Download presentation: Embed within SDLC Module (to be combined) OWASP

547bbdd9d7ba736a61f9196dccdd7144.ppt

  • Number of slides: 59

Embed within SDLC Module (to be combined) OWASP Education Project. Copyright 2007 © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org

Introduction OWASP 2

People / Processes / Technology: Training, Awareness, Guidelines, Automated Testing, Secure Development, Application Firewalls, Secure Code Review, Secure Configuration, Security Testing OWASP 3

A Few Facts and Figures
  • Interesting Statistics – Employing code review
    ◦ IBM Reduces

People Awareness and Education OWASP 5

Get Buy In!
  • Management support crucial
  • Talk Business:
    ◦ Create Value
    ◦ Control Risk

Web Application Security SDLC Elevator Pitch
  • Between 70% and 90% of web applications have

Developer and administrator training: "Give a man a fish and you feed him for a day; teach a man to fish and you feed him for a lifetime." Chinese proverb

Security Requirements and Abuse Cases OWASP 9

Security Requirements
  • Security aspects must be part of the requirements
  • The 'business' should be informed of certain risks
  • Solid base for next application security controls
  • Define Security Requirements Standards
    ◦ Which controls are necessary
    ◦ When are they necessary (applicability)
    ◦ Why are they necessary (e.g. SEC, SOX, etc.)
      ▪ Easy to use reference for requirements teams
    ◦ Standard method to implement each control
      ▪ Provide reference on how to implement
OWASP 10

Application Security Requirements Tailoring
  • Get the security requirements and policy right
  • Generic set of

Abuse Cases. Source: Templates for Misuse Case Description, Sindre & Opdahl OWASP 12

Negative Scenarios are Not New. Montignac Caves, Dordogne, France: 'Suppose it turns and charges us before it falls into the pit' OWASP 13

Misuse Cases
  • Guttorm Sindre and Andreas Opdahl, 2000
  • Actor is a Hostile Agent
  • Bubble is drawn in inverted colours
  • Goal is a Threat to 'Our System'
  • Input for Threat Modelling
OWASP 14

Threat Modeling OWASP 15

Why
  • Understand the operating environment your application is heading into
  • Identify, analyze and document

Overview
  • assets
  • input/output
  • exposure (internal, external, distributed, centralized, ...)
  • threat types (patterns)
  • impact

Identifying threats – data flow diagrams (DFD), level 0
  • contains the major processes, system

Categorizing and Quantifying Threats
  • Most known: Microsoft STRIDE, DREAD
    ◦ spoofing, tampering, repudiation, information

Threat Modeling
  • Select mitigation strategy and techniques based on identified, documented and rated threats.