1. Security for Managers and Executives
OWASP Education
Computer based training
Security for Managers and Executives
Welcome to the application security training I am Nishi Kumar. Today I wanted to bring awareness about something that you all know about but really don’t understand its full extent. I would like to talk about application security
Nishi Kumar
Systems Architect, FIS
OWASP CBT Project Lead

2. Objectives Things we can do that will help build secure applications
Bring application security awareness
Things we can do that will help build secure applications
Processes we can have for achieving this goal
Answer some common questions
How would you feel if your confidential data is stolen? Angry frustrated!!

3. How would you feel if your confidential data is stolen?
How would you feel if your confidential data is stolen? Angry frustrated!!
Angry! Frustrated!

4. Identity Theft Phishing
Have you heard about Identity Theft and Phishing attacks? Phishing is the fraudulent process to get sensitive information such as usernames, passwords and credit card details by a malicious web site by pretending to be an authentic one.

5. Facebook Phishing Attack
Lures people to a fake Facebook page and prompts them to log in.
This was a real life example of Phishing attack on Facebook where users were lured to provide login credentials. Facebook users got a message from a friend urging them to "check this out" and including a link to a Web page that appeared to be a Facebook log-in page
Unsuspecting Facebook users get a message from a friend urging them to "check this out" and including a link to a Web page that appears to be a Facebook log-in page.

6. Article from Wall Street & Technology
This is an article from Wall Street, which talks about how security attacks against banking organizations has soared 81 percent in the first half of this year. Hacking is a multibillion-dollar business.

7. Why Should We Care? Let’s just think this through…
How likely is a successful web application attack?
Stunningly prevalent
Easy to exploit without special tools or knowledge
Little chance of being detected
Hundreds of thousands of developers, tiny fraction with security
Consequences?
Corruption or disclosure of database contents
Root access to web and application servers
Loss of authentication and access control for users
Defacement
Secondary attacks from your application
The question is as a company why should we care about investing time and energy securing our applications? Believe it or not if applications contain vulnerabilities a successful attack is easier than you think. There are hundreds of thousands of developers in the world but only a tiny fraction of them have expertise and experience with security. Result of this is applications get compromised, sensitive data is leaked, database content get corrupted. Attackers can even get root access to web and application server. Later during this presentation I will show you how attackers can change the face of the application for their benefit. If malicious script gets injected in our application successfully then secondary attacks will happen from our application.

8. Cost of Non-Compliance
In the event of the a breach the acquirer CAN make the merchant responsible for:
Any fines from PCI-Co
Up to $500,000 per incident
Cost to notify victims
Cost to replace cards (about $10/card)
Cost for any fraudulent transactions
Forensics from a QDSC
Level 1 certification from a QDSC
The QDSC (Qualified Data Security Company certification) by Visa© authorizes a company to perform level-one onsite assessments for merchants and service providers requiring a "Report on Compliance" (ROC).
I also wanted to bring some awareness about cost of non-compliance. In the event of a breach the fines that our organization will have to pay is hefty. We will have to pay fine from PCI, up to $500,000 per incident, cost to notify the victims, around 10 dollars per card to replace the card, cost of fraudulent transactions, forensic investigation and a level one certification from qualified data Security Company.

9. Cost of Non-Compliance (Cont)
Let see how this translates to a potential scenario. Take a case where 50,000 credit card data are stolen. PCI penalty is $100,000. If we don’t have self assessment then it is $500,000. Card replacement $500,000. In year 2004 cost of average fraudulent transaction was $1,235. So total cost of fraudulent transaction would be approx sixty one million seven hundred and fifty thousands dollars. Of course, no amount of money would compensate for the bad publicity. As the saying goes, that is priceless.
Example: 50,000 credit cards stolen
PCI Penalty - $100,000 per incident
$500,000 if you do not have a self-assessment
Card Replacement - $500,000 (50,000 x $10 dollars per card)
Fraudulent Transaction – $61,750,000 ($1,235 x 50,000)
$1, average fraudulent transaction
Bad Publicity – Priceless!

