Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Scribd
Upload
144 views

Writing Secure Code

The document discusses how to write secure code and outlines various techniques for security including prevention, monitoring, detection, and response. It covers topics like vulnerabilities at different levels, the secure development lifecycle process, manual code reviews, threat modeling, penetration testing, and specific practices for securing applications, databases, and infrastructure.

Uploaded by

Abel P Mamani S
Copyright
© © All Rights Reserved
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
144 views

Writing Secure Code

The document discusses how to write secure code and outlines various techniques for security including prevention, monitoring, detection, and response. It covers topics like vulnerabilities at different levels, the secure development lifecycle process, manual code reviews, threat modeling, penetration testing, and specific practices for securing applications, databases, and infrastructure.

Uploaded by

Abel P Mamani S
Copyright
© © All Rights Reserved
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 18

Writing Secure Code

Alex Cespedes
About me
Software is everywhere
many vulnerabilities
Vulnerabilities can be classified
Humans

Network

Applications

Server Software

Operating System

Hardware
Applications
• Planning
• Development
• QA
OWASP Project
A3:2017 A4:2017
A1:2017 A2:2017
Sensitive Data XML External Entity
Injection Broken Authentication
Exposure (XXE)

A5:2017 A6:2017 A7:2017 A8:2017


Broken Access Security Cross-Site Scripting Insecure
Control Misconfiguration (XSS) Deserialization

A9:2017
A10:2017
Using Components
Insufficient Logging
with Known
& Monitoring
Vulnerabilities
SDLC

564132
Maintenance
Testing Planning
&
Analysis
Integration
Development
Design
SDLC
• Test Early and Test Often
• Understand the Scope of Security
• Develop the Right Mindset
• Understand the Subject
• Use the Right Tools
• Use Source Code When Available
• Develop Metrics
 If more education and training are required
 If there is a particular security mechanism that is not clearly understood by the dev team
 If the total number of security related problems being found each month is going down
Security Techniques
Advantages Disadvantages
Manual Inspections & • Requires no supporting • Can be time consuming
Reviews technology • Requires significant
• Can be applied to variety human thought and skill
of situations to be effective
• Flexible
• Promotes teamwork
• Early in the SDLC
Threat Modeling • Decomposing the • Relatively new technique
application • Good threat models don’t
• Defining and classifying mean good software
the assets
• Exploring potential
vulnerabilities/threats
• Creating mitigation
strategies
Security Techniques
Advantages Disadvantages
Code Review • Completeness and • Requires highly skilled
effectiveness security dev
• Accuracy • Can miss issues in
• Fast compiled libraries
• The source code actually
deployed might differ
from the one being
analyzed
Penetration Testing • Can be fast • Too late in the SDLC
• Requires a relatively • From impact testing only
lower skill-set than
source code review
• Test the code that is
actually being exposed
Prevention
Securing applications

Prevention

Monitoring Detection

Recovery Response
Development
• Scan your code continuously
 Application code
 Packages / Libraries

• Train developers in secure coding


• Make Friday – break the app
• Use secure crypto
• Log errors
• Don’t reinvent
 Login
Password Reset
Database
• Encrypt sensitive data (PI, Addresses, emails, passwords)
• Encrypt database on disk (including backups)
• Minimal privilege for application database user
• Do not store encryption keys in database
Infrastructure
• Secure your development environment
• Block development/Staging to the outside world with an username/password
• Turn off unused servers
• Multifactor authentication to all the infrastructure
• Use IDS/IPS
Thanks!!

You might also like