Presented by Rob Carver

Presentation on theme: "Presented by Rob Carver"— Presentation transcript:

1

2 Secure Coding 201
Presented by Rob Carver

3 Bugs and Flaws
Bugs: software defects that result from written code.
Flaws: defects in software architecture, integration architecture, and infrastructure architecture.

4 Threat & Vulnerability Management

5 Secure Software Development Lifecycle (SSDLC)

6 Secure Code Review (SCR)
[Chart: Percentage of Bugs and Flaws by SDLC phase. Phases: Plan, Code, Build, Test, Release, PenTest. Rows: % bugs introduced in this phase; % bugs found in this phase; $ cost to repair a bug in this phase. Values shown on the slide: 85%; $25, $100, $250, $1,000, $16,000. The phase-to-value mapping is not recoverable from the transcript.]
Everyone wants to create more secure software, but developers aren't security experts, and security teams find flaws too late in the SDLC.
Secure Code Review helps developers find and fix software security defects early in the SDLC.
*Integrating corrective action into the developer's native environment is key (today).

7 Actionable guidance for fixing security bugs
Not only finds problems, but shows the right way to fix them.
Contextual: guidance and examples specific to the programming language.
Customizable: incorporate company-specific custom rules.
Validated: guidance based on real-world security experience.
Just-in-time analysis; contextual and actionable guidance; error detection as the developer codes.

8 Source Code Review and Organization-Specific Metrics
Open vulnerability count by severity level, Prod (95 apps) / Pre-Prod (77 apps):

LEVEL  RATING    PROD / PRE-PROD  DESCRIPTION
5      Critical  52 / 17          Attacker can assume remote root or remote administrator roles. Exposes entire host to attacker: backend database, personally identifiable records, credit card data. Full read and write access, remote execution of commands.
4      High      63 / 110         Attacker can assume remote user only, not root or admin. Exposes internal IP addresses, source code. Partial file-system access (full read access without full write access).
3      Medium    94 / 71          Exposes security settings, software distributions and versions, database names.
2      Low       60 / 53          Exposes precise versions of applications. Sensitive configuration information may be used to research potential attacks against the host.
1      Note      ---              General information may be exposed to attackers, such as developer comments.

9 Application Vulnerability Trending

10 Software Security Training for Every Role

11 Software Security Satellite Training Program
Certification level progression, with columns eLearning (CBT), Advanced Training (ILT), and Activity:
Yellow Belt: Foundations of Software Security; OWASP Top 10; Static Analysis; Application On-Boarding (1 app); Advanced Practices.
Green Belt: Defensive Programming (for relevant language); Software Security Requirements; Attack & Defense; Threat Modeling; Security Testing; Defensive Programming ILT; Threat Modeling ILT.
Brown Belt: Contribute to Threat Models.
Black Belt: Serve on standards; build re-usable IP to prevent risk; teach and influence peers; implement static analysis coverage enhancements.
Combining CBT, ILT, and practice adoption within a progressive program is an effective implementation strategy.

12 BSIMM: Software Security Measurement
Real data from 78 real initiatives; 161 measurements; 21 (4) over time. McGraw, Migues, & West.

13 Who gets measured by the BSIMM?

14 A Software Security Framework

15 BSIMM: A Software Security Framework

16 BSIMM: Measurement is Benchmarking

17 Earth (78)

18 BSIMM6 Score Distribution

19 No Special Snowflakes!

20 BSIMM by the Numbers

21 The Vendor BSIMM (vBSIMM)

22 Questions?
