Rudolph Araujo
Senior Principal, Foundstone Professional Services
rudolph@foundstone.com
www.codesecurely.org
6th OWASP AppSec Conference, Milan - May 2007
Copyright 2007 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/
STATE OF SOFTWARE SECURITY
The Stages of Software Security
Application Security
Identifies and corrects instances of security issues in applications
Tactical, near-term approach to securing an application
Configuration Management
Data Protection in Storage & Transit
Authentication
Authorization
User & Session Management
Data Validation
Error Handling & Exception Management
Logging & Auditing
The Mindset
Training and exposure
Consider Foundstone Hacme* / WebGoat
Testers need to help define the threat model
Use threat model to prioritize and scope effort
Define attack libraries of test cases
Based on vulnerabilities and the security frame
Based on phase of testing
Choose which ones to apply to this rev
Data validation
Fuzzing
SQL injection
Buffer overflows
Cross site scripting
Authorization
Method level permissions
Document repository
Threat modeling artifact repository
Leverage commonality across similar applications
Metrics reporting
Benefits
Wide distribution of best practices
Prevention of repetition of similar issues
Improved productivity
Overall better software quality
Tweaking the SSDLC
Gotchas!
Don't disclose too soon, even if it is internal only!
Anonymize the examples and code if necessary
Share not only the issue but how the issue was discovered and fixed
Root cause analysis
Make sure the fix is bug free!
Special Case: Third Party Components
Open Source / COTS
OpenSSL
zlib
Who is tracking updates / patches?
The average developer???
Which of our applications are affected?
What's the plan to roll out patches?
Back again to matrices!
Role: Software Security Architect
Subscribe to mailing lists
Patch reliability
Notify application owners
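As an added example, not taken from the slides, here is the "matrix" idea in Python: a constructed inventory of hypothetical applications, the third-party component versions each one embeds and the owner to notify, queried against an advisory to answer "which of our applications are affected" and to group the patch notices per owner. The version ordering (numeric parts, then an OpenSSL-style letter suffix) is an assumption about how versions are recorded in the matrix.

```python
"""Application-to-component dependency matrix for third-party patch tracking."""
import re

# Constructed sample inventory: hypothetical apps, owners and versions.
INVENTORY = [
    {"app": "billing-portal", "owner": "alice@example.com",
     "components": {"OpenSSL": "0.9.8d", "zlib": "1.2.3"}},
    {"app": "hr-intranet", "owner": "bob@example.com",
     "components": {"zlib": "1.2.1"}},
    {"app": "public-site", "owner": "alice@example.com",
     "components": {"OpenSSL": "0.9.8g"}},
]


def version_key(version):
    """Turn '0.9.8e' into a comparable tuple of (kind, value) parts.
    Numeric parts compare numerically; an OpenSSL-style letter suffix
    sorts after the bare release (0.9.8 < 0.9.8a < 0.9.8b).  Tagging
    each part with a kind keeps int-vs-str comparisons from raising."""
    parts = re.findall(r"\d+|[a-z]+", version.lower())
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def is_affected(installed, fixed_in):
    """An installed version is affected when it is older than the fix."""
    return version_key(installed) < version_key(fixed_in)


def affected_applications(inventory, component, fixed_in):
    """Rows of the matrix still running a vulnerable version of `component`.
    Returns (app, owner, installed_version) triples."""
    hits = []
    for row in inventory:
        installed = row["components"].get(component)
        if installed is not None and is_affected(installed, fixed_in):
            hits.append((row["app"], row["owner"], installed))
    return hits


def notifications(inventory, advisories):
    """Group affected apps by owner so each owner gets one patch notice.
    `advisories` is a list of (component, fixed_in) pairs, e.g. collected
    from the vendor mailing lists the security architect subscribes to."""
    by_owner = {}
    for component, fixed_in in advisories:
        for app, owner, installed in affected_applications(inventory, component, fixed_in):
            notice = f"{app}: {component} {installed} -> {fixed_in}"
            by_owner.setdefault(owner, []).append(notice)
    return by_owner
```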