The Gentle Art of Making Secure Software
By Renato Rodrigues




Agenda





Most Common Issues
Classification and Tracking
Principles of Secure Development
SDLC and Pipeline
Security Process
Make People Aware of Security
Challenges



Cross Site Scripting (XSS)



<script>alert(/XSS/)</script>
<img src="x" onerror="confirm(1);">
<img src="x" onerror="prompt(document.domain)">
<meta http-equiv="refresh" content="+.1,javascript:alert(document.cookie)">
<script src="data:text/javascript,window.history.eval(confirm(history.length));"></script>
<script>with(this){confirm(window.location);}</script>



Cross-Site Request Forgery (CSRF)



Clickjacking



Header Manipulation


XML External Entity (XXE)


Log Forging


Logical Flaws


Classification







Impacted Services x Impact x Urgency

Tracking




Automated Tools

Scan Results | Notes


Content Management System (CMS)

Internally Developed | Fit our needs | Vulnerability Database


Integration with Developers Tools

Integration | Visibility | Fixing Track

Principles of Secure Development









Focus on Developers

Based on the Most Common Issues

Keep It Short and Simple

PRINCIPLES OF SECURE DEVELOPMENT




Validation



Error Handling / Auths / Session Management


Software Development Life Cycle



Secure Software Development Life Cycle






Security Champion




What we Do


What Tools Do We Use?





In-house tools!

Make People Aware of Security






Security Champions Event





Security University







Show Something Cool



Future Challenges






New Technologies

Automation







Education

This is not Rocket Science!

Q&A


Renato Rodrigues | @simps0n | www.pathonproject.com

References



https://github.com/Etraud123/JSpwn

http://www.securityninja.co.uk/secure-development/

http://resources.infosecinstitute.com/intro-secure-software-development-life-cycle/

The Gentle Art of Making Secure Software 2.0 (SINFO 2015)

By Renato Rodrigues


This talk gives an overview of Blip's security procedures, of the principles of secure development, and of how security is implemented in the software pipeline. We look into the most common issues found in our products, the classification process, automation, how vulnerabilities are tracked, and the security challenges that may lie ahead.