SlideShare a Scribd company logo

Software Development in the Age of Breaches

Download as PPTX, PDF
K
Karthik Bhat

The document highlights various security vulnerabilities and incidents involving compromised personal identifiable information (PII) across multiple companies due to issues like SQL injection and weak authentication. It emphasizes the importance of adopting secure development practices such as continuous integration of security measures, effective input validation, and the implementation of two-factor authentication. Additionally, it recommends the engagement of 'buddies' for code testing and peer feedback, along with establishing a white hat program for security assessments.

Software
Related topics:
Test-Driven Development
1 of 28
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
Software Development in the Age of Breaches
Software Development in the Age of Breaches
Software Development in the Age of Breaches
Opportunistic Indeed ! TalkTalk 150K + PII records compromised SQL Injection Ashley Madison 37 MM records compromised Weak VPN Authentication HomeDepot 56MM PII records compromised Weak Access Control Patreon 2.3MM PII records compromised Debugger in Prod 000WebHost 13.5MM PII records compromised Using old PHP version
Software Development in the Age of Breaches
Software Development in the Age of Breaches
Test Driven Development • Bugs increase security risk • Allows you to release faster • Fixing issues while in development is cheaper • Only way to prove that “My code works”
Take it to the next level select version(); select current_database(); select current_user; select session_user; '));waitfor delay '0:0:3'-- "));waitfor delay '0:0:3'-- benchmark(10000000,MD5(1))# 1 or benchmark(10000000,MD5(1))# " or benchmark(10000000,MD5(1))# ' or benchmark(10000000,MD5(1))# getUserByName(first_name,last_name) { … }
Software Development in the Age of Breaches
New Responsibility Model • At SecureDB, we have no testers. Only “Buddies” • “Buddies” are fellow developers that: – Test your code – Review your code – Give you feedback • Switch “Buddies” every sprint
Software Development in the Age of Breaches
Software Development in the Age of Breaches
Where would I even start? STEP 1: Find a comparable company in your space STEP 2: COPY IDEAS SHAMELESSLY Examples: You’re a social media co that has too many locked accounts. A: How many login attempts does Twitter Allow? You’re an e-commerce site worried about fake accounts. A: How does Amazon do it? Don’t re-invent the wheel
Software Development in the Age of Breaches
Two Factor Everything • Evaluate every service you use for TFA support - Hosting - Code Repos - Email - SSH Access - DNS - File sharing systems • If a vendor does not support TFA – Are they really worth your time and money?
Change Default Accounts • Default Admin Username/Password – Databases – Key Stores – Content Management Systems • Disable Unnecessary Services • Delete unwanted accounts
Firewall Effectively • Dev environment is only for Developers – Block access from internet – IP Based restrictions • Restrict SSH access – IP Based restrictions – Easy to setup • Ingress and Egress • Install WAF (It’s FREE)
Software Development in the Age of Breaches
Continuous Security (DevSecOps) • Provisioning a new VM – Install latest patches – Apply right firewall policies – Stop unwanted services – Start appropriate services • Run as part of the build: – Fuzzing Tests – Run vulnerability scans – Static Analysis – Dynamic Analysis
Software Development in the Age of Breaches
Input Validation • Trust nothing that comes from client • Every layer to do it’s own validation • Whitelist vs Blacklist? – Whitelist is better • Use well tested libraries – Or OWASP RegEx • Specifically Test for SQLi and XSS • Example
Output Escaping • Escape all content to be rendered • Use UI Frameworks that escape by default • Scan the code to check the usage of un- escaped methods • Example
Authentication Web Form Based Authentication Two Factor Authentication TOTP Text Message Social Logins Facebook Twitter Google Basic Authentication Digest Authentication OAuth Certificate Based Auth. JWT (with JWS/JWE) APIs
Authorization • Privilege Escalation attacks are common • Authz mechanisms – Role Based Access Control (RBAC) – Attribute Based Access (ABAC) • Do Authz checks at every layer – Cookies – JWT (Mobile Friendly)
Software Development in the Age of Breaches
White Hat Program • Allow white hat hackers to find security issues and report them to you • Explicit contract laying out what kind of attacks they could execute • Implicit contract that they won’t go public with it – And give you reasonable time to fix it • Make payments per bug and severity • Example
you are the best CISO … of your application You are the best CISO of your application
Questions?

