SlideShare a Scribd company logo

Security for developers

Download as PPTX, PDF
A
Abdelrhman Shawky

This document discusses security best practices for software developers. It covers topics like the secure software development lifecycle (SDLC), threat modeling, static code analysis, and resources for developers. The SDLC framework defines the process for building applications from start to finish. Threat modeling involves analyzing potential threats and vulnerabilities. Static code analysis tools can find security issues. Resources recommended include OWASP documentation and Microsoft's security engineering practices. The goal is to integrate security practices into development like training, requirements, testing, and incident response.

Technology
Related topics:
Information Security
1 of 20
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
SECURITY FOR DEVELOPERS @shawkyz1 @shawkyz
• Secure Software Development Life Cycle • Design Issues. • Threat Modeling. • Static Code Analysis. • Fuzzing. • Resources. AGENDA
SDLC (SOFTWARE DEVELOPMENT LIFECYCLE) • A Software Development Life Cycle (SDLC) is a framework that defines the process used by organizations to build an application from its inception to its decommission. Over the years, multiple standard SDLC models have been proposed (Waterfall, Iterative, Agile, etc.) and used in various ways to fit individual circumstances.
• Planning and requirements. • Architecture and design. • Test planning. • Coding. • Testing and results. • Release and maintenance. SDLC PHASES
SECURE YOUR SDLC ACCORDING TO MICROSOFT • Provide Training. • Define Security Requirements. • Perform Threat Modeling. • Define and Use Cryptography Standards. • Follow Best Practices. • Perform Static Analysis. • Perform Dynamic Analysis. • Regularly Pentest. • Establish Incident Response Mechanism. Source: https://www.microsoft.com/en-us/securityengineering/sdl/practices
EX: LOGIN PROCESS
EX: LOGIN PROCESS
EX: LOGIN PROCESS FLOW SSO
THREAT MODELING
THREAT MODELING
THREAT MODELING
EXAMPLE OF UNSAFE MANAGED CODE • unsafe static void Main() • { • fixed (char* value = "safe") • { • char* ptr = value; • while (*ptr != '0') • { • Console.WriteLine(*ptr); • ++ptr; • } • } • }
ATTACK SURFACE REDUCTION • Part of the process of reducing the attack surface is taking down APIs or functionalities that are no longer neeeded by following the LEAN engineering principle. • Threat modelling can also help with scaling-down the attack surface. • Unnecessary logic complexity can lead to security problems in the future. • Automated Tests (Static and/or dynamic analysis). • Pentesting your application.
STATIC ANALYSIS TOOLS • https://owasp.org/www-community/Source_Code_Analysis_Tools
BROWSER SECURITY FEATURES • HTTP Strict Transport Security (HSTS) • Public Key Pinning Extension for HTTP (HPKP) • X-Frame-Options • X-XSS-Protection • X-Content-Type-Options • Content-Security-Policy • X-Permitted-Cross-Domain-Policies • Referrer-Policy • Expect-CT • Feature-Policy • Cookies attributes (Secure, Samesite).
OWASP TOP 10
RESOURCES? • Troy Hunt‘s OWASP Top 10 for .NET developers • https://files.troyhunt.com/OWASP%20Top%2010%20for%20.NET%20developers.pdf • OWASP TOP 10 2017 • https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf • Security Engineering Practices • https://www.microsoft.com/en-us/securityengineering/sdl/practices
HOW TO APPLY BEST PRACTICES • Always check OWASP‘s Best practices for a certain vulnerability. • Look for OWASP‘s Library/Framework Recommendations. • Don‘t trust any default configs. Always double check it. • Never trust user‘s input. • Apply ACLs.
HOW DO I KNOW ABOUT NEW 0DAYS? • Check if your local CERT if they offer a newsletter. • Subscribe to MITRE newsletter https://cve.mitre.org/news/newsletter.html • Regrularly Update Libraries/Frameworks you‘re using.
FOLLOW ME? @shawkyz1 @shawkyz @shawkyz1 https://shawkyz.info abdelrhmanshawky4@gmail.com

More Related Content

PDF
Continuous Integration: Live Static Analysis with Puma Scan
Cypress Data Defense
 
PPTX
Server Side Template Injection by Mandeep Jadon
Mandeep Jadon
 
PPTX
Secure programming with php
Mohmad Feroz
 
PPTX
Secure Coding 101 - OWASP University of Ottawa Workshop
Paul Ionescu
 
PDF
Secure code
ddeogun
 
PPTX
Microsoft Fakes, Unit Testing the (almost) Untestable Code
Aleksandar Bozinovski
 
PPT
Owasp Code Crawler Presentation
alessiomarziali
 
PPTX
Secure Programming In Php
Akash Mahajan
 
Continuous Integration: Live Static Analysis with Puma Scan
Cypress Data Defense
 
Server Side Template Injection by Mandeep Jadon
Mandeep Jadon
 
Secure programming with php
Mohmad Feroz
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Paul Ionescu
 