10. Why Web Application Security important?
Attacks Shift Towards Application Layer
Security
Spending
Root cause of most of these attacks is Web applications security vulnerabilities. According to Gartner - 2/3rd of all web applications are vulnerable. Organizations think if they protect their network resources their applications are safe. But that is simply not true. 75% of the attack happens through the web applications. As you can see in this chart, 90% of the security spending happens on the network layer and only 10% on the application layer. Where as 75% of the attacks are happening on the application layer and only 25% of the attack on the network layer
% of Attacks
% of Dollars
10%
Web
Applications
75%
90%
Network Server
25%
2/3
of All Web Applications Are Vulnerable
Sources: Gartner, Watchfire

11. Problem Illustrated Application Layer Network Layer
Attacker sends attacks inside valid HTTP requests
Your custom code is tricked into doing something it should not
Security requires software development expertise, not signatures
Network Layer
Firewall, hardening, patching, IDS, and SSL cannot detect or stop attacks inside HTTP requests.
Security relies on signature databases
Application Layer
Accounts
Finance
Administration
Transactions
Communication
Knowledge Mgmt
E-Commerce
Bus. Functions
Databases
Legacy Systems
Web Services
Directories
Human Resrcs
Billing
I wanted to illustrate here visually how the attack is happening. Attackers send an attack inside valid Http Request. Application code is tricked in doing something it was not supposed to do. Full application security requires specific software development expertise. Network layer security alone cannot stop attacks inside Http Request.
APPLICATION ATTACK
Custom Code
App Server
Web Server
Hardened OS
Network Layer
Firewall
Firewall
Insider

12. Demo Attack Phases of hacker attacks
I wanted to illustrate one of many possible way of a hackers attack. The first step is the hacker tries to gather information. Then he uses that information to attack on the infrastructure and do the exploit.

13. Phase 1 Information search Fingerprinting
Hacker tries to gather information about the operating system, web server and database. Compares information with vulnerability database
1. Hacker searches information about victim’s target system
Operating System
Web Server
Database
2. Compares information with vulnerability database

14. Phase 1 - Information Search
SQL Injection
Hacker tries to gather information about the operating system, web server and database. Compares information with vulnerability database
1. Hacker found vulnerability
Search for (specific) user
Find additional information about user
2. Needs information for next phase of attack

15. Phase 2 - Infrastructure
Cross Site Scripting (XSS)
Then uses the vulnerability to get personal information like and phone number. Sends an to the victim, which has malicious script.
1. Hacker found personal information about user
Phone number …
2. Sends with unsuspicious topic
3. Includes XSS in that sends user session to the hackers server

16. Phase 2 - Infrastructure
Cross Site Scripting (XSS)
This is the time when you will receive an saying something like “Please login to your online baking to update your account information”. You think this is a valid . You click that link. XSS or the malicious code included in that link takes your session cookie and sends it to the hacker.
1. User receives
2. is unsuspicious to user
Topic
Originator
3. Included XSS sends all cookies to hacker’s web site

17. Phase 3 - Exploit Session hijacking
Hacker receives all the cookies. Cookies are used to identify users. He uses that to resume your session. Now hacker has logged in to your banking site with your access right.
1. Hacker received all cookies from user
2. Cookies are used to identify users
3. Hacker uses cookie to resume user session
4. Hacker is logged in as user “victim” with user’s access rights

18. That was just the beginning
That was just the beginning. You can easily imagine what is going to happen next

19. Demo Cross-site scripting
Xss-Proxy
XSS-Proxy is a tool for leveraging Cross-Site-Scripting (XSS) flaws to hijack victim browsers and allows a bi-directional interactive control channel between attacker, victim browser and an XSS vulnerable site.
Web Goat XSS

20. Leverage OWASP for Web Application Security Training
At this point I wanted to Introduce OWASP. It is an international non-profit organization primarily staffed by volunteers and funded by participating companies. The mission of this organization is to make Web application security visible. You can find additional information about OWASP at www. OWASP.org
The Open Web Application Security Project (OWASP Foundation Inc.)
Participation in OWASP is free and open to all
The vision is a software market that produces code that’s secure.  The mission is to make security visible so that software buyers and sellers are on equal footing and market forces can work. 
International not-for-profit charitable organization funded primarily by volunteers time and OWASP Memberships

21. What are the Top 10 Vulnerabilities?
The question is what are top 10 web application vulnerabilities? After doing extensive research and analysis OWASP came up with Top 10 vulnerabilities that plagues a typical web application.
OWASP Top 10

22. Common Security Issues: The OWASP Top 10 2010
The OWASP top 10 is aimed to educate developers, architects and security practitioners about the most common web application vulnerabilities.
The Ten Most Critical
Aimed to educate developers, architects and security practitioners about the consequences of the most common web application security vulnerabilities
Living document: 2007 T10 different from 2004 T10
OWASP Top released

