Digital Product Security
Agenda
• About me
• Know your enemy first: Cyberattacks against modern business
• Anatomy and security issues in Product Development
• Tips and Tricks: Develop software security by design
• How to get ROI
• People, Process, Tools
• References
2016
About me
Nazar Tymoshyk, Ph.D., CEH
Security Consulting Lead @ SoftServe
Manages the Security Red Team
OWASP Chapter Lead, L'viv
Penetration Tester
Certified Ethical Hacker
Researcher
General summary:
• 10+ years of experience in Information Security
• 15+ years of UNIX systems network administration experience
• 15+ years of MS Windows * administration experience
• 4 years of Novell service and products administration experience
• 1+ year of Oracle DB administration as a DBA
• 15+ years in network infrastructure management
Attack surface
Attackers are targeting applications
Data breaches and cyber attacks in June 2016
(289,150,000+ records leaked)
https://www.itgovernance.co.uk/blog/category/other-blogs/breaches-hacks/
Big names
Anatomy and security issues
in Product Development
Developer
• Focused on functional requirements
• Knows about the OWASP Top 10
• Knows one threat: the DEADLINE
• Concentrated on risks
"I know when I'm writing code I'm not thinking about evil, I'm just trying to think about functionality" (Scott Hanselman)
"Risks are for managers, not developers" (Unknown)
Security Officer
• Focused on security requirements
• Knows the difference between a vulnerability and an attack
• Focused on the toolset and its output
• Focused on vulnerabilities
Application security testing tools are being sold as the solution to the problem of insecure software.
Many of the CWE weakness types are design issues or business logic issues, which no tool can recognise from code patterns alone.
Why doesn't code analysis resolve the problem?
Scanners cannot THINK. A security scanner is not a panacea: it looks for known, defined and predictable patterns. It does not search for:
• Logical defects
• Rights separation (authorization and privilege boundaries)
• Complex, multi-step attack vectors
• Defects in architecture and design
• Real cryptographic strength, as opposed to the mere presence of crypto calls
• Etc.
Scanners create the illusion of SAFETY.
QA Engineer vs Security Analyst
QA Engineer: in functional and performance testing, the expected results are documented before the test begins, and the quality assurance team looks at how well the expected results match the actual results.
Security Analyst: in security testing, the security analysts are concerned only with unexpected results, testing for the unknown and looking for weaknesses.
Tips and Tricks:
Develop software security by design
Problems to Solve
Determine activities that pay back faster during current state
of the project
Avoid inconsistent levels of security
Minimize the cost of Security related issues
Avoid repetitive security issues
Value Delivered
• Reduced cost of security issue resolution
• A third-party evaluator found no serious security vulnerability during the initial penetration test
• Delivered secure source code, secure deployment and secure infrastructure
• Application compliant with HIPAA, PCI DSS and SOC requirements, including PII handling
• Metrics of security progress increased trust among key stakeholders and clients
Secure SDLC: proactive vs reactive approach (figure)
The generic approach maps one security activity to each phase:
• Design: security requirements, risk and threat analysis (proactive)
• Build: coding guidelines, code reviews, static analysis
• Test: security testing, dynamic analysis
• Production: vulnerability scanning, WAF (reactive)
How the security process looks in reality
Most issues are found by security auditors prior to going live. Then the process of re-coding, re-building, re-testing and re-auditing starts, and the team goes BACK through the same loop.
How much time do you need to fix security
issues in an app?
• 4+ Weeks
• 3-4 Weeks
• 2-3 Weeks
• 0-1 Week
82 percent of applications that were remediated to a satisfactory
level did so in a week or less.
Simple ROI of Product security
Figure 2: By identifying vulnerabilities early in the application lifecycle, your organization can prevent
unnecessary costs when fixing application security issues. The costs represented in this illustration are
based on a hypothetical hourly rate, but the magnitude of cost escalation that occurs through the
application lifecycle is typical of what many organizations experience.
Reduce costs by finding application vulnerabilities early*
*Estimated costs based on IBM Global Business Services industry standards
How it should look
How do you add security in? With a proper security program the number of security defects should decrease from phase to phase.
Case Study
Discovery: Analyze current practices → Define goals → Define roadmap → Execute / Oversee / Adjust
Business Issue
The client realized that most of his competitors had already been hacked and his company could be the next target. He wanted to:
• Stay compliant
• Protect his Intellectual Property
• Protect client data
• Demonstrate excellence and high code quality
• Avoid a data breach
• Minimize security costs
Drivers: Customer Request, Potential Issues
Requestor: Security Department
Linear Integration Approach
Iteration-based, test-only approach:
• After the backlog of security-related items has been reviewed and evaluated by Development Management, a 2-week development cycle (iteration) addresses the highest-ranked items
• Upon delivery of the completed code, security testing is performed both manually and with automated testing tools
• Results from manual and automated scans end up in the same backlog repository, to be reviewed and prioritized by Development Management
Approach
Focus on:
• Developing products in a secure way
• Starting with right Security Requirements
• Static Security Code Analysis
• Dynamic Application Security Testing
• Manual Security Testing on Final Security Review
Security Education
• Define Security Guidelines for Dev & QA
• Develop Test Cases for QA team
• Regular (quarterly) Session with Dev Team to talk about recent vulnerabilities
• Knowledge Sharing
Requirements Definition Stage
• Identity Management (IdM), SSO and Security Control
• Data Segregation
• Data Security & Privacy
• Availability
• Network & Transport Security
• Operation Security
• Define Security Quality Gates
SAST/DAST Security Testing
• Static Code Analysis
• Static Application Security Testing
• Dynamic Application Security Testing
• Custom Automation Testing
• SonarQube with the latest rule set validating each check-in
• Regular (sprint-based) source code and runtime application security scans with IBM AppScan
• Final security audit: SAST and DAST assessment with Veracode
Manual Security Testing - Scope
Manual Security Testing - Activity
• Create a Dev & QA guide applicable to the project
• Create test cases for grey-box testing
• Execute the tests and assist the dev team by explaining the root causes of identified issues and the mitigation approaches
• Validate new functionality and periodically re-test remediated modifications
• Educate the QA and Dev teams
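The two points above that the deck leaves abstract, the logic and rights-separation defects a scanner cannot see and the grey-box test cases QA is asked to write, come together in one added example that is not part of the SoftServe deck: a handler with an insecure direct object reference, its hardened form, and the cross-tenant regression test that catches the defect. The invoice data, user names and function names are constructed for the illustration.

```python
"""Added example, not from the SoftServe deck: an object-level authorization
defect of the kind pattern-matching scanners miss, beside its fix, and the
grey-box regression test a QA engineer would keep for it.
All names and data below are constructed for the illustration."""
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount_cents: int


# Constructed sample data: two tenants, one invoice each.
INVOICES: Dict[int, Invoice] = {
    1001: Invoice(1001, "alice", 12_000),
    1002: Invoice(1002, "bob", 99_000),
}


class Forbidden(Exception):
    """The caller is not allowed to access the requested object."""


def get_invoice_vulnerable(current_user: str, invoice_id: int) -> Invoice:
    """Insecure direct object reference (OWASP 2013 A4).

    The id is validated (it must exist) but ownership is never checked.
    There is no injection and no dangerous sink, so SAST/DAST pattern
    rules have nothing to match; only a reviewer or a test that knows
    the business rule "users read their own invoices" will find it."""
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise LookupError(invoice_id) from None


def get_invoice_hardened(current_user: str, invoice_id: int) -> Invoice:
    """Same lookup with the missing authorization check.

    Unknown ids and other tenants' ids both raise Forbidden, so the
    response does not reveal which invoice ids exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner != current_user:
        raise Forbidden(f"{current_user!r} may not read invoice {invoice_id}")
    return invoice


Handler = Callable[[str, int], Invoice]


def access_outcome(handler: Handler, user: str, invoice_id: int) -> str:
    """Run a handler as `user` and classify the result for the test case."""
    try:
        invoice = handler(user, invoice_id)
    except Forbidden:
        return "forbidden"
    except LookupError:
        return "not_found"
    return "own" if invoice.owner == user else "leaked"


def cross_tenant_leak(handler: Handler, attacker: str, victim_invoice_id: int) -> bool:
    """Grey-box test case: authenticate as one tenant, request another
    tenant's invoice id. True means the handler leaked the object."""
    return access_outcome(handler, attacker, victim_invoice_id) == "leaked"


if __name__ == "__main__":
    # bob (owner of 1002) asks for alice's invoice 1001
    print("vulnerable handler leaks:", cross_tenant_leak(get_invoice_vulnerable, "bob", 1001))
    print("hardened handler leaks:  ", cross_tenant_leak(get_invoice_hardened, "bob", 1001))
```

The test is deliberately written against the business rule rather than against a payload: it needs two accounts and one object id, which is exactly the grey-box knowledge a QA engineer has and a black-box scanner does not. Returning Forbidden for unknown ids as well as foreign ids is a design choice; a separate "not found" response would let an attacker enumerate valid invoice numbers.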
Incident Response Plan
Plan response for security incidents in case of:
• Malicious Code Injection
• Unauthorized Access
• Unauthorized Utilization of Services
• Data Manipulation/Theft
• Virus and other Threats
• Aggressive Probes
Typical involvement
Months 1-4: 1 FTE
• Scoping and prioritization
• Manual testing of critical functionality
• Full source code scan and SonarQube upgrade
Month 5 onwards: 0.25-0.5 FTE
• Complete testing of the remaining functionality
• Scan the changes introduced during the sprint
• Conduct training and collaborate with the QA and Dev teams during design and implementation
Full coverage (figure)
• Continuous vulnerability monitoring / scanning
• Automatic scan & static code review
• Dynamic testing
• Application penetration testing
• WAF
• Risk assessment
• Incident response plan
• Firewall / VPN security
• Backup and recovery
• Infrastructure security
• Business security
• Working with the development team
Value
• Certified security experts control the security of the project
• SoftServe utilizes a diverse set of tools to ensure coverage (IBM, Veracode, PortSwigger, OpenVAS)
• Regular scans that can be integrated into CI
• Education and case studies based on defect severity for Dev and QA
• Following Secure SDLC practices
• And many more
1. 20-40% decrease in time spent on testing/re-testing
2. Catch problems as soon as possible
3. Avoid repetitive security issues
4. Improve the security expertise/practices of the current team
5. Continuous automation & integration
6. Proactive security reporting
7. Full coverage
CI security integration workflow (figure)
• After a successful build, the application is packaged and handed to the security testing tool
• Static analysis reports the exact line of the defective code
• Dynamic tests are run with the security scanner
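One way to implement the security quality gate defined at the requirements stage inside this CI workflow, as an added example that is not the deck's own CI integration: the step reads the scanner's output, prints each finding with its exact file and line, and exits non-zero so the job fails when the gate is exceeded. It assumes the scanner exports SARIF 2.1.0, a common interchange format for SAST output; the SARIF document, rule ids, file paths and thresholds are constructed for the illustration.

```python
"""Added example, not the deck's own CI tooling: a quality gate that reads
scanner output in SARIF 2.1.0 form, prints every finding with its exact
file and line, and returns a non-zero status when the gate is exceeded so
the CI job fails. The SARIF document and the thresholds are constructed
for the illustration."""
import json
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed SARIF 2.1.0 output, as a SAST step would emit after the build.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "query string built from request parameter"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/billing/report.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "weak-hash", "level": "warning",
             "message": {"text": "MD5 used for password storage"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/auth/passwords.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "todo-comment", "level": "note",
             "message": {"text": "TODO left in code"},
             "locations": []},
        ],
    }],
})


@dataclass(frozen=True)
class Finding:
    rule_id: str
    level: str          # SARIF: "error", "warning", "note" or "none"
    uri: str
    line: Optional[int]
    message: str

    def location(self) -> str:
        """file:line when the scanner gave one, otherwise just the file."""
        return f"{self.uri}:{self.line}" if self.line is not None else self.uri


def parse_sarif(text: str) -> List[Finding]:
    """Flatten every result of every run into a Finding with file and line."""
    doc = json.loads(text)
    findings: List[Finding] = []
    for run in doc.get("runs", []):
        for res in run.get("results", []):
            uri: str = "<no location>"
            line: Optional[int] = None
            locs = res.get("locations") or []
            if locs:  # SARIF allows several locations; the first is primary
                phys = locs[0].get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", uri)
                line = phys.get("region", {}).get("startLine")
            findings.append(Finding(
                rule_id=res.get("ruleId", "unknown"),
                level=res.get("level", "warning"),  # SARIF default when omitted
                uri=uri,
                line=line,
                message=res.get("message", {}).get("text", ""),
            ))
    return findings


def evaluate_gate(findings: List[Finding], max_errors: int = 0,
                  max_warnings: int = 5) -> Tuple[bool, Dict[str, int]]:
    """Quality gate: no error-level findings, a bounded number of warnings.
    'note' and 'none' results are informational and never block the build."""
    counts: Dict[str, int] = {"error": 0, "warning": 0, "note": 0, "none": 0}
    for f in findings:
        counts[f.level] = counts.get(f.level, 0) + 1
    passed = counts["error"] <= max_errors and counts["warning"] <= max_warnings
    return passed, counts


def main(text: str = SAMPLE_SARIF) -> int:
    """Print the report and return the process exit code for the CI job."""
    findings = parse_sarif(text)
    for f in findings:
        print(f"[{f.level:7}] {f.location()}  {f.rule_id}: {f.message}")
    passed, counts = evaluate_gate(findings)
    print("quality gate:", "PASS" if passed else "FAIL", counts)
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main())
```

In a pipeline the script runs right after the scanner step with the real SARIF file on standard input or as an argument, and the non-zero exit is what stops the deploy stage. Keep the thresholds in version control next to the pipeline definition so a relaxed gate is a reviewed change rather than a silent one.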
OWASP Top 10 (2013) risk coverage
A1-Injection
A2-Broken Authentication and Session Management
A3-Cross-Site Scripting (XSS)
A4-Insecure Direct Object References
A5-Security Misconfiguration
A6-Sensitive Data Exposure
A7-Missing Function Level Access Control
A8-Cross-Site Request Forgery (CSRF)
A9-Using Components with Known Vulnerabilities
A10-Unvalidated Redirects and Forwards
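For A1 Injection, the risk at the top of that list, an added example that is not from the deck: the pattern a scanner does flag (request data concatenated into a SQL string) beside the parameterized fix, run against an in-memory SQLite database. The table, rows and payload are constructed for the illustration.

```python
"""Added example, not from the SoftServe deck: OWASP 2013 A1 Injection as a
scanner flags it (string-built SQL), beside the parameterized fix, executed
against an in-memory SQLite database with constructed rows."""
import sqlite3
from typing import Dict, List, Tuple

Row = Tuple[str, str]


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.com"),
        ("bob", "bob@example.com"),
    ])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[Row]:
    """Untrusted input concatenated into the SQL text: the injection sink
    that SAST rules match on and DAST probes trigger."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_hardened(conn: sqlite3.Connection, username: str) -> List[Row]:
    """Same query with a bound parameter: the input is always data, never SQL,
    so the payload below is compared literally against the username column."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Classic tautology payload a scanner sends; constructed for the example.
PAYLOAD = "x' OR '1'='1"


def demo() -> Dict[str, List[Row]]:
    """Run the payload and a legitimate lookup through both handlers."""
    conn = make_db()
    try:
        return {
            "vulnerable": find_user_vulnerable(conn, PAYLOAD),   # every row leaks
            "hardened": find_user_hardened(conn, PAYLOAD),       # no such user
            "legit": find_user_hardened(conn, "alice"),          # normal lookup
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:10} -> {rows}")
```

The vulnerable handler returns both accounts for the tautology payload because the quote in the input closes the string literal and the rest becomes SQL; the hardened handler returns nothing because SQLite receives the whole payload as one bound value. Parameter binding is the fix; escaping or filtering quotes is not, since it has to be right for every dialect and every call site.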
High level vision (figure)
CI tools pull the source code, run static code analysis, deploy the application, run dynamic security testing and collect the security reports.
Application Security Toolset: demonstrate your security progress and impress security auditors.
USA HQ
Toll Free: 866-687-3588
Tel: +1-512-516-8880
Ukraine HQ
Tel: +380-32-240-9090
Bulgaria
Tel: +359-2-902-3760
Germany
Tel: +49-69-2602-5857
Netherlands
Tel: +31-20-262-33-23
Poland
Tel: +48-71-382-2800
UK
Tel: +44-207-544-8414
EMAIL
info@softserveinc.com
WEBSITE:
www.softserveinc.com
Thank you!

Android Mobile Application Testing: Specific Functional, Performance, Device ...
 
How to Reduce Time to Market Using Microsoft DevOps Solutions
How to Reduce Time to Market Using Microsoft DevOps SolutionsHow to Reduce Time to Market Using Microsoft DevOps Solutions
How to Reduce Time to Market Using Microsoft DevOps Solutions
 
Containerization: The DevOps Revolution
Containerization: The DevOps Revolution Containerization: The DevOps Revolution
Containerization: The DevOps Revolution
 
Essential Data Engineering for Data Scientist
Essential Data Engineering for Data Scientist Essential Data Engineering for Data Scientist
Essential Data Engineering for Data Scientist
 
Rapid Prototyping for Big Data with AWS
Rapid Prototyping for Big Data with AWS Rapid Prototyping for Big Data with AWS
Rapid Prototyping for Big Data with AWS
 
Implementing Test Automation: What a Manager Should Know
Implementing Test Automation: What a Manager Should KnowImplementing Test Automation: What a Manager Should Know
Implementing Test Automation: What a Manager Should Know
 
Using AWS Lambda for Infrastructure Automation and Beyond
Using AWS Lambda for Infrastructure Automation and BeyondUsing AWS Lambda for Infrastructure Automation and Beyond
Using AWS Lambda for Infrastructure Automation and Beyond
 
Advanced Analytics and Data Science Expertise
Advanced Analytics and Data Science ExpertiseAdvanced Analytics and Data Science Expertise
Advanced Analytics and Data Science Expertise
 
Agile Big Data Analytics Development: An Architecture-Centric Approach
Agile Big Data Analytics Development: An Architecture-Centric ApproachAgile Big Data Analytics Development: An Architecture-Centric Approach
Agile Big Data Analytics Development: An Architecture-Centric Approach
 
Big Data as a Service: A Neo-Metropolis Model Approach for Innovation
Big Data as a Service: A Neo-Metropolis Model Approach for InnovationBig Data as a Service: A Neo-Metropolis Model Approach for Innovation
Big Data as a Service: A Neo-Metropolis Model Approach for Innovation
 
Personalized Medicine in a Contemporary World by Eugene Borukhovich, SVP Heal...
Personalized Medicine in a Contemporary World by Eugene Borukhovich, SVP Heal...Personalized Medicine in a Contemporary World by Eugene Borukhovich, SVP Heal...
Personalized Medicine in a Contemporary World by Eugene Borukhovich, SVP Heal...
 
Health 2.0 WinterTech: Will Artificial Intelligence change healthcare? by Eug...
Health 2.0 WinterTech: Will Artificial Intelligence change healthcare? by Eug...Health 2.0 WinterTech: Will Artificial Intelligence change healthcare? by Eug...
Health 2.0 WinterTech: Will Artificial Intelligence change healthcare? by Eug...
 
Managing Requirements with Word and TFS by Max Markov
Managing Requirements with Word and TFS by Max MarkovManaging Requirements with Word and TFS by Max Markov
Managing Requirements with Word and TFS by Max Markov
 
How to Implement Hybrid Cloud Solutions Successfully
How to Implement Hybrid Cloud Solutions SuccessfullyHow to Implement Hybrid Cloud Solutions Successfully
How to Implement Hybrid Cloud Solutions Successfully
 
Designing Big Data Systems Like a Pro
Designing Big Data Systems Like a ProDesigning Big Data Systems Like a Pro
Designing Big Data Systems Like a Pro
 
Product Management in Outsourcing by Roman Kolodchak and Roman Pavlyuk
Product Management in Outsourcing by Roman Kolodchak and Roman PavlyukProduct Management in Outsourcing by Roman Kolodchak and Roman Pavlyuk
Product Management in Outsourcing by Roman Kolodchak and Roman Pavlyuk
 
From Sandbox to Production by Vadym Fedorov
From Sandbox to Production by Vadym FedorovFrom Sandbox to Production by Vadym Fedorov
From Sandbox to Production by Vadym Fedorov
 

Dernier

Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Rob Geurden
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identityteam-WIBU
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...OnePlan Solutions
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Mater
 
Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commercemanigoyal112
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Matt Ray
 
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxReal-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxRTS corp
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)jennyeacort
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsChristian Birchler
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationBradBedford3
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作qr0udbr0
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Velvetech LLC
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZABSYZ Inc
 
VK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web DevelopmentVK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web Developmentvyaparkranti
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 

Dernier (20)

Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identity
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)
 
Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commerce
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
 
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxReal-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion Application
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
Advantages of Odoo ERP 17 for Your Business
Advantages of Odoo ERP 17 for Your BusinessAdvantages of Odoo ERP 17 for Your Business
Advantages of Odoo ERP 17 for Your Business
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZ
 
VK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web DevelopmentVK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web Development
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 

Digital Product Security Agenda

2. Agenda
• About me
• Know your enemy first: Cyberattacks against modern business
• Anatomy and security issues in Product Development
• Tips and Tricks: Develop software security by design
• How to get ROI
• People, Process, Tools
• References
2016

3. About me
Nazar Tymoshyk, Ph.D., CEH
Security Consulting Lead @ SoftServe
Manage Security Red Team
OWASP Chapter Lead L'viv
Penetration Tester
Certified Ethical Hacker
Researcher
General summary:
• 10+ years of experience in Information Security
• 15+ years of UNIX systems network administration experience
• 15+ years of MS Windows * administration experience
• 4 years of Novell service and products administration experience
• 1+ year of Oracle DB administration as a DBA
• 15+ years in network infrastructure management

4. Attack surface
Attackers are targeting applications

5. Data breaches and cyber attacks in June 2016 (289,150,000+ records leaked)
https://www.itgovernance.co.uk/blog/category/other-blogs/breaches-hacks/

8. Anatomy and security issues in Product Development

9. Developer vs Security Officer
Developer:
• Focus on functional requirements
• Knows about: OWASP Top 10; 1 threat (DEADLINE fail)
• Concentrated on risks
«I know when I’m writing code I’m not thinking about evil, I’m just trying to think about functionality» (Scott Hanselman)
«Risks are for managers, not developers» (Unknown)
Security Officer:
• Focused on security requirements
• Knows the difference between vulnerability and attack
• Focused on the toolset and its output
• Focused on vulnerabilities

10. Application security testing tools are being sold as a solution to the problem of insecure software
Many of the CWE vulnerability types are design issues or business logic issues.
Why doesn’t code analysis resolve the problem?

11. Scanners Cannot THINK
Security Scanner is not a panacea
Looking for known, defined and predictable patterns
Not searching for:
• Logical defects
• Rights separation
• Complex attack vectors
• Defects in architecture and design
• Real Cryptography level
• Etc.
Scanners create the Illusion of SAFETY

12. QA Engineer vs Security Analyst
In functional and performance testing, the expected results are documented before the test begins, and the quality assurance team looks at how well the expected results match the actual results.
In security testing, the security analyst team is concerned only with unexpected results, testing for the unknown, and looking for weaknesses.

13. Tips and Tricks: Develop software security by design

14. Problems to Solve
• Determine activities that pay back faster in the current state of the project
• Avoid inconsistent levels of security
• Minimize the cost of security related issues
• Avoid repetitive security issues

15. Value Delivered
• Reduced cost of security issue resolution
• 3rd party evaluator during the initial penetration test didn’t find any serious security vulnerability
• Delivered Secure Source Code, Secure Deployment, Secure Infrastructure
• Application fully compliant (HIPAA, PCI, SOC, PII)
• Metrics of security progress increased trust for key stakeholders and clients

16. Generic Approach for Security: Secure SDLC
From proactive approach (early phases) to reactive approach (late phases), one set of activities per phase:
• Design: security requirements / risk and threat analysis
• Build: coding guidelines / code reviews / static analysis
• Test: security testing / dynamic analysis
• Production: vulnerability scanning / WAF

17. How the security process looks in reality
Most issues are found by security auditors prior to going live.
Then the process of re-Coding, re-Building, re-Testing, re-Auditing starts.
BACK to re-Coding, re-Building, re-Testing, re-Auditing.

18. How much time do you need to fix security issues in an app?
• 4+ Weeks
• 3-4 Weeks
• 2-3 Weeks
• 0-1 Week
82 percent of applications that were remediated to a satisfactory level did so in a week or less.

19. Simple ROI of Product security
Reduce costs by finding application vulnerabilities early*
Figure 2: By identifying vulnerabilities early in the application lifecycle, your organization can prevent unnecessary costs when fixing application security issues. The costs represented in this illustration are based on a hypothetical hourly rate, but the magnitude of cost escalation that occurs through the application lifecycle is typical of what many organizations experience.
*Estimated costs based on IBM Global Business Services industry standards

20. How it should look
How do you add Security in? With a proper Security Program the number of security defects should decrease from phase to phase.

22. Business Issue
Client realized that most of his competitors had already been hacked and his company could be the next target. He wanted to:
• Stay compliant
• Protect his Intellectual Property
• Protect client data
• Demonstrate excellence and high code quality
• Avoid a data breach
• Minimize security costs
Drivers: Customer Request, Potential Issues
Requestor: Security Department

24. Iteration Based Test Only Approach
• After the backlog of security related items has been reviewed and evaluated by Development Management, a 2-week Development cycle (iteration) will address the highest ranked items
• Upon delivery of completed code, security testing is performed both manually and using automated testing tools
• Results from manual and automated scans end up in the same backlog repository, to be reviewed and prioritized by Development Management

26. Approach
Focus on:
• Developing products in a secure way
• Starting with the right Security Requirements
• Static Security Code Analysis
• Dynamic Application Security Testing
• Manual Security Testing on Final Security Review

27. Security Education
• Define Security Guidelines for Dev & QA
• Develop Test Cases for the QA team
• Regular (quarterly) session with the Dev Team to talk about recent vulnerabilities
• Knowledge Sharing

28. Requirements Definition Stage
• Identity Management (IdM), SSO and Security Control
• Data Segregation
• Data Security & Privacy
• Availability
• Network & Transport Security
• Operation Security
• Define Security Quality Gates

29. SAST/DAST Security Testing
• Static Code Analysis
• Static Application Security Testing
• Dynamic Application Security Testing
• Custom Automation Testing
• SonarQube with the latest rule set to validate each check-in
• Regular (sprint based) security scan of the source code and of the application at runtime with IBM AppScan
• Final security audit: SAST & DAST security assessment with Veracode

31. Manual Security Testing – Activity
• Create a Dev & QA guide applicable to the project
• Create Test Cases for Grey Box testing
• Execute tests and assist the dev team by explaining root causes and mitigation approaches for identified issues
• Validation of new functionality and periodic remediation for modifications
• Educate the QA and Dev team

32. Incident Response Plan
Plan the response for security incidents in case of:
• Malicious Code Injection
• Unauthorized Access
• Unauthorized Utilization of Services
• Data Manipulation/Theft
• Virus and other Threats
• Aggressive Probes

33. Typical involvement
1st-4th month – 1 FTE
• Scoping and prioritization
• Manual Testing of critical functionality
• Full source code scan and SonarQube upgrade
5th month onwards – 0.25-0.5 FTE
• Complete test of remaining functionality
• Scan changes introduced during the sprint
• Conduct Training and collaborate with the QA and Dev Team during design and implementation

34. Continuous Vulnerability Monitoring / Scanning
• Automatic scan & Static Code Review
• Dynamic Testing
• Risk assessment
• WAF
• Incident Response plan
• Firewall / VPN security
• Backup and Recovery
• Infrastructure Security
• Application Penetration testing
• Business security

37. Value
• Certified security experts to control the security of the project
• SoftServe utilizes a different set of tools to ensure coverage (IBM, Veracode, PortSwigger, OpenVAS)
• Regular scans that could be integrated into CI
• Education and case studies based on defect severity for Dev and QA
• Following Secure SDLC practices
• And many more
1. 20-40% decrease in time for testing/re-testing
2. Catch problems as soon as possible
3. Avoid repetitive security issues
4. Improve Security Expertise/Practices for the current Team
5. Continuous Automation & Integration
6. Proactive Security Reporting
7. Full coverage

38. After a successful build we pack the app to transfer it to the Security testing tool
Detect the exact line of bugged code

39. CI security integration Workflow
Dynamic tests with Security scanner
OWASP Top 10 Risk coverage:
• A1-Injection
• A2-Broken Authentication and Session Management
• A3-Cross-Site Scripting (XSS)
• A4-Insecure Direct Object References
• A5-Security Misconfiguration
• A6-Sensitive Data Exposure
• A7-Missing Function Level Access Control
• A8-Cross-Site Request Forgery (CSRF)
• A9-Using Components with Known Vulnerabilities
• A10-Unvalidated Redirects and Forwards

40. High level vision
Components of the pipeline:
• Pull source code
• CI tools
• Static Code Analysis
• Deploying application
• Dynamic Security testing
• Security Reports
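The security quality gate named on slide 28 and the CI workflow of slides 38-40 (static scan at check-in, dynamic scan of the deployed build, consolidated security reports) meet in one pipeline step: a gate that decides whether the build proceeds. The following is an added example, not code from the deck or from SoftServe. It assumes the scanners' findings have already been normalised into a constructed JSON list with tool, severity, rule, location and phase fields (an assumed schema, not the native report format of SonarQube, IBM AppScan or Veracode), fails the build when any severity exceeds its budget, and lists the offending findings with their location so the developer sees the exact line that slide 38 promises.

```python
"""Security quality gate for a CI pipeline (added example, not from the deck).

Assumes each scanner's findings have been exported to a common, constructed
JSON shape: [{"tool", "severity", "rule", "location", "phase"}]. This is NOT
the native report format of SonarQube, IBM AppScan or Veracode.
"""
import json
from collections import Counter

SEVERITY_ORDER = ("critical", "high", "medium", "low")

# Constructed sample report: what a normalisation step might emit after the
# static (SAST) and dynamic (DAST) scans of one build. Paths and URLs are made up.
SAMPLE_REPORT = json.dumps([
    {"tool": "sast", "severity": "high", "rule": "sql-injection",
     "location": "src/db/query.py:42", "phase": "build"},
    {"tool": "sast", "severity": "medium", "rule": "weak-hash",
     "location": "src/auth/password.py:17", "phase": "build"},
    {"tool": "dast", "severity": "medium", "rule": "missing-csp-header",
     "location": "https://staging.example.test/", "phase": "test"},
    {"tool": "dast", "severity": "low", "rule": "server-banner",
     "location": "https://staging.example.test/", "phase": "test"},
    {"tool": "sast", "severity": "low", "rule": "unused-import",
     "location": "src/util/io.py:3", "phase": "build"},
])

# Gate policy (assumed): maximum number of open findings tolerated per severity
# before the pipeline fails. Zero criticals and highs is the usual starting point.
DEFAULT_POLICY = {"critical": 0, "high": 0, "medium": 5, "low": 20}


def load_findings(report_json):
    """Parse the normalised report and reject unknown severity labels."""
    findings = json.loads(report_json)
    for f in findings:
        if f["severity"] not in SEVERITY_ORDER:
            raise ValueError(f"unknown severity {f['severity']!r} in {f}")
    return findings


def count_by_severity(findings):
    """Open findings per severity, always reporting every known severity."""
    counts = Counter(f["severity"] for f in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def evaluate_gate(findings, policy=DEFAULT_POLICY):
    """Return (passed, violations).

    Each violation names the severity that is over budget together with the
    findings that caused it, so the build log shows exactly what blocked the
    release instead of a bare pass/fail.
    """
    counts = count_by_severity(findings)
    violations = []
    for sev in SEVERITY_ORDER:
        limit = policy.get(sev, 0)  # severities absent from the policy get no budget
        if counts[sev] > limit:
            violations.append({
                "severity": sev, "count": counts[sev], "limit": limit,
                "findings": [f for f in findings if f["severity"] == sev],
            })
    return (not violations), violations


def defects_by_phase(findings):
    """Findings per lifecycle phase: with a working security programme this
    count should decrease from phase to phase, as slide 20 expects."""
    return dict(Counter(f["phase"] for f in findings))


def main():
    findings = load_findings(SAMPLE_REPORT)
    passed, violations = evaluate_gate(findings)
    print("findings by severity:", count_by_severity(findings))
    print("findings by phase:", defects_by_phase(findings))
    for v in violations:
        print(f"GATE FAIL: {v['count']} {v['severity']} finding(s), limit {v['limit']}")
        for f in v["findings"]:
            print(f"  [{f['tool']}] {f['rule']} at {f['location']}")
    print("quality gate:", "PASSED" if passed else "FAILED")
    return 0 if passed else 1  # non-zero exit code stops the CI job


if __name__ == "__main__":
    raise SystemExit(main())
```

The policy dictionary is the quality gate itself. A team that tightens it sprint by sprint (fewer mediums allowed, then fewer lows) enforces the decreasing defect count per phase that slide 20 describes, and defects_by_phase supplies the number to report to stakeholders.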
44. Contacts
USA HQ Toll Free: 866-687-3588, Tel: +1-512-516-8880
Ukraine HQ Tel: +380-32-240-9090
Bulgaria Tel: +359-2-902-3760
Germany Tel: +49-69-2602-5857
Netherlands Tel: +31-20-262-33-23
Poland Tel: +48-71-382-2800
UK Tel: +44-207-544-8414
EMAIL: info@softserveinc.com
WEBSITE: www.softserveinc.com
Thank you!