Secure code
ddeogun
 
Microsoft Fakes, Unit Testing the (almost) Untestable Code
Aleksandar Bozinovski
 
Owasp Code Crawler Presentation
alessiomarziali
 
Secure Programming In Php
Akash Mahajan
 

What's hot (20)

PDF
Owasp lapse
n|u - The Open Security Community
 
PPTX
Owasp Top 10 - A1 Injection
Paul Ionescu
 
PPT
Agnitio: its static analysis, but not as we know it
Security BSides London
 
PPTX
OWASP PDX May 2016 : Scanning with Swagger (OAS) 2.0
Scott Lee Davis
 
PDF
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Christian Schneider
 
PPT
How To Detect Xss
Ferruh Mavituna
 
DOCX
Selenium interview-questions-freshers
Naga Mani
 
PPTX
Static Analysis Security Testing for Dummies... and You
Kevin Fealey
 
PPTX
Secure programming language basis
Ankita Bhalla
 
PDF
Automated Security Testing
seleniumconf
 
PDF
Java Defects
Erika Barron
 
PPTX
Basics of Server Side Template Injection
Vandana Verma
 
PDF
Pragmatic Code Coverage
Alexandre (Shura) Iline
 
PPTX
Fuzzing | Null OWASP Mumbai | 2016 June
nullowaspmumbai
 
PPTX
Manual JavaScript Analysis Is A Bug
Lewis Ardern
 
PDF
OWASP Portland - OWASP Top 10 For JavaScript Developers
Lewis Ardern
 
PPTX
Fortify - Source Code Analyzer
n|u - The Open Security Community
 
PPTX
Web Hacking Series Part 4
Aditya Kamat
 
PPTX
Hacker Proof web app using Functional tests
Ankita Gupta
 
PDF
Vulnerable Active Record: A tale of SQL Injection in PHP Framework
Pichaya Morimoto
 
Owasp lapse
n|u - The Open Security Community
 
Owasp Top 10 - A1 Injection
Paul Ionescu
 
Agnitio: its static analysis, but not as we know it
Security BSides London
 
OWASP PDX May 2016 : Scanning with Swagger (OAS) 2.0
Scott Lee Davis
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Christian Schneider
 
How To Detect Xss
Ferruh Mavituna
 
Selenium interview-questions-freshers
Naga Mani
 
Static Analysis Security Testing for Dummies... and You
Kevin Fealey
 
Secure programming language basis
Ankita Bhalla
 
Automated Security Testing
seleniumconf
 
Java Defects
Erika Barron
 
Basics of Server Side Template Injection
Vandana Verma
 
Pragmatic Code Coverage
Alexandre (Shura) Iline
 
Fuzzing | Null OWASP Mumbai | 2016 June
nullowaspmumbai
 
Manual JavaScript Analysis Is A Bug
Lewis Ardern
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
Lewis Ardern
 
Fortify - Source Code Analyzer
n|u - The Open Security Community
 
Web Hacking Series Part 4
Aditya Kamat
 
Hacker Proof web app using Functional tests
Ankita Gupta
 
Vulnerable Active Record: A tale of SQL Injection in PHP Framework
Pichaya Morimoto
 
Ad

Similar to Security for developers (20)

PPTX
Week 4.1 Building security into the software development lifecycle copy.pptx
azida3
 
PPTX
Integrating Security Across SDLC Phases
Ishrath Sultana
 
PPTX
Security for devs
Abdelrhman Shawky
 
PDF
SDLC & DevSecOps
Irina Kostina
 
PDF
Managing Application Security Risk in Enterprises - Thoughts and recommendations
Thierry Zoller
 
PDF
Arved sandstrom - the rotwithin - atlseccon2011
Atlantic Security Conference
 
PDF
AppSec in an Agile World
David Lindner
 
PPT
OWASP: Building Secure Web Apps
mlogvinov
 
PPT
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
gealehegn
 
PPTX
Agile and Secure SDLC
Nazar Tymoshyk, CEH, Ph.D.
 
PDF
ACS-security-2821-001 Lecture Note 13.pdf
Mostafa Taghizade
 
PPT
Software Security Engineering
Marco Morana
 
PPTX
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Dilum Bandara
 
PPT
Software security engineering
AHM Pervej Kabir
 
PPT
Software security engineering
AHM Pervej Kabir
 
PPTX
Secure App Aspirations: Why it is very difficult in the real world
Ollie Whitehouse
 
PDF
Secure Software Design and Secure Programming
MustafaAlshekly1
 
PDF
Application Security Testing for Software Engineers: An approach to build sof...
Michael Hidalgo
 
PDF
App Sec Eu08 Sec Frm Not In Code
Samuele Reghenzi
 
PPTX
For Business's Sake, Let's focus on AppSec
Lalit Kale
 
Week 4.1 Building security into the software development lifecycle copy.pptx
azida3
 
Integrating Security Across SDLC Phases
Ishrath Sultana
 
Security for devs
Abdelrhman Shawky
 
SDLC & DevSecOps
Irina Kostina
 
Managing Application Security Risk in Enterprises - Thoughts and recommendations
Thierry Zoller
 
Arved sandstrom - the rotwithin - atlseccon2011
Atlantic Security Conference
 
AppSec in an Agile World
David Lindner
 
OWASP: Building Secure Web Apps
mlogvinov
 
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
gealehegn
 
Agile and Secure SDLC
Nazar Tymoshyk, CEH, Ph.D.
 