More Related Content

PPTX
Securing Your MongoDB Deployment
MongoDB
 
PPTX
Security Testing - Zap It
Manjyot Singh
 
PPTX
NoSQL - No Security? - The BSides Edition
Gavin Holt
 
PPTX
Ten Commandments of Secure Coding
Mateusz Olejarka
 
PDF
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Christian Schneider
 
PPTX
Security testautomation
Linkesh Kanna Velu
 
PPTX
Exploiting NoSQL Like Never Before
Francis Alexander
 
PDF
Automated Security Testing
seleniumconf
 
Securing Your MongoDB Deployment
MongoDB
 
Security Testing - Zap It
Manjyot Singh
 
NoSQL - No Security? - The BSides Edition
Gavin Holt
 
Ten Commandments of Secure Coding
Mateusz Olejarka
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Christian Schneider
 
Security testautomation
Linkesh Kanna Velu
 
Exploiting NoSQL Like Never Before
Francis Alexander
 
Automated Security Testing
seleniumconf
 

What's hot (20)

ODP
2014 ZAP Workshop 2: Contexts and Fuzzing
Simon Bennetts
 
PPTX
Hacker Proof web app using Functional tests
Ankita Gupta
 
PPTX
[Wroclaw #7] Security test automation
OWASP
 
PPTX
[OWASP Poland Day] Application frameworks' vulnerabilities
OWASP
 
PPTX
Java Secure Coding Practices
OWASPKerala
 
ODP
BSides Manchester 2014 ZAP Advanced Features
Simon Bennetts
 
PDF
[Wroclaw #6] Introduction to desktop browser add-ons
OWASP
 
PPTX
Devouring Security Insufficient data validation risks Cross Site Scripting
gmaran23
 
PPTX
[Wroclaw #7] AWS (in)security - the devil is in the detail
OWASP
 
PDF
Zed Attack Proxy (ZAP)
JAINAM KAPADIYA
 
ODP
Automating OWASP ZAP - DevCSecCon talk
Simon Bennetts
 
ODP
JavaOne 2014 Security Testing for Developers using OWASP ZAP
Simon Bennetts
 
PPTX
The OWASP Zed Attack Proxy
Aditya Gupta
 
PPTX
OWASP Zed Attack Proxy
Fadi Abdulwahab
 
PDF
Anatomy of a Cloud Hack
NotSoSecure Global Services
 
PPTX
NoSQL Exploitation Framework
Francis Alexander
 
PDF
Using the Zed Attack Proxy as a Web App testing tool
David Sweigert
 
PDF
Fundamental of malware analysis
Sumedt Jitpukdebodin
 
PPTX
Zap vs burp
Tomasz Fajks
 
PPTX
Presentation on Web Attacks
Vivek Sinha Anurag
 
2014 ZAP Workshop 2: Contexts and Fuzzing
Simon Bennetts
 
Hacker Proof web app using Functional tests
Ankita Gupta
 
[Wroclaw #7] Security test automation
OWASP
 
[OWASP Poland Day] Application frameworks' vulnerabilities
OWASP
 
Java Secure Coding Practices
OWASPKerala
 
BSides Manchester 2014 ZAP Advanced Features
Simon Bennetts
 
[Wroclaw #6] Introduction to desktop browser add-ons
OWASP
 
Devouring Security Insufficient data validation risks Cross Site Scripting
gmaran23
 