23. Users and Adopters
Payment Card Industry (PCI)
PCI DSS - Requirements is OWASP Top 10
PA-DSS - Requirements – is OWASP Top Security code review for all the custom code.
OWASP Supporters
The OWASP Top 10 has been adopted by organizations across the world. PCI DSS requirements is OWASP Top 10 and PA-DSS requirements – is OWASP Top 10

24. Common Security Issues: The OWASP Top 10 2007
A1: Cross Site Scripting (XSS)
A2: Injection Flaws
A3: Malicious File Execution
A4: Insecure Direct Object Reference
A5: Cross Site Request Forgery (CSRF)
A6: Information Leakage and Improper Error Handling
A7: Broken Authentication and Session Management
A8: Insecure Cryptographic Storage
A9: Insecure Communications
A10: Failure to Restrict URL Access
These are the ten most common security issues in a web application

25. Common Security Issues: The OWASP Top 10 2010
These are the ten most common security issues in a web application

26. Security Threats and OWASP T10 Vulnerabilities
Other threats like, System compromise, financial loss and reputation loss is also OWASP Top 10
Phishing
Exploit weak authentication, authorization, session management and input validation (XSS, XFS) vulnerabilities
Privacy violations
Exploit poor input validation, business rule and weak authorization, injection flaws, information leakage vulnerabilities
Identity theft
Exploit poor or non-existent cryptographic controls, malicious file execution, authentication, business rule and auth checks vulnerabilities

27. Security Threats and OWASP T10 Vulnerabilities (cont)
Other threats like, System compromise, financial loss and reputation loss is also OWASP Top 10
System compromise, data alteration or data destruction
Exploit injection flaws, remote file inclusion-upload vulnerabilities
Financial loss
Exploit unauthorized transactions and CSRF attacks, broken authentication and session management, insecure object reference, weak authorization-forceful browsing vulnerabilities
Reputation loss
Depend on any evidence (not necessarily exploitation) of a web application vulnerability

28. OWASP Top Ten 2007 and ESAPI (Enterprise Security API)
If there is a problem there is solution. OWASP has also provided the solution. ESAPI is Enterprise security api’s for remediation of all these 10 vulnerabilities. It has generic api's for each of these vulnerability. This is a great source where application developers can see how specific issues can be Remediate.

29. OWASP Documentation on Web Application Security
Application Security Desk Reference (ASDR)
Basic reference material on application security terminology
Developer Guide
Comprehensive guide for Web applications and Web services security
Code Review Guide
Comprehensive secure code review guide on the web
Testing Guide
Web Application penetration testing
ASVS
Application Security Verification Standard
OWASP provides some great documentation and guidelines on application security. Application Security Desk Reference is a basic reference material on application security terminology, developer guide is a great resource which teaches developers web application and web services security, Code review guide teaches how to do code review for security, Testing guide teaches how to do testing for security and ASVS provides standards for doing application security verification
ASVS
Testing Guide
Developer Guide
Code Review Guide
Application Security Desk Reference (ASDR)

30. OWASP Tools and Technology
Automated Security Verification
Vulnerability Scanners
Static Analysis Tools
Fuzzing
Manual Security Verification
Penetration Testing Tools
Code Review Tools
Security Architecture
ESAPI
Secure Coding
AppSec Libraries
ESAPI Reference Implementation
Guards and Filters
AppSec Management
Reporting Tools
AppSec Education
Flawed Apps
Learning Environments
Live CD
SiteGenerator
OWASP also provides some great tools and technologies for security verification, manual penetration testing, security architecture, secure coding and education

31. Live CD
Project that collects some of the best open source security projects in a single environment
Users can boot from Live CD and immediately start using all tools without any configuration
 Live CD collects best known open source security projects in a single environment

32. Netcats – original + GNU Firece Domain Scanner v1.0.3
OWASP Tools
OWASP WebScarab v
OWASP WebGoat v5.2
OWASP CAL9000 v2.0
OWASP JBroFuzz v1.2
OWASP DirBuster v0.12
OWASP SQLiX v1.0
OWASP WSFuzzer v1.9.4
OWASP Wapiti v2.0.0-beta
Paros Proxy v3.2.13
nmap & Zenmap v 4.76
Wireshark v1.0.5
tcpdump v4.0.0
Firefox addons
Burp Suite v1.2
Grendel Scan v1.0
Metasploit v3.2 (svn)
w3af + GUI svn r2161
Netcats – original + GNU
Nikto v2.03
Firece Domain Scanner v1.0.3
Maltego CE v2-210
Httprint v301
SQLBrute v1.0
Spike Proxy v
Rat Proxy v1.53-beta
These are the list of tools that comes in Live CD

