Secure Software Teams

@channikhabra

Security starts with

YOU

Phishing

Spear Phishing

BAITING

Pretexting

Before you

SHIP

Assess the

Dependencies

  • Periodically re-verify on stale codebase
  • Bake it into the package manager

Leverage

Static Analysis

  • Catch 'em as you type 'em
  • Bake it into the package manager

CIA

  • Confidentiality
  • Integrity
  • Availability

Triad

  • Unauthorized access to information
  • e.g a database breach
  • e.g emails getting sent to wrong people

Confidentiality

  • Property of accuracy and completeness
  • e.g tampering with data during transit by unauthorized people

Integrity

  • Property of being accessible and usable on demand by an authorized entity.

  • e.g denial of service attacks

Availability

Least Privilege Principle

Fun stuff

ATTACKS

mitm

SQL Injection

sqlmap \
  --cookie JSESSIONID=9A59D520718559C9DD5C0E1BA5AC3E2E \
  --url http://webgoat:8080/WebGoat/SqlInjection/assignment5b \
  --data login_count=1\&userid=1 \
  -p userid
sqlmap \
  --cookie JSESSIONID=9A59D520718559C9DD5C0E1BA5AC3E2E \
  --url http://webgoat:8080/WebGoat/SqlInjection/attack9 \
  --data name=Smith\&auth_tan=3SL99A \
  -p name 

XSS

When you

SHIP

Automate

All the things

Continuous Integration

Continuous Builds

Continuous

Tests

Continuous

Scanning

=

+

+

Secure Team Practices

Secure Team Practices

1. Practice

Secure Team Practices

2. Practice

vs

Red Team

Blue Team

vs

Secure Team Practices

Establish a

RED TEAM

  • Consists of members who act as actual attackers
  • Attack blue teams without warning
  • No rules applied

Secure Team Practices

Enforce the

BLUE TEAM

  • Setup infra to detect red team activity
  • Aim to make red team campaigns as ineffective as they possibly can

Secure Team Practices

3. Continuous Scanning

  • Document and replay all Red Team successful attacks on every build

Secure Team Practices

Getting Serious

  • Bifurcate production traffic and create a break-able replica

Proposals for

Trantor

Proposals for Trantor

Establish a

RED TEAM

Organize CTFs

Proposals for Trantor

Create a bug/vuln bounty program

Proposals for Trantor

Thank You!