The Ten Best Practices
Software development involves many stakeholders, as depicted in
They can range from the analyst (business/requirements),
to architects, coders, testers, and operations personnel. Development
can also include management (product/project/personnel), and
in some cases even executive-level management. Additionally
included may be members from the security and audit teams.
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Web appsec and it’s 10 best SDLC practices
1. WebAppSec and it’s 10 Best
SDLC Practices
By: John Patrick Lita – C)SS
Philippine Institute of Cyber Security
Professionals (OWASP Academic Supporter)
with the Partnership of
The Open Web Application Security Project (OWASP)
(OWASP Philippines)
Open InfoSec Education Project
3. Most Developers already think there web application is
Secure.
Majority of web applcations have serious security
vulnerabilities
Most of the the developers not aware of the issue.
And we are thinking that all the application are secure?
5. MOST SITES NOT SECURE
•Attacker can access
unauthorized data
•Attacker can use
the application to
attack other users
6. THE WEB WASN’T DESIGN TO BE
SECURE!
• The website is design for static, read only pages to be
share internally
• Almost no intrinsic security
• A few security features was develope
7. WHAT DOES THAT MEAN?
•COOKIE-BASED
SESSIONS CAN
HIJACKED
•NO SEPARATION OF
LOGIC DATA
•ALL CLIENT SUPPLIED
DATA CANNOT BE
TRUSTED
13. TEN BEST PRACTICES
Protect the brand
your customers trust
Base in ISC(2) : The Ten Best Practices for Secure Software Development
14. TEN BEST PRACTICES
Know your business
and support it with
secure solutions
Base in ISC(2) : The Ten Best Practices for Secure Software Development
15. TEN BEST PRACTICES
Undestand the
technology of the
software
Base in ISC(2) : The Ten Best Practices for Secure Software Development
16. TEN BEST PRACTICES
Ensure compliance
to governance,
regulations and
privacy
Base in ISC(2) : The Ten Best Practices for Secure Software Development
17. TEN BEST PRACTICES
Know the basic components of
software security
Protection from Disclosure (Confidentiality)
Protection from Alteration (Integrity)
Protection from Destruction (Availability)
Who is making the request (Authentication)
What rights/privileges they have (Authorization)
The ability to build historical evidence (Auditing)
And the Management of configuration, sessions
exceptions
Base in ISC(2) : The Ten Best Practices for Secure Software Development
18. TEN BEST PRACTICES
Ensure the protection of
sensitive information
Base in ISC(2) : The Ten Best Practices for Secure Software Development
19. TEN BEST PRACTICES
Design software
with secure features
Base in ISC(2) : The Ten Best Practices for Secure Software Development
20. TEN BEST PRACTICES
Develop software
with secure features
Base in ISC(2) : The Ten Best Practices for Secure Software Development
21. TEN BEST PRACTICEs
Deploy software with
Secure features
Base in ISC(2) : The Ten Best Practices for Secure Software Development
22. TEN BEST PRACTICEs
Educate yourself
& others on how
to build secure
software
Base in ISC(2) : The Ten Best Practices for Secure Software Development
Editor's Notes
We are going to dicuss about the common security challenges that web developers paced
When building a web application or software development.
With this presentation you should have a background in Programming, or in web development in general
Or even you have a basics in programming lagguages to be familiar with our topic today.
Most Developers already think there web application is
Secure.Majority of web applcations have serious security vulnerabilities
Most of the the developers not aware of the issue.
And we are thinking that all the application are secure?
We use web applicaiton in our day to day life and
We also think that web application is secure.
We use Email, Social Media, online Shopping, Research
You common thoughts is the web app is secure? But majority of this applications are not secure!
What im saying NOT SECURE is
Specificly that the code contains some type of Flaw or some type of bugs that code be exploited
So that an attacker can misuse the application it means,
Attacker can Access Unauthorized data
And also the attacker can use the application to attack other users
And we will cover 10 best practices in development
Lets get
-The website is design for static, read only pages to be share internal
-Almost no intrinsic security, to compare the application we use to day
There is banking, Email, health care provider, Financial informationHealth care information, and with that the security was develop and they dont even have a session.
That we have to day in HTTP
The attacker mind set when they are using an application.
What are the entry points for an attacker to violate or bypass
Any security? How an attacker can get a sensitive information from other user?
Web Browser handles – Java Script (XSS), Tranparency, and Session
And we need to consider the data has been transported (Firewall) Client side (Tampering) Sniffing (Server Sides)
The system/software development life cycle has been around for years
what we now know is that it is important to embed software security
Priciples throughout the software development life cycle. This is easier said
Than done.
Software Development involves numberous stake holders
e.G (Top Management, Clients,Manager etc.) good thing is that
ISC2 come up with the best practices for secure software development
Attackers will now just disrupt the business operations
But may also impact consumers confidence.
A security professional must not only have strong background in technology,
But must also have through understanding of the business when it comes to creating secure solutions.
A lack of understanding of the technology used to build or buy
Software can lead to insecure implementations of the software.
A software security professional need to be well versed in meeting
Regulatory and privacy requirements.
The basic components are:
Protection from disclosure (Confidentiality)
Protection from Alteration (Integrity)
Protection from desctruction (Availability)
Who is making the request (Authentication)
What rights/privileges they have (Authorization)
The ability to build histrorical evidence (which is Auditing)
And the management of configuration, sessions, and exceptions
It’s just important to protect the brand customers trust,
But it is vital that any sensitive information be protected as well
When a software developer focuses only on finding security issues
In code, he or she runs the risk of missing out on the vulnerabilities
Such as Business Logic Flaws, which can’t be detected in code.
It is imperative that secure features are not ignored when design
Artifacts are converted into sytanx constructs.
A development team needs to ensure that the development and test
Environments properly simulate the production environment.
It is important to create a culture that factors in software security
From the very beginning by defauult. The National Institute
Of Standards and Technology (NIST) state that education should cause
A change in atitudes, which in turn will change the organization culture