SlideShare une entreprise Scribd logo

Security as a part of quality assurance

Boy Baukema
Boy Baukema
Technologie
1  sur  24
Télécharger pour lire hors ligne
Security A part of Quality Assurance
In custom software, 
 if you haven’t properly tested it, it probably doesn’t work. This goes for both functional and nonfunctional requirements. ! Worse yet if you 
 don’t even know what ‘it’ is supposed to be.
Boy Baukema Security Specialist @ Ibuildings.nl
Security what? Senior Engineer + interest in WebAppSec + 4 hours a week R&D + internal training & consultancy + internal & external auditing
Wait, where?
You
The plan 1. The journey 2. The holy grail 3. Riding off into the sunset
– My CTO “Make security something I can sell, give managers a knob to turn.”
LEVEL 1 LEVEL 2 LEVEL 3 CHAPTER 1
 1.1
 1.2
 1.3 ! X ! ! X ! X ! X X X CHAPTER 2
 2.1
 2.2
 2.3 X
 X 
 X X
 X ! X X
 X
ASVS (2013) Levels Level 0 - Bullshit compliance level (0) Level 1 - Opportunistic (47) Level 2 - Standard (136) Level 3 - Advanced (164)
ASVS Chapters V1. Authentication V2. Session Management V3. Access Control V4. Input Validation V5. Cryptography (at Rest) V6. Error Handling and Logging V7. Data Protection ! V8. Communication Security V9. HTTP Security V10. Malicious Controls V11. Business Logic V12. Files and Resources V13. Mobile
V1.4. Verify that credentials and all other identity information handled by the application does not traverse unencrypted or weakly encrypted links. (level 1, 2 & 3) !
–OWASP ASVS 2009 Level 2 V2.7 Verify that the strength of any authentication credentials are sufficient to withstand attacks that are typical of the threats in the deployed environment.
AASVS 2009, Scanners & 
 Report Generator
–Sahba Kazerooni “Done any day now!”
–OWASP ASVS 2013 Beta, 
 Application Security Verification Levels “… scope of the verification may go beyond the application’s custom-built code and include external components. Achieving a verification level under such scrutiny can be represented by annotating a “+” symbol to the verification level”
OWASP AASVS 2013
Security Assurance Maturity Model
Security Testing One aspect of a Secure Development LifeCycle
To be continued...

Recommandé

Getting job as security engineer
Getting job as security engineerGetting job as security engineer
Getting job as security engineerManish Agrawal
 
Spring Security in Action
Spring Security in ActionSpring Security in Action
Spring Security in ActionManning Publications
 
Some Myths in Software Development
Some Myths in Software DevelopmentSome Myths in Software Development
Some Myths in Software Developmentbryanbibat
 
Iftikar_Resume
Iftikar_ResumeIftikar_Resume
Iftikar_ResumeIftikar Ayub C
 
Java ppt
Java pptJava ppt
Java pptShimpyInfotech Institute
 
Java ppt
Java pptJava ppt
Java pptmansi sharma
 
TDC PoA submission
TDC PoA submissionTDC PoA submission
TDC PoA submissionMarcelo Yuri Benesciutti
 
Barney Edwards Resume 10.29.15
Barney Edwards Resume 10.29.15Barney Edwards Resume 10.29.15
Barney Edwards Resume 10.29.15Barney Edwards
 

Recommandé

Getting job as security engineer
Getting job as security engineerGetting job as security engineer
Getting job as security engineerManish Agrawal
 
Spring Security in Action
Spring Security in ActionSpring Security in Action
Spring Security in ActionManning Publications
 
Some Myths in Software Development
Some Myths in Software DevelopmentSome Myths in Software Development
Some Myths in Software Developmentbryanbibat
 
Iftikar_Resume
Iftikar_ResumeIftikar_Resume
Iftikar_ResumeIftikar Ayub C
 
Java ppt
Java pptJava ppt
Java pptShimpyInfotech Institute
 
Java ppt
Java pptJava ppt
Java pptmansi sharma
 
TDC PoA submission
TDC PoA submissionTDC PoA submission
TDC PoA submissionMarcelo Yuri Benesciutti
 
