\

The Gentle Art Of Making Secure Software

\

Agenda

Most Common Issues

Classification and Tracking

Principles of Secure Development

SDLC and Pipeline

Security Process

Bring People Aware of Security

Challenges

Cross Site Scripting (XSS)

<script>alert(/XSS/)</script><img src="x" onerror="confirm(1);"> <img src="x" onerror="prompt(document.domain)"> <meta http-equiv="refresh" content="+.1,javascript:alert(document.cookie)"> <script src="data:text/javascript,window.history.eval(confirm(history.length));"></script> <script>with(this){confirm(window.location);}</script>

Cross-site request forgery

(CSRF)

↓

clickjacking

Header Manipulation

XML External Entity (XXE)

Log Forging

Logical Flaws

Classification

Impacted Services x Impact x Urgency

Tracking

Automated Tools

Scan Results | Notes

Content Management System (CMS)

Internally Developed | Fit our needs | Vulnerability Database

Integration with Developers Tools

Integration | Visibility | Fixing Track

0

Principles of Secure Development

Focus on Developers

Based on the most Commom Issues

Keep It Short and Simple

PRINCIPLES OF SECURE DEVELOPMENT

Validation

Error Handling / Auths / Session Management

Secure

Software Development Life Cycle

Secure Software Development Life Cycle

Security Champion

What we Do

What Tools we Use ?

Bring People Aware of Security

Security Champions Event

Security University

Show Something Cool

Future Challenges

New Technologies

Automation

Education

This is not Rocket Science!

Q&A

Renato Rodrigues | @simps0n | www.pathonproject.com

www.blip.pt

✎ References

http://www.securityninja.co.uk/secure-development/

http://resources.infosecinstitute.com/intro-secure-software-development-life-cycle/

The Gentle Art of Making Secure Software

By Renato Rodrigues

The Gentle Art of Making Secure Software

Presentation for Rumos Web Application Tech Sessions at Lisbon and Porto.

6,697

Renato Rodrigues