This document discusses software security and how companies can manage it. It begins with an introduction to software security risks from the perspectives of end users and companies. It then explains how companies can implement software security best practices using OWASP (Open Web Application Security Project) standards and processes. This includes incorporating security activities like risk assessments, secure design reviews, and testing throughout the entire software development lifecycle (SDLC). The document emphasizes that without focusing on security, vulnerabilities will exist, and that the OWASP resources can help integrate security practices.

1. Software Security in a
interconnected world
Matteo Meucci, CEO @ Minded Security – 10th November 2016
Università degli Studi di Napoli ‘’L’Orientale’’

2. <AGENDA>
1. Introduction to Software Security
1.1 Who uses software?
1.2 What are the risks for the end users?
1.3 What are the risks for the Companies?
2. How can a Company manage Software Security?
2.2 The OWASP standards
2.2 Software Security Processes
</AGENDA>

3. Informatics Engineer (since 2001)
Research
• OWASP contributor (since 2002)
• OWASP-Italy Chair (since 2005)
• OWASP Testing Guide Lead (since 2006)
Work
• 15+ years on Information Security focusing on
Software Security
• CEO @ Minded Security – The Software
Security Company (since 2007)
3
Who am I?

4. 1. INTRODUCTION TO SOFTWARE
SECURITY
1.1 SCENARIO: WHO USES SOFTWARE?

5. EVERYONE IS CONNECTED!

6. EVERYONE USES SOFTWARE!
Users
Cyber criminals
Companies
Governments

7. 1.2 FROM THE END USER POINT OF
VIEW: WHAT ARE THE RISKS?

8. HOW CAN I UNDERSTAND IF AN APP IS SAFE OR NOT?

9. It’s secure! It’s on the
store! Sure! Everyone uses it!
IS THIS APP “SECURE”?

10. HOW CAN I UNDERSTAND IF AN APPLICATION IS “SECURE”?

11. It’s secure! Looks at the
lock, down on the right!
It’s secure! It’s Google!
Sure! The news said
that is unbreakable!
IS YOUR GOOGLE MAIL “SECURE”?

12. Gmail vulnerability: 2 days ago

13. USER risks
• Software not updated: critical risk
• Shared Software: high risk
• Implicit trust: high risk

14. Operative system not updated
• http://www.eweek.com/security/google-patches-39-android-vulnerabilities-in-april-update.html

15. Software not updated
250 M of users are still using XP with no updated software for example Internet
Explorer
An e-mail or a Web site can compromise a pc with XP in a few seconds!!!

16. Shared software

17. Implicit Trust (e.g.: WiFi Pineapple)
• How many of you connect automatically to
open wifi?
• How many of you think that it is dangerous to
do that?
• Let’s show you the result of a test done at the
last Festival of Journalism in Perugia

18. Wifi Sniffing at IJF 2016

19. Man-in-the-middle IJF 2016 results

20. Risk: disclosure of sensitive information

21. From an end user point of view
• There is not perception of the usage of a secure
software or not
• Most of the users download everything (risk
malware), interact with everything (risk possible
exploit of vulnerabilities), trust everything (risk
possible disclosure of information)

22. 1.3 FROM A COMPANY POINT OF VIEW

23. Actors
User: who uses the
software
Ministry of
Informatics:
who buys the
software
Development teams
(internal/external):
who develops the
software

24. Press conference for the launch of the service
Now you can take advantage
of a new service on the
portal of the Ministry of
Informatics
Fantastic!! Compliments!!

25. The day after…

26. Users access to the portal…
John Black – 12/12/1970 – JBlack@company.com
Josh White - 10/09/1982 – White@bank.com
Paul Red– 09/02/1960 – Paul@bank.com

27. Users access to the portal…
Oh oh...I find a problem...

28. Some days after…

29. The reactions…
Ohh..how it was possible?
Fault of the developers!
but it is impossible !?
We followed all your
instructions
If you do not ask for security, no one will develop secure software

30. • The Vulnerabilities in the software development
process are expected.
• The control of the security bugs and flaws in the
software should be considered as part of the process
of software development.
SOFTWARE SECURITY PRINCIPLES

31. 2. HOW CAN A COMPANY MANAGE
"SECURE SOFTWARE”?
2.1 THE OWASP STANDARDS

32. • The Open Web Application Security Project (OWASP) is
a 501c3 not-for-profit also registered in Europe as a
worldwide charitable organization focused on
improving the security of software.
• Our mission is to make application security visible, so
that people and organizations can make informed
decisions about true application security risks.
• Everyone is welcomed to participate in OWASP and all
of our materials are available under free and open
software licenses.
OWASP

