SECURITY FOR DEVELOPERS
@shawkyz1
@shawkyz
ABOUT ME
• Built multiple CI/CD Pipelines for businesses with different needs.
• Lived 4 years in Germany and now I'm back to the homeland.
• A Software Engineer by day, a Hacker by night.
• Love to automate everything.
• In love with Security and an OSCP Holder.
• Technical Consultant @S3Geeks
• Security and Systems Engineer @FuturaSolutionsGmbH
SDLC (SOFTWARE DEVELOPMENT LIFECYCLE)
• A Software Development Life Cycle (SDLC) is a framework that defines the process
used by organizations to build an application from its inception to its
decommission. Over the years, multiple standard SDLC models have been proposed
(Waterfall, Iterative, Agile, etc.) and used in various ways to fit individual
circumstances.
SDLC PHASES
• Planning and requirements.
• Architecture and design.
• Test planning.
• Coding.
• Testing and results.
• Release and maintenance.
SECURE YOUR SDLC ACCORDING TO
MICROSOFT
• Provide Training.
• Define Security Requirements.
• Perform Threat Modeling.
• Define and Use Cryptography Standards.
• Follow Best Practices.
• Perform Static Analysis.
• Perform Dynamic Analysis.
• Regularly Pentest.
• Establish Incident Response Mechanism.
Source: https://www.microsoft.com/en-us/securityengineering/sdl/practices
• What happens when you type a URL into a browser and press Enter?
HOW HTTP WORKS
HTTP REQUESTS
• GET requests a specific resource in its entirety.
• HEAD requests a specific resource without the body content.
• POST submits content, messages, or data to be stored as a new subordinate of an existing web resource.
• PUT directly modifies an existing web resource or creates a new one at the given URI if needed.
• DELETE removes the specified resource.
• TRACE shows users any changes or additions made to a web resource.
• OPTIONS shows which HTTP methods are available for a specific URL.
• CONNECT converts the request connection to a transparent TCP/IP tunnel.
• PATCH partially modifies a web resource.
HTTP HEADERS
• Origin
• Accept
• Accept-Encoding
• Cookie
• Cache-Control
• DNT
but many more exist.
HTTP RESPONSES
• 200 OK
• 404 Not Found
• 403 Forbidden
• 301 Moved Permanently
• 500 Internal Server Error
• 304 Not Modified
• 401 Unauthorized
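The three slides above list methods, headers and status codes separately; the following added example (not part of the deck) puts them together in one place by parsing a raw HTTP/1.1 request and answering it. The resource table, the sample requests and the method allowlist are all constructed for the example; the allowlist is there to show the defensive default of answering methods a resource does not serve, such as TRACE or CONNECT, with 405 and an `Allow` header rather than handling them by accident.

```python
"""Minimal HTTP/1.1 request parser and responder (added example, not from the slides).

It shows the request method on the request line, the headers that follow it,
and the status code the server answers with.  Sample requests are constructed
inline so the script runs offline.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Methods this hypothetical resource is willing to serve.  Anything else gets a
# 405 so that diagnostic or tunnelling methods (TRACE, CONNECT) are never
# reachable by accident.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}

# Constructed sample resource.
RESOURCES = {"/index.html": b"<h1>hello</h1>"}


@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def parse_request(raw: bytes) -> Request:
    """Split a raw HTTP/1.1 message into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # Header names are case-insensitive; normalise to lower-case for lookup.
        headers[name.strip().lower()] = value.strip()
    return Request(method, target, version, headers, body)


def build_response(status: int, reason: str, body: bytes, head_only: bool = False) -> bytes:
    """Serialise a status line plus a few headers; HEAD gets headers but no body."""
    headers = [
        f"HTTP/1.1 {status} {reason}",
        f"Content-Length: {len(body)}",
        "Content-Type: text/html",
        "Cache-Control: no-store",
    ]
    if status == 405:
        # RFC 7231 requires Allow on a 405 so clients learn what is supported.
        headers.append("Allow: " + ", ".join(sorted(ALLOWED_METHODS)))
    out = "\r\n".join(headers).encode() + b"\r\n\r\n"
    return out if head_only else out + body


def handle(raw: bytes) -> bytes:
    """Answer one request, returning the raw response bytes."""
    req = parse_request(raw)
    if req.method not in ALLOWED_METHODS:
        return build_response(405, "Method Not Allowed", b"")
    if req.target not in RESOURCES:
        return build_response(404, "Not Found", b"")
    body = RESOURCES[req.target]
    return build_response(200, "OK", body, head_only=req.method == "HEAD")


def status_of(response: bytes) -> int:
    """Pull the numeric status code out of a response's status line."""
    return int(response.split(b" ", 2)[1].decode())


# Constructed sample requests, one per case the slides mention.
SAMPLE_GET = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
              b"Accept: text/html\r\nCookie: session=abc\r\nDNT: 1\r\n\r\n")
SAMPLE_HEAD = b"HEAD /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_TRACE = b"TRACE /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_MISSING = b"GET /nope HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_GET, SAMPLE_HEAD, SAMPLE_TRACE, SAMPLE_MISSING):
        request_line = sample.split(b"\r\n")[0].decode()
        status_line = handle(sample).split(b"\r\n")[0].decode()
        print(f"{request_line} -> {status_line}")
```

Running the script prints one request line and the status line it produced for each constructed sample: 200 for GET and HEAD, 405 for TRACE, 404 for the missing path.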
OWASP TOP 10
RESOURCE FOR DEVS?
• Troy Hunt's OWASP Top 10 for .NET developers
• https://files.troyhunt.com/OWASP%20Top%2010%20for%20.NET%20developers.pdf
• OWASP TOP 10 2017
• https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
LET'S DO SOME HACKING
• DEMO WEBGOAT.NET
VULNERABILITY RATING
• What is CVSS?
SECURITY TESTS
• Define your app scope.
• Regular and internal penetration tests.
• Bug Bounty? Let the crowd hack you.
HOW DO YOU APPLY BEST PRACTICES
• Always check OWASP's best practices for a certain vulnerability.
• Look for OWASP's library/framework recommendations.
HOW DO I KNOW ABOUT NEW 0DAYS?
• Check whether your local CERT offers a newsletter.
• Subscribe to the MITRE newsletter: https://cve.mitre.org/news/newsletter.html
• Regularly update the libraries/frameworks you're using.
SECURE YOUR CI/CD
• Code Analysis. Analyze code for application-specific vulnerabilities.
• Container Hardening. Remove unneeded libraries and packages; restrict functions.
• Image Scanning. Scan images for vulnerabilities at build time and regularly in registries.
• Image Signing, e.g. Content Trust. Ensure trust with signing and author/publisher verification.
• User Access Controls, e.g. Registries. Restrict and monitor access to trusted registries and deployment tools.
• Host and Kernel Security. Use seccomp, AppArmor, SELinux, or equivalent host security settings.
• Access Controls. Restrict access to the host and to the Docker daemon.
• Auditing, e.g. Docker Bench. Perform a security audit using the Docker CIS benchmark.
SECURE YOUR CI/CD
• Network Inspection & Visualization. Inspect all container-to-container connections and build a visualization of application stack behavior.
• Threat Detection. Monitor applications for DDoS, DNS attacks and other network-based application attacks.
• Host & Container Privilege Escalation Detection. Detect privilege escalations on hosts and in containers to predict breakouts and attacks.
• Packet Capture & Event Logging. Capture packets and event logs to enable forensics.
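The two "Secure your CI/CD" slides above describe the controls in words; the following added Dockerfile (an example written for this page, not code from the deck or any project the deck mentions) shows what the container-hardening, image-pinning and least-privilege items look like in practice for a hypothetical Python service. Each hardened line is preceded by a comment giving the weaker default it replaces. The image tag, the `app` user and the service layout are assumptions; the digest in the comment is a placeholder to be replaced with the real one from your registry.

```dockerfile
# Added example (not from the slides): a hardened image for a hypothetical Python service.
# Each "weak:" comment shows the common default; the line after it is the hardened form.

# weak:  FROM python:latest   (floating tag, full OS image, unpinned)
# Pin a slim base image.  In a real pipeline pin by digest as well, e.g.
#   FROM python:3.12-slim@sha256:<DIGEST_PLACEHOLDER>
# so a rebuild cannot silently pick up a different base.
FROM python:3.12-slim

# weak:  RUN apt-get install -y build-essential curl git vim
# Install only what the service needs, without recommended extras, and drop the
# package lists so the image carries no cache (Container Hardening).
RUN apt-get update \
 && apt-get install -y --no-install-recommends ca-certificates \
 && rm -rf /var/lib/apt/lists/*

WORKDIR /app
COPY requirements.txt .
# weak:  RUN pip install -r requirements.txt   (no hash pinning, keeps the pip cache)
# --require-hashes makes a tampered or substituted package fail the build
# (supply-chain control); --no-cache-dir keeps the layer small.
RUN pip install --no-cache-dir --require-hashes -r requirements.txt
COPY app/ ./app/

# weak:  (no USER line, so the process runs as root inside the container)
# Create an unprivileged system account and switch to it before CMD.
RUN groupadd --system app && useradd --system --gid app --no-create-home app
USER app

EXPOSE 8080
CMD ["python", "-m", "app"]

# Run-time counterparts of the slides' host/kernel and access-control items
# (not part of the image; shown here as the flags the pipeline would pass):
#   DOCKER_CONTENT_TRUST=1 docker pull <image>        # Image Signing / Content Trust
#   docker run --read-only --cap-drop ALL \
#              --security-opt no-new-privileges \
#              --security-opt seccomp=default.json <image>   # Host and Kernel Security
```

Building with `DOCKER_CONTENT_TRUST=1` set in the CI environment makes `docker pull` and `docker push` refuse unsigned images, which is the "Image Signing" item; the `docker run` flags in the trailing comment map to the "Host and Kernel Security" item, and the `USER` line is the cheapest single change for reducing the blast radius of a container breakout.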
FOLLOW ME?
@shawkyz1
@shawkyz
@shawkyz1
https://shawkyz.info abdelrhmanshawky4@gmail.com
