Building better product security
an engineering approach
Who we are
Client was hacked
Security assessment of a completed product… is sometimes not good enough either
Secure Development Lifecycle
Engineer becomes a part of team
How the security process looks in reality
Then the process of re-Coding, re-Building, re-Testing, re-Auditing starts
3rd party or internal audit
Tons of security defects
BACK to re-Coding, re-Building, re-Testing, re-Auditing
Generic Approach for Security
Design: security requirements / risk and threat analysis
Build: coding guidelines / code reviews / static analysis
Test: security testing / dynamic analysis
Production: vulnerability scanning / WAF
Proactive Approach / Reactive Approach
Secure SDLC
Defining security requirements for a project
Developing coding guidelines
and static code analysis
Security testing
Vulnerability testing
Common SDLC fails
CODE
It is not a vulnerability, it is a feature
Installing the application after SDLC on a vulnerable environment
SDLC makes everyone happy
Such an approach may eventually save one’s business
Questions?
Thanks!
http://owasp-lviv.blogspot.com
