Secure SDLC. Approach and realization
by Nazar Tymoshyk, Ph.D., CEH
Even the best applications face challenges.
Big applications face bigger challenges.
Security is an important factor for your app.
Consequences
• Reputation loss
• Penalties
• Data loss
• IP theft

Threats
• Breaching organizational perimeters
• Modifying a victim's website to deploy MALWARE to the website's visitors
• Taking over high-value accounts

Hackers' motives
Previously, attackers used application vulnerabilities to cause embarrassment and disruption. Now these attackers exploit vulnerabilities to steal data and much more.
Web application firewall
(in front of Microsoft IIS, Apache, Nginx)

CYA (cover your apps)
• Time-to-Fix vs. Time-to-Hack
• Automated temporary patches
Why
• Effective design of protected code requires a change in the mindset of the participants involved.
• Existing training resources concentrate on studying causes and consequences instead of eliminating the causes.
• Following the conventional approach, the designer must be a qualified penetration tester before starting to write secure code.
• It DOES NOT WORK!
Developer
• Focuses on functional requirements
• Knows about:
– OWASP Top 10
– 1 threat (DEADLINE fail)
• Concentrates on risks
"I know when I'm writing code I'm not thinking about evil, I'm just trying to think about functionality" (c) Scott Hanselman
Security Officer
• Focused on security requirements
• Knows the difference between a vulnerability and an attack
• Focused on vulnerabilities
Risks are for managers, not developers
Typical Security Report delivered by security firm
Typical Security Report delivered by other auditor
How security is linked to development
A 3rd-party or internal audit finds tons of security defects, and it is BACK to re-coding, re-building, re-testing, re-auditing.
Then the process of re-coding, re-building, re-testing and re-auditing starts over.
How much time do you need to fix the security issues in the app?
How it should look
With a proper Security Program, the number of security defects should decrease from phase to phase:
• Automated security tests (CI-integrated)
• Manual security tests (OWASP methodology)
• Secure coding trainings
• Regular vulnerability scans
Primary Benefits
• Minimize the costs of security-related issues
• Avoid repetitive security issues
• Avoid an inconsistent level of security
• Determine the activities that pay back fastest in the current state of the project
Secure Development Lifecycle
Mapping SDL to Agile
• Every-Sprint practices: essential security practices that should be performed in every release.
• Bucket practices: important security practices that must be completed on a regular basis but can be spread across multiple sprints during the project lifetime.
• One-Time practices: foundational security practices that must be established once at the start of every new Agile project.
Microsoft SDL

Training
PRE SDL TRAINING:
• Introduction to Microsoft SDL
• Essential Software Security Training for the Microsoft SDL
• Basics of Secure Design, Development and Test
• Introduction to Microsoft SDL Threat Modeling
• SDL Quick Security References
• SDL Developer Starter Kit
Requirements Phase
• SDL Practice #2: Establish Security and Privacy Requirements (one-time practice)
• SDL Practice #3: Create Quality Gates/Bug Bars
• SDL Practice #4: Perform Security and Privacy Risk Assessments (one-time practice)
Design
• Establish Design Requirements (one-time practice)
• Attack Surface Analysis/Reduction (one-time practice)
• Use Threat Modeling
• Mitigation of threats
• Secure Design
• Formulating security guidelines
• Security Design Review
Implementation
• SDL Practice #8: Use Approved Tools
• SDL Practice #9: Deprecate Unsafe Functions
• SDL Practice #10: Perform Static Analysis
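As an added illustration of practices #9 and #10 (this is example code written for this page, not code from the deck and not Microsoft's SDL tooling), the following Python check scans C source for calls to deprecated unsafe functions, the kind of list Microsoft ships as banned.h. The banned list here is an assumed small subset, the C sample is constructed, and the comment stripping is deliberately simple (a "//" inside a string literal would be treated as a comment):

```python
"""Tiny static check for deprecated unsafe C functions, in the spirit of the
SDL "Deprecate Unsafe Functions" and "Perform Static Analysis" practices.
Added example; the banned list is an assumption (a small subset of the kind of
list Microsoft's banned.h carries), not the official list."""
import re

# Assumption: banned function -> suggested safer replacement.
BANNED = {
    "strcpy": "strcpy_s or strlcpy",
    "strcat": "strcat_s or strlcat",
    "sprintf": "snprintf or sprintf_s",
    "vsprintf": "vsnprintf",
    "gets": "fgets",
}

# Match a *call* of a banned name: word boundary, name, optional spaces, '('.
# strcpy_s( and snprintf( do not match because of the boundary / prefix.
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, BANNED)) + r")\s*\(")


def strip_comments(source):
    """Remove /* */ and // comments while preserving line numbering.
    Simplification: a // inside a string literal is also treated as a comment."""
    no_block = re.sub(r"/\*.*?\*/",
                      lambda m: "\n" * m.group(0).count("\n"),
                      source, flags=re.DOTALL)
    return "\n".join(line.split("//", 1)[0] for line in no_block.split("\n"))


def find_banned_calls(source):
    """Return (line_number, function, suggestion) for every banned call."""
    findings = []
    for lineno, line in enumerate(strip_comments(source).split("\n"), 1):
        for m in CALL_RE.finditer(line):
            name = m.group(1)
            findings.append((lineno, name, BANNED[name]))
    return findings


def gate(source):
    """Static-analysis quality gate: pass only when no banned call is present."""
    return not find_banned_calls(source)


# Constructed sample C source for the check (not from the deck).
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>

/* strcpy(dst, src) in a comment must not count */
void copy_name(char *dst, const char *src) {
    strcpy(dst, src);          // banned: no bounds check
    strcpy_s(dst, 32, src);    // safe variant, not flagged
}
void greet(char *buf, const char *name) {
    sprintf(buf, "Hello %s", name);       // banned
    snprintf(buf, 64, "Hello %s", name);  // safe variant, not flagged
}
"""

if __name__ == "__main__":
    for lineno, name, fix in find_banned_calls(SAMPLE_C):
        print(f"line {lineno}: {name}() is banned, use {fix}")
    print("gate passed" if gate(SAMPLE_C) else "gate FAILED")
```

Run against the sample it reports line 6 (strcpy) and line 10 (sprintf) and fails the gate; the commented-out call and the `_s` variants are not flagged. In a real pipeline the same idea is enforced by the compiler (for example a banned.h that redefines the names) or by the static analyzer's own rule set, which is what "Use Approved Tools" refers to.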
Verification Phase
Bucket practices:
• SDL Practice #11: Perform Dynamic Analysis
• SDL Practice #12: Fuzz Testing
• SDL Practice #13: Attack Surface Review
Release Phase
• SDL Practice #14: Create an Incident Response Plan (one-time practice)
• SDL Practice #15: Conduct Final Security Review
• SDL Practice #16: Certify Release and Archive
Response Phase
• SDL Practice #17: Execute Incident Response Plan
– Analyze vulnerability information
– Risk calculation
– Patch release
– Client notification
– Information publishing
Value
• 20-40% decrease in time spent on testing/re-testing
• Catch problems as soon as possible
• Avoid repetitive security issues
• Improve security expertise/practices of the current team
• Automation, integration, continuity
• Proactive security reporting
• Full coverage
CI SECURITY

Typical CI Workflow
Continuous Integration, Delivery, Deployment

High-level vision
• Pull source code
• CI tools
• Static code analysis
• Deploying application
• Dynamic security testing
• Security reports
CI Security process
Build
• Build code with special debug options
Deploy
• Pack build and code
• Deploy app to VM for test
Test Security
• Run code test
• Run test of the dynamic web application from the VM with security tools
Analyze
• Collect and format results
• Verify results
• Filter false positives / negatives
• Tune scanning engine
• Fix defects
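The Analyze step above (collect and format results, verify, filter false positives) is where the Quality Gates / Bug Bars from the Requirements phase are actually enforced. The following Python gate is an added example written for this page, not the deck's code: it merges findings from a static and a dynamic scanner, suppresses findings a reviewer has triaged as false positives, counts what remains against a bug bar, and returns pass/fail for the CI job. The finding records use a constructed, scanner-neutral schema (not any real scanner's report format), and the bug bar limits are assumed values:

```python
"""Analyze step of a CI security pipeline: collect scanner results, drop
triaged false positives, apply a bug bar, and decide whether the build passes.
Added example with a constructed, scanner-neutral finding schema; it is not the
deck's code and not any real scanner's report format."""
from collections import Counter

# Constructed findings, as if exported by a static (SAST) and a dynamic (DAST) scanner.
STATIC_FINDINGS = [
    {"tool": "sast", "rule": "sql-injection", "risk": "High", "location": "app/db.py:42"},
    {"tool": "sast", "rule": "hardcoded-secret", "risk": "Medium", "location": "tests/fixtures.py:7"},
]
DYNAMIC_FINDINGS = [
    {"tool": "dast", "rule": "xss-reflected", "risk": "High", "location": "/search?q="},
    {"tool": "dast", "rule": "missing-csp-header", "risk": "Low", "location": "/"},
    {"tool": "dast", "rule": "xss-reflected", "risk": "High", "location": "/search?q="},  # duplicate
]

# Triaged false positives: exact (tool, rule, location) plus the reviewer's justification.
FALSE_POSITIVES = {
    ("sast", "hardcoded-secret", "tests/fixtures.py:7"): "dummy credential in a test fixture",
}

# Bug bar: maximum open findings allowed per risk level (assumed values).
BUG_BAR = {"High": 0, "Medium": 2, "Low": 10}


def finding_key(finding):
    return (finding["tool"], finding["rule"], finding["location"])


def collect(*sources):
    """Merge results from several scanners, dropping exact duplicates."""
    merged = {}
    for findings in sources:
        for f in findings:
            merged.setdefault(finding_key(f), f)
    return list(merged.values())


def filter_false_positives(findings, allowlist):
    """Split findings into (kept, suppressed) using the triaged allowlist."""
    kept, suppressed = [], []
    for f in findings:
        (suppressed if finding_key(f) in allowlist else kept).append(f)
    return kept, suppressed


def check_bug_bar(findings, bug_bar):
    """Return {risk: count} for every level whose count exceeds the bar (empty = pass)."""
    counts = Counter(f["risk"] for f in findings)
    return {level: counts[level] for level, limit in bug_bar.items() if counts[level] > limit}


def format_report(kept, suppressed, violations, bug_bar):
    """Plain-text summary for the CI log."""
    lines = [f"{len(kept)} open finding(s), {len(suppressed)} suppressed as false positive"]
    for f in sorted(kept, key=lambda f: (f["risk"], f["rule"])):
        lines.append(f"  [{f['risk']}] {f['tool']}: {f['rule']} at {f['location']}")
    for level, count in violations.items():
        lines.append(f"  bug bar violated: {count} x {level} (max {bug_bar[level]})")
    return "\n".join(lines)


def run_gate(static, dynamic, allowlist, bug_bar):
    findings = collect(static, dynamic)
    kept, suppressed = filter_false_positives(findings, allowlist)
    violations = check_bug_bar(kept, bug_bar)
    return {
        "total": len(findings),
        "suppressed": len(suppressed),
        "violations": violations,
        "passed": not violations,
        "report": format_report(kept, suppressed, violations, bug_bar),
    }


if __name__ == "__main__":
    result = run_gate(STATIC_FINDINGS, DYNAMIC_FINDINGS, FALSE_POSITIVES, BUG_BAR)
    print(result["report"])
    raise SystemExit(0 if result["passed"] else 1)
```

On the sample data the duplicate XSS finding collapses to one, the fixture secret is suppressed, and the two remaining High findings violate a bar of zero, so the job exits non-zero. Two design points matter in practice: the allowlist is keyed on the exact (tool, rule, location), so a suppression written for one instance does not hide a new instance of the same rule elsewhere, and every risk level the scanners can emit should appear in the bug bar, because a level missing from it is never counted.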
CI Workflow
Dynamic tests with Security scanner
OWASP Top 10 Risk coverage
A1-Injection
A2-Broken Authentication and Session Management
A3-Cross-Site Scripting (XSS)
A4-Insecure Direct Object References
A5-Security Misconfiguration
A6-Sensitive Data Exposure
A7-Missing Function Level Access Control
A8-Cross-Site Request Forgery (CSRF)
A9-Using Components with Known Vulnerabilities
A10-Unvalidated Redirects and Forwards
Tools for Secure SDLC
• IBM AppScan Source
• Burp Suite
• Sonar
• OWASP ZAP
• HP Fortify
• Netsparker
• Coverity
• Veracode
Supported Languages
• Java
• .NET (C#, ASP.NET, and VB.NET)
• JSP
• Client-side JavaScript
• Cold Fusion
• C/C++
• Classic ASP (both JavaScript/VBScript)
• PHP, Perl
• Visual Basic 6
• COBOL
• T-SQL, PL/SQL
Analysis of App Security Statistics
Sonar - for code quality coverage
Code Security Analysis
We are able to detect the exact line of buggy code
Filtering false positives
It really works!
Applications Secured - Business Protected
THANK YOU
Email: root.nt@gmail.com
Skype: root_nt
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
Heap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and DeletionHeap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and Deletion
Jaydeep Kale
 
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath MaestroDev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
UiPathCommunity
 
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
AI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global TrendsAI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global Trends
InData Labs
 
Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)
Ortus Solutions, Corp
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 

Agile and Secure SDLC

  • 1. Secure SDLC. Approach and realization by Nazar Tymoshyk, Ph.D., CEH
  • 2. Even the best applications face challenges
  • 3. Big applications face bigger challenges
  • 4. Security is an important factor for your app
  • 5. Consequences Reputation loss Penalties Data loss
  • 6. Threats: IP theft; breaching organizational perimeters; modifying the victim's website to deploy MALWARE to its visitors; taking over high-value accounts
  • 7. Hackers' motives. Previously, attackers used application vulnerabilities to cause embarrassment and disruption. Now they exploit vulnerabilities to steal data and much more
  • 8. Web application firewall: Microsoft IIS, Apache, Nginx
  • 9. CYA (cover your apps): Time-to-Fix vs. Time-to-Hack; Automated Temporary Patches
  • 10. Why • Effective design of protected code requires a change in the mindset of the participants involved. • Existing training resources concentrate on studying causes and consequences instead of eliminating the causes. • Following the conventional approach, the designer must be a qualified penetration tester before starting to write secure code. • It DOES NOT WORK!
  • 12. Developer • Focus on functional requirements • Knows about: – OWASP Top 10 – 1 threat (DEADLINE fail) • Concentrated on risks «I know when I’m writing code I’m not thinking about evil, I’m just trying to think about functionality» (c) Scott Hanselman
  • 13. Security Officer • Focused on security requirements • Knows the difference between a vulnerability and an attack • Focused on vulnerabilities
  • 14. Risks are for managers, not developers
  • 15. Typical Security Report delivered by security firm
  • 16. Typical Security Report delivered by other auditor
  • 17. How security is linked to development: a 3rd-party or internal audit produces a ton of security defects that go BACK to re-Coding, re-Building, re-Testing, re-Auditing. Then the whole cycle of re-Coding, re-Building, re-Testing, re-Auditing starts again
  • 18. How much time do you need to fix security issues in the app?
  • 19. How it should look: with a proper security program, the number of security defects should decrease from phase to phase • Automated security tests integrated into CI • Manual security tests following the OWASP methodology • Secure coding trainings • Regular vulnerability scans
  • 20. Primary Benefits • Minimize the costs of security-related issues • Avoid repetitive security issues • Avoid an inconsistent level of security • Identify the activities that pay back fastest at the current stage of the project
  • 22. Mapping SDL to Agile • Every-Sprint practices: Essential security practices that should be performed in every release. • Bucket practices: Important security practices that must be completed on a regular basis but can be spread across multiple sprints during the project lifetime. • One-Time practices: Foundational security practices that must be established once at the start of every new Agile project.
  • 24. Training PRE SDL TRAINING: • Introduction to Microsoft SDL • Essential Software Security Training for the Microsoft SDL • Basics of Secure Design, Development and Test • Introduction to Microsoft SDL Threat Modeling • SDL Quick Security References • SDL Developer Starter Kit
  • 25. Requirements Phase • SDL Practice #2: Establish Security and Privacy Requirements (one time practice) • SDL Practice #3: Create Quality Gates/Bug Bars • SDL Practice #4: Perform Security and Privacy Risk Assessments (one time practice)
  • 26. Design • Establish Design Requirements (one time practice) • Attack Surface Analysis/Reduction (one time practice) • Use Threat Modeling • Mitigation of threats • Secure Design • Formulating security guidelines • Security Design Review
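The Design-phase practices on the slide above (threat modeling, attack surface analysis, mitigation of threats, security design review) are what the SDL threat modeling tool automates with the STRIDE-per-element table: each kind of element in a data-flow diagram is exposed to a fixed subset of the STRIDE categories, and every unmitigated pair becomes a design-review item. The script below is an added example, not code from the talk; the element kinds and the STRIDE-per-element table follow the Microsoft SDL approach, while the sample model (a browser, a web app and an orders database) and its recorded mitigations are constructed here.

```python
"""STRIDE-per-element threat enumeration for a small data-flow diagram (DFD).

Added example for the Design-phase practices (threat modeling, attack surface
analysis, mitigation of threats); not code from the talk. The element kinds
and the STRIDE-per-element table follow the Microsoft SDL approach; the
sample model and its mitigations are constructed here.
"""
from dataclasses import dataclass, field

STRIDE_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Which STRIDE categories apply to each DFD element kind (STRIDE-per-element).
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}


@dataclass
class Element:
    name: str
    kind: str                               # key of STRIDE_PER_ELEMENT
    crosses_trust_boundary: bool = False    # meaningful for data flows
    mitigations: dict = field(default_factory=dict)  # STRIDE letter -> control


def enumerate_threats(model):
    """Return (element, letter, threat name, mitigation-or-None) for every
    threat category that applies to each element of the model."""
    threats = []
    for e in model:
        for letter in STRIDE_PER_ELEMENT[e.kind]:
            threats.append((e.name, letter, STRIDE_NAMES[letter],
                            e.mitigations.get(letter)))
    return threats


def unmitigated(model):
    """Threats with no recorded mitigation: the design-review backlog."""
    return [(name, threat)
            for name, _letter, threat, control in enumerate_threats(model)
            if control is None]


def attack_surface(model):
    """Data flows crossing a trust boundary are the entry points an attacker
    reaches without prior access; they get priority in the design review."""
    return [e.name for e in model
            if e.kind == "data_flow" and e.crosses_trust_boundary]


# Constructed sample model: a browser talking to a web app backed by a DB.
SAMPLE_MODEL = [
    Element("Browser", "external_entity",
            mitigations={"S": "login with password and MFA"}),
    Element("Web app", "process",
            mitigations={"S": "authenticate every request",
                         "T": "validate all input",
                         "R": "audit log of security events",
                         "I": "TLS only, no secrets in responses",
                         "E": "least-privilege service account"}),
    Element("Orders DB", "data_store",
            mitigations={"T": "parameterised queries, read-only DB role",
                         "I": "disk encryption, DB authentication"}),
    Element("Browser -> Web app", "data_flow", crosses_trust_boundary=True,
            mitigations={"T": "TLS", "I": "TLS"}),
    # Internal flow with nothing recorded yet: the report surfaces it.
    Element("Web app -> Orders DB", "data_flow", crosses_trust_boundary=False),
]

if __name__ == "__main__":
    print("Attack surface:", attack_surface(SAMPLE_MODEL))
    for name, threat in unmitigated(SAMPLE_MODEL):
        print(f"UNMITIGATED  {name:22s} {threat}")
```

Run as-is it lists the one boundary-crossing flow and eight unmitigated threats, among them all three categories on the unprotected web-app-to-database flow and the missing denial-of-service controls; that list, not the full 18-entry enumeration, is what the security design review works from.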
  • 27. Implementation • SDL Practice #8: Use Approved Tools • SDL Practice #9: Deprecate Unsafe Functions • SDL Practice #10: Perform Static Analysis
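SDL practice #9 (Deprecate Unsafe Functions) is usually enforced by a banned-function list that the build rejects. The checker below is an added example, not code from the talk: it scans C source for a subset of the functions Microsoft's banned.h removes from use, reports the conventionally recommended bounded replacement, and returns a non-zero status so a CI job fails. The banned list, the sample source and the fail-on-any-hit policy are choices made here.

```python
"""Banned-function gate for SDL practice #9 (Deprecate Unsafe Functions).

Added example, not code from the talk. Scans C source for a subset of the
functions Microsoft's banned.h removes from use; the list, the sample source
and the policy of failing the build on any hit are choices made here.
"""
import re
import sys
from dataclasses import dataclass

# Unbounded string/format functions -> bounded replacements.
BANNED = {
    "strcpy": "strcpy_s or strlcpy",
    "strcat": "strcat_s or strlcat",
    "sprintf": "snprintf or sprintf_s",
    "vsprintf": "vsnprintf",
    "gets": "fgets",
}

# \b keeps 'snprintf' and 'strcpy_s' from matching 'sprintf' / 'strcpy'.
CALL_RE = re.compile(r"\b(" + "|".join(BANNED) + r")\s*\(")
LINE_COMMENT_RE = re.compile(r"//.*$")
BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/")


@dataclass
class Finding:
    path: str
    line: int
    function: str
    replacement: str
    code: str


def scan_source(text, path="<memory>"):
    """Return a Finding for every call to a banned function in `text`.
    Comments contained in a single line are stripped first; multi-line block
    comments and string literals are not handled, which is acceptable for a
    gate whose hits a reviewer confirms."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        code = LINE_COMMENT_RE.sub("", BLOCK_COMMENT_RE.sub("", raw))
        for m in CALL_RE.finditer(code):
            fn = m.group(1)
            findings.append(Finding(path, lineno, fn, BANNED[fn], raw.strip()))
    return findings


def gate(findings):
    """CI exit status: 0 when clean, 1 when any banned call remains."""
    for f in findings:
        print(f"{f.path}:{f.line}: banned {f.function}() -> use "
              f"{f.replacement}: {f.code}")
    return 0 if not findings else 1


# Constructed sample: the first two calls are the defect, the rest must pass.
SAMPLE_C = """\
#include <string.h>
#include <stdio.h>

void greet(const char *name) {
    char buf[32];
    strcpy(buf, name);                         /* no bounds check */
    sprintf(buf, "Hello %s", name);            /* unbounded format */
    // strcat(buf, "!");  commented out, must not be flagged
    snprintf(buf, sizeof buf, "Hi %s", name);  /* approved replacement */
    strcpy_s(buf, sizeof buf, name);           /* approved replacement */
    fputs(buf, stdout);
}
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = []
        for p in sys.argv[1:]:
            with open(p, encoding="utf-8", errors="replace") as fh:
                results += scan_source(fh.read(), p)
    else:
        results = scan_source(SAMPLE_C, "sample.c")
    sys.exit(gate(results))
```

Given file paths on the command line it scans those instead of the embedded sample. A real static analyser (the next practice on the slide) does this with full parsing and far more rules; the point of a separate banned-list gate is that it is cheap enough to run on every commit and its output needs no triage.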
  • 28. Verification Phase Bucket practices: • SDL Practice #11: Perform Dynamic Analysis • SDL Practice #12: Fuzz Testing • SDL Practice #13: Attack Surface Review
  • 29. Release Phase • SDL Practice #14: Create an Incident Response Plan (one time practice) • SDL Practice #15: Conduct Final Security Review • SDL Practice #16: Certify Release and Archive
  • 30. Response Phase • SDL Practice #17: Execute Incident Response Plan – Analyse vulnerability information – Risk calculation – Patch release – Client notification – Information publishing
  • 31. Value • 20-40% decrease in time for testing/re-testing • Catch problems as soon as possible • Avoid repetitive security issues • Improve security expertise/practices of the current team • Automation, integration, continuous proactive security reporting • Full coverage
  • 35. High level vision: CI tools pull the source code, run static code analysis, deploy the application, run dynamic security testing and produce security reports
  • 36. CI Security process • Build: build code with special debug options • Deploy: pack build and code; deploy app to a VM for test • Test Security: run code tests; run dynamic tests of the web application on the VM with security tools • Analyze: collect and format results; verify results; filter false positives/negatives; tune the scanning engine; fix defects
  • 37. CI Workflow: dynamic tests with a security scanner. OWASP Top 10 (2013) risk coverage: A1-Injection, A2-Broken Authentication and Session Management, A3-Cross-Site Scripting (XSS), A4-Insecure Direct Object References, A5-Security Misconfiguration, A6-Sensitive Data Exposure, A7-Missing Function Level Access Control, A8-Cross-Site Request Forgery (CSRF), A9-Using Components with Known Vulnerabilities, A10-Unvalidated Redirects and Forwards
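The "Analyze" step of the CI security process (collect results, verify them, filter false positives) only turns into a build gate when it is combined with the bug bar from the requirements phase (slide 25) and reported against the OWASP Top 10 coverage of slide 37. The script below is an added example, not code from the talk, tying those three slides together. Its report format (alert name, risk, CWE id, URL, parameter) is a simplified constructed one, not the native output of any particular scanner; the CWE-to-category mapping, the sample findings, the suppression list and the choice to block on High are all made here.

```python
"""Quality gate over dynamic-scan results for the CI security process.

Added example, not code from the talk. Applies a bug bar (slide 25), a
reviewed false-positive list (slide 36) and an OWASP Top 10 (2013) coverage
summary (slide 37) to a simplified, constructed scan report.
"""
from collections import Counter
from datetime import date

RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
BUG_BAR = "High"          # lowest risk that blocks the build; chosen here

# CWE id -> OWASP Top 10 (2013) category. Simplified mapping made here.
CWE_TO_OWASP_2013 = {
    89: "A1-Injection", 78: "A1-Injection",
    287: "A2-Broken Authentication and Session Management",
    79: "A3-Cross-Site Scripting (XSS)",
    639: "A4-Insecure Direct Object References",
    16: "A5-Security Misconfiguration",
    614: "A6-Sensitive Data Exposure", 319: "A6-Sensitive Data Exposure",
    285: "A7-Missing Function Level Access Control",
    352: "A8-Cross-Site Request Forgery (CSRF)",
    937: "A9-Using Components with Known Vulnerabilities",
    601: "A10-Unvalidated Redirects and Forwards",
}


def is_suppressed(finding, suppressions, as_of):
    """A suppression matches alert + URL and must not have expired, so each
    triage decision is re-examined instead of silently living forever."""
    for s in suppressions:
        if (s["alert"] == finding["alert"] and s["url"] == finding["url"]
                and as_of <= date.fromisoformat(s["expires"])):
            return s
    return None


def evaluate(report, suppressions, as_of, bug_bar=BUG_BAR):
    """Split findings into blocking / suppressed / accepted and summarise
    OWASP Top 10 coverage. `as_of` is an ISO date string (the build date)."""
    as_of_date = date.fromisoformat(as_of)
    blocking, suppressed, accepted = [], [], []
    for f in report:
        if is_suppressed(f, suppressions, as_of_date):
            suppressed.append(f)
        elif RISK_ORDER[f["risk"]] >= RISK_ORDER[bug_bar]:
            blocking.append(f)
        else:
            accepted.append(f)          # below the bar: tracked, not blocking
    coverage = Counter(CWE_TO_OWASP_2013.get(f["cwe"], "unmapped")
                       for f in report)
    return {"passed": not blocking, "blocking": blocking,
            "suppressed": suppressed, "accepted": accepted,
            "coverage": dict(coverage)}


def exit_code(result):
    return 0 if result["passed"] else 1


# Constructed scan output for a test deployment.
SAMPLE_REPORT = [
    {"alert": "SQL Injection", "risk": "High", "cwe": 89,
     "url": "https://app.test/search", "param": "q"},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "cwe": 79,
     "url": "https://app.test/search", "param": "q"},
    {"alert": "Absence of Anti-CSRF Tokens", "risk": "Medium", "cwe": 352,
     "url": "https://app.test/logout", "param": ""},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "cwe": 16,
     "url": "https://app.test/", "param": ""},
    {"alert": "Cookie Without Secure Flag", "risk": "Low", "cwe": 614,
     "url": "https://app.test/login", "param": "session"},
]

# Triage decisions by the security officer, each with a reason and an expiry.
SUPPRESSIONS = [
    {"alert": "Absence of Anti-CSRF Tokens", "url": "https://app.test/logout",
     "reason": "logout is idempotent; CSRF here has no impact",
     "expires": "2015-12-31"},
]

if __name__ == "__main__":
    result = evaluate(SAMPLE_REPORT, SUPPRESSIONS, as_of="2015-06-01")
    for f in result["blocking"]:
        print(f"BLOCK {f['risk']:6s} {f['alert']} at {f['url']} [{f['param']}]")
    print("coverage:", result["coverage"])
    raise SystemExit(exit_code(result))
```

Two details carry the weight: suppressions are keyed on alert and URL and carry an expiry, so a false positive that was accepted for one endpoint cannot hide the same class of finding elsewhere or forever; and findings below the bar are kept in the result rather than dropped, which is what makes the per-phase defect trend on slide 19 measurable.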
  • 38. Tools for Secure SDLC • IBM AppScan Source • Burp Suite • Sonar • OWASP ZAP • HP Fortify • Netsparker • Coverity • Veracode
  • 39. Supported Languages • Java • .NET (C#, ASP.NET, and VB.NET) • JSP • Client-side JavaScript • Cold Fusion • C/C++ • Classic ASP (both JavaScript/VBScript) • PHP, Perl • Visual Basic 6 • COBOL • T-SQL, PL/SQL
  • 40. Analysis of App Security Statistic
  • 41. Sonar – for code quality coverage
  • 42. Code Security Analysis: we are able to detect the exact line of buggy code
  • 44. It really works! Applications Secured - Business Protected
  • 45. THANK YOU Email: [email protected] Skype: root_nt