[Wroclaw #7] AWS (in)security - the devil is in the detail
OWASP
 
Zed Attack Proxy (ZAP)
JAINAM KAPADIYA
 
Automating OWASP ZAP - DevCSecCon talk
Simon Bennetts
 
JavaOne 2014 Security Testing for Developers using OWASP ZAP
Simon Bennetts
 
The OWASP Zed Attack Proxy
Aditya Gupta
 
OWASP Zed Attack Proxy
Fadi Abdulwahab
 
Anatomy of a Cloud Hack
NotSoSecure Global Services
 
NoSQL Exploitation Framework
Francis Alexander
 
Using the Zed Attack Proxy as a Web App testing tool
David Sweigert
 
Fundamental of malware analysis
Sumedt Jitpukdebodin
 
Zap vs burp
Tomasz Fajks
 
Presentation on Web Attacks
Vivek Sinha Anurag
 
Ad

Similar to Software Development in the Age of Breaches (20)

PPTX
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
SecuRing
 
PPTX
Lateral Movement - Phreaknik 2016
Xavier Ashe
 
PDF
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...
Apostolos Giannakidis
 
ODP
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
Tabăra de Testare
 
PPTX
Spa Secure Coding Guide
Geoffrey Vandiest
 
PPTX
Vulnerabilities in modern web applications
Niyas Nazar
 
PDF
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Alert Logic
 
PDF
CSS17: Houston - Protecting Web Apps
Alert Logic
 
PDF
NoSQL - No Security?
Gavin Holt
 
PDF
Lateral Movement: How attackers quietly traverse your Network
EC-Council
 
PDF
Lateral Movement - Hacker Halted 2016
Xavier Ashe
 
PPTX
Owasp first5 presentation
Ashwini Paranjpe
 
PPTX
Owasp first5 presentation
owasp-pune
 
PDF
Problems with parameters b sides-msp
Mike Saunders
 
PPT
Code Quality - Security
sedukull
 
PPTX
Top Ten Java Defense for Web Applications v2
Jim Manico
 
PPTX
CSS 17: NYC - Protecting your Web Applications
Alert Logic
 
PDF
DevSecOps: Taking a DevOps Approach to Security
Alert Logic
 
PPTX
Plant_Ecommerce_Security_Presentation.pptx
LaxmipujaBiradar
 
PPTX
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
Robert Conti Jr.
 
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
SecuRing
 
Lateral Movement - Phreaknik 2016
Xavier Ashe
 
Unsafe Deserialization Attacks In Java and A New Approach To Protect The JVM ...
Apostolos Giannakidis
 
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
Tabăra de Testare
 
Spa Secure Coding Guide
Geoffrey Vandiest
 
Vulnerabilities in modern web applications
Niyas Nazar
 
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Alert Logic
 
CSS17: Houston - Protecting Web Apps
Alert Logic
 
NoSQL - No Security?
Gavin Holt
 
Lateral Movement: How attackers quietly traverse your Network
EC-Council
 
Lateral Movement - Hacker Halted 2016
Xavier Ashe
 
Owasp first5 presentation
Ashwini Paranjpe
 
Owasp first5 presentation
owasp-pune
 
Problems with parameters b sides-msp
Mike Saunders
 
Code Quality - Security
sedukull
 
Top Ten Java Defense for Web Applications v2
Jim Manico
 
CSS 17: NYC - Protecting your Web Applications
Alert Logic
 
DevSecOps: Taking a DevOps Approach to Security
Alert Logic
 
Plant_Ecommerce_Security_Presentation.pptx
LaxmipujaBiradar
 
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
Robert Conti Jr.
 
Ad

Recently uploaded (20)

PDF
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
rohnjim07
 
PPTX
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
PPTX
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
PDF
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
PPTX
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
PDF
Design an Analysis of Algorithms II-SECS-1021-03
DilanEscobar1
 
PDF
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 
PDF
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
PDF
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
PDF
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
PDF
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
PDF
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
PPT
Introduction Database Management System for Course Database
ReinertYosua
 
PPTX
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
PDF
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
PPTX
Introduction to Artificial Intelligence
lohedi9363
 
PPTX
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
PDF
Upgrade and Innovation Strategies for SAP ERP Customers
Virendra Rai, PMP
 
PDF
System and Network Administraation Chapter 3
jaramharo
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 41
ghrom2211g
 