Barney Edwards Resume 10.29.15
Barney Edwards Resume 10.29.15Barney Edwards Resume 10.29.15
Barney Edwards Resume 10.29.15Barney Edwards
 
Session 1: ICT & Meaningful Learning
Session 1: ICT & Meaningful LearningSession 1: ICT & Meaningful Learning
Session 1: ICT & Meaningful LearningAshley Tan
 
ICT Quality Assurance
ICT Quality AssuranceICT Quality Assurance
ICT Quality AssuranceAshley Tan
 
Test Life Cycle
Test Life CycleTest Life Cycle
Test Life CycleNilesh Patange
 
Quality Assurance in Software Ind.
Quality Assurance in Software Ind.Quality Assurance in Software Ind.
Quality Assurance in Software Ind.Heritage Institute Of Tech,India
 
2 quality assurance
2 quality assurance2 quality assurance
2 quality assuranceJyothi Chinnasamy
 
Quality Assurance Vs Quality Control
Quality Assurance Vs Quality ControlQuality Assurance Vs Quality Control
Quality Assurance Vs Quality ControlYogita patil
 
Introduction To Software Quality Assurance
Introduction To Software Quality AssuranceIntroduction To Software Quality Assurance
Introduction To Software Quality Assuranceruth_reategui
 
Quality Assurance and Software Testing
Quality Assurance and Software TestingQuality Assurance and Software Testing
Quality Assurance and Software Testingpingkapil
 
QUALITY ASSURANCE
QUALITY ASSURANCEQUALITY ASSURANCE
QUALITY ASSURANCEPharmaceutical
 
Dpc14 security as part of Quality Assurance
Dpc14 security as part of Quality AssuranceDpc14 security as part of Quality Assurance
Dpc14 security as part of Quality AssuranceBoy Baukema
 
Security as a New Metric for Your Business, Product and Development Lifecycle...
Security as a New Metric for Your Business, Product and Development Lifecycle...Security as a New Metric for Your Business, Product and Development Lifecycle...
Security as a New Metric for Your Business, Product and Development Lifecycle...IT Arena
 
Security as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development LifecycleSecurity as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development LifecycleNazar Tymoshyk, CEH, Ph.D.
 
Agile and Secure Development
Agile and Secure DevelopmentAgile and Secure Development
Agile and Secure DevelopmentNazar Tymoshyk, CEH, Ph.D.
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended CutMike Spaulding
 
Mike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security ProgramMike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security Programcentralohioissa
 
개발자가 알아야 할 보안
개발자가 알아야 할 보안개발자가 알아야 할 보안
개발자가 알아야 할 보안Johnny Cho
 
Security Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSecurity Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSoftServe
 
Agnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know itAgnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know itSecurity BSides London
 
Security
SecuritySecurity
SecurityZuko Lopez
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityAnne Oikarinen
 
Certified Ethical Hacking (CEH V9) Course Details | EC-Council
Certified Ethical Hacking (CEH V9) Course Details | EC-CouncilCertified Ethical Hacking (CEH V9) Course Details | EC-Council
Certified Ethical Hacking (CEH V9) Course Details | EC-CouncilCRAW CYBER SECURITY PVT LTD
 
Application Security Risk Assessment
Application Security Risk AssessmentApplication Security Risk Assessment
Application Security Risk AssessmentThomas Kurian Ambattu,CRISC,ISLA-2011 (ISC)²
 

Contenu connexe

En vedette

Session 1: ICT & Meaningful Learning
Session 1: ICT & Meaningful LearningSession 1: ICT & Meaningful Learning
Session 1: ICT & Meaningful LearningAshley Tan
 
ICT Quality Assurance
ICT Quality AssuranceICT Quality Assurance
ICT Quality AssuranceAshley Tan
 
Quality Assurance Vs Quality Control
Quality Assurance Vs Quality ControlQuality Assurance Vs Quality Control
Quality Assurance Vs Quality ControlYogita patil
 
Introduction To Software Quality Assurance
Introduction To Software Quality AssuranceIntroduction To Software Quality Assurance
Introduction To Software Quality Assuranceruth_reategui
 
Quality Assurance and Software Testing
Quality Assurance and Software TestingQuality Assurance and Software Testing
Quality Assurance and Software Testingpingkapil
 

En vedette (9)

Session 1: ICT & Meaningful Learning
Session 1: ICT & Meaningful LearningSession 1: ICT & Meaningful Learning
Session 1: ICT & Meaningful Learning
 
ICT Quality Assurance
ICT Quality AssuranceICT Quality Assurance
ICT Quality Assurance
 
Test Life Cycle
Test Life CycleTest Life Cycle
Test Life Cycle
 
Quality Assurance in Software Ind.
Quality Assurance in Software Ind.Quality Assurance in Software Ind.
Quality Assurance in Software Ind.
 