ACS-security-2821-001 Lecture Note 13.pdf
Mostafa Taghizade
 
Software Security Engineering
Marco Morana
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Dilum Bandara
 
Software security engineering
AHM Pervej Kabir
 
Software security engineering
AHM Pervej Kabir
 
Secure App Aspirations: Why it is very difficult in the real world
Ollie Whitehouse
 
Secure Software Design and Secure Programming
MustafaAlshekly1
 
Application Security Testing for Software Engineers: An approach to build sof...
Michael Hidalgo
 
App Sec Eu08 Sec Frm Not In Code
Samuele Reghenzi
 
For Business's Sake, Let's focus on AppSec
Lalit Kale
 
Ad

Recently uploaded (20)

PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
KodekX | Application Modernization Development
KodekX
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Approach and Philosophy of On baking technology
30anthuong17
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Encapsulation theory and applications.pdf
gurumoop
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
KodekX | Application Modernization Development
KodekX
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 

Security for developers

  • 2. • Secure Software Development Life Cycle • Design Issues. • Threat Modeling. • Static Code Analysis. • Fuzzing. • Resources. AGENDA
  • 3. SDLC (SOFTWARE DEVELOPMENT LIFECYCLE) • A Software Development Life Cycle (SDLC) is a framework that defines the process used by organizations to build an application from its inception to its decommission. Over the years, multiple standard SDLC models have been proposed (Waterfall, Iterative, Agile, etc.) and used in various ways to fit individual circumstances.
  • 4. • Planning and requirements. • Architecture and design. • Test planning. • Coding. • Testing and results. • Release and maintenance. SDLC PHASES
  • 5. SECURE YOUR SDLC ACCORDING TO MICROSOFT • Provide Training. • Define Security Requirements. • Perform Threat Modeling. • Define and Use Cryptography Standards. • Follow Best Practices. • Perform Static Analysis. • Perform Dynamic Analysis. • Regularly Pentest. • Establish Incident Response Mechanism. Source: https://www.microsoft.com/en-us/securityengineering/sdl/practices
  • 8. EX: LOGIN PROCESS FLOW SSO
  • 12. EXAMPLE OF UNSAFE MANAGED CODE • unsafe static void Main() • { • fixed (char* value = "safe") • { • char* ptr = value; • while (*ptr != '0') • { • Console.WriteLine(*ptr); • ++ptr; • } • } • }
  • 13. ATTACK SURFACE REDUCTION • Part of the process of reducing the attack surface is taking down APIs or functionalities that are no longer neeeded by following the LEAN engineering principle. • Threat modelling can also help with scaling-down the attack surface. • Unnecessary logic complexity can lead to security problems in the future. • Automated Tests (Static and/or dynamic analysis). • Pentesting your application.
  • 14. STATIC ANALYSIS TOOLS • https://owasp.org/www-community/Source_Code_Analysis_Tools
  • 15. BROWSER SECURITY FEATURES • HTTP Strict Transport Security (HSTS) • Public Key Pinning Extension for HTTP (HPKP) • X-Frame-Options • X-XSS-Protection • X-Content-Type-Options • Content-Security-Policy • X-Permitted-Cross-Domain-Policies • Referrer-Policy • Expect-CT • Feature-Policy • Cookies attributes (Secure, Samesite).
  • 17. RESOURCES? • Troy Hunt‘s OWASP Top 10 for .NET developers • https://files.troyhunt.com/OWASP%20Top%2010%20for%20.NET%20developers.pdf • OWASP TOP 10 2017 • https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf • Security Engineering Practices • https://www.microsoft.com/en-us/securityengineering/sdl/practices
  • 18. HOW TO APPLY BEST PRACTICES • Always check OWASP‘s Best practices for a certain vulnerability. • Look for OWASP‘s Library/Framework Recommendations. • Don‘t trust any default configs. Always double check it. • Never trust user‘s input. • Apply ACLs.
  • 19. HOW DO I KNOW ABOUT NEW 0DAYS? • Check if your local CERT if they offer a newsletter. • Subscribe to MITRE newsletter https://cve.mitre.org/news/newsletter.html • Regrularly Update Libraries/Frameworks you‘re using.

Editor's Notes