33. Web Goat
A classic vulnerable application to teach developers security code flaws
Web Goat is a classic vulnerable application that teach developers about security code flaw

34. WebScarab – A Proxy Engine
A Proxy tool to intercept Http Request and
Http Response
Web Goat is a classic vulnerable application that teach developers about security code flaw

35. Software Assurance Maturity Model (SAMM)
The four Disciplines are high-level categories for activities
Three security Functions under each Discipline are the specific silos for improvement within an organization
As an organization how can we improve? How can we build security in software development? The Software Assurance Maturity Model (SAMM) is the answer. SAMM is an open framework from OWASP to help organizations implement a strategy for software security.
From each of the Business Functions, 3 Security Practices are defined
The Security Practices cover all areas relevant to software security assurance
Each one is a ‘silo’ for improvement
It will help in:
Evaluating existing software security practices
Building a balanced software security assurance program in well-defined iterations
Demonstrate concrete improvements to a security assurance program
Define and measure security-related activities
At the highest level, SAMM defines four critical Business Functions:
·  Governance
·  Construction
·  Verification and
·  Deployment
Each Business Function is the nuts-and-bolts of software development. For each Business Function, SAMM defines three Security Practices. So overall, there are twelve Security Practices that will help us build secure applications.
Alignment & Governance
Governance is centered on the processes and activities on how an organization manages overall software development activities. This includes cross cutting concerns on development and processes on organization level.
Education & Guidance Involves increasing security knowledge amongst personnel in software development through training and guidance on security topics relevant to individual job functions.
Standards and Compliance Involves setting up a security and compliance control and audit framework throughout an organization to achieve increased assurance in software under construction and in operation.
Strategic Planning: Involves the overall strategic direction of the software assurance program and instrumentation of processes and activities to collect metrics about an organization’s security posture.
Requirements & Design
In general, this will include product management, requirements gathering, high-level architecture specification, detailed design, and implementation.
Threat Modeling: involves accurately identifying and characterizing potential attacks on a software in order to better understand the risks and facilitate risk management.
Security Requirements: Security Requirements involves promoting the inclusion of security-related requirements during the software development process in order to specify correct functionality from inception.
Defensive Design: Secure Architecture involves bolstering the design process with activities to promote secure-by-default designs and control over technologies and frameworks upon which software is built.
Verification & Assessment
It is focused on the processes and activities how we check and test artifacts produced throughout software development. This typically includes quality assurance work such as testing, but it can also include other review and evaluation activities.
Architecture Review: Design Review involves inspection of the artifacts created from the design process to ensure provision of adequate security mechanisms
Code Review: involves assessment of source code to aid vulnerability discovery and related mitigation activities as well as establish a baseline for secure coding expectations.
Security Testing: involves testing software in its runtime environment in order to both discover vulnerabilities and establish a minimum standard for software releases.
Deployment & Operations
Involves release management. This can involve shipping products to end users, deploying products to internal or external hosts, and normal operations of software in the runtime environment.
Vulnerability Management: involves establishing consistent processes for managing internal and external vulnerability reports to limit exposure and gather data to enhance the security assurance program.
Environment Hardening involves implementing controls for the operating environment like web server and application server hardening.
Operational Enablement involves identifying and capturing security-relevant information needed by an operator to properly configure, deploy, and run a software.
Alignment & Governance
Requirements & Design
Verification & Assessment
Deployment & Operations
Disciplines
Functions

36. Software Assurance Maturity Model (SAMM)
Check out this one...
Lets take the example of Education & guidance. We can have 3 levels of objectives and activities

37. SAMM Conducting assessments
SAMM includes assessment worksheets for each Security Practice
SAMM includes assessment worksheets for each Security Practice based on the levels.

