\



The Gentle Art Of Making Secure Software



\







Agenda





Most Common Issues
Classification and Tracking
Principles of Secure Development
SDLC and Pipeline
Security Process
Bring People Aware of Security
Challenges



Cross Site Scripting (XSS)



<script>alert(/XSS/)</script><img src="x" onerror="confirm(1);"> <img src="x" onerror="prompt(document.domain)"> <meta http-equiv="refresh" content="+.1,javascript:alert(document.cookie)"> <script src="data:text/javascript,window.history.eval(confirm(history.length));"></script> <script>with(this){confirm(window.location);}</script>



Cross-site request forgery 

(CSRF)



clickjacking



Header Manipulation 

 
XML External Entity (XXE) 

 
Log Forging 

 
Logical Flaws


Classification







Impacted Services x Impact x Urgency

Tracking




Automated Tools

Scan Results | Notes 


Content Management System (CMS)

Internally Developed | Fit our needs | Vulnerability Database


Integration with Developers Tools

Integration | Visibility | Fixing Track

Principles of Secure Development









Focus on Developers

Based on the most Commom Issues

Keep It Short and Simple

PRINCIPLES OF SECURE DEVELOPMENT




Validation



Error Handling / Auths / Session Management


Secure


Software Development Life Cycle



Secure Software Development Life Cycle






Security Champion






What we Do


What Tools we Use ?




Bring People Aware of Security






Security Champions Event





Security University







Show Something Cool



Future Challenges






New Technologies

Automation







Education














This is not Rocket Science!

Q&A 

Renato Rodrigues | @simps0n | www.pathonproject.com


www.blip.pt

  References





http://www.securityninja.co.uk/secure-development/

http://resources.infosecinstitute.com/intro-secure-software-development-life-cycle/

The Gentle Art of Making Secure Software

By Renato Rodrigues

The Gentle Art of Making Secure Software

Presentation for Rumos Web Application Tech Sessions at Lisbon and Porto.

  • 3,493
Loading comments...

More from Renato Rodrigues