The Gentle Art Of Making Secure Software
![](https://s3.amazonaws.com/media-p.slid.es/uploads/simpson/images/441962/BLIP__web_.png)
Agenda
Most Common Issues
Classification and Tracking
Principles of Secure Development
SDLC and Pipeline
Security Process
Making People Aware of Security
Challenges
Cross Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
Clickjacking
Header Manipulation
XML External Entity (XXE)
Log Forging
Logical Flaws
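The issues above are only named on the slides. As an added example (not code from the presentation or from Blip), the block below shows a minimal vulnerable and hardened form of four of them in Python: XSS via unescaped output, CSRF token checking, header manipulation through CR/LF in a redirect target, log forging through control characters in logged input, and XXE, where the hardened parser simply refuses any DOCTYPE. All function names and sample inputs are constructed for this illustration.

```python
import html
import hmac
import re
import xml.etree.ElementTree as ET
from typing import Optional

# --- Cross Site Scripting (XSS): reflecting user input into HTML ----------
def greeting_html_unsafe(name: str) -> str:
    # Vulnerable: untrusted data is concatenated into markup unencoded.
    return f"<p>Hello, {name}!</p>"

def greeting_html(name: str) -> str:
    # Hardened: HTML-encode untrusted data for the HTML body context.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"

# --- Cross-Site Request Forgery (CSRF): validating a per-session token ----
def csrf_token_valid(session_token: str, submitted: Optional[str]) -> bool:
    # A missing token is invalid; present tokens are compared in constant time.
    if not submitted:
        return False
    return hmac.compare_digest(session_token, submitted)

# --- Header Manipulation: CR/LF in a value that lands in a response header -
_CRLF = re.compile(r"[\r\n]")

def location_header_unsafe(target: str) -> str:
    # Vulnerable: "\r\n" in target lets the caller inject extra headers.
    return f"Location: {target}"

def location_header(target: str) -> str:
    # Hardened: reject control characters rather than trying to clean them.
    if _CRLF.search(target):
        raise ValueError("CR/LF not allowed in a header value")
    return f"Location: {target}"

# --- Log Forging: newlines in user input fake additional log lines --------
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")

def log_line(event: str, user_input: str) -> str:
    # Neutralise CR, LF and other C0 controls so one request stays one line.
    safe = _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), user_input)
    return f'{event} user_input="{safe}"'

# --- XML External Entity (XXE): refuse DTDs in untrusted XML --------------
def parse_untrusted_xml(data: bytes) -> ET.Element:
    # No DOCTYPE means no entity declarations, internal or external, whatever
    # the underlying parser would otherwise accept.
    if b"<!doctype" in data.lower():
        raise ValueError("DOCTYPE not allowed in untrusted XML")
    return ET.fromstring(data)

# Constructed sample inputs for a stand-alone run.
XSS_INPUT = "<script>alert(1)</script>"
CRLF_INPUT = "/home\r\nSet-Cookie: role=admin"
LOG_INPUT = "bob\nlogin_ok user=admin"
XXE_DOC = (b'<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM '
           b'"file:///etc/passwd">]><foo>&xxe;</foo>')

if __name__ == "__main__":
    print(greeting_html_unsafe(XSS_INPUT))
    print(greeting_html(XSS_INPUT))
    print(csrf_token_valid("s3cr3t", "s3cr3t"), csrf_token_valid("s3cr3t", None))
    print(repr(location_header_unsafe(CRLF_INPUT)))
    try:
        location_header(CRLF_INPUT)
    except ValueError as exc:
        print("rejected:", exc)
    print(log_line("login_failed", LOG_INPUT))
    try:
        parse_untrusted_xml(XXE_DOC)
    except ValueError as exc:
        print("rejected:", exc)
```

The hardened variants share one design choice: where the data has a single legitimate shape (a redirect path, a header value, an XML document without a DTD), reject anything outside it instead of trying to strip the dangerous parts, since stripping tends to be bypassed by encodings the filter did not anticipate.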
Classification
Impacted Services x Impact x Urgency
Tracking
Automated Tools
Scan Results | Notes
Content Management System (CMS)
Internally Developed | Fit our needs | Vulnerability Database
Integration with Developers Tools
Integration | Visibility | Fixing Track
![](https://s3.amazonaws.com/media-p.slid.es/uploads/simpson/images/444745/vulnman.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/simpson/images/444748/fat.png)
Principles of Secure Development
Focus on Developers
Based on the Most Common Issues
Keep It Short and Simple
Principles of Secure Development
![](https://s3.amazonaws.com/media-p.slid.es/uploads/simpson/images/443994/Drawing1.png)
Validation
![](https://s3.amazonaws.com/media-p.slid.es/uploads/simpson/images/443996/Cloud_3__1_.png)
Error Handling / Authentication and Authorization / Session Management
![](https://s3.amazonaws.com/media-p.slid.es/uploads/simpson/images/444016/error_auth_session__1_.png)
Secure
![](https://s3.amazonaws.com/media-p.slid.es/uploads/simpson/images/444008/Secure__1_.png)
Software Development Life Cycle
Secure Software Development Life Cycle
![](https://s3.amazonaws.com/media-p.slid.es/uploads/simpson/images/445630/Drawing1.png)
Security Champion
![](https://s3.amazonaws.com/media-p.slid.es/uploads/simpson/images/445461/Security_Champion.png)
What we Do
![](https://s3.amazonaws.com/media-p.slid.es/uploads/simpson/images/445459/g33k__1_.png)
What Tools We Use?
![](https://www.owasp.org/images/1/11/Zap128x128.png)
![](http://tctechcrunch2011.files.wordpress.com/2010/08/fortify-software-picture.jpeg)
![](http://resources.infosecinstitute.com/wp-content/uploads/012814_2020_WebServices1.png)
Making People Aware of Security
![](https://s3.amazonaws.com/media-p.slid.es/uploads/simpson/images/444087/121411_1611_SecureRando1.png)
Security Champions Event
Security University
![](https://s3.amazonaws.com/media-p.slid.es/uploads/simpson/images/445392/unicclass.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/simpson/images/445386/appsecezine_small.png)
Show Something Cool
![](https://s3.amazonaws.com/media-p.slid.es/uploads/simpson/images/444096/coolstuff.png)
Future Challenges
![](https://s3.amazonaws.com/media-p.slid.es/uploads/simpson/images/444033/futurama_professor_farnsworth-t2.jpg)
New Technologies
![](https://s3.amazonaws.com/media-p.slid.es/uploads/simpson/images/444041/js.jpg)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/simpson/images/444058/BXhBtGoCYAAFwwJ.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/simpson/images/444040/nodejs.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/simpson/images/444051/scala-logo.png)
Automation
![](https://s3.amazonaws.com/media-p.slid.es/uploads/simpson/images/444077/gears.png)
Education
![](http://www.fsslimited.com/images/education-security-solutions.jpg)
This is not Rocket Science!
Q&A
Renato Rodrigues | @simps0n | www.pathonproject.com
www.blip.pt
The Gentle Art of Making Secure Software
By Renato Rodrigues
Presentation for Rumos Web Application Tech Sessions at Lisbon and Porto.