The  Gentle  Art  O Making  Secure  Software
By Renato rodrigues




Agenda





Most Common Issues
Classification and Tracking
Principles of Secure Development
SDLC and Pipeline
Security Process
Bring People Aware of Security
Challenges



Cross Site Scripting (XSS)



<script>alert(/XSS/)</script><img src="x" onerror="confirm(1);"> <img src="x" onerror="prompt(document.domain)"> <meta http-equiv="refresh" content="+.1,javascript:alert(document.cookie)"> <script src="data:text/javascript,window.history.eval(confirm(history.length));"></script> <script>with(this){confirm(window.location);}</script>



Cross-site request forgery 

(CSRF)



clickjacking



Header Manipulation 

 
XML External Entity (XXE) 

 
Log Forging 

 
Logical Flaws


Classification







Impacted Services x Impact x Urgency

Tracking




Automated Tools

Scan Results | Notes 


Content Management System (CMS)

Internally Developed | Fit our needs | Vulnerability Database


Integration with Developers Tools

Integration | Visibility | Fixing Track

Principles of Secure Development









Focus on Developers

Based on the most Commom Issues

Keep It Short and Simple

PRINCIPLES OF SECURE DEVELOPMENT




Validation



Error Handling / Auths / Session Management


Secure


Software Development Life Cycle



Secure Software Development Life Cycle






Security Champion



 

         

What we Do


What Tools we Use ?




 

In-house tools!

Bring People Aware of Security






Security Champions Event





Security University







Show Something Cool



Future Challenges






New Technologies

Automation







Education














This is not Rocket Science!

Q&A


 Renato Rodrigues | @simps0n | www.pathonproject.com

  References



https://github.com/Etraud123/JSpwn

http://www.securityninja.co.uk/secure-development/

http://resources.infosecinstitute.com/intro-secure-software-development-life-cycle/

The Gentle Art of Making Secure Software 2.0 (SINFO 2015)

By Renato Rodrigues

The Gentle Art of Making Secure Software 2.0 (SINFO 2015)

This talk is targeted to give an overview of Blip security procedures, of the principles of secure development and security implementation in the software pipeline. We will look into the most common issues that we find in our products, the classification process, automation processes, how to keep track of vulnerabilities and security challenges that may lie ahead.

  • 5,443