Security as a New Metric for Your
Business, Product and Development
Lifecycle
by Nazar Tymoshyk, SoftServe, Ph.D., CEH
OWASP Chapter Lviv invites you to the last OWASP Ukraine group meeting
of this year. Spend two great days in Lviv with the best security
specialists of Ukraine.
Registration at: https://goo.gl/5hdvPH
http://owasp-lviv.blogspot.com/
Topics:
• Web and mobile application security
• Hacking REST- and JavaScript-based
applications
• Breach investigation
• Reverse-Engineering
• Scams, rip-offs and manipulation
of users' minds
• Cloud and non-cloud security
• Physical hacking + Escape Quest
14 November 2015, Saturday, Lviv, Sadova St. 2A
Lviv coffee, cafés and beer, great
company, new acquaintances, workshops,
free knowledge: all this awaits you in
our cozy city!
OWASP Ukraine
2015
Security meetup in Lviv
Physical Hacking
Escape quest
OWASP Ukraine 2015
Lviv meetup, November 14, 2015
Elite HACKERS
Industry Experts
The most interesting Security event of Ukraine
Hands on Labs
Collaboration
Competition
Powered by
Security as a metric
Total served: 24
Completed: 10
Internal: 3
Lost: 14
Win rate: 67%
H1 2014
Total served: 26
Completed: 12
Internal: 3
Lost: 14
Win rate: 46%
H1 2015
The updated business model allows us to generate more revenue
from the same number of opportunities
Agenda
Business
Products
Your imaginary
Questions
Developers
BUSINESS
A rough year in 2012
A more challenging year - 2013
• Akamai reports that 2013 attack
traffic is averaging over 86% above
normal.
• This report shows April 30 attack
traffic is 117.53% higher than the
42% increase seen in 2012
http://www.informationisbeautiful.net/visualizations/wor
WHY your clients NEED Security
Industry
Compliance
Government
Regulation
Business
availability
Capitalization
Statistic of Breaches
Customer
requirement
Previous bad
experience
Consequences of Security FAILURE
Trust
Money
Data
stolen
Time
to recover
Penalties
for incident
Customers
Reputation
Super user
Subscriptions
Your
very sad
client
Penalty tool
We were hacked
because of YOU!
If your Cloud server is hacked….
PRODUCT
Simple ROI of Product security
Connected Cars are part of
smart
houses
smart
TVs
smart
watches
smart
phones
smart
cars
smart
fridges
????
Typical Security Report delivered by competitor
How security is linked to development
Then the process of re-Coding, re-Building, re-Testing, re-Auditing starts
3rd party or internal audit
Ton of
security
defects
BACK to re-Coding, re-Building, re-Testing, re-Auditing
Design Build Test Production
GENERIC APPROACH FOR SECURITY
security
requirements / risk
and threat analysis
coding guidelines
/code reviews/
static analysis
security testing /
dynamic analysis
vulnerability
scanning / WAF
Reactive Approach / Proactive Approach
Secure SDLC
What it should look like
With a proper Security Program, the number of
security defects should decrease from phase
to phase
Automated
security
Tests
CI
integrated
Manual
Security/penetration
Testing
OWASP methodology
Secure
Coding
trainings
Regular
Vulnerability
Scans
Minimize the costs of the
Security related issues
Avoid repetitive security
issues
Avoid inconsistent level of
the security
Determine activities that
pay back faster during
current state of the project
Remember I'm offering you the truth. Nothing More.
To do Security or not to Do
QA Engineer Security expert
In functional and performance testing, the
expected results are documented before the
test begins, and the quality assurance team
looks at how well the expected results match
the actual results.
In security testing, the security analyst team is
concerned only with unexpected results,
testing for the unknown and looking for
weaknesses. They are EXPERTS.
VS.
Our app code
needs to be verified
for Security
PM and SoftServe
Demonstrate excellence
Competitive advantage
Reporting
for 2 security experts
Report with findings
Fix it! Non-compliant? Good boys!
Security
Center of Excellence
Request
App
verification
PM
• Explain security defect and
severity
• Fix identified security defects
• Train developers and QA
• Transfer checklists and guides
Great Achievement
Scenario 1.
PM worried about security on the
project.
Code micro-assessment.
Re-check
Monitor
Next page
How to present to client
and earn more $$$ ?
• Scan sources with Tools
• Filter false positives
• Compile report
• Review architecture
• Dynamic test
• Rate risks
Delivery Director/PM
Oh Rashid,
Who wrote it?
We have found
some security
issues with your
legacy code
Indian team. Our
security experts can
perform comprehensive
Security Assessment
And then our dev team
will fix identified defects
as it put other projects
under risk
Ok, do it. How
much should it
cost?
Only $XX.XXX
for Security
Assessment
Deal!
Do it ASAP.
1 2
34
Report sample
DEVELOPMENT
Risks are for managers, not developers
PEOPLE
always
bypass
restrictions
if possible
Keep this in mind when
you design security
• Focus on functional requirements
• Know about:
– OWASP Top 10
– 1 threat (DEADLINE fail)
• Implement requirements as best they can
• Testing is QA's job
«I know when I'm writing code I'm not
thinking about evil, I'm just trying to think about functionality» (c)
Scott Hanselman
Developer & Security
Why doesn't code analysis
solve the problem?
Many of the CWE vulnerability types
are design issues or business logic
issues.
Application security testing tools are
being sold as a solution to the problem of
insecure software.
Mobile banking app from Pakistan
What is wrong?
Recommended error messages by OWASP
Incorrect Response Examples
"Login for User foo: invalid password"
"Login failed, invalid user ID"
"Login failed; account disabled"
"Login failed; this user is not active"
Correct Response Example
"Login failed; Invalid userID or password"
https://www.owasp.org/index.php/Authentication_Cheat_Sheet
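As an added example (not code from the slides or from the app shown), a minimal Python login check that returns the single generic message the OWASP cheat sheet recommends for every failure cause, beside the leaky variant that mirrors the "incorrect" responses listed above. The user store, passwords and function names are constructed for this illustration.

```python
import hashlib
import hmac
import os

# Constructed sample user store (not real credentials): username -> record.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)

def _make_user(password: str, active: bool = True) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "active": active}

USERS = {
    "foo": _make_user("correct horse battery staple"),
    "olduser": _make_user("hunter2", active=False),
}

# Dummy record used for unknown user IDs so the hashing cost is always paid.
_DUMMY = _make_user("placeholder-never-matches")

GENERIC_FAILURE = "Login failed; Invalid userID or password"

def leaky_login(username: str, password: str) -> tuple:
    """The pattern behind the 'Incorrect Response Examples': each branch tells
    the caller exactly which check failed, so valid user IDs can be enumerated."""
    user = USERS.get(username)
    if user is None:
        return False, "Login failed, invalid user ID"
    if not hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"]):
        return False, f"Login for User {username}: invalid password"
    if not user["active"]:
        return False, "Login failed; account disabled"
    return True, "Login successful"

def safe_login(username: str, password: str) -> tuple:
    """One generic message for every failure cause. The password hash is
    computed even for unknown users, so response time does not reveal
    whether the user ID exists, and all checks run before the decision."""
    user = USERS.get(username)
    record = user if user is not None else _DUMMY
    password_ok = hmac.compare_digest(_hash_password(password, record["salt"]),
                                      record["hash"])
    ok = user is not None and password_ok and record["active"]
    return (True, "Login successful") if ok else (False, GENERIC_FAILURE)
```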
What is wrong on next stage of Login process?
Critical Business Logic bypass
There was a possibility to get personal info
(promo code, email, password etc.) of a
subscription which is not related to the currently
logged-in User using
Critical Business Logic bypass
There was a possibility to make changes to the
personal info of a subscription (email, password,
name, etc.) using the User.updateSubscription
method even when the appropriate user is not
logged in
Critical Business Logic bypass
• There is a possibility to convert any standalone
subscription to managed, no matter whether the
appropriate user is logged in or not, using the
User.setSubscriptionToManaged function
(you can make any user pay for paid
features of your subscriptions)
Critical Business Logic bypass
There was a possibility to delete
subscriptions/credit cards which are not related to the
currently logged-in user using the
User.deleteSubscription/deleteCreditCard
function
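As an added example, not code from the audited product, here is the shape of the defect behind the four findings above and its fix: a hypothetical user service whose updateSubscription / setSubscriptionToManaged / deleteSubscription methods trust the subscription id in the request alone, beside a version that first resolves the record through the logged-in session's owner. Subscription records, sessions, class names and the demo() helper are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Optional

class AuthorizationError(Exception):
    """Raised when the caller is not logged in or does not own the record."""

@dataclass
class Subscription:
    sub_id: int
    owner: str          # user ID of the account the subscription belongs to
    email: str
    managed: bool = False

@dataclass
class Session:
    user: Optional[str]  # None means no user is logged in

def make_store() -> dict:
    """Constructed sample data: two subscriptions owned by different users."""
    return {
        1: Subscription(1, "alice", "alice@example.com"),
        2: Subscription(2, "bob", "bob@example.com"),
    }

class UnsafeUserService:
    """Pattern behind the findings: the id from the request is the only input."""
    def __init__(self, store: dict):
        self.store = store
    def updateSubscription(self, session, sub_id, email):
        self.store[sub_id].email = email      # no login check, no ownership check
    def setSubscriptionToManaged(self, session, sub_id):
        self.store[sub_id].managed = True     # any caller can bill any user
    def deleteSubscription(self, session, sub_id):
        del self.store[sub_id]

class SafeUserService:
    """Every operation resolves the record through the logged-in user first."""
    def __init__(self, store: dict):
        self.store = store

    def _owned(self, session: Session, sub_id: int) -> Subscription:
        if session.user is None:
            raise AuthorizationError("login required")
        sub = self.store.get(sub_id)
        # One message for "does not exist" and "belongs to someone else", so
        # the error itself does not confirm which ids are valid.
        if sub is None or sub.owner != session.user:
            raise AuthorizationError("subscription not found")
        return sub

    def getSubscription(self, session, sub_id):
        return self._owned(session, sub_id)
    def updateSubscription(self, session, sub_id, email):
        sub = self._owned(session, sub_id)
        sub.email = email
        return sub
    def setSubscriptionToManaged(self, session, sub_id):
        sub = self._owned(session, sub_id)
        sub.managed = True
        return sub
    def deleteSubscription(self, session, sub_id):
        self._owned(session, sub_id)
        del self.store[sub_id]

def attempt(fn, *args) -> str:
    """'ok' if the call succeeded, 'denied' if authorization stopped it."""
    try:
        fn(*args)
        return "ok"
    except AuthorizationError:
        return "denied"

def demo() -> dict:
    """Replay the findings against both services on fresh stores."""
    s1 = make_store(); unsafe = UnsafeUserService(s1)
    s2 = make_store(); safe = SafeUserService(s2)
    return {
        "unsafe_anon_update": attempt(unsafe.updateSubscription, Session(None), 1, "x@example.com"),
        "unsafe_other_managed": attempt(unsafe.setSubscriptionToManaged, Session("bob"), 1),
        "unsafe_store_after": (s1[1].email, s1[1].managed),
        "safe_anon_update": attempt(safe.updateSubscription, Session(None), 1, "x@example.com"),
        "safe_other_update": attempt(safe.updateSubscription, Session("bob"), 1, "x@example.com"),
        "safe_other_managed": attempt(safe.setSubscriptionToManaged, Session("bob"), 1),
        "safe_owner_update": attempt(safe.updateSubscription, Session("alice"), 1, "new@example.com"),
        "safe_other_delete": attempt(safe.deleteSubscription, Session("alice"), 2),
        "safe_owner_delete": attempt(safe.deleteSubscription, Session("bob"), 2),
        "safe_store_after": (s2[1].email, s2[1].managed, sorted(s2)),
    }
```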
Browser exploitation framework
Social Engineering
SQL-Injections to win a Trip
Dumped admin password hashes
Simple SOAP request
fuzzing allowed collecting
information about existing
system users: their emails,
VIN, last access time, user
ID and other confidential,
user/car related
information
Broken Session management
Why so simple?
Story about Hybrid Mobile
Development in India
Reversing Java/iOS application
this app feature
WEAK Cryptography
Was cleaned up by Vendor
Team
REMOVED CODE APPEARS AGAIN IN
APPSTORE APP
Appear Again in App
from AppStore
HARDCODED CREDENTIALS
Severity: Critical (C)/P1
Business impact: Medium (M)/P3
BACKEND SECURITY
Severity: Critical (C)/P1
Business impact: Critical (C)/P1
WEAK PASSWORDS
Severity: Critical (C)/P1
Business impact: Critical (C)/P1
DEVELOPER TEAM FACEPALM
ENCRYPTION PASSWORD AFTER
APPSTORE RELEASE
SENSITIVE FILE ARTIFACTS
Severity: Low (L)/P4
Business impact: No business impact
All Apps are considered safe until proven
guilty by a security review
Financial
Institution
SENSITIVE CLIENT INFORMATION
AS A CONSEQUENCE, CUSTOMERS' TRUST COULD BE LOST.
Customers database dump
defaults and sample files
Forgotten Files on server
Upload Java shell and take server under control
Is your
product
popular?
You are the next target
How to PROTECT?
Security Frameworks
Right Security Requirements
Penetration Testing
Code Scan and Review
Security Trainings
Threat Modelling
Dedicated Security Expert
OWASP.org
Add Security into your PROCESS
Security
THANK YOU
Contact me:
skype: root_nt
email: root.nt@gmail.com
Join OWASP:
http://owasp-lviv.blogspot.com/
FEEDBACK &
QUESTIONS
Home Work

Contenu connexe

Tendances

Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended Cut
Mike Spaulding
 
Application Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleApplication Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio Scale
Jeff Williams
 
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
Kevin Fealey
 
24may 1200 valday eric anklesaria 'secure sdlc – core banking'
24may 1200 valday eric anklesaria 'secure sdlc – core banking'24may 1200 valday eric anklesaria 'secure sdlc – core banking'
24may 1200 valday eric anklesaria 'secure sdlc – core banking'
Positive Hack Days
 
Security hole #5 application security science or quality assurance
Security hole #5 application security   science or quality assuranceSecurity hole #5 application security   science or quality assurance
Security hole #5 application security science or quality assurance
Tjylen Veselyj
 

Tendances (20)

Continuous and Visible Security Testing with BDD-Security
Continuous and Visible Security Testing with BDD-SecurityContinuous and Visible Security Testing with BDD-Security
Continuous and Visible Security Testing with BDD-Security
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
 
Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended Cut
 
Application Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleApplication Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio Scale
 
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
 
Secure Software Development Lifecycle
Secure Software Development LifecycleSecure Software Development Lifecycle
Secure Software Development Lifecycle
 
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
 
24may 1200 valday eric anklesaria 'secure sdlc – core banking'
24may 1200 valday eric anklesaria 'secure sdlc – core banking'24may 1200 valday eric anklesaria 'secure sdlc – core banking'
24may 1200 valday eric anklesaria 'secure sdlc – core banking'
 
Unit testing : what are you missing for security
Unit testing : what are you missing for securityUnit testing : what are you missing for security
Unit testing : what are you missing for security
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLC
 
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsDevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
 
DevSecOps-OWASP Indonesia Day 2017
DevSecOps-OWASP Indonesia Day 2017DevSecOps-OWASP Indonesia Day 2017
DevSecOps-OWASP Indonesia Day 2017
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
 
Introducing: Klocwork Insight Pro | November 2009
Introducing: Klocwork Insight Pro | November 2009Introducing: Klocwork Insight Pro | November 2009
Introducing: Klocwork Insight Pro | November 2009
 
Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left Security
 
Security hole #5 application security science or quality assurance
Security hole #5 application security   science or quality assuranceSecurity hole #5 application security   science or quality assurance
Security hole #5 application security science or quality assurance
 
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
 

En vedette

Now – paramore
Now – paramoreNow – paramore
Now – paramore
CharLilyMay
 
Geldvoorelkaar journaal 4
Geldvoorelkaar journaal 4Geldvoorelkaar journaal 4
Geldvoorelkaar journaal 4
Gerard Umans
 
Superbowl Ad review vu par Leo Burnett France
Superbowl Ad review vu par Leo Burnett FranceSuperbowl Ad review vu par Leo Burnett France
Superbowl Ad review vu par Leo Burnett France
PlanningLeoBurnettFrance
 
15082005174118 wca article-vfinal
15082005174118 wca article-vfinal15082005174118 wca article-vfinal
15082005174118 wca article-vfinal
sunilareddyk
 
Focus group analysis
Focus group analysisFocus group analysis
Focus group analysis
CharLilyMay
 

En vedette (20)

Agile and Secure SDLC
Agile and Secure SDLCAgile and Secure SDLC
Agile and Secure SDLC
 
Now – paramore
Now – paramoreNow – paramore
Now – paramore
 
電撃の巨人 by チームモスキート
電撃の巨人 by チームモスキート電撃の巨人 by チームモスキート
電撃の巨人 by チームモスキート
 
Andrés alfaro salas
Andrés alfaro salasAndrés alfaro salas
Andrés alfaro salas
 
Team 15
Team 15Team 15
Team 15
 
私的CSS変遷史
私的CSS変遷史私的CSS変遷史
私的CSS変遷史
 
Geldvoorelkaar journaal 4
Geldvoorelkaar journaal 4Geldvoorelkaar journaal 4
Geldvoorelkaar journaal 4
 
Kelompok butterfly
Kelompok butterflyKelompok butterfly
Kelompok butterfly
 
Superbowl Ad review vu par Leo Burnett France
Superbowl Ad review vu par Leo Burnett FranceSuperbowl Ad review vu par Leo Burnett France
Superbowl Ad review vu par Leo Burnett France
 
Dhanwantari Immurich: (Info of Cow Colostrum)
Dhanwantari Immurich: (Info of Cow Colostrum)Dhanwantari Immurich: (Info of Cow Colostrum)
Dhanwantari Immurich: (Info of Cow Colostrum)
 
15082005174118 wca article-vfinal
15082005174118 wca article-vfinal15082005174118 wca article-vfinal
15082005174118 wca article-vfinal
 
Functional UI and Unidirectional Dataflow
Functional UI and Unidirectional DataflowFunctional UI and Unidirectional Dataflow
Functional UI and Unidirectional Dataflow
 
Work4 22
Work4 22Work4 22
Work4 22
 
August 9 Treasure Emporium with Britty & Tazzy
August 9 Treasure Emporium with Britty & TazzyAugust 9 Treasure Emporium with Britty & Tazzy
August 9 Treasure Emporium with Britty & Tazzy
 
Ib estonia justification
Ib estonia justificationIb estonia justification
Ib estonia justification
 
places in the City
places in the Cityplaces in the City
places in the City
 
Botacora de tecnologia
Botacora de tecnologiaBotacora de tecnologia
Botacora de tecnologia
 
Focus group analysis
Focus group analysisFocus group analysis
Focus group analysis
 
Team11
Team11Team11
Team11
 
Web Design Principles - Jessica, Grant, and Rachel
Web Design Principles - Jessica, Grant, and RachelWeb Design Principles - Jessica, Grant, and Rachel
Web Design Principles - Jessica, Grant, and Rachel
 

Similaire à Security as a new metric for Business, Product and Development Lifecycle

Security engineering 101 when good design & security work together
Security engineering 101  when good design & security work togetherSecurity engineering 101  when good design & security work together
Security engineering 101 when good design & security work together
Wendy Knox Everette
 

Similaire à Security as a new metric for Business, Product and Development Lifecycle (20)

Mike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security ProgramMike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security Program
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software Security
 
HouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchHouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from Scratch
 
Appsec Agility: A Brief Tour
Appsec Agility: A Brief TourAppsec Agility: A Brief Tour
Appsec Agility: A Brief Tour
 
Agile Relevance in the age of Continuous Everything ....
Agile Relevance in the age of Continuous Everything ....Agile Relevance in the age of Continuous Everything ....
Agile Relevance in the age of Continuous Everything ....
 
Why 'positive security' is a software security game changer
Why 'positive security' is a software security game changerWhy 'positive security' is a software security game changer
Why 'positive security' is a software security game changer
 
OWASP - Building Secure Web Applications
OWASP - Building Secure Web ApplicationsOWASP - Building Secure Web Applications
OWASP - Building Secure Web Applications
 
Dpc14 security as part of Quality Assurance
Dpc14   security as part of Quality AssuranceDpc14   security as part of Quality Assurance
Dpc14 security as part of Quality Assurance
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approach
 
Web Application Security Strategy
Web Application Security Strategy Web Application Security Strategy
Web Application Security Strategy
 
Security engineering 101 when good design & security work together
Security engineering 101  when good design & security work togetherSecurity engineering 101  when good design & security work together
Security engineering 101 when good design & security work together
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDC
 
Demand for Penetration Testing Services.docx
Demand for Penetration Testing Services.docxDemand for Penetration Testing Services.docx
Demand for Penetration Testing Services.docx
 
Security Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSecurity Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar Tymoshyk
 
AWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSAWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWS
 
Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"
 
The Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's ToolboxThe Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's Toolbox
 
Create code confidence for better application security
Create code confidence for better application securityCreate code confidence for better application security
Create code confidence for better application security
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
 

Plus de Nazar Tymoshyk, CEH, Ph.D. (7)

Black magic of web attacks Detection and Prevention
Black magic of web attacks Detection and PreventionBlack magic of web attacks Detection and Prevention
Black magic of web attacks Detection and Prevention
 
CIA Hacking Organization in the Nutshell
CIA Hacking Organization in the NutshellCIA Hacking Organization in the Nutshell
CIA Hacking Organization in the Nutshell
 
"Аеророзвідка-Львів": Розвиток безпілотної авіації через волонтерський рух
"Аеророзвідка-Львів": Розвиток безпілотної авіації через волонтерський рух"Аеророзвідка-Львів": Розвиток безпілотної авіації через волонтерський рух
"Аеророзвідка-Львів": Розвиток безпілотної авіації через волонтерський рух
 
Automotive security testing
Automotive security testing Automotive security testing
Automotive security testing
 
Проект реабілітації військових в ІТ
Проект реабілітації військових в ІТПроект реабілітації військових в ІТ
Проект реабілітації військових в ІТ
 
Security Hole #11 - Unusual security vulnerabilities - Yuriy Bilyk
Security Hole #11 - Unusual security vulnerabilities - Yuriy BilykSecurity Hole #11 - Unusual security vulnerabilities - Yuriy Bilyk
Security Hole #11 - Unusual security vulnerabilities - Yuriy Bilyk
 
Security Hole #11 - Competitive intelligence - Beliaiev
Security Hole #11 - Competitive intelligence - BeliaievSecurity Hole #11 - Competitive intelligence - Beliaiev
Security Hole #11 - Competitive intelligence - Beliaiev
 

Dernier

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Dernier (20)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 

Security as a new metric for Business, Product and Development Lifecycle

  • 1. Security as a New Metric for Your Business, Product and Development Lifecycle by Nazar Tymoshyk, SoftServe, Ph.D., CEH
  • 2. OWASP Chapter Lviv запрошує на останню зустріч групи OWASP Ukraine цього року. Проведіть чудові 2 дні у Львові з найкращими Security спеціалістами України. Реєстрація у: https://goo.gl/5hdvPH http://owasp-lviv.blogspot.com/ Тематика: • Безпека Веб і Мобільних аплікацій • Взлом REST і JavaScript базованих аплікацій • Розслідування взломів • Reverse-Engineering • Розвод, кідалово і маніпуляція свідомістю юзерів • Хмарна і безхмарна безпека • Фізичний взлом + Escape Quest 14 листопада 2015, субота, Львів, вул. Садова 2А Львівка кава, кавярні і пиво, круте товариство, нові знайомства, воркшопи, знання на халяву – все це чекає на вас у нашому затишному місті! OWASP Ukraine 2015 Security meetup у Львові
  • 3. Physical Hacking Escape quest OWASP Ukraine 2015 Lviv meetup, November 14, 2015 Elite HACKERS Industry Experts The most interesting Security event of Ukraine Hands on Labs Collaboration Competition Powered by
  • 4. Security as a metric Total served: 24 Completed: 10 Internal: 3 Lost: 14 Win rate: 67% H1 2014 Total served: 26 Completed: 12 Internal: 3 Lost: 14 Win rate: 46% H1 2015 Updated business model allow us to generate more revenue from same amount of opportunities
  • 7. A rough year in 2012
  • 8. A more challenging year - 2013 • Akamai reports that 2013 attack traffic is averaging over 86% above normal. • This report shows April 30 attack traffic is 117.53% higher than the 42% increase seen in 2012
  • 10.
  • 11.
  • 12. WHY your clients NEED Security Industry Compliance Government Regulation Business availability Capitalization Statistic of Breaches Customer requirement Previous bad experience
  • 13. Consequences of Security FAILURE Trust Money Data stolen Time to recover Penalties for incident Customers Reputation
  • 14. Super user Subscriptions Your very sad client Penalty tool We were hacked because of YOU!
  • 15. If your Cloud server is hacked….
  • 17. Simple ROI of Product security
  • 18. Connected Cars are part of smart houses smart TVs smart watches smart phones smart cars smart fridges ????
  • 19. Typical Security Report delivered by competitor
  • 20. How security is linked to development Than start process of re-Coding, re-Building, re-Testing, re-Auditing 3rd party or internal audit Tone of security defects BACK to re-Coding, re-Building, re-Testing, re-Auditing
  • 21. Design Build Test Production GENERIC APPROACH FOR SECURITY security requirements / risk and threat analysis coding guidelines /code reviews/ static analysis security testing / dynamic analysis vulnerability scanning / WAF Reactive ApproachProactive Approach Secure SDLC
  • 22. How it should look like With proper Security Program number of security defects should decrease from phase to phase Automated security Tests CI integrated Manual Security/penetration Testing OWASP methodology Secure Coding trainings Regular Vulnerability Scans Minimize the costs of the Security related issues Avoid repetitive security issues Avoid inconsistent level of the security Determine activities that pay back faster during current state of the project
  • 23.
  • 24. To do security or not to do? "Remember, I'm offering you the truth. Nothing more."
  • 25. QA engineer vs. security expert. In functional and performance testing, the expected results are documented before the test begins, and the QA team looks at how well the expected results match the actual results. In security testing, the security analyst team is concerned only with unexpected results, testing for the unknown and looking for weaknesses. They are experts.
  • 26. Scenario 1: PM worried about security on the project. Code micro-assessment. "Our app code needs to be verified for security." The PM requests app verification from the Security Center of Excellence (2 security experts, reporting): scan sources with tools; filter false positives; review architecture; dynamic test; rate risks; compile report. The report with findings goes to the Delivery Director/PM: non-compliant? Fix it! Otherwise: good boys! Then re-check and monitor. The Security Center of Excellence also: explains security defects and severity; fixes identified security defects; trains developers and QA; transfers checklists and guides. Outcome for the PM and SoftServe: demonstrate excellence, competitive advantage, great achievement. How to present it to the client and earn more $$$? Next page.
  • 27. Sales dialogue: "Oh Rashid, we have found some security issues with your legacy code." "Who wrote it?" "Indian team. Our security experts can perform a comprehensive Security Assessment, and then our dev team will fix identified defects, as they put other projects under risk." "Ok, do it. How much should it cost?" "Only $XX.XXX for the Security Assessment." "Deal! Do it ASAP."
  • 30. Risks are for managers, not developers
  • 31. People always bypass restrictions if possible. Keep this in mind when you design security.
  • 32. Developer & security. Developers: focus on functional requirements; know about OWASP Top 10 and 1 threat (DEADLINE fail); implement requirements as they can; testing is the QA job. «I know when I'm writing code I'm not thinking about evil, I'm just trying to think about functionality» (c) Scott Hanselman
  • 33. Why doesn't code analysis resolve the problem? Many of the CWE vulnerability types are design issues or business logic issues, yet application security testing tools are being sold as a solution to the problem of insecure software.
  • 34. Mobile banking app from Pakistan
  • 36. Recommended error messages by OWASP. Incorrect response examples: "Login for User foo: invalid password"; "Login failed, invalid user ID"; "Login failed; account disabled"; "Login failed; this user is not active". Correct response example: "Login failed; Invalid userID or password". https://www.owasp.org/index.php/Authentication_Cheat_Sheet
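The difference between the incorrect and correct responses above is that the incorrect ones tell the caller which check failed (unknown user, disabled account, wrong password) and so allow user enumeration. The following is an added example, not code from the slides or from SoftServe: a login routine that answers every failure with the single OWASP-recommended message and, as an extra step the slide does not mention, always computes the password hash so that unknown usernames are not distinguishable by timing either. The user records, salts and passwords are constructed for the example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 50_000  # PBKDF2 work factor; constructed value for the example


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: username -> salt, PBKDF2 hash, active flag
_SALT_ALICE = b"constructed-salt-alice"
_SALT_BOB = b"constructed-salt-bob"
USERS = {
    "alice": {"salt": _SALT_ALICE, "hash": _hash_password("correct horse", _SALT_ALICE), "active": True},
    "bob": {"salt": _SALT_BOB, "hash": _hash_password("battery staple", _SALT_BOB), "active": False},
}

GENERIC_FAILURE = "Login failed; Invalid userID or password"


def login_verbose(username: str, password: str):
    """Incorrect: every failure reason gets its own message, so the response
    reveals whether a username exists and whether the account is disabled."""
    user = USERS.get(username)
    if user is None:
        return False, "Login failed, invalid user ID"
    if not user["active"]:
        return False, "Login failed; account disabled"
    if not hmac.compare_digest(user["hash"], _hash_password(password, user["salt"])):
        return False, f"Login for User {username}: invalid password"
    return True, "Login OK"


# Dummy record used for unknown usernames so that the hash is still computed
_DUMMY_SALT = b"constructed-dummy-salt"
_DUMMY = {"salt": _DUMMY_SALT, "hash": _hash_password(secrets.token_hex(16), _DUMMY_SALT), "active": False}


def login_uniform(username: str, password: str):
    """Correct per the OWASP cheat sheet: one generic message for every failure.
    The password check always runs, even for unknown or disabled users, so the
    response time does not leak which branch was taken."""
    user = USERS.get(username, _DUMMY)
    password_ok = hmac.compare_digest(user["hash"], _hash_password(password, user["salt"]))
    if username in USERS and user["active"] and password_ok:
        return True, "Login OK"
    return False, GENERIC_FAILURE


if __name__ == "__main__":
    for name, pw in [("alice", "correct horse"), ("alice", "wrong"), ("nobody", "x"), ("bob", "battery staple")]:
        print(f"{name:>7}: verbose={login_verbose(name, pw)[1]!r:45} uniform={login_uniform(name, pw)[1]!r}")
```

The disabled account still fails with the generic message; whether and how to tell the legitimate owner about the lockout is a separate channel (e-mail, support), not the login response.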
  • 37. What is wrong at the next stage of the login process?
  • 38. Critical business logic bypass: there was a possibility to get the personal info (promo code, email, password, etc.) of a subscription that is not related to the currently logged-in user using
  • 39. Critical business logic bypass: there was a possibility to make changes to the personal info of a subscription (email, password, name, etc.) using the User.updateSubscription method, even when the appropriate user is not logged in.
  • 40. Critical business logic bypass: there is a possibility to convert any standalone subscription to a managed one, no matter whether the appropriate user is logged in or not, using the User.setSubscriptionToManaged function (you can make any user pay for the paid features of your subscriptions).
  • 41. Critical business logic bypass: there was a possibility to delete subscriptions/credit cards that are not related to the currently logged-in user using the User.deleteSubscription/deleteCreditCard function.
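All four findings on slides 38 to 41 have the same root cause: the subscription operations trust the subscription identifier in the request and never check that a logged-in user exists and owns that subscription. The block below is an added example written for this page, not the application's code; the data model, the session object and the service functions are constructed for illustration. It shows the defect next to the fix: a single ownership check shared by update, set-to-managed and delete.

```python
from dataclasses import dataclass
from typing import Optional


class AuthorizationError(Exception):
    """Raised when the caller is anonymous or does not own the subscription."""


@dataclass
class Subscription:
    sub_id: int
    owner: str
    email: str
    managed: bool = False


@dataclass
class Session:
    user: Optional[str]  # None means the request is not authenticated


# Constructed data store for the example
SUBSCRIPTIONS = {
    1: Subscription(1, "alice", "alice@example.test"),
    2: Subscription(2, "bob", "bob@example.test"),
}


def update_subscription_vulnerable(session: Session, sub_id: int, new_email: str) -> Subscription:
    """Mirrors the defect on the slides: the id comes straight from the request
    and the session is never consulted, so anyone can edit anyone's data."""
    sub = SUBSCRIPTIONS[sub_id]
    sub.email = new_email
    return sub


def _require_owner(session: Session, sub_id: int) -> Subscription:
    """Ownership check shared by every subscription operation."""
    if session.user is None:
        raise AuthorizationError("authentication required")
    sub = SUBSCRIPTIONS.get(sub_id)
    # Same error for "does not exist" and "not yours", so ids cannot be enumerated
    if sub is None or sub.owner != session.user:
        raise AuthorizationError("subscription not found")
    return sub


def update_subscription(session: Session, sub_id: int, new_email: str) -> Subscription:
    sub = _require_owner(session, sub_id)
    sub.email = new_email
    return sub


def set_subscription_to_managed(session: Session, sub_id: int) -> Subscription:
    sub = _require_owner(session, sub_id)
    sub.managed = True
    return sub


def delete_subscription(session: Session, sub_id: int) -> None:
    _require_owner(session, sub_id)
    del SUBSCRIPTIONS[sub_id]


def is_denied(fn, *args) -> bool:
    """Helper for demonstrations: True if the call is rejected by the ownership check."""
    try:
        fn(*args)
    except AuthorizationError:
        return True
    return False


if __name__ == "__main__":
    anonymous, bob = Session(user=None), Session(user="bob")
    print("vulnerable, anonymous edit of alice's record:", update_subscription_vulnerable(anonymous, 1, "x@example.test"))
    print("fixed, anonymous edit denied:", is_denied(update_subscription, anonymous, 1, "y@example.test"))
    print("fixed, bob converting alice's subscription denied:", is_denied(set_subscription_to_managed, bob, 1))
```

The check lives in one helper on purpose: when each method carries its own copy, the next new method (such as the credit-card deletion on slide 41) is the one that forgets it.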
  • 44. SQL injections to win a trip: dumped admin password hashes.
  • 45. Broken session management: simple SOAP request fuzzing allowed collecting information about existing system users: their emails, VIN, last access time, user ID and other confidential user/car-related information.
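The slide only names the outcome (admin password hashes dumped through SQL injection). As an added example that is not from the deck or the assessed application, the block below shows the coding defect behind that class of finding and its fix on an in-memory SQLite table: the lookup built by string concatenation lets a tautology in the name parameter return every row, while the parameter-bound version treats the same input as a plain value. Table, rows and hash values are constructed.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample table; hashes are placeholders, not real digests."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password_hash TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [(1, "admin", "constructed-hash-1", 1), (2, "alice", "constructed-hash-2", 0)],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Defect: the caller's input becomes part of the SQL text."""
    query = "SELECT id, name, password_hash FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Fix: parameter binding; the driver never parses the input as SQL."""
    return conn.execute(
        "SELECT id, name, password_hash FROM users WHERE name = ?", (name,)
    ).fetchall()


TAUTOLOGY = "' OR '1'='1"  # classic test input, turns WHERE into an always-true condition


if __name__ == "__main__":
    conn = setup_db()
    print("vulnerable, normal input :", find_user_vulnerable(conn, "alice"))
    print("vulnerable, tautology    :", find_user_vulnerable(conn, TAUTOLOGY))  # every row, hashes included
    print("safe, tautology          :", find_user_safe(conn, TAUTOLOGY))        # no such user
```

A second, independent reduction of impact is to never select `password_hash` in a general-purpose lookup at all; the login path that needs it should fetch it by exact primary key.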
  • 47. Story about Hybrid Mobile Development in India
  • 48. Reversing the Java/iOS application: this app feature
  • 49. Weak cryptography: was cleaned up by the vendor team.
  • 50. Removed code appears again in the App Store app.
  • 51. Hardcoded credentials. Severity: Critical (C)/P1. Business impact: Medium (M)/P3.
  • 52. Backend security. Severity: Critical (C)/P1. Business impact: Critical (C)/P1.
  • 53. Weak passwords. Severity: Critical (C)/P1. Business impact: Critical (C)/P1.
  • 56. Sensitive file artifacts. Severity: Low (L)/P4. Business impact: no business impact.
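Slides 49 to 51 describe findings (weak cryptography, hardcoded credentials) that were fixed once and then reappeared in the shipped App Store build, which is exactly the case for an automated check in the build pipeline rather than a one-off review. The following is an added example, not a tool from the deck or from SoftServe: a small scanner that flags hardcoded credential assignments and embedded HTTP Basic tokens in source text, with a Shannon entropy score to help triage. The patterns are constructed heuristics and the sample source is made up for the example.

```python
import math
import re

# Constructed heuristics: secret-like identifiers assigned a quoted literal,
# and an HTTP Basic credential embedded as a base64 blob.
PATTERNS = [
    re.compile(r'(?i)\b(password|passwd|pwd|secret|api[_-]?key|token)\b\s*[=:]\s*["\']([^"\']{4,})["\']'),
    re.compile(r'\bBasic\s+([A-Za-z0-9+/=]{16,})'),
]


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking keys score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text: str) -> list:
    """Return one finding per matching line: line number, literal, entropy."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pat in PATTERNS:
            m = pat.search(line)
            if m:
                value = m.group(m.lastindex)  # the captured literal
                findings.append({"line": lineno, "value": value, "entropy": round(shannon_entropy(value), 2)})
                break  # one finding per line is enough for triage
    return findings


# Constructed Java-like sample; only lines 2, 4 and 6 should be flagged
SAMPLE_SOURCE = """\
String url = "https://api.example.test/v1/";
String apiKey = "AKIA-CONSTRUCTED-EXAMPLE-KEY-0123";
String dbPassword = System.getenv("DB_PASSWORD");   // fine: read from the environment
String password = "P@ssw0rd2015";
String placeholder = "password";                    // a string that just says "password"
headers.put("Authorization", "Basic dXNlcjpwYXNzd29yZA==");
"""


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['value']!r} (entropy {f['entropy']})")
```

Run against every build artifact, including the decompiled release binary, such a check would have caught the credential coming back in the App Store build regardless of what the source repository looked like at the time of the review.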
  • 57. "All apps are considered safe until proven guilty by a security review" (a financial institution).
  • 58. Sensitive client information. As a consequence, customers' trust could be lost.
  • 62. Upload a Java shell and take the server under control.
  • 64. How to protect? Security frameworks; the right security requirements; penetration testing; code scan and review; security trainings; threat modelling; a dedicated security expert; OWASP.org.
  • 65. Add Security into your PROCESS
  • 67. Thank you. Feedback & questions. Contact me: skype: root_nt, email: root.nt@gmail.com. Join OWASP: http://owasp-lviv.blogspot.com/

Editor's notes

  1. The mind map made it clear which scenarios to use, and how, to bring benefits on existing projects: scenarios, money, involvement, executors, time frames, eliminating competitors, solving a number of business problems (for example, eliminating competitors).