Web appsec and it’s 10 best SDLC practices
•Download as PPTX, PDF•
5 likes•1,204 views
The Ten Best Practices Software development involves many stakeholders, as depicted in They can range from the analyst (business/requirements), to architects, coders, testers, and operations personnel. Development can also include management (product/project/personnel), and in some cases even executive-level management. Additionally included may be members from the security and audit teams.
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (12)
Similar to Web appsec and it’s 10 best SDLC practices
Similar to Web appsec and it’s 10 best SDLC practices (20)
Recently uploaded
Recently uploaded (20)
Web appsec and it’s 10 best SDLC practices
- 1. WebAppSec and it’s 10 Best SDLC Practices By: John Patrick Lita – C)SS Philippine Institute of Cyber Security Professionals (OWASP Academic Supporter) with the Partnership of The Open Web Application Security Project (OWASP) (OWASP Philippines) Open InfoSec Education Project
- 2. FOCUS ON COMMON SECURITY CHALLENGES
- 3. Most Developers already think there web application is Secure. Majority of web applcations have serious security vulnerabilities Most of the the developers not aware of the issue. And we are thinking that all the application are secure?
- 4. EMAIL Social Networking Online Shopping Research Online Banking Multimedia
- 5. MOST SITES NOT SECURE •Attacker can access unauthorized data •Attacker can use the application to attack other users
- 6. THE WEB WASN’T DESIGN TO BE SECURE! • The website is design for static, read only pages to be share internally • Almost no intrinsic security • A few security features was develope
- 7. WHAT DOES THAT MEAN? •COOKIE-BASED SESSIONS CAN HIJACKED •NO SEPARATION OF LOGIC DATA •ALL CLIENT SUPPLIED DATA CANNOT BE TRUSTED
- 8. The Attacker MindSet Browser WebServer WebServer DatabasesAccess ControlAuthentication FireWall Click- Jacking XSS CSRF Tampering Sniffing Directory Traversal XML Injection SQL Injection DirectObject Reference Forged Token
- 9. - AJAX - FLASH / FLEX - SILVERLIGHT - APPLETS THE ATTACK SURFACE AREA IS GROWING!
- 11. The Ten Best Practices for Secure Software Development
- 13. TEN BEST PRACTICES Protect the brand your customers trust Base in ISC(2) : The Ten Best Practices for Secure Software Development
- 14. TEN BEST PRACTICES Know your business and support it with secure solutions Base in ISC(2) : The Ten Best Practices for Secure Software Development
- 15. TEN BEST PRACTICES Undestand the technology of the software Base in ISC(2) : The Ten Best Practices for Secure Software Development
- 16. TEN BEST PRACTICES Ensure compliance to governance, regulations and privacy Base in ISC(2) : The Ten Best Practices for Secure Software Development
- 17. TEN BEST PRACTICES Know the basic components of software security Protection from Disclosure (Confidentiality) Protection from Alteration (Integrity) Protection from Destruction (Availability) Who is making the request (Authentication) What rights/privileges they have (Authorization) The ability to build historical evidence (Auditing) And the Management of configuration, sessions exceptions Base in ISC(2) : The Ten Best Practices for Secure Software Development
- 18. TEN BEST PRACTICES Ensure the protection of sensitive information Base in ISC(2) : The Ten Best Practices for Secure Software Development
- 19. TEN BEST PRACTICES Design software with secure features Base in ISC(2) : The Ten Best Practices for Secure Software Development
- 20. TEN BEST PRACTICES Develop software with secure features Base in ISC(2) : The Ten Best Practices for Secure Software Development
- 21. TEN BEST PRACTICEs Deploy software with Secure features Base in ISC(2) : The Ten Best Practices for Secure Software Development
- 22. TEN BEST PRACTICEs Educate yourself & others on how to build secure software Base in ISC(2) : The Ten Best Practices for Secure Software Development
Editor's Notes
- We are going to dicuss about the common security challenges that web developers paced When building a web application or software development. With this presentation you should have a background in Programming, or in web development in general Or even you have a basics in programming lagguages to be familiar with our topic today.
- Most Developers already think there web application is Secure. Majority of web applcations have serious security vulnerabilities Most of the the developers not aware of the issue. And we are thinking that all the application are secure?
- We use web applicaiton in our day to day life and We also think that web application is secure. We use Email, Social Media, online Shopping, Research You common thoughts is the web app is secure? But majority of this applications are not secure! What im saying NOT SECURE is
- Specificly that the code contains some type of Flaw or some type of bugs that code be exploited So that an attacker can misuse the application it means, Attacker can Access Unauthorized data And also the attacker can use the application to attack other users And we will cover 10 best practices in development Lets get
- -The website is design for static, read only pages to be share internal -Almost no intrinsic security, to compare the application we use to day There is banking, Email, health care provider, Financial information Health care information, and with that the security was develop and they dont even have a session. That we have to day in HTTP
- The attacker mind set when they are using an application. What are the entry points for an attacker to violate or bypass Any security? How an attacker can get a sensitive information from other user? Web Browser handles – Java Script (XSS), Tranparency, and Session And we need to consider the data has been transported (Firewall) Client side (Tampering) Sniffing (Server Sides)
- The system/software development life cycle has been around for years what we now know is that it is important to embed software security Priciples throughout the software development life cycle. This is easier said Than done.
- Software Development involves numberous stake holders e.G (Top Management, Clients,Manager etc.) good thing is that ISC2 come up with the best practices for secure software development
- Attackers will now just disrupt the business operations But may also impact consumers confidence.
- A security professional must not only have strong background in technology, But must also have through understanding of the business when it comes to creating secure solutions.
- A lack of understanding of the technology used to build or buy Software can lead to insecure implementations of the software.
- A software security professional need to be well versed in meeting Regulatory and privacy requirements.
- The basic components are: Protection from disclosure (Confidentiality) Protection from Alteration (Integrity) Protection from desctruction (Availability) Who is making the request (Authentication) What rights/privileges they have (Authorization) The ability to build histrorical evidence (which is Auditing) And the management of configuration, sessions, and exceptions
- It’s just important to protect the brand customers trust, But it is vital that any sensitive information be protected as well
- When a software developer focuses only on finding security issues In code, he or she runs the risk of missing out on the vulnerabilities Such as Business Logic Flaws, which can’t be detected in code.
- It is imperative that secure features are not ignored when design Artifacts are converted into sytanx constructs.
- A development team needs to ensure that the development and test Environments properly simulate the production environment.
- It is important to create a culture that factors in software security From the very beginning by defauult. The National Institute Of Standards and Technology (NIST) state that education should cause A change in atitudes, which in turn will change the organization culture