2 quality assurance
2 quality assurance2 quality assurance
2 quality assurance
 
Quality Assurance Vs Quality Control
Quality Assurance Vs Quality ControlQuality Assurance Vs Quality Control
Quality Assurance Vs Quality Control
 
Introduction To Software Quality Assurance
Introduction To Software Quality AssuranceIntroduction To Software Quality Assurance
Introduction To Software Quality Assurance
 
Quality Assurance and Software Testing
Quality Assurance and Software TestingQuality Assurance and Software Testing
Quality Assurance and Software Testing
 
QUALITY ASSURANCE
QUALITY ASSURANCEQUALITY ASSURANCE
QUALITY ASSURANCE
 

Similaire à Security as a part of quality assurance

Dpc14 security as part of Quality Assurance
Dpc14 security as part of Quality AssuranceDpc14 security as part of Quality Assurance
Dpc14 security as part of Quality AssuranceBoy Baukema
 
Security as a New Metric for Your Business, Product and Development Lifecycle...
Security as a New Metric for Your Business, Product and Development Lifecycle...Security as a New Metric for Your Business, Product and Development Lifecycle...
Security as a New Metric for Your Business, Product and Development Lifecycle...IT Arena
 
Security as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development LifecycleSecurity as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development LifecycleNazar Tymoshyk, CEH, Ph.D.
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended CutMike Spaulding
 
Mike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security ProgramMike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security Programcentralohioissa
 
개발자가 알아야 할 보안
개발자가 알아야 할 보안개발자가 알아야 할 보안
개발자가 알아야 할 보안Johnny Cho
 
Security Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSecurity Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSoftServe
 
Agnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know itAgnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know itSecurity BSides London
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityAnne Oikarinen
 
Certified Ethical Hacking (CEH V9) Course Details | EC-Council
Certified Ethical Hacking (CEH V9) Course Details | EC-CouncilCertified Ethical Hacking (CEH V9) Course Details | EC-Council
Certified Ethical Hacking (CEH V9) Course Details | EC-CouncilCRAW CYBER SECURITY PVT LTD
 
Software risk management
Software risk managementSoftware risk management
Software risk managementJose Javier M
 
wannabe Cyberpunk; “I don’t know what I’m supposed to do.”
wannabe Cyberpunk; “I don’t know what I’m supposed to do.”wannabe Cyberpunk; “I don’t know what I’m supposed to do.”
wannabe Cyberpunk; “I don’t know what I’m supposed to do.”Moshiul Islam, CISSP, CISA, CFE
 
Owasp tds
Owasp tdsOwasp tds
Owasp tdssnyff
 
Horusec - Security & Vulnerability
Horusec - Security & VulnerabilityHorusec - Security & Vulnerability
Horusec - Security & VulnerabilityKnoldus Inc.
 
The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009Security Ninja
 
Keynote Session : NIST - Cyber Security Framework Measuring Security
Keynote Session : NIST - Cyber Security Framework Measuring SecurityKeynote Session : NIST - Cyber Security Framework Measuring Security
Keynote Session : NIST - Cyber Security Framework Measuring SecurityPriyanka Aash
 
12 Crucial Windows Security Skills for 2018
12 Crucial Windows Security Skills for 201812 Crucial Windows Security Skills for 2018
12 Crucial Windows Security Skills for 2018Paula Januszkiewicz
 

Similaire à Security as a part of quality assurance (20)

Dpc14 security as part of Quality Assurance
Dpc14 security as part of Quality AssuranceDpc14 security as part of Quality Assurance
Dpc14 security as part of Quality Assurance
 
Security as a New Metric for Your Business, Product and Development Lifecycle...
Security as a New Metric for Your Business, Product and Development Lifecycle...Security as a New Metric for Your Business, Product and Development Lifecycle...
Security as a New Metric for Your Business, Product and Development Lifecycle...
 
