Application Security: Where left is the right direction
About me
Software Developer
Application Security
Agile Enthusiast
Open source contributions
I am
I do
Agenda
Definition
Why?
How?
Who?
Definition
Wikipedia
Application security encompasses measures taken to improve the security of an application often by finding, fixing and preventing security vulnerabilities.
Gary McGraw
"...maintains that application security is a reactive approach, taking place once software has been deployed. Software security, on the other hand, involves a proactive approach, taking place within the pre-deployment phase."
Wikipedia
finding
fixing
preventing
Gary McGraw
application security: reactive approach
software security: proactive approach
Why?
Implementation bugs: inexpensive to fix
Architectural bugs: expensive to fix
[Chart: cost to fix bugs, Left vs. Right]
How to?
Software Development Life Cycle
SDLC
Design
Code
Learning
Habits
How to?
Security by Learning
Training
![](https://media2.giphy.com/media/xT9Iguc1FSPtLmCw5W/giphy.gif)
Capture the flag
Consulting
![](https://c1.staticflickr.com/1/778/22947137613_69a88cb94b_b.jpg)
How to?
Secure by Design
Architecture Review
Attack Trees
![](https://www.schneier.com/images/bruce-blog3.jpg)
![](http://gemsres.com/photos/story/res/43842/fig4.jpg)
Security Features
![](https://upload.wikimedia.org/wikipedia/commons/3/33/RSA-SecurID-Tokens.jpg)
How to?
Secure Code
Code Review
![](https://media3.giphy.com/media/gtDnXcTcVEXiE/giphy.gif)
Static Analysis
![](https://media0.giphy.com/media/ntxLxpZ0xW1kA/giphy.gif)
Dependency Management
![](https://s3.amazonaws.com/media-p.slid.es/uploads/53776/images/5162644/dependencies.png)
How to?
Security Habits
Define Contracts
Build Pipeline
Pen Testing
Bug Bounty
![](https://media1.giphy.com/media/ihAcMIHwgoO0U/giphy.gif)
How to?
Software Development Life Cycle
Reviewed!
Attack Trees
Security Features
Architecture Review
Code Review
Static Analysis
Dependency Management
Training
CTFs
Consulting
Contracts
Build Pipeline
Pen Testing
Bug bounty
Monitoring
Visibility
Drills
Infrastructure as Code
![](https://media0.giphy.com/media/B6chryYJDMaLC/giphy.gif)
Who?
Responsibility
![](https://s3.amazonaws.com/media-p.slid.es/uploads/53776/images/5142122/security-people-security-people-everywhere.jpg)
Accountability
![](https://media2.giphy.com/media/9hBW9Ay4pW10Y/giphy.gif)
Lessons
Questions?
Application Security: Where left is the right direction
By Mário Areias