Upload File

implementing secure coding in your organization · implementing secure coding in your organization...

  • Home
  • Documents
  • Implementing Secure Coding In Your Organization · Implementing Secure Coding In Your Organization Erez Metula (CISSP), Founder Application Security Expert [email protected]
18
Implementing Secure Coding In Your Organization Erez Metula (CISSP), Founder Application Security Expert [email protected]

Upload: others

Post on 20-Aug-2020

9 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Implementing Secure Coding In Your Organization · Implementing Secure Coding In Your Organization Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec-Labs.com

Implementing Secure Coding In Your Organization

Erez Metula (CISSP), Founder

Application Security Expert

[email protected]

Page 2: Implementing Secure Coding In Your Organization · Implementing Secure Coding In Your Organization Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec-Labs.com

Agenda

SDLC

Security education for developers

Secure Design

Secure Coding

Security testing

Tools

Page 3: Implementing Secure Coding In Your Organization · Implementing Secure Coding In Your Organization Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec-Labs.com

About Me – Erez Metula

Application security expert

Book author

Managed Code Rootkits (Syngress)

Speaker & Trainer

BlackHat, Defcon, RSA, OWASP, etc..

Founder of AppSec Labs

Page 4: Implementing Secure Coding In Your Organization · Implementing Secure Coding In Your Organization Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec-Labs.com

AppSec LabsThe leading Application Security Company

A bunch of Application Security Experts

Ninja Pentesters of Web & Mobile Apps

Elite Trainers for Hacking & Secure coding courses

Page 5: Implementing Secure Coding In Your Organization · Implementing Secure Coding In Your Organization Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec-Labs.com

Development Process Evolution

The iterative waterfall..

Page 6: Implementing Secure Coding In Your Organization · Implementing Secure Coding In Your Organization Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec-Labs.com

Problem..

No security at all

..or doing security at the last stage of development

Sometimes a security bug can cause design changes

…and sometimes you can’t even fix it!!

Page 7: Implementing Secure Coding In Your Organization · Implementing Secure Coding In Your Organization Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec-Labs.com

VIDEO

http://cis1.towson.edu/~cssecinj/secure-coding-workshop/workshop-structure/importance-of-secure-coding-15-min/

Page 8: Implementing Secure Coding In Your Organization · Implementing Secure Coding In Your Organization Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec-Labs.com

Complex Threat Model

Major attack vectors - malicious user / malicious app

Malicious user attacking the client side app

Malicious user using the client app to attack the server side

Malicious user attacking the end user by having physical access to the device

Malicious app attacking the end user

Malicious app attacking other apps on same device

Page 9: Implementing Secure Coding In Your Organization · Implementing Secure Coding In Your Organization Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec-Labs.com

Example – Mobile App Threat Model

Page 10: Implementing Secure Coding In Your Organization · Implementing Secure Coding In Your Organization Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec-Labs.com

Cost of Change

Relative cost to fix a vulnerability – based on time of detection

Page 11: Implementing Secure Coding In Your Organization · Implementing Secure Coding In Your Organization Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec-Labs.com

The Security Development Lifecycle

A process for software development, that defines security requirements and milestones

Page 12: Implementing Secure Coding In Your Organization · Implementing Secure Coding In Your Organization Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec-Labs.com

Developers don’t know how to write secure code !!!

Those kind of problems are related directly to R&D department

NOT IT dept. and NOT Security dept.

Most developers didn’t have proper secure coding training

Page 13: Implementing Secure Coding In Your Organization · Implementing Secure Coding In Your Organization Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec-Labs.com

What to do?

We need to educate them !

Page 14: Implementing Secure Coding In Your Organization · Implementing Secure Coding In Your Organization Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec-Labs.com

AppSec LabsLearning Management System

Page 15: Implementing Secure Coding In Your Organization · Implementing Secure Coding In Your Organization Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec-Labs.com

Grow your “Security champions”

A security champion is someone from your organization who will be responsible for advancing the application security initiative

Most often, he will be from the DEV team

A strong developer who truly cares about security

You should identify those kind of people and cherish them

Case study – HP and AppSec Labs TTT (“Train The Trainer)

Page 16: Implementing Secure Coding In Your Organization · Implementing Secure Coding In Your Organization Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec-Labs.com

Summary

Security should be performed at every layer

Never trust the user!

All input should be considered malicious unless proven otherwise

Follow best practices of secure coding and common security principles

SDL should be part of the methodology

Page 17: Implementing Secure Coding In Your Organization · Implementing Secure Coding In Your Organization Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec-Labs.com
Page 18: Implementing Secure Coding In Your Organization · Implementing Secure Coding In Your Organization Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec-Labs.com

THANK YOU !