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
rohnjim07
 
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
Design an Analysis of Algorithms II-SECS-1021-03
DilanEscobar1
 
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
Introduction Database Management System for Course Database
ReinertYosua
 
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
Introduction to Artificial Intelligence
lohedi9363
 
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
Upgrade and Innovation Strategies for SAP ERP Customers
Virendra Rai, PMP
 
System and Network Administraation Chapter 3
jaramharo
 
Internet Downloader Manager (IDM) Crack 6.42 Build 41
ghrom2211g
 

Software Development in the Age of Breaches

  • 4. Opportunistic Indeed ! TalkTalk 150K + PII records compromised SQL Injection Ashley Madison 37 MM records compromised Weak VPN Authentication HomeDepot 56MM PII records compromised Weak Access Control Patreon 2.3MM PII records compromised Debugger in Prod 000WebHost 13.5MM PII records compromised Using old PHP version
  • 7. Test Driven Development • Bugs increase security risk • Allows you to release faster • Fixing issues while in development is cheaper • Only way to prove that “My code works”
  • 8. Take it to the next level select version(); select current_database(); select current_user; select session_user; '));waitfor delay '0:0:3'-- "));waitfor delay '0:0:3'-- benchmark(10000000,MD5(1))# 1 or benchmark(10000000,MD5(1))# " or benchmark(10000000,MD5(1))# ' or benchmark(10000000,MD5(1))# getUserByName(first_name,last_name) { … }
  • 10. New Responsibility Model • At SecureDB, we have no testers. Only “Buddies” • “Buddies” are fellow developers that: – Test your code – Review your code – Give you feedback • Switch “Buddies” every sprint
  • 13. Where would I even start? STEP 1: Find a comparable company in your space STEP 2: COPY IDEAS SHAMELESSLY Examples: You’re a social media co that has too many locked accounts. A: How many login attempts does Twitter Allow? You’re an e-commerce site worried about fake accounts. A: How does Amazon do it? Don’t re-invent the wheel
  • 15. Two Factor Everything • Evaluate every service you use for TFA support - Hosting - Code Repos - Email - SSH Access - DNS - File sharing systems • If a vendor does not support TFA – Are they really worth your time and money?
  • 16. Change Default Accounts • Default Admin Username/Password – Databases – Key Stores – Content Management Systems • Disable Unnecessary Services • Delete unwanted accounts
  • 17. Firewall Effectively • Dev environment is only for Developers – Block access from internet – IP Based restrictions • Restrict SSH access – IP Based restrictions – Easy to setup • Ingress and Egress • Install WAF (It’s FREE)
  • 19. Continuous Security (DevSecOps) • Provisioning a new VM – Install latest patches – Apply right firewall policies – Stop unwanted services – Start appropriate services • Run as part of the build: – Fuzzing Tests – Run vulnerability scans – Static Analysis – Dynamic Analysis
  • 21. Input Validation • Trust nothing that comes from client • Every layer to do it’s own validation • Whitelist vs Blacklist? – Whitelist is better • Use well tested libraries – Or OWASP RegEx • Specifically Test for SQLi and XSS • Example
  • 22. Output Escaping • Escape all content to be rendered • Use UI Frameworks that escape by default • Scan the code to check the usage of un- escaped methods • Example
  • 23. Authentication Web Form Based Authentication Two Factor Authentication TOTP Text Message Social Logins Facebook Twitter Google Basic Authentication Digest Authentication OAuth Certificate Based Auth. JWT (with JWS/JWE) APIs
  • 24. Authorization • Privilege Escalation attacks are common • Authz mechanisms – Role Based Access Control (RBAC) – Attribute Based Access (ABAC) • Do Authz checks at every layer – Cookies – JWT (Mobile Friendly)
  • 26. White Hat Program • Allow white hat hackers to find security issues and report them to you • Explicit contract laying out what kind of attacks they could execute • Implicit contract that they won’t go public with it – And give you reasonable time to fix it • Make payments per bug and severity • Example
  • 27. you are the best CISO … of your application You are the best CISO of your application