38. SAMM Creating Scorecards
We can gap analysis and create on going metrics. This a sample chart which shows metrics for before and after for each business functions.
Gap analysis
Capturing scores from detailed assessments versus expected performance levels
Demonstrating improvement
Capturing scores from before and after an iteration of assurance program build-out
Ongoing measurement
Capturing scores over consistent time frames for an assurance program that is already in place

39. Process perspective: Build Security in the SDLC
The question is how can we build security in our SDLC process? How can we map SAMM to an organization SDLC process? Here is a proposed design of how we can have a secure SDLC in an organization. At preliminary requirement phase we also have a high level Risk assessment. In project requirements phase we clearly define security requirements. In design phase we add Threat modeling, Security architecture review and high level security test planning. In development phase we add peer code review, static and dynamic code review and security unit tests. We also need to make sure people who are doing code review are also trained to do code review. In QA testing phase we add security tests, functional tests, risk driven tests, system tests, white box tests and black box tests.
Black-box test design treats the system as a "black-box", so it doesn't explicitly use knowledge of the internal structure. Black-box test design is usually described as focusing on testing functional requirements.
White-box test design allows one to peek inside the "box", and it focuses specifically on using internal knowledge of the software to guide the selection of test data.
In security configuration and deployment phase we have secure configuration and secure deployment. In Secure operations phase we have incident management and patch management. Last but not the least we have on going training, awareness, metrics and measurements.

41. Threat Modeling-An approach for analyzing the security
Data movement across a trust boundary (such as from the Internet to the web tier, or from the business logic to the database server), needs to be carefully analyzed, whereas data that flows within the same trust level does not need as much scrutiny.

42. Threat Categorization - Stride
Threats can be systematically identified in the application in a structured and repeatable manner
Spoofing
Tampering
Repudiation
Information disclosure
Denial of service
Elevation of privilege

43. Threat Categorization (cont)
Types
Examples
Security Control
Spoofing
Illegally access and use another user's credentials
Authentication
Tampering
Maliciously change/modify persistent data, such as data in a database
Integrity
Repudiation
Perform illegal operations that lacks the ability to trace
Non-Repudiation
Information disclosure
Read a file that one was not granted access to, or read data in transit
Confidentiality
Denial of service
Deny access to valid users, such as making a web server temporarily unavailable or unusable
Availability
Elevation of privilege
Gain unauthorized access or compromise a system
Authorization