Erez Metula , Application Security Expert

AppSec Labs (Founder)

[email protected]


Contact Details Distributed Source Coding: Theory and Practice · coding (NC) SW coding WZ coding MT coding DS-NC Wireless Sensor Networks Distributed Video Coding Cooperative Diversity

Coding 101 Taken from “Beginning Coding”, “Intermediate Coding”, and “I Hate Coding” by Dianne Demers

PARTNERSHIPS CAPACITY supporting STUDENTS TECHNOLOGY€¦ · developing PARTNERSHIPS building CAPACITY supporting STUDENTS implementing TECHNOLOGY Coding with Raspberry Pi. SET-BC

Internet Of Things (IOT) InSecurity - OWASP · PDF fileInternet Of Things (IOT) InSecurity Erez Metula Chairman & Founder, AppSec Labs [email protected] ... 10/10 security

Audio Coding and Standards - jianhua.cis.k.hosei.ac.jp · Audio Coding and Standards • Models, Techniques & Requirements of Sound Coding • Entropy Coding: Run length Coding &

Coding Conventions & Secure Coding

CIL Coding Conventions · CIL Coding Conventions ThischapterdiscussescodingconventionsusedintheCTIOSClientInterfaceLibrary(CIL).Coding conventionsarestandardwaysofperformingcommontasks

4 incorporating by reference certain calculations of the 6 … · 2021. 1. 27. · Governor’s Budget Recommendation - Implementing Bill . CODING: Words stricken are deletions; words

® Implementing QI Validation Tools for Coding and Clinical Quality Improvement in Academic Medical Centers September 11, 2012 Leslie Prellwitz, MBA, CCS,

UNIT II TEXT COMPRESSION. a. Outline Compression techniques Run length coding Huffman coding Adaptive Huffman Coding Arithmetic coding Shannon-Fano coding

4 incorporating by reference certain calculations of the 6 ......Governor’s Budget Recommendation - Implementing Bill CODING: Words stricken are deletions; words underlined are additions

Software Coding- Software Coding

CODING AND DECODING. TYPES Letter Coding Number Coding Substitution Mixed Number/Letter Coding

Dynamic Analysis of Android Apps - OWASP IL 2014 Analysis of Android Apps OWASP IL 2014 Erez Metula , Application Security Expert AppSec Labs (Founder) [email protected]

CODING MANAGEMENT (Part II) Recap Coding What are Coding Dictionaries Structure of Dictionaries Different Forms of Coding How Organizations Handle Coding?

Types of Coding - Purdue Engineeringbouman/ece637/notes/pdf/Source...Types of Coding •Source Coding ... Two Types of Source (Image) Coding •Lossless coding (entropy coding)

Internet Of Things (IOT) InSecurity - OWASP...Internet Of Things (IOT) InSecurity Erez Metula Chairman & Founder, AppSec Labs [email protected] Israel Chorzevski CTO, AppSec

International outage coding system for nuclear power plants · 2004-05-24 · coding system. When implementing the modified coding system into PRIS, its performance indicators and

ErezMetula (CISSP), Founder Application Security Expert ...€¦ · ErezMetula (CISSP), Founder Application Security Expert [email protected]. Breaking modern crypto is impractical

Perceptual Audio Coding - Hong Kong Polytechnic Universityenyhchan/ce_asc.pdf · perceptual coding Coding techniques Subband coding Transform coding MPEG Audio standards MP1 MP2 MP3

Verilogerilog Coding Coding - NCU

Bar Coding Pyxis S. Rimkus. Bar Coding Overview HistoryHistory DefinitionsDefinitions How Bar Coding worksHow Bar Coding works Bar Coding ApplicationsBar

Implementing Coding Tools for a New Classification

Implementing Medicare and Commercial Insurance Coding Changes in 2006 Patricia Falconer, MBA President, Health Options 650-949-2526 phone 650-745-1122

Analog MOS Circuits Implementing a Temporal Coding Neural ...lalsie.ist.hokudai.ac.jp/publication/dlcenter.php?fn=paper/jsp... · Analog MOS Circuits Implementing a Temporal Coding

IMPLEMENTING EU REGULATION 161/2016 - NEW ......Phone: +49 3529 551-661 [email protected] EU Regulation 161/2016 » Laser coding properties PTS DF 105 » Inkjet coding properties

Audio Coding and Standards Models, Techniques & Requirements of Sound Coding Entropy Coding: Run length Coding & Huffman coding Differential Coding – DPCM

Channel Coding (Error Control Coding)

net reverse engineering · .NET Reverse Engineering Erez Metula, CISSP Application Security Department Manager Security Software Engineer 2B Secure ErezMetula @2bsecure.co.il

What is Coding?amandapowellsellars.weebly.com/uploads/2/6/9/1/26910614/what_is… · What is Coding? Program The process of developing and implementing various sets of instructions

NET Framework Rootkits: Backdoors inside your Framework Erez Metula, Application Security Department Manager, Security Software Engineer, 2BSecure [email protected]

Signal coding Definitions Types of coding schemes Inferring sender and receiver coding Signal function and coding

Implementing Unifier at a $5B Facilities Capital ... Capital Improvement Program ... –Based upon cost sheet control ... –WBS Code –aligns to PeopleSoft / P6 Activity Coding

Yalin Zhang [email protected]. Huffman Coding Variations of Huffman Coding Length-limited coding Unequal-cost coding Mixed-radix coding Reserved-length

CS552 Coding and Delievery1 Coding and Delivery. CS552 Coding and Delievery2 Coding Standards Outline 1. Enforcing Standards 2. General Coding Standards