Web appsec and its 10 best SDLC practices
TRANSCRIPT
![Page 1: Web appsec and it’s 10 best SDLC practices](https://reader036.vdocuments.mx/reader036/viewer/2022062412/5876b8d51a28abad1a8b65cd/html5/thumbnails/1.jpg)
WebAppSec and its 10 Best SDLC Practices
By: John Patrick Lita – C)SS
Philippine Institute of Cyber Security Professionals (OWASP Academic Supporter)
with the partnership of
The Open Web Application Security Project (OWASP) (OWASP Philippines)
Open InfoSec Education Project
![Page 2: Web appsec and it’s 10 best SDLC practices](https://reader036.vdocuments.mx/reader036/viewer/2022062412/5876b8d51a28abad1a8b65cd/html5/thumbnails/2.jpg)
FOCUS ON COMMON SECURITY CHALLENGES
![Page 3: Web appsec and it’s 10 best SDLC practices](https://reader036.vdocuments.mx/reader036/viewer/2022062412/5876b8d51a28abad1a8b65cd/html5/thumbnails/3.jpg)
Most developers already think their web application is secure.
The majority of web applications have serious security vulnerabilities.
Most developers are not aware of the issue.
And we are thinking that all applications are secure?
![Page 4: Web appsec and it’s 10 best SDLC practices](https://reader036.vdocuments.mx/reader036/viewer/2022062412/5876b8d51a28abad1a8b65cd/html5/thumbnails/4.jpg)
Email, social networking, online shopping,
research, online banking, multimedia:
NOT SECURE
![Page 5: Web appsec and it’s 10 best SDLC practices](https://reader036.vdocuments.mx/reader036/viewer/2022062412/5876b8d51a28abad1a8b65cd/html5/thumbnails/5.jpg)
MOST SITES NOT SECURE
• Attacker can access unauthorized data
• Attacker can use the application to attack other users
![Page 6: Web appsec and it’s 10 best SDLC practices](https://reader036.vdocuments.mx/reader036/viewer/2022062412/5876b8d51a28abad1a8b65cd/html5/thumbnails/6.jpg)
THE WEB WASN'T DESIGNED TO BE SECURE!
• The Web was designed for static, read-only pages to be shared internally
• Almost no intrinsic security
• Only a few security features were developed
![Page 7: Web appsec and it’s 10 best SDLC practices](https://reader036.vdocuments.mx/reader036/viewer/2022062412/5876b8d51a28abad1a8b65cd/html5/thumbnails/7.jpg)
WHAT DOES THAT MEAN?
• COOKIE-BASED SESSIONS CAN BE HIJACKED
• NO SEPARATION OF LOGIC AND DATA
• ALL CLIENT-SUPPLIED DATA CANNOT BE TRUSTED
![Page 8: Web appsec and it’s 10 best SDLC practices](https://reader036.vdocuments.mx/reader036/viewer/2022062412/5876b8d51a28abad1a8b65cd/html5/thumbnails/8.jpg)
The Attacker Mindset
[Diagram: components Browser, Web Server, Databases, Access Control, Authentication, Firewall; attacks Clickjacking, XSS, CSRF, Tampering, Sniffing, Directory Traversal, XML Injection, SQL Injection, Direct Object Reference, Forged Token]
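As an added example (not from the deck), the previous slide's points that the Web has no separation of logic and data and that client-supplied data cannot be trusted, shown through the SQL injection named in the diagram: the same login lookup written once by string concatenation and once with bound parameters, against a constructed in-memory SQLite table. The table, its rows and the payload are assumptions for illustration; passwords are stored in clear only to keep the example short.

```python
# Added example (not from the slide deck): why mixing client-supplied data into
# query logic is dangerous, and how parameterised queries keep the two apart.
# Uses a constructed in-memory SQLite database; table and rows are assumptions.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway database with two constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Builds the SQL by concatenation: the client's input becomes part of the
    query LOGIC, so a crafted username rewrites the WHERE clause."""
    sql = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()


def login_safe(conn, username: str, password: str):
    """Parameterised query: the input is bound as DATA and cannot change the
    statement's structure, whatever characters it contains."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# Constructed payload: the quote closes the username literal and "--" comments
# out the rest of the statement, including the password check.
PAYLOAD = "alice' --"


def demo() -> dict:
    """Run both variants with the payload and with a legitimate login."""
    conn = make_db()
    return {
        # concatenated query becomes:
        #   ... WHERE username = 'alice' --' AND password = 'wrong'
        "vuln_with_payload": login_vulnerable(conn, PAYLOAD, "wrong"),
        # bound query looks for a user literally named "alice' --": none exists
        "safe_with_payload": login_safe(conn, PAYLOAD, "wrong"),
        "safe_legit": login_safe(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name}: {row}")
```

The vulnerable variant logs the attacker in as alice without a password; the parameterised variant returns nothing for the payload and still works for a genuine login, which is the separation of logic and data the slide says the Web lacks by default.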
![Page 9: Web appsec and it’s 10 best SDLC practices](https://reader036.vdocuments.mx/reader036/viewer/2022062412/5876b8d51a28abad1a8b65cd/html5/thumbnails/9.jpg)
- AJAX
- FLASH / FLEX
- SILVERLIGHT
- APPLETS
THE ATTACK SURFACE AREA IS GROWING!
![Page 10: Web appsec and it’s 10 best SDLC practices](https://reader036.vdocuments.mx/reader036/viewer/2022062412/5876b8d51a28abad1a8b65cd/html5/thumbnails/10.jpg)
APPLICATION SECURITY!
[Diagram: Threat Modeling, Code Changes, Secure Architecture, Developer & Architect Awareness, Common Security Controls, Software Development Lifecycle]
![Page 11: Web appsec and it’s 10 best SDLC practices](https://reader036.vdocuments.mx/reader036/viewer/2022062412/5876b8d51a28abad1a8b65cd/html5/thumbnails/11.jpg)
The Ten Best Practices for Secure Software Development
![Page 12: Web appsec and it’s 10 best SDLC practices](https://reader036.vdocuments.mx/reader036/viewer/2022062412/5876b8d51a28abad1a8b65cd/html5/thumbnails/12.jpg)
SOFTWARE DEVELOPMENT STAKEHOLDERS
TOP MANAGEMENT
CLIENTS
MANAGERS, ETC...
![Page 13: Web appsec and it’s 10 best SDLC practices](https://reader036.vdocuments.mx/reader036/viewer/2022062412/5876b8d51a28abad1a8b65cd/html5/thumbnails/13.jpg)
TEN BEST PRACTICES
1. Protect the brand your customers trust
Based on (ISC)²: The Ten Best Practices for Secure Software Development
![Page 14: Web appsec and it’s 10 best SDLC practices](https://reader036.vdocuments.mx/reader036/viewer/2022062412/5876b8d51a28abad1a8b65cd/html5/thumbnails/14.jpg)
TEN BEST PRACTICES
2. Know your business and support it with secure solutions
![Page 15: Web appsec and it’s 10 best SDLC practices](https://reader036.vdocuments.mx/reader036/viewer/2022062412/5876b8d51a28abad1a8b65cd/html5/thumbnails/15.jpg)
TEN BEST PRACTICES
3. Understand the technology of the software
![Page 16: Web appsec and it’s 10 best SDLC practices](https://reader036.vdocuments.mx/reader036/viewer/2022062412/5876b8d51a28abad1a8b65cd/html5/thumbnails/16.jpg)
TEN BEST PRACTICES
4. Ensure compliance to governance, regulations and privacy
![Page 17: Web appsec and it’s 10 best SDLC practices](https://reader036.vdocuments.mx/reader036/viewer/2022062412/5876b8d51a28abad1a8b65cd/html5/thumbnails/17.jpg)
TEN BEST PRACTICES
5. Know the basic components of software security
• Protection from disclosure (Confidentiality)
• Protection from alteration (Integrity)
• Protection from destruction (Availability)
• Who is making the request (Authentication)
• What rights/privileges they have (Authorization)
• The ability to build historical evidence (Auditing)
• And the management of configuration, sessions and exceptions
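An added example (not from the deck or from (ISC)²) that puts the components listed on this slide into one small request handler: an unguessable server-side session stands in for the hijackable cookie value from the "What does that mean?" slide, authentication and authorization are separate decisions, every decision leaves an audit record, and an internal exception is logged in full but reported to the client generically. The roles, the ACL, the resource names and the in-memory stores are assumptions made for illustration.

```python
# Added example (not from the slide deck): authentication, authorization,
# auditing and session/exception management in one request handler.
# Roles, ACL, resource names and the in-memory stores are assumptions.
import hmac
import secrets
import time
from typing import Dict, List, Optional, Tuple

SESSIONS: Dict[str, dict] = {}     # server-side session store: token -> session data
AUDIT_LOG: List[dict] = []         # historical evidence (auditing)
ACL = {"admin": {"read", "write", "delete"}, "user": {"read"}}  # authorization policy


def create_session(username: str, role: str, ttl: int = 900) -> str:
    """Issue an unguessable token; the role lives server-side, never in the cookie."""
    token = secrets.token_urlsafe(32)   # 256 bits of randomness, not a counter
    SESSIONS[token] = {"user": username, "role": role, "expires": time.time() + ttl}
    return token


def set_cookie_header(token: str) -> str:
    """Cookie attributes that limit hijacking: HttpOnly (no script access),
    Secure (TLS only), SameSite (not attached to cross-site requests)."""
    return f"Set-Cookie: session={token}; HttpOnly; Secure; SameSite=Strict; Path=/"


def authenticate(token: Optional[str]) -> Optional[dict]:
    """Who is making the request? Resolve the token server-side, comparing in
    constant time, and reject anything expired."""
    if not token:
        return None
    for stored, sess in SESSIONS.items():
        if hmac.compare_digest(stored.encode(), token.encode()) and sess["expires"] > time.time():
            return sess
    return None


def authorize(sess: dict, action: str) -> bool:
    """What rights does the caller have? Decided from the server-side role only."""
    return action in ACL.get(sess["role"], set())


def audit(event: str, **fields) -> None:
    """Append one audit record; never raises, so logging cannot break a request."""
    AUDIT_LOG.append({"ts": time.time(), "event": event, **fields})


def perform(action: str, resource: str) -> str:
    """Stand-in for the real work; the 'broken' resource simulates an internal
    failure whose message carries a secret that must not reach the client."""
    if resource == "broken":
        raise RuntimeError("db connection failed: db://admin:pw@host")
    return f"{action} {resource}"


def handle_request(token: Optional[str], action: str, resource: str) -> Tuple[int, str]:
    """Returns (status, body). Every decision is audited; internal errors are
    logged with detail but reported generically (exception management)."""
    sess = authenticate(token)
    if sess is None:
        audit("auth_failed", action=action, resource=resource)
        return 401, "authentication required"
    if not authorize(sess, action):
        audit("authz_denied", user=sess["user"], action=action, resource=resource)
        return 403, "forbidden"
    try:
        result = perform(action, resource)
    except Exception as exc:   # broad on purpose: this is the trust boundary
        audit("error", user=sess["user"], action=action, detail=repr(exc))
        return 500, "internal error"
    audit("ok", user=sess["user"], action=action, resource=resource)
    return 200, result


if __name__ == "__main__":
    admin = create_session("alice", "admin")
    print(set_cookie_header(admin))
    print(handle_request(admin, "delete", "report"))
    print(handle_request(create_session("bob", "user"), "delete", "report"))
    print(handle_request(admin, "read", "broken"), AUDIT_LOG[-1]["detail"])
```

The point of the shape is that the client never carries anything the server has to believe: the cookie holds only a random lookup key, the role and expiry come from the server-side record, and the audit log records denials as well as successes so the "historical evidence" the slide names exists when an incident is investigated.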
![Page 18: Web appsec and it’s 10 best SDLC practices](https://reader036.vdocuments.mx/reader036/viewer/2022062412/5876b8d51a28abad1a8b65cd/html5/thumbnails/18.jpg)
TEN BEST PRACTICES
6. Ensure the protection of sensitive information
![Page 19: Web appsec and it’s 10 best SDLC practices](https://reader036.vdocuments.mx/reader036/viewer/2022062412/5876b8d51a28abad1a8b65cd/html5/thumbnails/19.jpg)
TEN BEST PRACTICES
7. Design software with secure features
![Page 20: Web appsec and it’s 10 best SDLC practices](https://reader036.vdocuments.mx/reader036/viewer/2022062412/5876b8d51a28abad1a8b65cd/html5/thumbnails/20.jpg)
TEN BEST PRACTICES
8. Develop software with secure features
![Page 21: Web appsec and it’s 10 best SDLC practices](https://reader036.vdocuments.mx/reader036/viewer/2022062412/5876b8d51a28abad1a8b65cd/html5/thumbnails/21.jpg)
TEN BEST PRACTICES
9. Deploy software with secure features
![Page 22: Web appsec and it’s 10 best SDLC practices](https://reader036.vdocuments.mx/reader036/viewer/2022062412/5876b8d51a28abad1a8b65cd/html5/thumbnails/22.jpg)
TEN BEST PRACTICES
10. Educate yourself & others on how to build secure software
![Page 23: Web appsec and it’s 10 best SDLC practices](https://reader036.vdocuments.mx/reader036/viewer/2022062412/5876b8d51a28abad1a8b65cd/html5/thumbnails/23.jpg)