Secure Software Teams
@bitspook
Security starts with
YOU
Phishing
Spear Phishing
BAITING
Pretexting
Before you
SHIP
Assess the
Dependencies
- Periodically re-verify, even on a codebase that has not changed (new advisories are published against old versions)
- Bake it into the package manager (audit on install and in the build)
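What "assess the dependencies" looks like as code, as an added example (not code from the talk): a pinned lock file is checked against an advisory feed with version ranges. The lock file contents, the advisories and their identifiers are constructed for illustration; real tooling such as `npm audit` or `pip-audit` pulls the feed from a database, and the same check is what you re-run on a schedule for a codebase nobody has touched.

```python
"""Check pinned dependencies against a known-vulnerability feed.

Added example. The advisory feed and the lock file below are constructed;
the advisory ids are not real CVEs.
"""
import re
from typing import Dict, List, Tuple

# Constructed advisories: affected if introduced <= pinned version < fixed.
ADVISORIES = [
    {"package": "requests", "introduced": "2.0.0", "fixed": "2.31.0", "id": "EXAMPLE-2023-0001"},
    {"package": "pyyaml", "introduced": "0.0.0", "fixed": "5.4", "id": "EXAMPLE-2021-0002"},
]

# Constructed requirements.txt-style lock file, as a stale codebase might pin it.
LOCKFILE = """\
requests==2.25.1
pyyaml==6.0
click==8.1.3
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.31.0' into (2, 31, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_lockfile(text: str) -> Dict[str, str]:
    """Read 'name==version' pins; blank lines and comments are ignored."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        pins[name.lower()] = version
    return pins


def is_vulnerable(version: str, introduced: str, fixed: str) -> bool:
    """A pin is affected when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def audit(pins: Dict[str, str], advisories=ADVISORIES) -> List[dict]:
    """Return one finding per advisory that matches a pinned package."""
    findings = []
    for adv in advisories:
        pinned = pins.get(adv["package"].lower())
        if pinned and is_vulnerable(pinned, adv["introduced"], adv["fixed"]):
            findings.append({"package": adv["package"], "pinned": pinned,
                             "fixed": adv["fixed"], "id": adv["id"]})
    return findings


def audit_text(text: str) -> List[dict]:
    """Convenience wrapper: audit a lock file given as text."""
    return audit(parse_lockfile(text))


if __name__ == "__main__":
    for f in audit_text(LOCKFILE):
        print(f"{f['package']}=={f['pinned']} affected by {f['id']}, upgrade to {f['fixed']}")
```

Wire `audit_text` into the package manager's install or build step and fail the build on any finding; the version tuples matter because a plain string comparison would rank `2.9` above `2.31`.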
Leverage
Static Analysis
- Catch 'em as you type 'em (editor integration)
- Bake it into the build (package-manager script or pre-commit hook) so it runs on every commit
CIA Triad
- Confidentiality
- Integrity
- Availability
Confidentiality
- Property that information is not disclosed to unauthorized parties
- e.g. a database breach
- e.g. emails getting sent to the wrong people
Integrity
- Property of accuracy and completeness
- e.g. tampering with data in transit by unauthorized people
Availability
- Property of being accessible and usable on demand by an authorized entity
- e.g. denial of service attacks
Least Privilege Principle
Fun stuff
ATTACKS
MITM (man-in-the-middle)
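An added example (not from the talk) that serves both the Integrity slide above and this one: an active man-in-the-middle rewrites a payment message while it is in transit. On a bare channel the receiver has no way to notice; with an HMAC over the message body, the tampered copy is rejected. The "channel" is just bytes passed between functions, and the shared key is constructed.

```python
"""Active MITM on a bare channel versus an HMAC-protected one.

Added example. The key and message are constructed; the attacker is a function
that edits the bytes between sender and receiver.
"""
import hashlib
import hmac
import json

# Constructed shared secret. In practice it is agreed out of band or derived
# from a TLS handshake; the point here is only what a MAC buys you.
KEY = b"shared-secret-between-client-and-server"


def attacker_in_the_middle(wire: bytes) -> bytes:
    """Active MITM: redirect the payment while the message is in flight."""
    return wire.replace(b'"to": "alice"', b'"to": "mallory"')


def send_plain(msg: dict) -> bytes:
    return json.dumps(msg, sort_keys=True).encode()


def receive_plain(wire: bytes) -> dict:
    return json.loads(wire)  # nothing here can tell a forged body from the real one


def send_authenticated(msg: dict, key: bytes = KEY) -> bytes:
    body = json.dumps(msg, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"|" + tag.encode()


def receive_authenticated(wire: bytes, key: bytes = KEY) -> dict:
    body, _, tag = wire.rpartition(b"|")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        raise ValueError("integrity check failed: message was modified in transit")
    return json.loads(body)


def demo(mitm: bool):
    """Return (payee seen on the bare channel, payee seen on the MAC'd channel)."""
    msg = {"from": "bob", "to": "alice", "amount": 100}
    plain, auth = send_plain(msg), send_authenticated(msg)
    if mitm:
        plain, auth = attacker_in_the_middle(plain), attacker_in_the_middle(auth)
    plain_payee = receive_plain(plain)["to"]
    try:
        auth_payee = receive_authenticated(auth)["to"]
    except ValueError:
        auth_payee = "rejected"
    return plain_payee, auth_payee


if __name__ == "__main__":
    print("no attacker:", demo(mitm=False))
    print("with MITM:  ", demo(mitm=True))
```

The MAC gives integrity only: the attacker can still read the message (no confidentiality) and could replay an old valid one, which is why real channels use TLS, which authenticates the server and encrypts as well.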
SQL Injection
# test only the userid parameter of the WebGoat lesson for injection
sqlmap \
  --cookie 'JSESSIONID=9A59D520718559C9DD5C0E1BA5AC3E2E' \
  --url 'http://webgoat:8080/WebGoat/SqlInjection/assignment5b' \
  --data 'login_count=1&userid=1' \
  -p userid
# same again, this time against the name parameter
sqlmap \
  --cookie 'JSESSIONID=9A59D520718559C9DD5C0E1BA5AC3E2E' \
  --url 'http://webgoat:8080/WebGoat/SqlInjection/attack9' \
  --data 'name=Smith&auth_tan=3SL99A' \
  -p name
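The bug sqlmap is hunting, side by side with its fix, as an added example that is not from the talk or from WebGoat: the vulnerable login pastes user input into the SQL text, so the classic tautology payload returns every row; the parameterized version hands the same input to the driver as data, and it matches nothing. The table and rows are constructed, in an in-memory SQLite database.

```python
"""SQL injection: string-built query next to its parameterized fix.

Added example. Schema and rows are constructed; runs against sqlite3 in memory.
"""
import sqlite3

# Classic tautology payload; sqlmap tries many variants of this per parameter.
PAYLOAD = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (userid INTEGER, name TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "Smith", "s3cret"), (2, "Jones", "hunter2")])
    return con


def login_vulnerable(con: sqlite3.Connection, name: str, password: str) -> list:
    # Deliberately vulnerable: the quotes in the input close the string literal
    # and the rest of the payload becomes SQL.
    sql = (f"SELECT userid, name FROM users "
           f"WHERE name = '{name}' AND password = '{password}'")
    return con.execute(sql).fetchall()


def login_safe(con: sqlite3.Connection, name: str, password: str) -> list:
    # Parameterized: values travel separately from the statement, so a quote
    # in the input is just a character to compare against.
    sql = "SELECT userid, name FROM users WHERE name = ? AND password = ?"
    return con.execute(sql, (name, password)).fetchall()


def demo() -> dict:
    """Run the payload through both versions and return what each gives back."""
    con = make_db()
    return {
        "vulnerable": login_vulnerable(con, PAYLOAD, PAYLOAD),
        "safe": login_safe(con, PAYLOAD, PAYLOAD),
    }


if __name__ == "__main__":
    for variant, rows in demo().items():
        print(f"{variant}: {rows}")
```

With the payload in both fields the vulnerable statement becomes `... WHERE name = '' OR '1'='1' AND password = '' OR '1'='1'`, which is true for every row because AND binds tighter than OR; that is the "bypass the login" result sqlmap reports, and the parameterized query is the whole fix.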
When you
SHIP
Automate
All the things
Continuous Integration = Continuous Builds + Continuous Tests + Continuous Scanning
Secure Team Practices
1. Practice
- Deliberately vulnerable apps
- CTF (Capture the flag) games
- Organize and participate in meetup sessions
2. Practice: Red Team vs Blue Team
Establish a
RED TEAM
- Members who act as real attackers
- Attack the blue team without warning
- No rules applied
Enforce the
BLUE TEAM
- Set up infrastructure to detect red team activity
- Aim to make red team campaigns as ineffective as possible
3. Continuous Scanning
- Document every successful Red Team attack and replay it against every build, so a fixed hole that reopens fails the build
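One way to make that replay automatic, as an added example that is not from the talk: successful red-team attacks are kept as data (route, parameters, expected outcome) and a harness re-sends each of them to the current build, failing on any that still succeed. The attack log and the tiny two-route target app are constructed; the `fixed_search` switch exists only to show the harness catching a regression.

```python
"""Replay recorded red-team attacks against the current build as a regression gate.

Added example. The attack log and the target app are constructed; in a real
pipeline the log is a file checked in next to the tests and the target is the
freshly built service.
"""
import sqlite3
from typing import Callable, Dict, List

# Constructed record of what the red team got away with, kept as data so it is
# re-checked on every build without anyone having to remember.
ATTACK_LOG = [
    {"id": "RT-001", "route": "login",
     "params": {"name": "' OR '1'='1", "password": "x"}, "expected": "denied"},
    {"id": "RT-002", "route": "login",
     "params": {"name": "admin'--", "password": "x"}, "expected": "denied"},
    {"id": "RT-003", "route": "search",
     "params": {"q": "%' UNION SELECT password FROM users--"}, "expected": "no_secrets"},
]


def build_app(fixed_search: bool = True) -> Dict[str, Callable[..., dict]]:
    """Return a dict of route name -> handler, backed by an in-memory database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'topsecret')")

    def login(name: str, password: str) -> dict:
        row = con.execute("SELECT name FROM users WHERE name = ? AND password = ?",
                          (name, password)).fetchone()
        return {"outcome": "allowed" if row else "denied"}

    def search(q: str) -> dict:
        if fixed_search:
            rows = con.execute("SELECT name FROM users WHERE name LIKE ?",
                               (f"%{q}%",)).fetchall()
        else:  # the regression the harness exists to catch: query built from input
            rows = con.execute(f"SELECT name FROM users WHERE name LIKE '%{q}%'").fetchall()
        leaked = any("topsecret" in r[0] for r in rows)
        return {"outcome": "leaked_secret" if leaked else "no_secrets", "rows": rows}

    return {"login": login, "search": search}


def replay(app: Dict[str, Callable[..., dict]], log=ATTACK_LOG) -> List[str]:
    """Return the ids of recorded attacks that still succeed against this build."""
    regressions = []
    for attack in log:
        result = app[attack["route"]](**attack["params"])
        if result["outcome"] != attack["expected"]:
            regressions.append(attack["id"])
    return regressions


if __name__ == "__main__":
    print("current build:", replay(build_app()) or "all recorded attacks blocked")
    print("regressed build:", replay(build_app(fixed_search=False)))
```

In the regressed build RT-003's payload turns the search into `... LIKE '%%' UNION SELECT password FROM users--%'`, the union leaks the password column, and the build fails with that attack id; keep the log append-only and the replay cheap so it runs on every commit alongside the unit tests.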
Getting Serious
- Fork (mirror) production traffic into a replica that the red team is allowed to break