implementation (Coding)
Secure Code Metrics:
• Percentage of application components subject to manual and/or automated source code review.
• Percentage of code deficiencies detected during peer reviews.
• Percentage of application components subject to code integrity/signing procedures.
SDLC Phase: Verification (Testing)
Secure Code Metrics:
• Percentage of common weaknesses and exposures detected per requirement specification.
• Percentage of security controls within the application that met the required specification for software assurance.
But then, where is the problem?
• You cannot bring all the code & developers to a centralized area to resolve everything at once.
• Good things need time, strategy and resources to implement in a structured manner.
• Consensus building across multiple business areas is not easy.
• Training & updating all developers every time.
• Centralizing source code analysis is problematic.
• Finding the right reporting metrics for Senior Management is critical to project success.
For this,
I have a solution
Application Security – Define your and your Auditors' basic role
Information Security Professionals
• Promote SCA awareness in your organization.
• Confirm that application security testing is part of your overall security program.
• Demand that all applications developed by 3rd parties be tested and remediated in the Dev & QA stage, prior to being placed in production.
• Get all developers and their managers trained on SCA, as Prevention is better than cure, thus saving TIME and MONEY of your organization at the initial stage itself.
IT Auditors
• Be an FPG - Friend, Philosopher & Guide with the Organization to meet the standards & compliances.
• Influence your Chief Audit Executive to include SCA in the organization's annual risk assessment.
• Increase your relevance and value to your organization by identifying risks associated with poorly coded applications.
• Conduct a simple initial audit to assess what controls are in place.
• Conduct a subsequent audit to determine the effectiveness of those controls; measure MTTF.
• Consider the standards and compliances such as FISMA/SANS/PCI-DSS etc.
• Obtain and review the SDLC from a security perspective as Secure SDLC, even in case of CI/CD (Continuous Integration / Continuous Deployment) environments.
Tools and Resources
• Open Software Assurance Maturity Model (OpenSAMM) – A
freely available open source framework that organizations can
use to build and assess their software security programs
www.opensamm.org
• The Open Web Application Security Project (OWASP) – Worldwide
not-for-profit organization focused on improving the security of
software. Source of valuable free resources www.owasp.org
• Open Source or Low Cost Application Security Scanners – OWASP
Zed Attack Proxy (ZAP), w3af, Mavituna Netsparker, Websecurify,
Wapiti, N-Stalker, SkipFish, Scrawlr, Acunetix, and many more to
do basic discovery work
• Also consider surveying licensed tools like Fortify,
Checkmarx, Veracode, and many such tools & resources,
comparing their best features against your needs.
• Your study towards the right tools depends on your requirements.
The OWASP Top 10 For 2013
• A1 Injection
• A2 Broken Authentication and Session Management
• A3 Cross-Site Scripting (XSS)
• A4 Insecure Direct Object References
• A5 Security Misconfiguration
• A6 Sensitive Data Exposure
• A7 Missing Function Level Access Control
• A8 Cross-Site Request Forgery (CSRF)
• A9 Using Components with Known Vulnerabilities
• A10 Unvalidated Redirects and Forwards
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Now you can also check the OWASP Top Ten 2017. It is also recommended to be
prepared to concentrate on the 2013 top 30, since the categories may change as
more vulnerabilities appear which you may need to concentrate on.
Example SCA Audit Work Program
Software Assurance Maturity Model (SAMM) Scorecard
Business Function   #    Security Practice/Phase     Level 1 Maturity   Activity A   Activity B
Governance          1    Strategy & Metrics          0.5                0            1
Governance          2    Policy & Compliance         0.5                0            1
Governance          3    Education & Guidance        0                  0            0
Construction        4    Threat Assessment           0                  0            0
Construction        5    Security Requirements       0.5                0            1
Construction        6    Secure Architecture         0                  0            0
Verification        7    Design Review               0.5                0            1
Verification        8    Code Review                 0                  0            0
Verification        9    Security Testing            0                  0            0
Deployment          10   Vulnerability Management    1                  1            1
Deployment          11   Environment Hardening       1                  1            1
Deployment          12   Operational Enablement      0                  0            0
SAMM Valid Maturity Levels
0 – Implicit starting point representing the activities in the Practice being unfulfilled
1 – Initial understanding and ad hoc provision of Security Practice
2 – Increase efficiency and/or effectiveness of the Security Practice
3 – Comprehensive mastery of the Security Practice at scale
Legend (Activity columns)
1 – Objective activity was met.
0 – Objective activity was not met.
Example SCA Audit Work Program-Test Plan
Example SCA Audit Work Program-Questionnaire
Example SCA Audit Work Program-Score Card
Basic requirements to understand in case of
Open Source Software or Licensed VM tools
– Support reporting, customization and usage as per FISMA, SANS, OWASP, PCI-DSS, etc.
– Support consolidation and de-duplication of imported results from scanner tools, manual
testing and threat modeling
– Provide extensive reports on application security status and trending over time
– Translate application vulnerabilities into software defects and push tasks to developers
in the tools and systems they are already using
– Create virtual Web Application Firewall (WAF) rules to help block malicious traffic while
vulnerabilities are being resolved. While your organization takes on remediation of your
applications, virtual patching helps guard against common vulnerabilities such as
Cross-Site Scripting (XSS) and SQL Injection.
– Compatible with a number of commercial and freely available dynamic and static scanning
technologies, SaaS testing platforms, IDS/IPS and WAFs, and defect trackers
– Recommended to have – a Virtual Application Scanner – which will allow audit and security
professionals to identify, track and report on application security vulnerabilities and
remediation activities/effectiveness.
– Should update their scan engine, vulnerability databases, support, facilities and services quarterly
– This may help fulfill our quarterly / half-yearly internal compliance, Information
Security Policies, security standards, frameworks and compliance – FISMA, SANS, PCI-DSS,
OWASP etc., as per the organization's convenience.
Queries / Suggestions welcome
Manoj Purandare
You can reach me for any further assistance and consulting in :
- SAST and DAST based vulnerabilities assessments and guidance.
- How to save yourself from Hacks
- Safeguarding your IT Assets
- Secure Code Assessments / Static Code Review
- Security testing for Information Assets, Network and applications.
- Security Audits for your Applications / Websites and Infosec too.
- Forensics and Investigation and Consulting
- Information Security Consulting.
- A query /suggestion in case of - Application Security / Information Security
My sincere acknowledgements and Special Thanks to all
1. My friend - Gaurav Batra, APAC, CISO, Mondelez International & CYBERFRAT
2. All the members of Vidyalankar Institute of Technology.
3. All the members of CYBERFRAT Team
4. All my friends in our Cyber FRAT Groups, renowned members of the Infosec, Security and
Investigations fields worldwide.
5. Websites: Owasp.org, blackducksoftware.com, Itcentralisation.com, and many other
important sites.
6. Joe Krull, Director, Denim Group
7. My colleagues, seniors, and all the members of Information Security Industry.
Thank you
Manoj Purandare
General Manager – Application Security – ACPL Systems Ltd.
manojypurandare@gmail.com, technicalmanoj@gmail.com
www.linkedin.com/in/manojypurandare
Mobile: 9820841115 / 1111

Enterprise Class Vulnerability Management Like A BossEnterprise Class Vulnerability Management Like A Boss
Enterprise Class Vulnerability Management Like A Boss
 
Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011
 
How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)
 
smpef
smpefsmpef
smpef
 
Research Paper
Research PaperResearch Paper
Research Paper
 

Plus de Manoj Purandare ☁

Plus de Manoj Purandare ☁ (10)

Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare- Stratergy towards an Effective Security Operations Centre -...
Manoj Purandare-  Stratergy towards an Effective Security Operations Centre -...Manoj Purandare-  Stratergy towards an Effective Security Operations Centre -...
Manoj Purandare- Stratergy towards an Effective Security Operations Centre -...
 
Manoj Purandare- Stratergy towards an Effective Security Operations Centre -...
Manoj Purandare-  Stratergy towards an Effective Security Operations Centre -...Manoj Purandare-  Stratergy towards an Effective Security Operations Centre -...
Manoj Purandare- Stratergy towards an Effective Security Operations Centre -...
 
Manoj Purandare- Stratergy towards an Effective Security Operations Centre -...
Manoj Purandare-  Stratergy towards an Effective Security Operations Centre -...Manoj Purandare-  Stratergy towards an Effective Security Operations Centre -...
Manoj Purandare- Stratergy towards an Effective Security Operations Centre -...
 
Manoj Purandare- Stratergy towards an Effective Security Operations Centre -...
Manoj Purandare-  Stratergy towards an Effective Security Operations Centre -...Manoj Purandare-  Stratergy towards an Effective Security Operations Centre -...
Manoj Purandare- Stratergy towards an Effective Security Operations Centre -...
 
Manoj Purandare- Stratergy towards an Effective Security Operations Centre -...
Manoj Purandare-  Stratergy towards an Effective Security Operations Centre -...Manoj Purandare-  Stratergy towards an Effective Security Operations Centre -...
Manoj Purandare- Stratergy towards an Effective Security Operations Centre -...
 
Manoj purandare - Strategy towards an Effective Security Operations Centre - SOC
Manoj purandare - Strategy towards an Effective Security Operations Centre - SOCManoj purandare - Strategy towards an Effective Security Operations Centre - SOC
Manoj purandare - Strategy towards an Effective Security Operations Centre - SOC
 
Manoj purandare Stratergy towards an effective soc
Manoj purandare   Stratergy towards an effective socManoj purandare   Stratergy towards an effective soc
Manoj purandare Stratergy towards an effective soc
 
Manoj purandare - Stratergy towards an Effective Security Operations Centre -...
Manoj purandare - Stratergy towards an Effective Security Operations Centre -...Manoj purandare - Stratergy towards an Effective Security Operations Centre -...
Manoj purandare - Stratergy towards an Effective Security Operations Centre -...
 

Dernier

➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men 🔝mehsana🔝 Escorts...
➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men  🔝mehsana🔝   Escorts...➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men  🔝mehsana🔝   Escorts...
➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men 🔝mehsana🔝 Escorts...
nirzagarg
 
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
Chandigarh Call girls 9053900678 Call girls in Chandigarh
 
💚😋 Bilaspur Escort Service Call Girls, 9352852248 ₹5000 To 25K With AC💚😋
💚😋 Bilaspur Escort Service Call Girls, 9352852248 ₹5000 To 25K With AC💚😋💚😋 Bilaspur Escort Service Call Girls, 9352852248 ₹5000 To 25K With AC💚😋
💚😋 Bilaspur Escort Service Call Girls, 9352852248 ₹5000 To 25K With AC💚😋
nirzagarg
 
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
nilamkumrai
 
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
dharasingh5698
 
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
@Chandigarh #call #Girls 9053900678 @Call #Girls in @Punjab 9053900678
 

Dernier (20)

Al Barsha Night Partner +0567686026 Call Girls Dubai
Al Barsha Night Partner +0567686026 Call Girls  DubaiAl Barsha Night Partner +0567686026 Call Girls  Dubai
Al Barsha Night Partner +0567686026 Call Girls Dubai
 
Microsoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck MicrosoftMicrosoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck Microsoft
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 
➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men 🔝mehsana🔝 Escorts...
➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men  🔝mehsana🔝   Escorts...➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men  🔝mehsana🔝   Escorts...
➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men 🔝mehsana🔝 Escorts...
 
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
 
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
 
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort ServiceBusty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
 
💚😋 Bilaspur Escort Service Call Girls, 9352852248 ₹5000 To 25K With AC💚😋
💚😋 Bilaspur Escort Service Call Girls, 9352852248 ₹5000 To 25K With AC💚😋💚😋 Bilaspur Escort Service Call Girls, 9352852248 ₹5000 To 25K With AC💚😋
💚😋 Bilaspur Escort Service Call Girls, 9352852248 ₹5000 To 25K With AC💚😋
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
 
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
 
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready ...Nanded City ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
 
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
 
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
 
Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...
Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...
Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...
 
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
 
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
 

Manoj Purandare - Application Security - Secure Code Assessment Program - Prevention is better than Cure

1. Secure Code Assessments [SCA]: Prevention is better than Cure (Part 1 of 3)
CyberFrat presentation by Manoj Purandare, General Manager – Application Security, ACPL Systems Ltd., India.
CISSP, PMP, PgMP, Cyber Crime Analyst, ITIL, PCI-DSS Security Implementer; 25 years of IT and information security experience.
3. Application Security – Source Code Assessment topics
• Current scenario – SAST (Static Application Security Testing)
• Equifax and other stories to learn from
• Application security must-haves: SAST planning
• What SAST and Secure Code Assessment [SCA] are
• Secure programming techniques – an abstract view
• Your vulnerable application may carry multiple risks
• Understanding the attack surface of your applications
• Secure code review metrics
• Application security must be part of annual risk assessments
• Tools and resources to assess and audit application security and SCA maturity
• Your future – prevention is better than cure: start SCA
4. Application or software, and its security?
Compare it to avoiding daily junk food and eating good food, with regular exercise or yoga, so that the body produces good ideas and positive action. But even good food may be impure, or mixed with unwanted ingredients that make the body ill, so we need control over our eating habits to keep the impurities out. The same holds for the code an application is built from. How?
• Stay current – use the latest security tools
• Stay updated – apply the latest patches and fixes
• Stay secure – always monitor and control
5. Before starting with application security
• By June 2017, only half-way into the year, over 790 U.S. data breaches had already been reported according to the Identity Theft Resource Center (ITRC): a half-year record and a 29% jump over the same period in 2016. 63% of those breaches were caused by cyber attacks.
• Since more than 80% of cyber attacks target applications, a strong application security program is vital. An application security tool helps your development team identify security vulnerabilities, and fix them, before an attacker finds them.
• The Equifax breach and similar incidents of the past three years raise doubts about our own applications and about the third-party applications we use. The root problem was a lack of visibility into where Apache Struts was in use. See CVE-2017-5638 and CVE-2017-9805.
6. Current example of a security breach (in short)
• Equifax, like many companies, has a large portfolio of applications. As the OSSRA (Open Source Security and Risk Analysis) report shows, most companies do a poor job of tracking open source, so unless Equifax had deployed something like Black Duck Hub they probably had no complete and reliable inventory of the open source components in their applications.
• When the vulnerability was disclosed in March 2017, it is therefore likely that they did not know they were at risk, even if their security team was aware of the vulnerability. Put simply, they were flying blind.
• Exploits for CVE-2017-5638 were widely available and in active use almost immediately after disclosure, so Equifax entered a period of very high risk without knowing it, at the same time that attackers were actively scanning and probing for vulnerable websites and applications.
• If this is the case, the door was "unlocked" until they discovered the breach more than four months later.
7. So what can companies learn from this?
• Visibility is critical. You cannot protect what you do not know is in your code. Without a complete inventory of the open source your teams use, your applications are at risk.
• Open source vulnerability management must be automated and tightly integrated into development and DevOps tools and processes. You are only as secure as your weakest link; only by scanning all code before it goes into production can you be confident the weak links are addressed.
• Shorten the gap between (a) when a vulnerability is reported and (b) when you patch or mitigate it. More than 10 new open source vulnerabilities are reported every day, and you cannot rely on the National Vulnerability Database (NVD) for early warning: at the time of this presentation, exploits were already available for the latest Struts vulnerability (CVE-2017-9805) while NVD still had no data for it, and research shows it takes an average of three weeks for a vulnerability to be documented in NVD. Independent organizations such as Black Duck monitor and research vulnerabilities from hundreds of sources so they can provide same-day alerts for issues like CVE-2017-9805.
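Slides 6 and 7 make the case that the first control is an inventory of open source components checked against known-vulnerable versions. The following Python script is an added example written for this page, not code from the presentation or from any vendor's product: it reads a constructed Maven pom.xml embedded inline (resolving the usual `${property}` version indirection) and matches the two Struts CVEs the deck cites against the affected ranges published in the Apache Struts bulletins S2-045 (CVE-2017-5638: 2.3.5 to 2.3.31 and 2.5 to 2.5.10) and S2-052 (CVE-2017-9805: 2.1.2 to 2.3.33 and 2.5 to 2.5.12). The mapping of each CVE to the artifact that carries the vulnerable code (struts2-core and struts2-rest-plugin) and the sample POM are this example's assumptions; a real inventory would feed the same matching from a lock file or SBOM and a continuously updated advisory feed.

```python
import xml.etree.ElementTree as ET

# Affected version ranges (inclusive), taken from the Apache Struts security
# bulletins S2-045 and S2-052.  Mapping each CVE to the artifact that carries the
# vulnerable code is this example's assumption; it is not part of the original deck.
ADVISORIES = [
    ("CVE-2017-5638", "org.apache.struts", "struts2-core",
     [("2.3.5", "2.3.31"), ("2.5", "2.5.10")]),
    ("CVE-2017-9805", "org.apache.struts", "struts2-rest-plugin",
     [("2.1.2", "2.3.33"), ("2.5", "2.5.12")]),
]

# Constructed sample POM (not a real project).  The Struts version is held in a
# property, which is how most real POMs declare it and where naive greps miss it.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>customer-portal</artifactId>
  <version>1.0</version>
  <properties>
    <struts.version>2.3.30</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-rest-plugin</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.5</version>
    </dependency>
  </dependencies>
</project>
"""


def _local(tag):
    """Strip the XML namespace: '{http://...}dependency' -> 'dependency'."""
    return tag.rsplit("}", 1)[-1]


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1).  Tuples compare component-wise, so
    (2, 5) < (2, 5, 10) < (2, 5, 10, 1), which is what the fix-version
    boundaries in the bulletins need.  Non-numeric qualifiers are ignored."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def in_range(version, low, high):
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def pom_dependencies(pom_xml):
    """Return [(groupId, artifactId, resolvedVersion), ...] from a POM string."""
    root = ET.fromstring(pom_xml)
    props = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            for prop in el:
                props[_local(prop.tag)] = (prop.text or "").strip()
    deps = []
    for el in root.iter():
        if _local(el.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        version = fields.get("version", "")
        if version.startswith("${") and version.endswith("}"):
            # Resolve ${struts.version} via <properties>; leave unknown refs as-is
            version = props.get(version[2:-1], version)
        deps.append((fields.get("groupId", ""), fields.get("artifactId", ""), version))
    return deps


def find_known_vulns(deps, advisories=ADVISORIES):
    """Match every dependency against every advisory; return (artifact, version, CVE) hits."""
    hits = []
    for group, artifact, version in deps:
        for cve, adv_group, adv_artifact, ranges in advisories:
            if (group, artifact) != (adv_group, adv_artifact):
                continue
            if any(in_range(version, low, high) for low, high in ranges):
                hits.append((artifact, version, cve))
    return hits


if __name__ == "__main__":
    for artifact, version, cve in find_known_vulns(pom_dependencies(SAMPLE_POM)):
        print(f"{artifact} {version}: affected by {cve}")
```

Run against the sample, the script reports both Struts artifacts at 2.3.30 and stays silent on commons-lang3. The boundary cases matter: 2.5.10 is inside the S2-045 range while the fix release 2.5.10.1 is not, which is why versions are compared as tuples rather than as strings or floats.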
8. Application security – must-haves
• Application security covers the measures taken to monitor and control flaws in the design, development, deployment, upgrade and maintenance of an application.
• The primary focus is layer 7 of the OSI model.
• Secure Code Assessments [SCA] should be part of the organization's or vendor's software (or system) development life cycle (SDLC), including CI/CD (continuous integration / continuous deployment) pipelines.
• Monitor, and try to control, GitHub, Bitbucket and other code repositories from which developers may pull insecure code, malware and the like.
9. Application security – must-haves (continued)
• A key component of application security is that developers and their managers are aware of:
  1. SCA (Secure Code Assessment) requirements;
  2. common threats, and quarterly or otherwise frequent SAST assessments of existing in-house and third-party applications;
  3. effective countermeasures.
• Application security knowledge and maturity is today significantly lower than that of traditional network security, which is the point this presentation emphasizes. The reason: we all know it.
10. What is SAST (Static Application Security Testing)?
SAST is a set of technologies that analyze application source code, byte code and binaries for coding and design conditions indicative of security vulnerabilities. SAST solutions analyze an application from the "inside out", in a non-running state. SAST has been emerging in India and has now become a reality: Secure Code Assessment [SCA] is the approach organizations are adopting to save time and money.
11. SAST (Static Application Security Testing)
SAST solutions such as source code analysis tools (the slide also abbreviates this "SCA"; note that in vendor literature SCA more often means Software Composition Analysis, the open-source inventory of slide 7) have the flexibility to work in all SDLC methodologies, and can be integrated directly into the development environment, which lets developers check their code continuously. Scrum masters and product owners can also enforce security standards within their teams and organizations. The result is faster mitigation of vulnerabilities and better code integrity, which saves the organization a great deal of time, effort and money. The basic difference from DAST (Dynamic Application Security Testing): SAST inspects the code without running it, while DAST exercises the running application from the outside, as an attacker would, without access to the source.
12. Approach of the common SCA tools
1. The customer provides source code, the binary portion of the application, or a URL.
2. The tool runs a thorough security test (static, dynamic or mobile) of the application or website.
3. The customer studies the results and remediates the vulnerabilities found, using the reports and analysis provided.
For SAST, Secure Code Assessment (SCA) is now widely practiced with open source technologies as well as licensed SAST/DAST products, because organizations have understood the value of finding defects early (in development and QA): it saves time and money rather than leaving them liable for losses in the millions later.
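Slides 10 to 12 describe SAST as analyzing code "inside out" in a non-running state. The following Python script is an added illustration of what one such rule set looks like, written for this page and not taken from the presentation or from any product: it parses a constructed sample module with the standard library's ast module and flags a hard-coded credential, calls to os.system / eval / exec / pickle.loads, and subprocess calls with shell=True, reporting line numbers the way a scanner's findings report would. The sample source and the rule table are this example's assumptions.

```python
import ast

# Constructed sample module (not from the original page).  Everything inside
# `run` and `load` is written to be flagged; `safe` is written to be left alone.
SAMPLE_SOURCE = '''
import os, subprocess, pickle
PASSWORD = "hunter2"
def run(cmd):
    os.system("ls " + cmd)
    subprocess.call(cmd, shell=True)
    return eval(cmd)
def load(blob):
    return pickle.loads(blob)
def safe(cmd):
    return subprocess.run(["ls", "--", cmd], shell=False, check=True)
'''

# Rule table (this example's assumption, not a product's rule set)
DANGEROUS_CALLS = {
    "os.system": "OS command execution",
    "eval": "dynamic code evaluation",
    "exec": "dynamic code execution",
    "pickle.loads": "deserialization of untrusted data",
}
SUBPROCESS_FUNCS = {"subprocess.call", "subprocess.run", "subprocess.Popen",
                    "subprocess.check_output", "subprocess.check_call"}
SECRET_NAME_PARTS = ("password", "passwd", "secret", "api_key", "token")


def dotted_name(node):
    """'os.system' for Attribute(Name('os'), 'system'); 'eval' for Name('eval'); else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class Rules(ast.NodeVisitor):
    """Walks the syntax tree once and records (line, name, description) findings."""

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        name = dotted_name(node.func)
        if name in DANGEROUS_CALLS:
            self.findings.append((node.lineno, name, DANGEROUS_CALLS[name]))
        elif name in SUBPROCESS_FUNCS:
            for kw in node.keywords:
                # Only a literal True is flagged; shell=some_flag would need data-flow analysis
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.findings.append((node.lineno, name, "subprocess with shell=True"))
        self.generic_visit(node)

    def visit_Assign(self, node):
        value = node.value
        if isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value:
            for target in node.targets:
                if isinstance(target, ast.Name) and any(p in target.id.lower() for p in SECRET_NAME_PARTS):
                    self.findings.append((node.lineno, target.id, "hard-coded secret"))
        self.generic_visit(node)


def scan(source):
    """Return findings sorted by line: [(lineno, name, description), ...]."""
    rules = Rules()
    rules.visit(ast.parse(source))
    return sorted(rules.findings)


if __name__ == "__main__":
    for lineno, name, desc in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {name}: {desc}")
```

The last function in the sample, which passes an argv list with shell=False, is deliberately not flagged. Just as deliberately, the rules only recognize the dotted names as written: `from os import system` or `s = subprocess.call; s(cmd, shell=True)` would slip past them, which is the gap that import resolution and data-flow analysis in a full SAST tool exist to close, and part of why slide 26 warns that scanners find only a fraction of the flaws.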
13. Secure programming techniques: an abstract view of a program
Topics: avoiding buffer overflows, secure software design, language-specific problems, application-specific issues.
For each program component: validate input, respond judiciously, call other code carefully.
Remember these basic things:
1. Validate all your inputs: command-line arguments, environment variables, CGI inputs, and so on. Do not just reject "bad" input; define what "good" input looks like and reject everything else.
2. Avoid buffer overflows.
3. Call out to other resources carefully: check every system call and its return value.
14. Secure programming techniques: an abstract view of a program (continued)
Compartmentalization:
1. Divide the system into modules. Each module serves a specific purpose, and different modules get different access rights: read/write access to files, reading user or network input, executing privileged instructions (e.g. as Unix root).
2. Principle of least privilege: give each module only the rights it needs.
Defense in depth:
• Failure is unavoidable, so plan for it. Have a series of defenses, so that an error or attack not caught by one mechanism is caught by another (for example, a firewall plus network intrusion detection).
• Fail securely. Many, many vulnerabilities are related to error handling, debugging or testing features, and error messages.
Keep it simple:
• Use standard, tested components. Don't implement your own cryptography.
• Don't add unnecessary features: extra functionality means more ways to attack.
• Use simple algorithms that are easy to verify.
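Slides 13 and 14 list the rules; the following Python module is an added example that applies them to one small component, written for this page and not drawn from the presentation. It defines "good" input for a report name with an allowlist and rejects everything else, invokes another program with an argument vector rather than a shell string, checks the return code instead of assuming success, and fails closed on any error. The report-name format, the stand-in external program (the Python interpreter itself, so the example runs anywhere) and the sample inputs are this example's assumptions; the buffer-overflow rule on slide 13 applies to languages with unchecked buffers and has no Python equivalent here.

```python
import re
import subprocess
import sys

# Allowlist: say what "good" looks like and reject all else (slide 13, rule 1).
# fullmatch() is used on purpose: a '$'-anchored search would still accept a
# trailing newline, which is exactly the kind of byte that reaches other code.
REPORT_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}")


class RejectedInput(ValueError):
    """Raised for anything outside the allowlist; callers treat it as a hard stop."""


def validate_report_name(raw):
    if not isinstance(raw, str) or REPORT_NAME.fullmatch(raw) is None:
        raise RejectedInput("report name rejected by allowlist")
    return raw


def is_valid_report_name(raw):
    try:
        validate_report_name(raw)
        return True
    except RejectedInput:
        return False


# Hypothetical renderer (this example's stand-in for an external tool): the
# current interpreter, which echoes its argument.  FAILING_RENDERER simulates a
# tool that exits non-zero so the fail-closed path can be exercised.
DEFAULT_RENDERER = [sys.executable, "-c", "import sys; print('report:' + sys.argv[1])"]
FAILING_RENDERER = [sys.executable, "-c", "import sys; sys.exit(3)"]


def render_report(name, renderer=DEFAULT_RENDERER):
    """Return (ok, text).  ok is True only when the input passed the allowlist AND
    the external program ran AND it exited 0 (slide 13, rule 3: check every call)."""
    try:
        name = validate_report_name(name)
    except RejectedInput as exc:
        return (False, str(exc))          # fail securely: reject, don't "clean up"
    try:
        proc = subprocess.run(renderer + [name],   # argv list, never a shell string
                              capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return (False, f"renderer did not run: {exc}")   # fail closed, not silently
    if proc.returncode != 0:
        return (False, f"renderer exited with status {proc.returncode}")
    return (True, proc.stdout.strip())


if __name__ == "__main__":
    for candidate in ["q3_sales-2017", "../../etc/passwd", "sales; id", "q3\n"]:
        print(repr(candidate), "->", render_report(candidate))
```

Because the command is an argv list, the semicolon in "sales; id" would be harmless even if it reached the call; it never does, because the allowlist rejects it first, which is the defense-in-depth point of slide 14. Note that the function reports failure in every error path and never returns a success tuple with empty content.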
15. Risks – your application may have multiple risks
• Unauthorized access to company data or sensitive customer data
• Theft of sensitive data for identity theft, credit card fraud or other crimes
• Potential damage to your brand
• Defacement of your websites
• Manipulation of data, damaging data integrity and quality and the organization's reputation
16. Risks – your application may have multiple risks (continued)
• Denial of service; loss of data availability
• Redirection of users to malicious websites; phishing and malware distribution
• Attackers assuming valid user identities
• Access to hidden web pages via forged URLs
• Hostile data from an attacker tricking an interpreter into executing unintended commands (injection)
• Development teams neglecting application security while coding
17. Understand the attack surface of your applications – your existing, known software
Common considerations:
• A lot of money or brand value flows through it
• Compliance requirements (e.g. PCI, HIPAA, FFIEC)
• Formal SLAs with customers
• One or more previous security incidents (or near misses)
This includes critical legacy systems and notable web applications.
When assessing application security, many organizations focus on the obvious software assets but overlook their full inventory of applications and code from less obvious sources.
18. Understand the attack surface – the rest of the web applications your organization actually develops and maintains (internal and third-party)
Analysis points you may miss:
• Applications nobody knew about, overlooked, or forgot were there
• Applications a line of business procured through non-standard channels
• Applications added through a merger or acquisition
• Applications believed retired but still active
This includes line-of-business applications and event-specific applications (holiday apps, sales support, open enrollment).
19. Understand the attack surface – software you bought from elsewhere
Analysis points you may miss:
• Automated scanners are good at finding web applications; non-web applications, not so much.
• Contract language, or unvalidated assumptions, that the vendor has security "covered".
This includes less-known or little-used line-of-business applications, support applications and infrastructure applications.
20. Understand the attack surface – mobile and cloud based
Analysis points you may miss:
• Decentralized procurement
• Ineffective security policies
• Use of prohibited software
• Lack of awareness
This includes support for line-of-business functions, general marketing and promotion, financial analysis applications, Software as a Service (SaaS), mobile applications and user-procured software.
21. Attack surface: the security officer's and auditor's perspective
As perception of the attack-surface problem grows, so does the scope of the problem: the more you know, the more you need to assess. The scope covers public-facing systems, intranet systems, or both. As insight deepens, the perceived surface grows from web applications to mobile applications, cloud applications and services, client-server applications and desktop applications.
22. Value and risk are not equally distributed
• Some applications matter more than others: the value and character of the data they manage, the value of the transactions they process, and the cost of downtime and breaches.
• So not all applications should be treated the same: allocate different levels of assurance resources, select assurance activities per application, address the compliance and regulatory requirements that apply, and check, verify and document the quarterly, half-yearly, yearly and external audits of threats and mitigations for every application.
23. Application security and network security issues must be handled differently: there is a technical rationale and a non-technical rationale.
24. Mean Time to Fix (MTTF)
(Here MTTF means mean time to fix, not the reliability term mean time to failure.)
• A 2013 industry study from WhiteHat Security found that the mean time to fix web application flaws classed as "serious" averaged 193 days across all industries.
• In a similar study from Veracode, 70% of the 22,430 applications submitted to its testing platform in 2012 contained exploitable security vulnerabilities.
• Take strict action on your internal and third-party applications alike.
• Follow up so that Critical and High vulnerabilities are resolved within the first one or two quarters (90 to 180 days).
• Initially, target Medium and Low findings, and informational / best-practice suggestions, for resolution within the first one to three quarters (90 to 270 days).
25. Mean Time to Fix (MTTF) (continued)
• How would you report to your management that a "serious", likely exploitable vulnerability sat on your primary public-facing website, or a third-party hosted portal, for more than six months?
• Verizon's 2013 Data Breach Investigations Report says 90% of the previous year's attacks were perpetrated by outsiders and 52% used some form of hacking. How does this help you explain application risk?
• Check that your application security analysts, information security analysts, software testers and quality analysts are armed with knowledge and practice of FISMA, SANS and PCI-DSS security implementation, as required by compliance and global standards.
• As a proactive measure, adopt the right tools for quarterly, half-yearly and yearly secure code assessment and review, without depending on and waiting for external assessments or audits.
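Slides 24 and 25 ask you to measure mean time to fix and to hold findings to quarter-based deadlines. The following Python module is an added example of that bookkeeping, written for this page and not taken from the presentation: it computes mean time to fix per severity over closed findings and lists every finding, open or closed, whose age exceeds its deadline. The findings are constructed sample data, and the deadlines (Critical 90 days, High 180, Medium and Low 270) are one reading of the slide's "first quarter or two" and "first quarter to three" targets; both are parameters, so a tracker export and the organization's own SLA can be substituted.

```python
from datetime import date

# Deadline in days per severity: one reading of slide 24's targets (assumption).
SLA_DAYS = {"Critical": 90, "High": 180, "Medium": 270, "Low": 270}

# Constructed sample findings, not real data:
# (finding id, severity, date opened, date closed or None if still open)
FINDINGS = [
    ("F-1", "Critical", date(2017, 3, 7),  date(2017, 3, 21)),  # fixed in 14 days
    ("F-2", "High",     date(2017, 1, 10), date(2017, 7, 31)),  # fixed, but after 202 days
    ("F-3", "High",     date(2017, 2, 1),  None),               # still open
    ("F-4", "Medium",   date(2017, 4, 1),  date(2017, 6, 10)),  # fixed in 70 days
    ("F-5", "Low",      date(2016, 12, 1), None),               # still open
]
AS_OF = date(2017, 9, 8)   # reporting date for the sample (assumption)


def age_days(opened, closed, as_of):
    """Time to fix for a closed finding; age so far for an open one."""
    return ((closed if closed is not None else as_of) - opened).days


def mean_time_to_fix(findings):
    """Mean days from open to close, per severity, over closed findings only.
    Open findings are excluded because their eventual fix time is unknown; they
    are the reason sla_breaches() must be reported alongside this number, or a
    backlog of never-fixed findings makes MTTF look better, not worse."""
    total, count = {}, {}
    for _, severity, opened, closed in findings:
        if closed is None:
            continue
        total[severity] = total.get(severity, 0) + (closed - opened).days
        count[severity] = count.get(severity, 0) + 1
    return {sev: total[sev] / count[sev] for sev in total}


def sla_breaches(findings, as_of, sla=SLA_DAYS):
    """Findings whose age exceeds the deadline for their severity.
    Returns [(id, severity, age_in_days, still_open), ...] in input order."""
    breaches = []
    for fid, severity, opened, closed in findings:
        age = age_days(opened, closed, as_of)
        if age > sla[severity]:
            breaches.append((fid, severity, age, closed is None))
    return breaches


if __name__ == "__main__":
    for severity, days in sorted(mean_time_to_fix(FINDINGS).items()):
        print(f"MTTF {severity}: {days:.0f} days")
    for fid, severity, age, still_open in sla_breaches(FINDINGS, AS_OF):
        state = "OPEN" if still_open else "closed late"
        print(f"{fid} {severity}: {age} days, {state} (deadline {SLA_DAYS[severity]})")
```

On the sample, the Critical MTTF of 14 days looks healthy while the High MTTF of 202 days already exceeds its 180-day deadline, and two open findings (F-3 at 219 days, F-5 at 281 days) do not appear in the MTTF at all; reporting both numbers together is what answers the question slide 25 asks.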
26. No automated scanner can find all vulnerabilities – you have to use your brain
• There is no "silver bullet" for identifying application security vulnerabilities. There are different classes of tools, from static code scanners that assess the source to dynamic scanners that analyze logic and data flow. Generally, 30% to 40% of vulnerabilities can be identified by scanners; the remainder are uncovered by other means.
• Manual testing lets an informed, experienced tester attempt to manipulate the application, escalate privileges, or make the application behave in ways it was not designed to.
• But wait, there's more...
27. Common application test methods
• Unauthenticated automated scan
• Authenticated automated scan
• Automated source code scanning
• Manual source code review
• Automated binary analysis
• Manual binary analysis
• Blind penetration testing
• Informed manual testing
Application security goes well beyond simply running a scanning tool. For critical or high-value applications, or those that process sensitive data, thorough testing may combine several of these methods.
28. The secure code review metrics
• Decide what to measure.
• Set the minimum benchmark.
• Define reporting requirements for management and customers.
• Use a hybrid approach to integrating standards into your SDLC model of choice.
• Map metrics to a defined level of completion of the security testing and monitoring programs.
• Communicate, coordinate and document all components of your secure SDLC before initiating a Secure Code Assessment program.
• Have a definite approach, agreed by management and the team, to achieve your secure code review goals.
29. Metrics by SDLC phase (general model)
Requirements:
• Percentage of security requirements given in project specifications
• Percentage of security requirements subject to cost/benefit and risk analysis
• Percentage of security requirements considered in threat models
Design:
• Percentage of design components subjected to attack surface analysis
• Percentage of security controls covered by security design patterns
• Percentage of security controls that pose an architectural risk
Implementation (coding):
• Percentage of application components subject to manual and/or automated source code review
• Percentage of code deficiencies detected during peer reviews
• Percentage of application components subject to code integrity/signing procedures
Verification (testing):
• Percentage of common weaknesses and exposures detected per requirement specification
• Percentage of security controls within the application that met the required specification for software assurance
• 30. But then, where is the problem?
  - You cannot bring all the code and all the developers to a centralized area and resolve everything at once.
  - Good things need time, strategy and resources to implement in a structured manner.
  - Consensus building across multiple business areas is not easy.
  - Training and updating all developers, every time.
  - Centralizing source code analysis is problematic.
  - Finding the right reporting metrics for Senior Management is critical to project success.
  For this, I have a solution.
• 31. Application Security: define your role and your auditors' role

  Information Security Professionals
  - Promote SCA awareness in your organization.
  - Confirm that application security testing is part of your overall security program.
  - Demand that all applications developed by 3rd parties be tested and remediated in the Dev and QA stages, prior to being placed in production: prevention is better than cure, and fixing at the initial stage saves your organization's TIME and MONEY.
  - Get all developers and their managers trained on SCA.

  IT Auditors
  - Be an FPG (Friend, Philosopher and Guide) to the organization in meeting its standards and compliance obligations.
  - Influence your Chief Audit Executive to include SCA in the organization's annual risk assessment.
  - Increase your relevance and value to your organization by identifying the risks associated with poorly coded applications.
  - Obtain and review the SDLC from a security perspective, as a Secure SDLC, even in CI/CD (Continuous Integration / Continuous Deployment) environments.
  - Conduct a simple initial audit to assess what controls are in place.
  - Conduct a subsequent audit to determine the effectiveness of those controls; measure MTTF.
  - Consider standards and compliance regimes such as FISMA, SANS and PCI-DSS.
• 32. Tools and Resources
  - Open Software Assurance Maturity Model (OpenSAMM): a freely available open source framework that organizations can use to build and assess their software security programs. www.opensamm.org
  - The Open Web Application Security Project (OWASP): a worldwide not-for-profit organization focused on improving the security of software, and a source of valuable free resources. www.owasp.org
  - Open source or low-cost application security scanners: OWASP Zed Attack Proxy (ZAP), w3af, Mavituna Netsparker, Websecurify, Wapiti, N-Stalker, SkipFish, Scrawlr, Acunetix and many more, for basic discovery work. Note that these are dynamic (DAST) scanners that probe a running application; they do not read source code, so they complement rather than replace the static analysis this deck is about.
  - Also survey licensed tools such as Fortify, Checkmarx and Veracode, comparing their features against your needs.
  - Which tools are right for you depends on your requirements.
• 33. The OWASP Top 10 for 2013
  - A1 Injection
  - A2 Broken Authentication and Session Management
  - A3 Cross-Site Scripting (XSS)
  - A4 Insecure Direct Object References
  - A5 Security Misconfiguration
  - A6 Sensitive Data Exposure
  - A7 Missing Function Level Access Control
  - A8 Cross-Site Request Forgery (CSRF)
  - A9 Using Components with Known Vulnerabilities
  - A10 Unvalidated Redirects and Forwards
  https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
  The OWASP Top Ten 2017 is now also available. Be prepared for the categories to change from one edition to the next as new vulnerability classes are recognized; those are the areas you will need to concentrate on.
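To make A1 Injection concrete for a code reviewer, here is an added example (not code from the deck): the same login query written the vulnerable way, by concatenating user input into the SQL text, and the hardened way, with a parameterised query. It runs against an in-memory SQLite table with constructed rows. The classic tautology payload bypasses authentication in the first version and is compared as a literal string in the second.

```python
"""OWASP Top 10 A1 Injection: the same query written unsafely and safely.

Added example for this section, not code from the original deck. The table and
rows are constructed so the example runs offline. Passwords are stored in clear
text only to keep the focus on A1; real code hashes them (see A6).
"""
import sqlite3
from typing import List

# Constructed sample data (not from the original page).
USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "pa55")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory users table with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> List[str]:
    """Builds the SQL by concatenation, so the caller's input becomes part of the query."""
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> List[str]:
    """Parameterised query: input is bound as data and never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


# Tautology payload: turns the WHERE clause into (... AND password='') OR '1'='1'
PAYLOAD = "' OR '1'='1"


if __name__ == "__main__":
    conn = make_db()
    print(login_vulnerable(conn, "alice", PAYLOAD))   # every user is returned: bypass
    print(login_safe(conn, "alice", PAYLOAD))         # []: payload treated as a password
    print(login_safe(conn, "alice", "s3cret"))        # ['alice']: normal login still works
```

In a review, the tell is the query text being assembled from anything that is not a compile-time constant; the fix is always to keep the SQL fixed and pass values through the driver's placeholders, not to escape quotes by hand.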
• 34. Example SCA Audit Work Program: Software Assurance Maturity Model (SAMM) Scorecard

  Business Function   #   Security Practice / Phase   Level 1 Maturity   Activity A   Activity B
  Governance          1   Strategy & Metrics          0.5                0            1
                      2   Policy & Compliance         0.5                0            1
                      3   Education & Guidance        0                  0            0
  Construction        4   Threat Assessment           0                  0            0
                      5   Security Requirements       0.5                0            1
                      6   Secure Architecture         0                  0            0
  Verification        7   Design Review               0.5                0            1
                      8   Code Review                 0                  0            0
                      9   Security Testing            0                  0            0
  Deployment         10   Vulnerability Management    1                  1            1
                     11   Environment Hardening       1                  1            1
                     12   Operational Enablement      0                  0            0

  Legend: 1 = objective activity was met; 0 = objective activity was not met. The Level 1 maturity score is the share of the practice's two Level 1 activities that were met.

  SAMM valid maturity levels
    0  Implicit starting point: the activities in the Practice are unfulfilled
    1  Initial understanding and ad hoc provision of the Security Practice
    2  Increased efficiency and/or effectiveness of the Security Practice
    3  Comprehensive mastery of the Security Practice at scale
• 35. Example SCA Audit Work Program: Test Plan
• 36. Example SCA Audit Work Program: Questionnaire
• 37. Example SCA Audit Work Program: Score Card
• 38. Basic requirements to understand when choosing open source or licensed vulnerability-management (VM) tools
  - Support reporting, customization and usage aligned to FISMA, SANS, OWASP, PCI-DSS, etc.
  - Support consolidation and de-duplication of imported results from scanner tools, manual testing and threat modeling.
  - Provide extensive reports on application security status and trending over time.
  - Translate application vulnerabilities into software defects and push tasks to developers in the tools and systems they are already using.
  - Create virtual Web Application Firewall (WAF) rules to help block malicious traffic while vulnerabilities are being resolved. While your organization remediates its applications, virtual patching helps guard against common vulnerabilities such as Cross-Site Scripting (XSS) and SQL Injection; it is a stopgap that buys time, not a substitute for fixing the code.
  - Be compatible with a range of commercial and freely available dynamic and static scanning technologies, SaaS testing platforms, IDS/IPS and WAFs, and defect trackers.
  - Recommended: a virtual application scanner that lets audit and security professionals identify, track and report on application security vulnerabilities and on remediation activities and their effectiveness.
  - The vendor should update the scan engine, vulnerability databases, support, facilities and services at least quarterly. This helps you meet your quarterly / half-yearly internal compliance obligations under your Information Security Policies, security standards and frameworks (FISMA, SANS, PCI-DSS, OWASP, etc.) as the organization requires.
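The consolidation and de-duplication requirement above is easy to state and surprisingly fiddly to do, because every source names the same weakness differently and locates it differently. As an added example (not code from the deck or from any product it lists), here is the normalisation step such a tool performs before results from a static scanner, a dynamic scanner and a manual review can be tracked as one defect: vulnerability names are mapped to a CWE id, paths and URLs are canonicalised, findings a few lines apart in the same file are treated as the same sink, and the highest reported severity wins. The tool names, report shapes, line tolerance and sample findings are all constructed for the example.

```python
"""Consolidate and de-duplicate findings from several assessment sources.

Added example for this section, not code from the original deck or from any tool
it names. Tool names, report fields, the name-to-CWE table, the line tolerance
and the sample findings below are all constructed for the example.
"""
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

# Free-text vulnerability names used by different tools, mapped to a CWE id (constructed).
NAME_TO_CWE = {
    "sql injection": 89,
    "improper neutralization of special elements used in an sql command": 89,
    "cross-site scripting": 79,
    "reflected xss": 79,
}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
LINE_TOLERANCE = 2   # scans of slightly different revisions report the same sink a few lines apart


@dataclass
class Finding:
    cwe: int
    location: str                 # canonical file path, or URL path + "#" + parameter
    severity: str
    sources: List[str] = field(default_factory=list)
    lines: List[int] = field(default_factory=list)


def cwe_of(vuln_type: str) -> int:
    """Resolve 'CWE-89: ...', 'SQL Injection' or 'Reflected XSS' to a CWE id; 0 if unknown."""
    m = re.match(r"\s*CWE-(\d+)", vuln_type, re.IGNORECASE)
    if m:
        return int(m.group(1))
    return NAME_TO_CWE.get(vuln_type.strip().lower(), 0)


def location_of(raw: dict) -> str:
    """Static tools report a file path; dynamic tools report a URL and a parameter."""
    if "file" in raw:
        return os.path.normpath(raw["file"]).replace(os.sep, "/")
    path = urlsplit(raw["url"]).path            # drop scheme, host and query string
    return f"{path}#{raw.get('parameter', '')}"


def consolidate(raw_findings: List[dict]) -> List[Finding]:
    """Merge raw findings that describe the same weakness at the same place."""
    merged: List[Finding] = []
    for raw in raw_findings:
        cwe, loc = cwe_of(raw["type"]), location_of(raw)
        line: Optional[int] = raw.get("line")
        severity = raw["severity"].lower()
        target = None
        for f in merged:
            if f.cwe != cwe or f.location != loc:
                continue
            if line is None or not f.lines or any(abs(line - l) <= LINE_TOLERANCE for l in f.lines):
                target = f
                break
        if target is None:
            target = Finding(cwe=cwe, location=loc, severity=severity)
            merged.append(target)
        target.sources.append(raw["tool"])
        if line is not None:
            target.lines.append(line)
        if SEVERITY_RANK[severity] > SEVERITY_RANK[target.severity]:
            target.severity = severity          # keep the most severe rating seen
    return merged


# Constructed sample findings from three sources (not from the original page).
RAW_FINDINGS = [
    {"tool": "sast-a", "type": "SQL Injection", "file": "./src/app/db.py", "line": 42, "severity": "High"},
    {"tool": "sast-b", "type": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command",
     "file": "src/app/db.py", "line": 42, "severity": "Medium"},
    {"tool": "manual", "type": "sql injection", "file": "src/app/db.py", "line": 43, "severity": "Critical"},
    {"tool": "dast", "type": "Reflected XSS", "url": "https://app.example/search?q=1", "parameter": "q", "severity": "Medium"},
    {"tool": "dast", "type": "Cross-Site Scripting", "url": "https://app.example/search?q=2&page=3",
     "parameter": "q", "severity": "Low"},
]

if __name__ == "__main__":
    for f in consolidate(RAW_FINDINGS):
        print(f"CWE-{f.cwe} {f.severity:<8} {f.location} sources={f.sources} lines={f.lines}")
```

Five raw reports collapse to two defects, each carrying the list of sources that saw it, which is what makes the "trending over time" and "push to the defect tracker" requirements workable: a developer gets one ticket, not three, and closing it clears every source at once.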
• 39. Queries / Suggestions welcome
  You can reach me for any further assistance and consulting in:
  - SAST- and DAST-based vulnerability assessments and guidance
  - How to save yourself from hacks
  - Safeguarding your IT assets
  - Secure Code Assessments / static code review
  - Security testing for information assets, networks and applications
  - Security audits for your applications / websites, and Infosec too
  - Forensics, investigation and consulting
  - Information security consulting
  - Any query or suggestion on application security / information security
• 40. My sincere acknowledgements and special thanks to all
  1. My friend Gaurav Batra, APAC CISO, Mondelez International, and CYBERFRAT
  2. All the members of Vidyalankar Institute of Technology
  3. All the members of the CYBERFRAT Team
  4. All my friends in our Cyber FRAT groups, renowned members of the Infosec, Security and Investigations field worldwide
  5. Websites: Owasp.org, blackducksoftware.com, Itcentralisation.com, and many other important sites
  6. Joe Krull, Director, Denim Group
  7. My colleagues, seniors, and all the members of the Information Security industry
• 41. Thank you
  Manoj Purandare
  General Manager – Application Security, ACPL Systems Ltd.
  manojypurandare@gmail.com, technicalmanoj@gmail.com
  www.linkedin.com/in/manojypurandare
  Mobile: 9820841115 / 1111