45. Training topics Security Scanning of Web Applications OWASP Top 10
Threat Modeling
Source code Review for Security
Code Scanning for Security
PCI DSS and PA-DSS certification
Security issues in various UI frameworks
Web Server and Application server hardening
Click Jacking
Phishing Attack
OWASP Live CD Tools project
Identify and test security issues for QA
Web Services Security
Security for Internationalized software
Security awareness and training is the key to building secure applications.
1.1  OWASP Top 10
This will include identifying critical issues and remediation. A discussion on Enterprise security API’s by OWASP
Cross Site Scripting
Injection Flaws
Malicious File Execution
Insecure Direct Object Reference
Cross Site Request Forgery (CSRF)
Information Leakage and Improper Error Handling
Broken Authentication and Session Management
Insecure Cryptographic Storage
Insecure Communications
Failure to Restrict URL Access
1.2 Vulnerability Scanning
Open Source Tools
W3AF by OWASP
Paros Proxy by OWASP
Commercial Tools
Web Inspect by HP
IBM Rational App Scan
Threat Modeling
Threat modeling is essentially a structured representation of all the information that affects the security of an application. In essence, it is a view of the application and its environment through security glasses. Threat modeling enables informed decision-making about application security risk. In addition to producing a model, typical threat modeling efforts also produce a prioritized list of security improvements to the concept, requirements, design, or implementation. Threat Modeling is a technique that we can use to identify ATVS (attacks, threats, vulnerabilities and safeguards) that could affect web applications. Threat Modeling helps in designing application securely from a confidentiality, integrity, availability, authentication, authorization and auditing perspective. It is an essential activity to be undertaken during the design stage of SDLC and helps mitigate and minimize overall risk.
Discuss Microsoft SDL (Security Development Lifecycle) Threat Modeling tool. Following is an outline of a generic methodology for Threat Modeling:
o        Assessment Scope
o        System Modeling
o        Identify Threats
o        Identify Vulnerabilities
o        Examining the Threat History
o        Evaluation or Impact on the Business
o        Developing a Security Threat Response Plan
Source code Review for Security
Code review is probably the single-most effective technique for identifying security flaws. Security code review is the process of auditing the source code for an application to verify that the proper security controls are present, that they work as intended, and that they have been invoked in all the right places.
Security code review is a method of assuring application developers are following secure development techniques.
Tools can be used to perform this task but they always need human verification. Tools do not understand context, which is the keystone of security code review. Tools are good at assessing large amounts of code and pointing out possible issues but a person needs to verify every single result to determine if it is a real issue, if it is actually exploitable, and calculate the risk to the enterprise.
Human reviewers are also necessary to fill in for the significant blind spots where automated tools simply cannot check.
Code Scanning for Security
A discussion on source code scanning which does static analysis of the code and find vulnerabilities. Explore commercial and open source code scanning tool.
PCI DSS and PA - DSS certification
A continued discussion on PCI and PA-DSS requirements for successful auditing.
Identification and remediation of security issues in Adobe Flex applications
A discussion on Security scanning for Flex application. Explore open source and commercial tools for security scanning for Flex application. Go over security issues in Flex application and remediation.
Web Server and Application server hardening
Web server and application server configurations play a key role in the security of a web application. These servers are responsible for serving content and invoking applications that generate content. In addition, many application servers provide a number of services that web applications can use, including data storage, directory services, mail, messaging, and more. Failure to manage the proper configuration of servers can lead to a wide variety of security problems.
o        Unpatched security flaws in the server software
o        Server software flaws or misconfigurations that permit directory listing and directory traversal attacks
o        Unnecessary default, backup, or sample files, including scripts, applications, configuration files, and web pages
o        Improper file and directory permissions
o        Unnecessary services enabled, including content management and remote administration
o        Default accounts with their default passwords
o        Administrative or debugging functions that are enabled or accessible
o        Overly informative error messages
o        Misconfigured SSL certificates and encryption settings
o        Use of self-signed certificates to achieve authentication and man-in-the-middle protection
o        Use of default certificates
o        Improper authentication with external systems Click Jacking
Clickjacking, also known as a UI Redress Attack, is when an attacker uses multiple (often transparent) layers so when a user clicks on an area of the web page they are inadvertently clicking on a button or link on another page.
Using the same technique, keystrokes can also be hijacked, so a user believes they are typing in their password to their or their bank account, but in reality they are typing into an invisible frame, possibly controlled by the attacker.
Phishing Attack
Phishing attacks are one of the highest visibility problems for banking and e-commerce sites, with the potential to destroy a customer’s livelihood and credit rating. Phishing is misrepresentation where the criminal uses social engineering to appear as a trusted identity. They leverage the trust to gain valuable information; usually details of accounts, or enough information to open accounts, obtain loans, or buy goods through e-commerce sites.
Up to 5% of users seem to be lured into these attacks, so it can be quite profitable for scammers – many of whom send millions of scam s a day.
Identify and test security issues for QA (Targeted to QA group)
A discussion on how to test Web applications Security by the QA group. A demo of different tools to facilitate testing and identifying security issues.
OWASP Live CD Tools project
A discussion on OWASP Live CD security tools project. How to use these tools to identify security issues
Web Services Security
This will include a discussion on Web Services vulnerabilities, WS Security and security scanning for Web Services.
Security for Internationalized software
This will include discussion targeting special security issues in internationalized applications and the additional threat that this might expose us, as an example allowing Spanish or Chinese characters into the system and the challenge this might pose to the system.

46. ???
Since no customer is complaining, why an organization needs to fix security vulnerabilities in their applications?
Compliance
In case of security breech
Fines
Reputation Loss - Priceless

47. ???
What do we do if application is already in production and it has missed that phase of security?
What do we do if our application is already in production and it has missed that phase of security?
It's never too late and never too early. It is a continuous process...
Penetration testing and security code review is the key.
We must fix security leaks and vulnerabilities.
It's never too late and never too early. It is a continuous process...
Penetration testing and security code review is the key.
We must fix security leaks and vulnerabilities.

48. ??? Security Code Review Value of mentoring is enormous
What will help?
Leverage OWASP
Security Code Review
Value of mentoring is enormous
Application scanning and code scanning using static analysis tools
Web application security part of the SDLC process
Secure code development training
Train QA to find security issues in the application
What can we do in our organization that will help?
Leverage OWASP
Security Code Review is very important
Value of mentoring is enormous
Application scanning and code scanning using static analysis tools will find lots of issues
Web application security part of the SDLC process
Secure code development training is important
Train QA to find security issues in the application

49. Make Security part of the SDLC process
If you cannot remember anything we discussed so far just remember one thing: “Make security part of the SDLC process”
As an organization we will significantly reduce risk of our applications being attacked and compromised by attackers! Be Safe!