
T1 03 OWASP ASVS - Panagiotis Yialouris

BSides Athens · 2016 · 30:30 · 159 views · Published 2016-07
Speaker: Panagiotis Yialouris
Tags: Category: Technical · Topic: OWASP · Style: Talk
Mentioned in this talk: Standard
Transcript [en]

This talk is about a source code review project that was based on OWASP ASVS level 3. A few words about myself: I'm a security consultant and penetration tester, also doing mobile testing, and I'm happy to be here today. So, let's talk about what the project was about.

Last year we finished a source code review project. It was based on the OWASP ASVS. Basically, it was focusing on a European Union system, with a Java technology stack, and the final scope was more than 900,000 lines of code. Not the biggest, but more than enough to keep us busy. So, what about the project challenges? First of all, at least for me, it was the complexity of the business logic of the system. As you probably know, if you have some experience with such systems, there is a lot of regulation implemented throughout the system, so for an outsider like us it's really hard and really difficult to follow all those business processes. As you can see, [unclear], so we expected many findings. Another challenge was that the project started like ten years ago without any security guidelines or requirements and without any view of application security, so I think this is another reason to expect many findings to be present.

So, the security posture of the system in terms of findings: about thirty-four categories of findings were identified in the final report, [unclear] of them of high severity. With regard to the CWE top 25, there were twenty categories of CWE present in the project, and also, calculated from the ASVS rows that passed or failed, the majority of the controls failed. So we can see that a lot of requirements were not met. This is the part about the methodology we applied, and later on in this talk we break down the static analysis and the manual review.

The methodology we applied to do the source code review: the first step of the process was about the security requirements, first in order to define what the level should be and then to agree on the framework to be reviewed against. In the next step it was the realization of a threat model of the application in order to get the assets and put them into the process. For the review there were two phases, automated and manual review, meaning that there was a commercially available product and also a manual review with the development department, and also the grading of the findings according to CVSS; the findings assessed were addressed against the ASVS. Probably most of you have heard about it; the abbreviation stands for Application Security Verification Standard. This framework was developed by OWASP and provides guidelines on security verification in order to review modern web applications in terms of security. So what I like about the ASVS is that it provides a set of security requirements that can be utilized as the security requirements, generic across [unclear], so in this manner application owners and development teams may be able to provide the appropriate level of security and confidence for the commonly known problems we usually have to face in our applications today.

Mostly the ASVS focuses on the following categories [unclear]. There are different rows across this framework in order to elaborate a security level, and it provides requirements in different sets at different levels. Lately there was an update of the ASVS, and in the latest version the last categories, on web services and configuration, were also added to the categories of the previous version.

In terms of levels, we can say that the framework provides three. The first level is the minimum level required for applications to be assessed, and usually level one indicates requirements that can be assessed by a penetration test or an automated assessment. Usually level one reflects controls in place focusing on attacks of low effort; it's more an opportunistic level of security provided. Level two is the standard level: it provides an adequate level of defense across the system. This is for business applications with some sensitive functionality, and the controls in place there are focusing on some more skilled attacks and techniques and also some highly popular tools in the security picture of today. After that, level 3 provides a greater level of verification: there are some very pervasive and very detailed security controls that should be verified, and usually this level of the framework applies to mission-critical systems, for example military applications, and in general level 3 applies to any system where the failure of the system would cause a major loss. So if you really want to go through a security assessment and get a full view of the system's security, you should prefer level 3. That said, there is a very exhaustive list of requirements to be met, so penetration testing is not enough in order to assess all the requirements of the framework; in addition to the source code review, the consultants consider the design, the architecture, the threat model and the security configuration as well, and there are also workshops and discussions with the development team in order to make sure that everything is verified and all the controls are assessed properly. In this manner, project documentation is also a resource under consideration and it will be required to support the review.

So, what we did first was the threat model. It was about identifying crucial information for the organization, the CIA [confidentiality, integrity, availability] losses [unclear], and what we requested in the threat model document: the programmatic parts of the application such as the directory structure, the documentation, the different components and the different subsystems. Through the model the assets were also identified, the trust levels across the system were verified, and the business processes were actually put in data flow diagrams with information on the entry points and the flow from the user back to the database. There were also, based on the host-based [unclear], trust boundaries defined, the trust levels and the data flow, so from the threat model we were ready to know the components and the data flow.

The first part of the review was the static code analysis. There were some commercial tools utilized for that. It's difficult work, and I know that the [unclear] finds an added value in the commercial tools, since they are constructed to apply the process [unclear]. So what we can gain from this part of the process is to have a big picture of the security posture, and based on the report of the automated tools we can know more or less what we should expect from the manual review to come later. Based on the results that we received from the automated tools, we can consider that automation is able to give a good sum-up of massive instances of very easy and low-hanging fruit findings, which reflect low-effort findings such as things like XML schema issues [unclear], hard-coded [unclear] and deprecated APIs. So this part of the process is very well facilitated by the automated tools. In terms of the time itself, in an estimation of the findings of the project, we can say that the automated tools gave about ten percent of the total findings; however, they were not [unclear] and some low-hanging fruits. Through the process, as we said, there were no high CVSS categories identified by the tools; also we knew that business logic vulnerabilities weren't about to be identified by the tools. Also, an important part of the process with the automated tools is that, as you probably know, most of them provide a huge amount of false positives. So in terms of the effort estimation, [unclear] we expected about ten percent of the effort to be spent just to make sure that everything is verified and not a false positive, and the automation findings were verified.

Going back to what we identified through the process of the project: the automation report actually displaced our focus to specific vulnerable parts of the system, and in general there were several findings reported; however, [unclear] vulnerable parts of the system where nothing was reported were identified later during manual review, as pieces that were missed by the tools. So for example, in the first case [unclear] a heavy use of [unclear] across the code, and in the second case a functionality that would respond with plain text to the user, [unclear] which the ASVS flags. So, for the last part of the process, here we describe what we have done for the manual review and how the process was followed in order to provide results and integrate the findings.

Going through a static manual review of the code in ASVS level 3 is more or less like a mosaic investigation: you spend time to collect the pieces from the bottom up, so you try to do that from your own perspective, on one aspect, or you will be able to utilize external information [unclear]. In this manner there were also required workshops, interviews and heavy assistance and collaboration with the development team of the project in order to verify findings and identify potential issues, presented in different phases of the project.

As for the execution, there are preparatory steps. As we said, there is very complex regulation and complex rules of logic in the business of the system, so the first part is that we had to perform a study on the business concepts of the system, to make sure that we clearly understand everything we see later in the code and to make our effort more efficient in terms of assessing the flow across the system. There is also a second part, focusing on the documentation of the project, with quite a special focus on the use case diagrams and the class diagrams; we need to have those in order to make sure that we follow what is provided by the use cases and the classes designed by the [unclear]. We take these two steps as an introduction to go through the project and the threat model. Also, it's a good practice to go through the coding standards and practices; this is about discussing the practices and approaches of implementing, and also to consider data sensitivity, if any is defined, and security classification; data sensitivity and security classification are quite important for the level 3 controls of the framework and allow you to map this kind of classification. And before starting to do anything, actually, it is very important to go through the technology-specific guidelines and also investigate the functionality of the technology stack involved in the project. So as a first step it is a very good choice to collect all the necessary third-party libraries and dependencies of the project and perform an investigation to see how it stands from another perspective, to identify anything that is vulnerable. Also, as we said, it's good practice to utilize the static analysis tools available across the code, and this will be done in the first phase, to get the security posture of the application. Then we can start to utilize the diagrams of the threat model in order to iterate through the data flows, identify the entry points and start the review. And finally, as many projects like that are quite complex in terms of business and functionality, it's a good practice to prioritize the DFDs according to complexity, just to make sure that you have momentum in the project and are able to start with some more feasible and simpler cases to review. This is also important because you will probably be working with different teams of developers; for example, some teams will do the front end and some others will be responsible for the back end. So, if you are working with more than one reviewer, you can focus on functionality in order to assign a particular auditor to a particular development team, so that the collaboration is more natural.

For the review you can utilize the development environment, so in this manner the assessor is able to use the navigation features and identify critical relationships, to make sure that the flow is followed, and also to identify classes and perform an exhaustive inspection of the parts of the input, depending on the kind of code that you have to review. This is an important part of the process; I mean, if you're not sure about the code applied and the data in the artifacts of the project, also the different parameters and different variable names can be utilized. For example, what we identified is that everything [unclear]: whatever you see, the same pattern repeats, so since we had seen that two or three times we were starting to see it everywhere in the JSPs. And so there were also identified regular expressions that could be utilized to quickly identify findings across the code. An approach also for the ASVS requirements was to parse the configuration of the technology stack, for example the struts-config XML or the web.xml, in order to perform a check for the corresponding requirements of ASVS, and even better [unclear] as a first step, and also manual verification for the source code review process. There are also open workshops with the development team in order to make sure that everything is covered and everything is verified; anything that is not verified is reported as not meeting the ASVS requirement, and this is an issue for the report. This is also recommended in level three. It's also good practice to maintain the security picture of the system by continuously monitoring the ASVS in terms of updates, and [unclear] implement bug fixing and further the requirements.

Also, what was identified in this part of the process is that previously identified vulnerabilities of a major [unclear] were propagating into the next release through the code of the development team. So to conclude on that, I'd say that ASVS level three is a good indicator in order to have a good security picture of the system, and this should be done through source code review, as penetration testing activities are not enough, since most of the controls of level 3 are not penetration testing artifacts. Also, the security documentation can provide useful information for the security review; this is mostly diagrams and the threat model. Another point: at the conclusion of the project it is a good practice to deliver a set of the identified issues to the development team in order to perform [unclear] and to support the remediation, since you would be learning even more about the system throughout the project. And the last thing: security is better and easier when integrated in an early manner. This is mostly related to the level 3 phase, because level 3 requires very pervasive and detailed controls, and most of the controls in a legacy project will be very difficult to implement, or some of them even impossible, just because they should have been considered beforehand during the design and requirements phase of development. So this is it.
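The two techniques the speaker describes for a Java stack, parsing descriptors such as web.xml to check configuration-level requirements of the kind ASVS verifies, and sweeping the JSPs with a regular expression once a bad pattern has been seen a few times, can be scripted. The following is an added example written for this page; it is not the speaker's code or the project's tooling, and it does not use real ASVS requirement numbers. The web.xml and JSP fragments are constructed inline, the 30-minute session timeout threshold is an assumed policy value, and the check identifiers are illustrative names chosen here.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample deployment descriptor (not from the talk's project).
# It has a long timeout, HttpOnly but no Secure flag, and only a 404 page.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config>
    <session-timeout>480</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
    </cookie-config>
  </session-config>
  <error-page>
    <error-code>404</error-code>
    <location>/notfound.jsp</location>
  </error-page>
</web-app>
"""

# Constructed JSP fragments keyed by file name. search.jsp echoes a
# request parameter unescaped; profile.jsp uses JSTL c:out, which encodes.
JSP_FILES = {
    "search.jsp": (
        "<html><body>\n"
        'Results for: <%= request.getParameter("q") %>\n'
        "</body></html>\n"
    ),
    "profile.jsp": (
        '<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>\n'
        'Hello <c:out value="${param.name}"/>\n'
    ),
}

MAX_SESSION_TIMEOUT_MIN = 30  # assumed policy threshold, not an ASVS number


def _local(tag):
    """Strip the XML namespace so tags can be compared by local name."""
    return tag.rsplit("}", 1)[-1]


def _text(elem, path):
    """Follow a chain of child local-names under elem; return text or None."""
    node = elem
    for name in path:
        node = next((c for c in node if _local(c.tag) == name), None)
        if node is None:
            return None
    return (node.text or "").strip()


def parse_web_xml(text):
    """Extract the session and error-page settings the checks care about."""
    root = ET.fromstring(text)
    timeout = _text(root, ["session-config", "session-timeout"])
    catch_all = False
    for ep in root:
        if _local(ep.tag) != "error-page":
            continue
        exc = _text(ep, ["exception-type"])
        code = _text(ep, ["error-code"])
        # Servlet 3.0: an error-page with neither code nor type is the default
        # page; java.lang.Throwable is the explicit catch-all.
        if exc == "java.lang.Throwable" or (exc is None and code is None):
            catch_all = True
    return {
        "session_timeout": int(timeout) if timeout is not None else None,
        "http_only": _text(root, ["session-config", "cookie-config", "http-only"]),
        "secure": _text(root, ["session-config", "cookie-config", "secure"]),
        "catch_all_error_page": catch_all,
    }


def check_web_xml(settings):
    """Return (check_id, message) pairs for every setting that fails."""
    findings = []
    t = settings["session_timeout"]
    if t is None or t <= 0:
        findings.append(("session-timeout", "no finite session timeout configured"))
    elif t > MAX_SESSION_TIMEOUT_MIN:
        findings.append(("session-timeout",
                         f"session timeout {t} min exceeds {MAX_SESSION_TIMEOUT_MIN}"))
    if settings["http_only"] != "true":
        findings.append(("cookie-httponly", "session cookie not marked HttpOnly"))
    if settings["secure"] != "true":
        findings.append(("cookie-secure", "session cookie not marked Secure"))
    if not settings["catch_all_error_page"]:
        findings.append(("error-page",
                         "no catch-all error page; container default may leak details"))
    return findings


# JSP expression tag that emits a request parameter without any encoding.
UNESCAPED_PARAM = re.compile(r"<%=\s*[^%]*request\.getParameter\s*\(")


def scan_jsp(files):
    """Return (file, line number, line) for each unescaped parameter echo."""
    hits = []
    for name, body in files.items():
        for lineno, line in enumerate(body.splitlines(), 1):
            if UNESCAPED_PARAM.search(line):
                hits.append((name, lineno, line.strip()))
    return hits


if __name__ == "__main__":
    for check_id, msg in check_web_xml(parse_web_xml(WEB_XML)):
        print(f"web.xml [{check_id}] {msg}")
    for name, lineno, line in scan_jsp(JSP_FILES):
        print(f"{name}:{lineno}: unescaped parameter output: {line}")
```

A pass through the descriptor is only a first filter, as the speaker says: a configured Secure flag does not prove the cookie is actually issued that way by every filter and framework in the stack, and a grep hit in a JSP still has to be confirmed by reading the surrounding code, so each hit is a candidate for the manual review rather than a finding.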