![Page 1: Security as a new metric for Business, Product and Development Lifecycle](https://reader035.vdocuments.mx/reader035/viewer/2022062903/58ab5f3d1a28abbc2a8b555d/html5/thumbnails/1.jpg)
Security as a New Metric for Your Business, Product and
Development Lifecycle
by Nazar Tymoshyk, SoftServe, Ph.D., CEH
OWASP Chapter Lviv invites you to the last OWASP Ukraine group meeting of this year. Spend two great days in Lviv with the best security specialists in Ukraine.
Registration: https://goo.gl/5hdvPH http://owasp-lviv.blogspot.com/
Topics:
• Web and mobile application security
• Hacking REST- and JavaScript-based applications
• Breach investigation
• Reverse engineering
• Scams, rip-offs and manipulation of users' minds
• Cloud and non-cloud security
• Physical hacking + Escape Quest
November 14, 2015, Saturday, Lviv, Sadova St. 2A
Lviv coffee, cafés and beer, great company, new acquaintances, workshops, free knowledge: all of this awaits you in our cozy city!
OWASP Ukraine 2015
Security meetup in Lviv
Physical Hacking
Escape quest
OWASP Ukraine 2015 Lviv meetup, November 14, 2015
Elite HACKERS
Industry Experts
The most interesting security event of Ukraine
Hands-on Labs
Collaboration
Competition
Powered by
Security as a metric
H1 2014: Total served: 24, Completed: 10, Internal: 3, Lost: 14, Win rate: 67%
H1 2015: Total served: 26, Completed: 12, Internal: 3, Lost: 14, Win rate: 46%
The updated business model allows us to generate more revenue from the same number of opportunities.
Agenda
• Business
• Products
• Developers
• Your imagination
• Questions
BUSINESS
A rough year in 2012
A more challenging year: 2013
• Akamai reports that 2013 attack traffic is averaging over 86% above normal.
• The same report shows April 30 attack traffic at 117.53% higher, compared with the 42% increase seen in 2012.
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
WHY your clients NEED Security
• Industry compliance
• Government regulation
• Business availability
• Capitalization
• Statistics of breaches
• Customer requirement
• Previous bad experience
Consequences of Security FAILURE
• Trust
• Money
• Data stolen
• Time to recover
• Penalties for the incident
• Customers
• Reputation
Diagram: Super user, Subscriptions, Penalty tool; your very sad client: "We were hacked because of YOU!"
If your Cloud server is hacked….
PRODUCT
Simple ROI of Product security
Connected cars are part of:
• smart houses
• smart TVs
• smart watches
• smart phones
• smart cars
• smart fridges
• ????
Typical Security Report delivered by competitor
How security is linked to development
3rd-party or internal audit
Tons of security defects
Then the process of re-coding, re-building, re-testing, re-auditing starts
BACK to re-coding, re-building, re-testing, re-auditing
GENERIC APPROACH FOR SECURITY (Secure SDLC)
Design: security requirements / risk and threat analysis
Build: coding guidelines / code reviews / static analysis
Test: security testing / dynamic analysis
Production: vulnerability scanning / WAF
Proactive approach (earlier phases) vs. reactive approach (later phases)
How it should look
With a proper security program the number of security defects should decrease from phase to phase.
• Automated security tests (CI integrated)
• Manual security / penetration testing (OWASP methodology)
• Secure coding trainings
• Regular vulnerability scans
Goals:
• Minimize the cost of security-related issues
• Avoid repetitive security issues
• Avoid an inconsistent level of security
• Determine the activities that pay back fastest in the current state of the project
Remember, I'm offering you the truth. Nothing more.
To do security, or not to do?
QA Engineer vs. Security expert
In functional and performance testing, the expected results are documented before the test begins, and the quality assurance team looks at how well the expected results match the actual results.
In security testing, the security analyst team is concerned only with unexpected results: testing for the unknown and looking for weaknesses. They are EXPERTS.
Scenario 1. PM worried about security on the project: code micro-assessment.
Flow diagram:
Delivery Director/PM: "Our app code needs to be verified for security." → Request app verification
Security Center of Excellence:
• Scan sources with tools
• Filter false positives
• Compile report
• Review architecture
• Dynamic test
• Rate risks
Reporting for 2 security experts → Report with findings
PM: Fix it! Non-compliant? Good boys!
• Explain security defect and severity
• Fix identified security defects
• Train developers and QA
• Transfer checklists and guides
Re-check → Monitor
Great achievement: PM and SoftServe demonstrate excellence, competitive advantage
How to present to the client and earn more $$$? Next page.
"Oh Rashid, we have found some security issues with your legacy code."
"Who wrote it?"
"The Indian team. Our security experts can perform a comprehensive Security Assessment, and then our dev team will fix the identified defects, as they put other projects at risk."
"OK, do it. How much should it cost?"
"Only $XX.XXX for the Security Assessment."
"Deal! Do it ASAP."
Report sample
DEVELOPMENT
Risks are for managers, not developers
PEOPLE always bypass restrictions if possible.
Keep this in mind when you design security.
Developer & Security
• Focus on functional requirements
• Know about: OWASP Top 10; 1 threat (DEADLINE fail)
• Implement requirements as they can
• Testing is QA's job
"I know when I'm writing code I'm not thinking about evil, I'm just trying to think about functionality" (c) Scott Hanselman
Why doesn't code analysis solve the problem?
Many of the CWE vulnerability types are design issues or business logic issues.
Application security testing tools are being sold as a solution to the problem of insecure software.
Mobile banking app from Pakistan
What is wrong?
Recommended error messages by OWASP
Incorrect response examples:
"Login for User foo: invalid password"
"Login failed, invalid user ID"
"Login failed; account disabled"
"Login failed; this user is not active"
Correct response example:
"Login failed; Invalid userID or password"
https://www.owasp.org/index.php/Authentication_Cheat_Sheet
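The difference between the incorrect and correct messages above is easiest to see in code. The following is an added example, not code from the deck or from the banking app it discusses; the user store, salts and passwords are constructed for the demo. The leaky version returns a different message per branch (so an attacker can enumerate user IDs and disabled accounts); the hardened version evaluates every condition, always runs the password hash (against a dummy record when the user does not exist, so the response time does not reveal existence) and reports the single generic message OWASP recommends.

```python
import hashlib
import hmac

# Constructed sample user store (not from the original deck): PBKDF2 hashes.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"0123456789abcdef"
USERS = {
    "alice": {"salt": _SALT, "hash": _hash("correct horse", _SALT), "active": True},
    "bob":   {"salt": _SALT, "hash": _hash("hunter2", _SALT), "active": False},
}
# Dummy record used when the user id does not exist, so the same hash work
# (and therefore roughly the same response time) happens as for a real user.
_DUMMY_SALT = b"fedcba9876543210"
_DUMMY = {"salt": _DUMMY_SALT, "hash": _hash("dummy", _DUMMY_SALT), "active": False}

GENERIC_FAILURE = "Login failed; Invalid userID or password"


def authenticate_leaky(user_id, password):
    """The pattern the deck flags: each branch leaks a distinct fact."""
    rec = USERS.get(user_id)
    if rec is None:
        return False, "Login failed, invalid user ID"          # reveals: no such user
    if not hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"]):
        return False, f"Login for User {user_id}: invalid password"  # reveals: user exists
    if not rec["active"]:
        return False, "Login failed; account disabled"         # reveals: account state
    return True, "OK"


def authenticate(user_id, password):
    """Hardened: one generic message, hash always computed, state folded in."""
    rec = USERS.get(user_id, _DUMMY)
    hash_ok = hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"])
    # Evaluate every condition, then report one outcome; unknown user,
    # wrong password and disabled account are indistinguishable to the caller.
    if user_id in USERS and hash_ok and rec["active"]:
        return True, "OK"
    return False, GENERIC_FAILURE


if __name__ == "__main__":
    for uid, pw in [("alice", "correct horse"), ("alice", "wrong"), ("nobody", "x"), ("bob", "hunter2")]:
        print(uid, "leaky:", authenticate_leaky(uid, pw)[1], "| hardened:", authenticate(uid, pw)[1])
```

The detailed reason for the failure still belongs in the server-side log (with the account, not the password), where it helps incident response without helping an attacker.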
What is wrong at the next stage of the login process?
Critical Business Logic bypass
It was possible to get the personal info (promo code, email, password, etc.) of a subscription not related to the currently logged-in user.
Critical Business Logic bypass
It was possible to make changes to the personal info of a subscription (email, password, name, etc.) using the User.updateSubscription method even when the appropriate user was not logged in.
Critical Business Logic bypass
• It was possible to convert any standalone subscription to managed, whether or not the appropriate user was logged in, using the User.setSubscriptionToManaged function (you can make any user pay for the paid features of your subscriptions).
Critical Business Logic bypass
It was possible to delete subscriptions / credit cards not related to the currently logged-in user using the User.deleteSubscription / deleteCreditCard functions.
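All four findings share one root cause: the backend trusted the subscription or card ID sent by the client and never asked whether the caller was logged in and owned that object. The following is an added example, not the reviewed product's code; the function names echo the deck's User.updateSubscription / setSubscriptionToManaged / deleteCreditCard wording but the data, Session class and AuthorizationError are constructed for the demo. The vulnerable function is kept for contrast; the hardened ones route every object access through a single ownership check, which also returns the same error for "missing" and "not yours" so IDs cannot be enumerated (the same weakness the later SOAP fuzzing finding in this deck relies on).

```python
# Constructed in-memory data (hypothetical, not from the reviewed product).
SUBSCRIPTIONS = {
    101: {"owner": "alice", "email": "alice@example.com", "managed": False},
    102: {"owner": "bob",   "email": "bob@example.com",   "managed": False},
}
CREDIT_CARDS = {
    501: {"owner": "alice", "last4": "4242"},
}


class AuthorizationError(Exception):
    pass


class Session:
    def __init__(self, user_id=None):
        self.user_id = user_id  # None means nobody is logged in


def update_subscription_vulnerable(session, sub_id, changes):
    """The deck's bug: the id from the request is trusted, the session is ignored."""
    SUBSCRIPTIONS[sub_id].update(changes)
    return SUBSCRIPTIONS[sub_id]


def _require_owner(session, table, obj_id):
    """Single choke point: logged in, object exists, and caller owns it."""
    if session.user_id is None:
        raise AuthorizationError("login required")
    obj = table.get(obj_id)
    # Same error for "does not exist" and "not yours": no ID oracle.
    if obj is None or obj["owner"] != session.user_id:
        raise AuthorizationError("not found")
    return obj


def update_subscription(session, sub_id, changes):
    sub = _require_owner(session, SUBSCRIPTIONS, sub_id)
    allowed = {"email", "name", "password"}          # never let the client set "owner"
    sub.update({k: v for k, v in changes.items() if k in allowed})
    return sub


def set_subscription_to_managed(session, sub_id):
    sub = _require_owner(session, SUBSCRIPTIONS, sub_id)
    sub["managed"] = True
    return sub


def delete_credit_card(session, card_id):
    _require_owner(session, CREDIT_CARDS, card_id)
    del CREDIT_CARDS[card_id]
    return True


def is_denied(fn, *args):
    """Demo helper: True if the call was refused by the authorization check."""
    try:
        fn(*args)
    except AuthorizationError:
        return True
    return False


if __name__ == "__main__":
    print("anonymous edits bob's subscription (vulnerable):",
          update_subscription_vulnerable(Session(None), 102, {"email": "evil@example.com"}))
    print("anonymous edit denied (hardened):", is_denied(update_subscription, Session(None), 102, {"email": "x"}))
    print("bob editing alice denied:", is_denied(update_subscription, Session("bob"), 101, {"email": "x"}))
    print("alice editing alice:", update_subscription(Session("alice"), 101, {"email": "new@example.com"}))
```

The check belongs in the service layer, not in the client: a hybrid mobile app can be reversed and its requests replayed with any ID, so any authorization performed only in the UI is decoration.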
Browser exploitation framework
Social Engineering
SQL injection to win a trip: dumped admin password hashes
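The slide names the outcome (admin hashes dumped through a contest site) but not the mechanism, so here is an added example of the mechanism, not code from the site in question; the table, accounts and passwords are constructed, and the backend is an in-memory SQLite database. The vulnerable lookup builds the query by string concatenation, so a username of `' OR 1=1 --` turns the WHERE clause into a tautology and returns every row; the parameterised lookup binds the same input as data and returns nothing.

```python
import hashlib
import sqlite3

INJECTION = "' OR 1=1 --"


def make_db():
    """Constructed sample database (not from the deck): an admin table holding
    unsalted SHA-256 hashes, which is itself weak and makes a dump cheap to crack."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)")
    for uid, name, pw in [(1, "admin", "Winter2015!"), (2, "editor", "letmein")]:
        conn.execute("INSERT INTO admins VALUES (?, ?, ?)",
                     (uid, name, hashlib.sha256(pw.encode()).hexdigest()))
    return conn


def lookup_vulnerable(conn, username):
    # String concatenation: the user-controlled value becomes SQL syntax.
    # With INJECTION the statement reads:
    #   SELECT ... WHERE username = '' OR 1=1 --'
    sql = "SELECT username, pw_hash FROM admins WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Parameterised query: the driver binds the value; it is never parsed as SQL.
    return conn.execute(
        "SELECT username, pw_hash FROM admins WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, INJECTION))   # every admin row
    print("safe:      ", lookup_safe(db, INJECTION))         # []
```

Input filtering is not the fix; binding is. The hashes should also be salted and stretched (PBKDF2, bcrypt, scrypt or Argon2) so that a dump, if it happens, is not immediately a credential list.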
Simple SOAP request fuzzing allowed collecting information about existing system users: their emails, VIN, last access time, user ID and other confidential user- and car-related information.
Broken session management
Why so simple?
Story about Hybrid Mobile Development in India
Reversing the Java / iOS application: this app feature
WEAK CRYPTOGRAPHY
Was cleaned up by the vendor team
REMOVED CODE APPEARS AGAIN IN THE APPSTORE APP
HARDCODED CREDENTIALS
Severity: Critical (C)/P1
Business impact: Medium (M)/P3
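Two slides above make one point together: the vendor removed the weak crypto and hard-coded secrets, and they came back in the App Store build. A finding that is fixed by hand once will regress; the durable fix is a check in CI that fails the build when a credential-looking literal reappears. The following is an added example of such a gate, not a tool the deck mentions; the sample source lines are constructed to mimic a mobile client with embedded backend credentials, and the patterns are a deliberately small starting set (real scanners carry hundreds).

```python
import re

# Constructed sample source (not from the reviewed app). Lines 3, 4 and 5
# are the kind of literal the deck's "hardcoded credentials" finding covers;
# line 7 is the corrected form (secret read from the environment at runtime).
SAMPLE_SOURCE = """\
static final String API_BASE = "https://api.example.com/";
static final String API_USER = "mobile_client";
static final String API_PASSWORD = "Sup3rS3cret!";
private static final String AES_KEY = "0123456789abcdef";
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
String greeting = "hello";
password = os.environ["APP_PASSWORD"]
"""

PATTERNS = [
    # name that smells like a secret, assigned a quoted literal of 4+ chars
    ("credential assignment",
     re.compile(r'(?i)(pass(word|wd)?|secret|api[_-]?key|token|aes[_-]?key)\s*=\s*"([^"]{4,})"')),
    # AWS access key id: fixed prefix plus 16 upper-case alphanumerics
    ("AWS access key id", re.compile(r'\bAKIA[0-9A-Z]{16}\b')),
]


def scan(source):
    """Return (line_no, label, line) for every line matching a pattern."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for label, pat in PATTERNS:
            if pat.search(line):
                findings.append((lineno, label, line.strip()))
                break   # one finding per line is enough to fail the build
    return findings


def is_clean(source):
    """CI gate: True only when no credential-looking literal is present."""
    return not scan(source)


if __name__ == "__main__":
    for lineno, label, line in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {label}: {line}")
    print("build passes:", is_clean(SAMPLE_SOURCE))
```

Run it over the exact artifact that ships (the decompiled APK or the IPA contents), not only the source tree: the deck's case was code that was gone from the repository and present in the store build.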
BACKEND SECURITY
Severity: Critical (C)/P1
Business impact: Critical (C)/P1
WEAK PASSWORDS
Severity: Critical (C)/P1
Business impact: Critical (C)/P1
DEVELOPER TEAM FACEPALM
ENCRYPTION PASSWORD AFTER APPSTORE RELEASE
SENSITIVE FILE ARTIFACTS
Severity: Low (L)/P4
Business impact: No business impact
All Apps are considered safe until proven guilty by a security review
Financial Institution
SENSITIVE CLIENT INFORMATION
As a consequence, customer trust could be lost.
Customers database dump
Defaults and sample files
Forgotten Files on server
Upload a Java web shell and take the server under control
Is your product popular?
You are the next target
How to PROTECT?
• Security frameworks
• Right security requirements
• Penetration testing
• Code scan and review
• Security trainings
• Threat modelling
• Dedicated security expert
• OWASP.org
Add Security into your PROCESS
Security
THANK YOU
Contact me: skype: root_nt, email: [email protected]
Join OWASP: http://owasp-lviv.blogspot.com/
FEEDBACK & QUESTIONS
Homework