The Gentle Art Of Making Secure Software
By Renato Rodrigues




Agenda

Most Common Issues
Classification and Tracking
Principles of Secure Development
SDLC and Pipeline
Security Process
Make People Aware of Security
Challenges



Cross Site Scripting (XSS)



<script>alert(/XSS/)</script>
<img src="x" onerror="confirm(1);">
<img src="x" onerror="prompt(document.domain)">
<meta http-equiv="refresh" content="+.1,javascript:alert(document.cookie)">
<script src="data:text/javascript,window.history.eval(confirm(history.length));"></script>
<script>with(this){confirm(window.location);}</script>



Cross-Site Request Forgery (CSRF)

Clickjacking



Header Manipulation

XML External Entity (XXE)

Log Forging

Logical Flaws


Classification

Impacted Services x Impact x Urgency

Tracking

Automated Tools

Scan Results | Notes 


Content Management System (CMS)

Internally Developed | Fit our needs | Vulnerability Database


Integration with Developers Tools

Integration | Visibility | Fixing Track

Principles of Secure Development

Focus on Developers

Based on the Most Common Issues

Keep It Short and Simple

Principles of Secure Development




Validation



Error Handling / Auths / Session Management





Secure Software Development Life Cycle

Security Champion



What We Do

What Tools We Use?

In-house tools!

Make People Aware of Security






Security Champions Event

Security University

Show Something Cool



Future Challenges

New Technologies

Automation

Education

This is not Rocket Science!

Q&A


Renato Rodrigues | @simps0n | www.pathonproject.com

References



https://github.com/Etraud123/JSpwn

http://www.securityninja.co.uk/secure-development/

http://resources.infosecinstitute.com/intro-secure-software-development-life-cycle/