Implementing Secure Coding In Your Organization
Erez Metula (CISSP), Founder
Application Security Expert
Agenda
SDLC
Security education for developers
Secure Design
Secure Coding
Security testing
Tools
About Me – Erez Metula
Application security expert
Book author
Managed Code Rootkits (Syngress)
Speaker & Trainer
BlackHat, Defcon, RSA, OWASP, etc.
Founder of AppSec Labs
AppSec Labs: The leading Application Security Company
A bunch of Application Security Experts
Ninja Pentesters of Web & Mobile Apps
Elite Trainers for Hacking & Secure coding courses
Development Process Evolution
The iterative waterfall...
Problem...
No security at all
...or doing security at the last stage of development
Sometimes a security bug can cause design changes
…and sometimes you can’t even fix it!!
Video: http://cis1.towson.edu/~cssecinj/secure-coding-workshop/workshop-structure/importance-of-secure-coding-15-min/
Complex Threat Model
Major attack vectors - malicious user / malicious app
Malicious user attacking the client side app
Malicious user using the client app to attack the server side
Malicious user attacking the end user by having physical access to the device
Malicious app attacking the end user
Malicious app attacking other apps on same device
Example – Mobile App Threat Model
Cost of Change
Relative cost to fix a vulnerability – based on time of detection
The Security Development Lifecycle
A process for software development that defines security requirements and milestones
Developers don’t know how to write secure code!!!
These kinds of problems relate directly to the R&D department
NOT the IT dept. and NOT the Security dept.
Most developers didn’t have proper secure coding training
What to do?
We need to educate them!
AppSec Labs Learning Management System
Grow your “Security champions”
A security champion is someone from your organization who will be responsible for advancing the application security initiative
Most often, he will be from the DEV team
A strong developer who truly cares about security
You should identify these kinds of people and cherish them
Case study – HP and AppSec Labs TTT (“Train The Trainer”)
Summary
Security should be performed at every layer
Never trust the user!
All input should be considered malicious unless proven otherwise
Follow best practices of secure coding and common security principles
SDL should be part of the methodology