Post on 20-Aug-2020

Implementing Secure Coding In Your Organization

Erez Metula (CISSP), Founder

Application Security Expert

ErezMetula@AppSec-Labs.com

Agenda

SDLC

Security education for developers

Secure Design

Secure Coding

Security testing

Tools

About Me – Erez Metula

Application security expert

Book author

Managed Code Rootkits (Syngress)

Speaker & Trainer

BlackHat, Defcon, RSA, OWASP, etc.

Founder of AppSec Labs

AppSec Labs: the leading Application Security Company

A bunch of Application Security Experts

Ninja Pentesters of Web & Mobile Apps

Elite Trainers for Hacking & Secure coding courses

Development Process Evolution

The iterative waterfall…

The problem:

No security at all…

…or security done only at the last stage of development

Sometimes a security bug forces design changes

…and sometimes you can't fix it at all!

VIDEO

http://cis1.towson.edu/~cssecinj/secure-coding-workshop/workshop-structure/importance-of-secure-coding-15-min/

Complex Threat Model

Major attack vectors: malicious user / malicious app

Malicious user attacking the client side app

Malicious user using the client app to attack the server side

Malicious user attacking the end user by having physical access to the device

Malicious app attacking the end user

Malicious app attacking other apps on same device

Example – Mobile App Threat Model

Cost of Change

Relative cost to fix a vulnerability – based on time of detection

The Security Development Lifecycle

A software development process that defines security requirements and milestones

Developers don't know how to write secure code!

These problems belong directly to the R&D department

NOT the IT dept. and NOT the Security dept.

Most developers never had proper secure coding training

What to do?

We need to educate them!

AppSec Labs Learning Management System

Grow your “Security champions”

A security champion is someone from your organization who is responsible for advancing the application security initiative

Most often, they will come from the DEV team

A strong developer who truly cares about security

You should identify these people and cherish them

Case study – HP and AppSec Labs TTT (“Train The Trainer”)

Summary

Security should be performed at every layer

Never trust the user!

All input should be considered malicious unless proven otherwise

Follow best practices of secure coding and common security principles

SDL should be part of the methodology
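The "never trust the user" and "all input is malicious unless proven otherwise" principles above, together with the "malicious user using the client app to attack the server side" vector from the threat-model slide, come down to one habit in code: the server validates every client-supplied value against an allowlist and derives privilege from its own session state, never from what the client sent. The following is an added example written for this transcript, not code from the slides or from AppSec Labs; the endpoint ("list orders"), its parameter names, the username pattern and the page limit are all assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass

# Assumed request shape for a hypothetical "list orders" endpoint. Every value
# in `params` arrives from the client and is untrusted until validated here.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")   # allowlist, not a denylist
ALLOWED_SORT = frozenset({"date", "total"})
MAX_PAGE = 10_000


class ValidationError(ValueError):
    pass


@dataclass(frozen=True)
class ListOrdersRequest:
    username: str
    page: int
    sort: str


def validate_list_orders(params: dict) -> ListOrdersRequest:
    """Validate client-supplied parameters against an allowlist.

    Anything not explicitly allowed is rejected: unknown keys, wrong types,
    out-of-range values and strings that do not match the expected pattern.
    """
    allowed_keys = {"username", "page", "sort"}
    unknown = set(params) - allowed_keys
    if unknown:
        # Extra fields (e.g. a client-chosen "role" or "is_admin") are an error,
        # never silently accepted or forwarded to the data layer.
        raise ValidationError(f"unexpected parameter(s): {sorted(unknown)}")

    username = params.get("username")
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValidationError("username must match ^[a-z][a-z0-9_]{2,31}$")

    page = params.get("page", 1)
    # Accept only canonical ASCII decimal integers; bool is a subclass of int,
    # so it is excluded explicitly rather than treated as 0/1.
    if isinstance(page, bool) or not isinstance(page, int):
        if isinstance(page, str) and page.isascii() and page.isdigit():
            page = int(page)
        else:
            raise ValidationError("page must be a positive integer")
    if not 1 <= page <= MAX_PAGE:
        raise ValidationError(f"page must be between 1 and {MAX_PAGE}")

    sort = params.get("sort", "date")
    if sort not in ALLOWED_SORT:
        raise ValidationError(f"sort must be one of {sorted(ALLOWED_SORT)}")

    return ListOrdersRequest(username=username, page=page, sort=sort)


def handle_list_orders(params: dict, session_role: str) -> dict:
    """Request handler: the caller's privilege comes from the server-side
    session (`session_role`), never from a value the client sent."""
    try:
        req = validate_list_orders(params)
    except ValidationError as exc:
        return {"status": 400, "error": str(exc)}
    # A regular user may only list their own orders; only the *session* can
    # widen the scope, so a client-supplied "is_admin" flag has no effect.
    scope = "all" if session_role == "admin" else req.username
    return {"status": 200, "scope": scope, "page": req.page, "sort": req.sort}


if __name__ == "__main__":
    # Constructed sample requests, the last two of which a malicious client
    # might send after bypassing any client-side checks.
    samples = [
        ({"username": "alice", "page": "3", "sort": "total"}, "user"),
        ({"username": "alice", "is_admin": True}, "user"),
        ({"username": "alice' OR 1=1--"}, "user"),
    ]
    for params, role in samples:
        print(params, "->", handle_list_orders(params, role))
```

The allowlist is the point: the validator states what a valid request looks like and rejects everything else, so a payload the developer never anticipated (a foreign-script digit, a boolean where an integer is expected, an injected quote) fails the same way as a typo does, without a denylist that has to anticipate every attack.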

THANK YOU!

Erez Metula, Application Security Expert

AppSec Labs (Founder)

ErezMetula@AppSec-Labs.com