Upload File

path to self - isaca presentations... · path to self securing code gary robinson & yan huang...

  • Home
  • Documents
  • Path to Self - ISACA Presentations... · Path to Self Securing Code Gary Robinson & Yan Huang Uleska & CSIT
22

Upload: hadiep

Post on 16-May-2018

218 views

Category:

Documents


3 download

Report

TRANSCRIPT

Page 1: Path to Self - ISACA Presentations... · Path to Self Securing Code Gary Robinson & Yan Huang Uleska & CSIT
Page 2: Path to Self - ISACA Presentations... · Path to Self Securing Code Gary Robinson & Yan Huang Uleska & CSIT

Path to Self

Securing Code

Gary Robinson & Yan Huang

Uleska & CSIT

Page 3: Path to Self - ISACA Presentations... · Path to Self Securing Code Gary Robinson & Yan Huang Uleska & CSIT

The Path to Self Securing Code

Gary Robinson

• Founder & Director at Uleska

• OWASP Europe Board Member

• Previously, Senior Application

Security Architect at CitiGroup

Dr. Yan Huang

• Sr. Engineer at the Center for

Secure Information

Technologies (CSIT)

• Part of Queens University

Belfast

• Sr. Engineer at CSITLabs

Page 4: Path to Self - ISACA Presentations... · Path to Self Securing Code Gary Robinson & Yan Huang Uleska & CSIT

“Software development has accelerated and improved in almost

every aspect – apart from application security.”

“How can we change this?”

Page 5: Path to Self - ISACA Presentations... · Path to Self Securing Code Gary Robinson & Yan Huang Uleska & CSIT

Fact

The Application Security industry already knows how to solve every software security issue.

The issue is in execution!

Page 6: Path to Self - ISACA Presentations... · Path to Self Securing Code Gary Robinson & Yan Huang Uleska & CSIT

Inputs Outputs

Page 7: Path to Self - ISACA Presentations... · Path to Self Securing Code Gary Robinson & Yan Huang Uleska & CSIT

Writing an Effective Source Code Scanner

Using Open Source tools to understand the application from it’s

code

Page 8: Path to Self - ISACA Presentations... · Path to Self Securing Code Gary Robinson & Yan Huang Uleska & CSIT

www.csitlabs.com

Page 9: Path to Self - ISACA Presentations... · Path to Self Securing Code Gary Robinson & Yan Huang Uleska & CSIT

Code Scanner Static Code Analysis

• Model Checking

• Control-flow analysis

• Data-flow analysis

• Symbolic analysis

• Information-flow analysis

Attack Surface Analysis

• Identify what functions and what parts of

the system you need to review/test for

security vulnerabilities

• Identify high risk areas of code that

require defence-in-depth protection Reducing Attack Surface

Page 10: Path to Self - ISACA Presentations... · Path to Self Securing Code Gary Robinson & Yan Huang Uleska & CSIT

Java Source Code Scanner

• Traverses source code directory

• Enumeration of web interface attack surface

• GET/POST parameters

• Store information in a JSON format

JavaParser

• Java Open-Source Library

• LGPL License / Apache License

• The parser is extra lightweight, no dependencies

• Get an Abstract Syntax Tree (AST) from Java code

• Visitor design pattern

Page 11: Path to Self - ISACA Presentations... · Path to Self Securing Code Gary Robinson & Yan Huang Uleska & CSIT

ANTLR (Another Tool For Language Recognition)

Language Grammar

Language Parser

AST

Tree Walker

Page 12: Path to Self - ISACA Presentations... · Path to Self Securing Code Gary Robinson & Yan Huang Uleska & CSIT
Page 13: Path to Self - ISACA Presentations... · Path to Self Securing Code Gary Robinson & Yan Huang Uleska & CSIT

What can we do with this

Project Model?

