2. NEED FOR APPLICATION SECURITY
• According to SANS:
  • 60% of all internet attacks target Web applications
  • SQL Injection and XSS constitute 80% of all recently discovered vulnerabilities
  • Application vulnerabilities now exceed OS vulnerabilities
[Chart: number of vulnerabilities by layer (Applications, Operating Systems, Network)]
4. WHAT TO DO???
• More developers need to be made aware of the need for secure software development, as well as the practices associated with it
• Education is key
• Security needs to be part of the mindset of any software development project from day 1
• Security CANNOT be an afterthought
• Security CANNOT be effectively bolted on later (e.g. by putting a firewall in front of a vulnerable application)
5. WHY EDUCATION?
• Response from development team:
  – There is no issue here, you encountered this error while using Mozilla. Our product documentation says the application is only compatible with IE.
6. A QUESTION OF CASE
• What the Fuzz?
• Basic testing or fuzzing would have discovered that capitalizing a single letter of the request caused all data to be returned, not just the authorized set
• Validation was only being done client side; the server did not re-validate what the browser sent
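The bug on this slide, reconstructed as an added example (this is not code from the original slides or from the application they describe): a handler that trusts a client-supplied `owner` parameter, filters with an exact-case match, and falls open when the value is unrecognised, next to a hardened handler that takes the identity from the session and fails closed. The rows, the parameter name and the handler names are assumptions for the illustration. The case-variant loop is the "basic testing" the slide says would have caught it.

```python
"""Added example (not from the original slides): a fail-open, case-sensitive
authorization filter of the kind slide 6 describes, a hardened version, and
the basic test that tells them apart. The rows, the `owner` parameter and
the handler names are constructed for this illustration."""
import itertools

# Constructed sample data: rows belonging to two different users.
ROWS = [
    {"id": 1, "owner": "alice", "data": "alice-secret-1"},
    {"id": 2, "owner": "alice", "data": "alice-secret-2"},
    {"id": 3, "owner": "bob", "data": "bob-secret-1"},
]
ALLOWED_OWNERS = {"alice", "bob"}


def vulnerable_handler(params: dict) -> list:
    """Trusts the client-supplied `owner` parameter. The client-side form only
    ever sends a lowercase name, so the developer assumed an exact-match filter
    was enough. `owner=Alice` matches no known owner, falls through, and the
    handler returns every row (fail open)."""
    owner = params.get("owner", "")
    if owner in ALLOWED_OWNERS:
        return [r for r in ROWS if r["owner"] == owner]
    # An unknown value was treated as "no filter requested" instead of an error.
    return list(ROWS)


def hardened_handler(session: dict, params: dict) -> list:
    """Authorization comes from the authenticated session, never from the
    request parameters (deliberately ignored here), and the comparison is
    case-insensitive on both sides. Anything that is not a known owner is
    rejected (fail closed) rather than widening the result."""
    owner = str(session.get("user", "")).strip().lower()
    if owner not in ALLOWED_OWNERS:
        raise PermissionError("unauthenticated or unknown user")
    return [r for r in ROWS if r["owner"].lower() == owner]


def case_variants(value: str):
    """Every upper/lower-case spelling of `value` (2**len(value) of them)."""
    for fns in itertools.product((str.lower, str.upper), repeat=len(value)):
        yield "".join(f(c) for f, c in zip(fns, value))


def leaks_unauthorized_rows(handler, authorized_owner: str) -> list:
    """The basic test from slide 6: send each case variant of the owner the
    caller is authorized for and flag any response containing other owners'
    rows. Returns the parameter values that leaked."""
    leaks = []
    for variant in case_variants(authorized_owner):
        rows = handler({"owner": variant})
        if any(r["owner"] != authorized_owner for r in rows):
            leaks.append(variant)
    return leaks


if __name__ == "__main__":
    print("vulnerable:", leaks_unauthorized_rows(vulnerable_handler, "alice"))
    session = {"user": "alice"}
    print("hardened:", leaks_unauthorized_rows(
        lambda p: hardened_handler(session, p), "alice"))
```

Against the vulnerable handler every spelling except the exact lowercase one returns Bob's rows as well; against the hardened handler no spelling changes the result, because the request parameter no longer decides what the caller may see.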
7. SECURING THE SDLC
• Requirements
  • Security needs to be a requirement
  • Risk Assessment
• Design
  • Security controls to ensure all requirements are met
  • Design review
• Implementation
  • Coding standards
  • Static code analysis
  • Peer code review
• Testing
  • Abuse Cases
  • Fuzzing
  • Vulnerability scans
  • Pen Testing
• Release/Maintenance
  • Patching/Updating
Security needs to be a factor in all phases of the software development lifecycle
8. THREAT MODELING
• STRIDE threat categories:
  • Spoofing
  • Tampering
  • Repudiation
  • Information disclosure
  • Denial of Service
  • Elevation of privilege
• Makes programmers think like an attacker in order to identify potential ways in which their application could be abused
9. RISK ASSESSMENT
• DREAD rating categories:
  • Damage potential
  • Reproducibility
  • Exploitability
  • Affected Users
  • Discoverability
• Each threat is ranked in each category on a scale of 1 to 3, with 1 being a threat with minimal potential impact and 3 being a serious threat
10. STRIDE + DREAD EXAMPLE
Helps to identify which threats pose the biggest risk
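A worked instance of the STRIDE + DREAD ranking, added here as an example (the slide's own table is not on this page and is not reproduced; the threats, their scores and the Low/Medium/High bands below are constructed for a hypothetical web application). Each threat is tagged with its STRIDE category, scored 1 to 3 in the five DREAD categories as slide 9 defines, and the totals are sorted so the biggest risks come out first.

```python
"""Added example (not from the original slides): scoring STRIDE threats on the
DREAD 1-to-3 scale from slide 9 and ranking them by total. The threats, their
scores and the risk bands are constructed for a hypothetical web application."""
from dataclasses import dataclass

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege")
DREAD = ("damage", "reproducibility", "exploitability", "affected_users",
         "discoverability")


@dataclass(frozen=True)
class Threat:
    name: str
    stride: str          # STRIDE category the threat falls under
    damage: int          # DREAD scores, each 1 (minimal) .. 3 (serious)
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        if self.stride not in STRIDE:
            raise ValueError(f"{self.stride!r} is not a STRIDE category")
        for cat in DREAD:
            score = getattr(self, cat)
            if not 1 <= score <= 3:
                raise ValueError(f"{cat} must be 1..3, got {score}")

    def dread_total(self) -> int:
        """Sum over the five categories: 5 (all minimal) .. 15 (all serious)."""
        return sum(getattr(self, cat) for cat in DREAD)


def risk_band(total: int) -> str:
    # Assumed cut-offs: the slides give the scale but not the bands.
    if total >= 12:
        return "High"
    if total >= 8:
        return "Medium"
    return "Low"


def rank_threats(threats):
    """Highest DREAD total first; ties broken by damage potential, then by
    name so the ordering is deterministic."""
    return sorted(threats, key=lambda t: (-t.dread_total(), -t.damage, t.name))


# Constructed threats for a hypothetical data-export web application.
THREATS = [
    Threat("Case variant of owner parameter returns every row",
           "Information disclosure", 3, 3, 3, 3, 2),
    Threat("Session cookie accepted over plain HTTP",
           "Spoofing", 3, 3, 2, 3, 2),
    Threat("Admin actions not written to an audit log",
           "Repudiation", 2, 3, 1, 1, 1),
    Threat("Unbounded upload size fills the disk",
           "Denial of service", 2, 3, 2, 3, 2),
]


def risk_register(threats=THREATS):
    """(name, STRIDE category, DREAD total, band) rows, most serious first."""
    return [(t.name, t.stride, t.dread_total(), risk_band(t.dread_total()))
            for t in rank_threats(threats)]


if __name__ == "__main__":
    for row in risk_register():
        print(row)
```

The validation in `__post_init__` is the part worth keeping in a real register: a score outside 1 to 3 or an unknown STRIDE label is a data-entry mistake that would otherwise silently distort the ranking.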
11. FUZZING
• Fuzzing is an automated process of feeding invalid, unexpected and random inputs into an application and monitoring the application for crashes, hangs and other unexpected behaviour
• It can help to identify inputs that the application cannot properly handle and that could hence be used as a potential attack
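A minimal mutation fuzzer of the kind the slide describes, added as an example (not code from the original slides): it mutates a seed corpus, feeds each sample to a target, and records every exception type the target was not designed to raise, together with the first input that triggered it. The target is a constructed `key=value; key=value` header parser with the edge-case bugs a hand-written parser typically has; a hardened parser that only ever fails with one documented exception is fuzzed the same way and produces no findings. Seeds, alphabet and iteration count are assumptions for the illustration.

```python
"""Added example (not from the original slides): a small mutation fuzzer run
against a constructed `key=value; ...` parser with realistic edge-case bugs,
and against a hardened parser allowed to fail only with one documented
exception."""
import random


def fragile_parse(header: str) -> dict:
    """Constructed fuzz target: crashes on inputs its author never typed by
    hand (no '=', empty value, non-numeric max-age)."""
    out = {}
    for part in header.split(";"):
        key, value = part.strip().split("=", 1)   # ValueError: no '='
        if key == "max-age":
            value = int(value)                    # ValueError: "36O0"
        elif value[0] == '"':                     # IndexError: empty value
            value = value[1:-1]
        out[key] = value
    return out


class ParseError(ValueError):
    """The only exception hardened_parse may raise: a clean rejection."""


def hardened_parse(header: str) -> dict:
    """Same format, every edge case handled explicitly."""
    out = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep or not key:
            raise ParseError(f"malformed segment {part!r}")
        if key == "max-age":
            if not value.isdecimal():
                raise ParseError(f"max-age is not numeric: {value!r}")
            value = int(value)
        elif len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        out[key] = value
    return out


# Constructed seed corpus and mutation alphabet: printable ASCII plus a few
# control characters that real clients do send.
SEEDS = ["a=1", "sessionid=abc123; max-age=3600", 'name="quoted value"']
ALPHABET = [chr(c) for c in range(32, 127)] + ["\x00", "\t", "\n", "\r"]
MAX_LEN = 64


def mutate(s: str, rng: random.Random) -> str:
    """One random edit: replace, delete, insert, duplicate, truncate or empty."""
    op = rng.choice(("replace", "delete", "insert", "dup", "truncate", "empty"))
    if op == "empty":
        return ""
    if not s:
        return rng.choice(ALPHABET)
    i = rng.randrange(len(s))
    if op == "replace":
        return s[:i] + rng.choice(ALPHABET) + s[i + 1:]
    if op == "delete":
        return s[:i] + s[i + 1:]
    if op == "insert":
        return s[:i] + rng.choice(ALPHABET) + s[i:]
    if op == "dup":
        return (s + s)[:MAX_LEN]
    return s[:i]                                  # truncate


def fuzz(target, seeds=SEEDS, iterations=2000, seed=1, expected=()):
    """Feed `iterations` mutated inputs to `target`. Exceptions listed in
    `expected` are clean rejections; anything else is recorded as a crash,
    keyed by exception type, with the first input that triggered it. Inputs
    the target accepts join the corpus so later mutations explore deeper."""
    rng = random.Random(seed)          # fixed seed: findings are reproducible
    corpus = list(seeds)
    crashes = {}
    for _ in range(iterations):
        sample = mutate(rng.choice(corpus), rng)
        try:
            target(sample)
        except expected:
            continue
        except Exception as exc:       # a crash the target did not intend
            crashes.setdefault(type(exc).__name__, sample)
            continue
        corpus.append(sample)
    return crashes


if __name__ == "__main__":
    print("fragile :", fuzz(fragile_parse))
    print("hardened:", fuzz(hardened_parse, expected=(ParseError,)))
```

The distinction the `expected` argument draws is the one that matters in practice: a parser that rejects bad input with its documented error is behaving correctly, while any other exception (here an unpacking `ValueError` or an `IndexError` from an empty value) is exactly the unhandled input the slide warns about, and in a memory-unsafe language would be a crash worth triaging for exploitability.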