Security as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development LifecycleSecurity as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development Lifecycle
 
Agile and Secure Development
Agile and Secure DevelopmentAgile and Secure Development
Agile and Secure Development
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended Cut
 
Mike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security ProgramMike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security Program
 
개발자가 알아야 할 보안
개발자가 알아야 할 보안개발자가 알아야 할 보안
개발자가 알아야 할 보안
 
Security Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSecurity Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar Tymoshyk
 
Agnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know itAgnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know it
 
Security
SecuritySecurity
Security
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software Security
 
Certified Ethical Hacking (CEH V9) Course Details | EC-Council
Certified Ethical Hacking (CEH V9) Course Details | EC-CouncilCertified Ethical Hacking (CEH V9) Course Details | EC-Council
Certified Ethical Hacking (CEH V9) Course Details | EC-Council
 
Application Security Risk Assessment
Application Security Risk AssessmentApplication Security Risk Assessment
Application Security Risk Assessment
 
Software risk management
Software risk managementSoftware risk management
Software risk management
 
wannabe Cyberpunk; “I don’t know what I’m supposed to do.”
wannabe Cyberpunk; “I don’t know what I’m supposed to do.”wannabe Cyberpunk; “I don’t know what I’m supposed to do.”
wannabe Cyberpunk; “I don’t know what I’m supposed to do.”
 
Owasp tds
Owasp tdsOwasp tds
Owasp tds
 
Horusec - Security & Vulnerability
Horusec - Security & VulnerabilityHorusec - Security & Vulnerability
Horusec - Security & Vulnerability
 
The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009
 
Keynote Session : NIST - Cyber Security Framework Measuring Security
Keynote Session : NIST - Cyber Security Framework Measuring SecurityKeynote Session : NIST - Cyber Security Framework Measuring Security
Keynote Session : NIST - Cyber Security Framework Measuring Security
 
12 Crucial Windows Security Skills for 2018
12 Crucial Windows Security Skills for 201812 Crucial Windows Security Skills for 2018
12 Crucial Windows Security Skills for 2018
 

Plus de Boy Baukema

Security horrors
Security horrorsSecurity horrors
Security horrorsBoy Baukema
 
Tampering with JavaScript
Tampering with JavaScriptTampering with JavaScript
Tampering with JavaScriptBoy Baukema
 
Code by the sea: Web Application Security
Code by the sea: Web Application SecurityCode by the sea: Web Application Security
Code by the sea: Web Application SecurityBoy Baukema
 
Ibuildings ISO 27001 lunchbox
Ibuildings ISO 27001 lunchboxIbuildings ISO 27001 lunchbox
Ibuildings ISO 27001 lunchboxBoy Baukema
 
OWASP ASVS 3 - What's new for level 1?
OWASP ASVS 3 - What's new for level 1?OWASP ASVS 3 - What's new for level 1?
OWASP ASVS 3 - What's new for level 1?Boy Baukema
 
Verifying Drupal modules with OWASP ASVS 2014
Verifying Drupal modules with OWASP ASVS 2014Verifying Drupal modules with OWASP ASVS 2014
Verifying Drupal modules with OWASP ASVS 2014Boy Baukema
 
Secure Drupal, from start to finish
Secure Drupal, from start to finishSecure Drupal, from start to finish
Secure Drupal, from start to finishBoy Baukema
 
Recursive descent parsing
Recursive descent parsingRecursive descent parsing
Recursive descent parsingBoy Baukema
 
SURFconext and Mobile
SURFconext and MobileSURFconext and Mobile
SURFconext and MobileBoy Baukema
 
WebAppSec @ Ibuildings in 2014
WebAppSec @ Ibuildings in 2014WebAppSec @ Ibuildings in 2014
WebAppSec @ Ibuildings in 2014Boy Baukema
 
Let's build a parser!
Let's build a parser!Let's build a parser!
Let's build a parser!Boy Baukema
 
Javascript: 8 Reasons Every PHP Developer Should Love It
Javascript: 8 Reasons Every PHP Developer Should Love ItJavascript: 8 Reasons Every PHP Developer Should Love It
Javascript: 8 Reasons Every PHP Developer Should Love ItBoy Baukema
 