33. BUILD SECURE SOFTWARE

34. 1: Parameterize Queries
2: Encode Data
3: Validate All Inputs
4: Implement Appropriate Access Controls
5: Establish Identity and Authentication Controls
6: Protect Data and Privacy
7: Implement Logging, Error Handling and Intrusion
Detection
8: Leverage Security Features of Frameworks and
Security Libraries
9: Include Security-Specific Requirements
10: Design and Architect Security In
Project leaders:
Jim.Manico@owasp.org
Jim.Bird@owasp.org
Katy.Anton@owasp.org
TOP10 PROACTIVE CONTROLS (BUILDERS)

35. Hack your code!

36. www.owasp.org/index.php/Code_Review_Guide
CODE REVIEW GUIDE (BREAKERS)
• Most comprehensive open
source secure code review
guide on the web
• Years of development effort
• Version 2 alfa 2016
• Numerous contributors
• Project Leader and Editor
 eoin.keary@owasp.org

37. www.owasp.org/index.php/Testing_Guide
• Most comprehensive open
source secure testing guide
on the web
• Years of development effort
• Version 4.0 produced in 2014
• Hundred of contributors
• Project Leader and Editor
• Matteo Meucci, Andrew Muller
 matteo.meucci@owasp.org,
andrew.muller@owasp.org
TESTING GUIDE (BREAKERS)

38. THE OWASP GUIDES: COMMUNITY DRIVEN FOR ALL THE
ENTERPRISES

39. Fight with the same weapons (knowledge)

40. 2.2 HOW TO USE THE OWASP
STANDARDS IN YOUR
PROCESSES

41. Roles and responsibilities
Define Design Develop Deploy Maintain
Risk
Assessment
Secure
Design
Design
Review
Software
Acceptance
Web Intrusion
Monitoring
Secure
Requirements
Threat
Modeling
Secure
Development
Secure
Installation
Change
Management
Secure
Architecture
SCR and
WAPT
Hardening
Fixing
Business Analyst
Security Manager
Business Analyst
AppSec Specialist
Business Analyst
Software Architect,
AppSec Specialist
Security Manager
Application Owner
Software Architect
Security Manager
Security Manager
Developer
AppSec Specialist
Developer
Security Manager
App Owner
Sistemista
Sistemista
AppSec Specialist
Sec Manager
App Owner
Develper

42. Software Security Maturity
Define Design Develop Deploy Maintain
Risk
Assessment
Secure
Design
Design
Review
Application
Penetration
Testing
Web Intrusion
Monitoring
Secure
Requirements
Threat
Modeling
Secure
Development
Software
Acceptance
Change
Management
Secure
Architecture
Secure Code
Review
Secure
Installation
Fixing Hardening
Source: Minded Security – Results of 12 SAMM assessments from 2012 to 2015
20
%
60
%
30
%
10
%
30
%
30
%
60
%
40
%
30
%
90
%
30
%
50
%
60
%
40
%
40
%

43. OWASP resources into your SDLC
If you do not ask for security, no one will develop secure software
Use the OWASP Software Contract Annex to regulate your
outsourcer contracts
If you do not know the application threats, you will develop unsecure software
Use the OWASP Top 10 for General Awareness
Use the CISO Guide for Management’s Awareness
Vulnerabilities in the software development process are expected
Use the OWASP Building Guide and ESAPI to write more secure software
Use the OWASP Secure Code Review Guide to review the code
Use the OWASP Testing Guide to review to test your application

44. OWASP resources into your SDLC
The fixing process is the most important step of the process of software security
Retest your application after a bug fixing or a new release to be
sure that the right implementations are in place
How can I manage the Software Security Governance?
Use the OWASP SAMM to assess your maturity and to build
an Application Security Program to manage the SDLC

45. CONCLUSIONS

46. • Awareness on SwSec! From developers to analyst, application owner,
management.
• Hire Information Security managers: Application Security manager and
Privacy Security managers
• Software Security Program: without a program and assigned
responsibilities it is difficult to manage Software Security.
NEXT STEPS: WHAT IS MISSING TODAY?

47. QUESTIONS?
WWW.MINDEDSECURITY.COM
MATTEO.MEUCCI@MINDEDSECURITY.COM
THANKS!