building better product security
TRANSCRIPT
Building better product securityan engineering approach
Who we are
Client was hacked
Security Assessment of completed product…
…is not good enough sometimes either
Secure Development Lifecycle
Engineer becomes a part of team
How security process looks in reality
Than start process of re-Coding, re-Building, re-Testing, re-Auditing
3rd party or internal audit
Tone of security defects
BACK to re-Coding, re-Building, re-Testing, re-Auditing
Generic Approach for Security
Design Build Test Production
security requirements / risk and threat analysis
coding guidelines /code reviews/ static
analysis
security testing / dynamic analysis
vulnerability scanning / WAF
Reactive ApproachProactive Approach
Secure SDLC
Defining security requirements for a project
Developing coding guidelines and static code analysis
Security testing
Vulnerabilty testing
Common SDLC fails
CODE
It is not a vulnerability, it is a feature
Installling application after SDLC on vulnerable environment
SDLC makes everyone happy
Such approach eventually may save one’s business
Questions?
Thanks!
http://owasp-lviv.blogspot.com