Plus de Boy Baukema (12)

Security horrors
Security horrorsSecurity horrors
Security horrors
 
Tampering with JavaScript
Tampering with JavaScriptTampering with JavaScript
Tampering with JavaScript
 
Code by the sea: Web Application Security
Code by the sea: Web Application SecurityCode by the sea: Web Application Security
Code by the sea: Web Application Security
 
Ibuildings ISO 27001 lunchbox
Ibuildings ISO 27001 lunchboxIbuildings ISO 27001 lunchbox
Ibuildings ISO 27001 lunchbox
 
OWASP ASVS 3 - What's new for level 1?
OWASP ASVS 3 - What's new for level 1?OWASP ASVS 3 - What's new for level 1?
OWASP ASVS 3 - What's new for level 1?
 
Verifying Drupal modules with OWASP ASVS 2014
Verifying Drupal modules with OWASP ASVS 2014Verifying Drupal modules with OWASP ASVS 2014
Verifying Drupal modules with OWASP ASVS 2014
 
Secure Drupal, from start to finish
Secure Drupal, from start to finishSecure Drupal, from start to finish
Secure Drupal, from start to finish
 
Recursive descent parsing
Recursive descent parsingRecursive descent parsing
Recursive descent parsing
 
SURFconext and Mobile
SURFconext and MobileSURFconext and Mobile
SURFconext and Mobile
 
WebAppSec @ Ibuildings in 2014
WebAppSec @ Ibuildings in 2014WebAppSec @ Ibuildings in 2014
WebAppSec @ Ibuildings in 2014
 
Let's build a parser!
Let's build a parser!Let's build a parser!
Let's build a parser!
 
Javascript: 8 Reasons Every PHP Developer Should Love It
Javascript: 8 Reasons Every PHP Developer Should Love ItJavascript: 8 Reasons Every PHP Developer Should Love It
Javascript: 8 Reasons Every PHP Developer Should Love It
 

Dernier

FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbuapidays
 

Dernier (20)

FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 

Security as a part of quality assurance

  • 1. Security A part of Quality Assurance
  • 2. In custom software, 
 if you haven’t properly tested it, it probably doesn’t work. This goes for both functional and nonfunctional requirements. ! Worse yet if you 
 don’t even know what ‘it’ is supposed to be.
  • 4. Security what? Senior Engineer + interest in WebAppSec + 4 hours a week R&D + internal training & consultancy + internal & external auditing
  • 6. You
  • 7. The plan 1. The journey 2. The holy grail 3. Riding off into the sunset
  • 8.
  • 9.
  • 10. – My CTO “Make security something I can sell, give managers a knob to turn.”
  • 11.
  • 12. LEVEL 1 LEVEL 2 LEVEL 3 CHAPTER 1
 1.1
 1.2
 1.3 ! X ! ! X ! X ! X X X CHAPTER 2
 2.1
 2.2
 2.3 X
 X 
 X X
 X ! X X
 X
  • 13. ASVS (2013) Levels Level 0 - Bullshit compliance level (0) Level 1 - Opportunistic (47) Level 2 - Standard (136) Level 3 - Advanced (164)
  • 14. ASVS Chapters V1. Authentication V2. Session Management V3. Access Control V4. Input Validation V5. Cryptography (at Rest) V6. Error Handling and Logging V7. Data Protection ! V8. Communication Security V9. HTTP Security V10. Malicious Controls V11. Business Logic V12. Files and Resources V13. Mobile
  • 15. V1.4. Verify that credentials and all other identity information handled by the application does not traverse unencrypted or weakly encrypted links. (level 1, 2 & 3) !
  • 16.
  • 17. –OWASP ASVS 2009 Level 2 V2.7 Verify that the strength of any authentication credentials are sufficient to withstand attacks that are typical of the threats in the deployed environment.
  • 18. AASVS 2009, Scanners & 
 Report Generator
  • 20. –OWASP ASVS 2013 Beta, 
 Application Security Verification Levels “… scope of the verification may go beyond the application’s custom-built code and include external components. Achieving a verification level under such scrutiny can be represented by annotating a “+” symbol to the verification level”
  • 23. Security Testing One aspect of a Secure Development LifeCycle