Using the power of a Project Model to Secure Software

Page 14: Path to Self - ISACA Presentations... · Path to Self Securing Code Gary Robinson & Yan Huang Uleska & CSIT

Issues with current application

security

Page 15: Path to Self - ISACA Presentations... · Path to Self Securing Code Gary Robinson & Yan Huang Uleska & CSIT

Project Model

Documentation printing engine

Real-time Risk Enumeration

Page 16: Path to Self - ISACA Presentations... · Path to Self Securing Code Gary Robinson & Yan Huang Uleska & CSIT

Project Model

Data Flow engine

Real-time Data Flow

Enumeration

Page 17: Path to Self - ISACA Presentations... · Path to Self Securing Code Gary Robinson & Yan Huang Uleska & CSIT

Project Models

Data/Artifact Recording Engine

Data/Artifact Enumeration

CVE, data type, library query

Page 18: Path to Self - ISACA Presentations... · Path to Self Securing Code Gary Robinson & Yan Huang Uleska & CSIT

Project Model

Security Feature Code

Security Feature Automation Security Model

Page 19: Path to Self - ISACA Presentations... · Path to Self Securing Code Gary Robinson & Yan Huang Uleska & CSIT

Project Model

Secure Configuration Generation

Secure Configuration

Automation Security Model

Page 20: Path to Self - ISACA Presentations... · Path to Self Securing Code Gary Robinson & Yan Huang Uleska & CSIT

Project Model

Security Test Generation

Security Test Automation Security Model

Page 21: Path to Self - ISACA Presentations... · Path to Self Securing Code Gary Robinson & Yan Huang Uleska & CSIT

Project Model

Security Code/Feature

Implementation Generation

Real-time Security

Implementation Security Model

Page 22: Path to Self - ISACA Presentations... · Path to Self Securing Code Gary Robinson & Yan Huang Uleska & CSIT

Convenio Colectivo 6 - CSIT

Self-Reliance My Path Edition - media.ldscdn.org

Mountain Path Aikido Self-Paced Kyu Testing System

Catalogo CSIT 2012

Choosing Your Self-Publishing Path

self binding path gravel - Smiths Bletchington Binding Path... · email [email protected] self binding path gravel Self Binding Path Gravel These are guidelines only

The Self, Self-knowledge, and a Flattened Path to Self … · The Self, Self-knowledge, and a Flattened Path to Self-improvement Robert D. Rupert University of Colorado, Boulder November

Self-Adjusting Grid Networks to Minimize Expected Path …borokhom/presentation_sirocco2013.pdf · Self-Adjusting Grid Networks to Minimize Expected Path Length Chen Avin,Michael

CSIT 313 DB PROGRAMMING

My Path to Self Reliance Spa

CSIT 301 (Blum)1 Processor Specs. CSIT 301 (Blum)2 Package Type (Pentium 4)

CSIT 301 (Blum)1 More About Processors. CSIT 301 (Blum)2 Pentium 4 Processor Specs

The Self-Worth Path - Yoga Alliance

CSIT PPP OFS

CSIT PARKOUR CHASE GAME

Ethiopia: The Path to Self-Resiliency

Converters - csit-sun.pub.ro

PRESENTASI DIRI DALAM MEDIA SOSIAL PATH SELF …

My Path to Self Reliance Eng

My Path to Self-Reliance (Ang Aking Landas Patungong Self

S2P2: Self-Supervised Goal-Directed Path Planning Using

CSIT 301 (Blum)1 1 Processor Specs (Continued). CSIT 301 (Blum)2 2 Package Type

CSIT 561: CSIT 561: Computer Networks“Computer Networks”

MTech CSIT Syllabus

BA Book Review a Path to Self Study

26112014 assosoftware roadshow csit

The Technological Path To Effortless Self-Correction

Anti-Self-Help - The Certain Path to Success

THE CSIT REVIEW - southeastern.edu

CSIT 58: The Internet

2 - CSIT Laboratory

CSIT 534 Presentation Cherri_edmond

CSIT 301 (Blum)1 File Systems. FAT CSIT 301 (Blum)2

Crowd Self-Organization, Streaming and Short Path Smoothing

Lighting the Path to 5G - Amazon S3s3.amazonaws.com/JuJaMa.UserContent/84ce8d70-fe5a-4e82-9c59-35… · Lighting the Path to 5G ... • Self-configuration, self-optimization, self-healing