Security, a part of QA - OWASP€¦ · Security, a part of QA. In custom software, if you haven’t...
Transcript of Security, a part of QA - OWASP€¦ · Security, a part of QA. In custom software, if you haven’t...
![Page 1: Security, a part of QA - OWASP€¦ · Security, a part of QA. In custom software, if you haven’t properly tested it, it probably doesn’t work. This goes for both functional and](https://reader034.fdocuments.in/reader034/viewer/2022051918/600a3840b568bc2e2e0dcdf9/html5/thumbnails/1.jpg)
Security, a part of QA
![Page 2: Security, a part of QA - OWASP€¦ · Security, a part of QA. In custom software, if you haven’t properly tested it, it probably doesn’t work. This goes for both functional and](https://reader034.fdocuments.in/reader034/viewer/2022051918/600a3840b568bc2e2e0dcdf9/html5/thumbnails/2.jpg)
In custom software, if you haven’t properly tested it, it probably doesn’t work.This goes for both functional and nonfunctional requirements.
Worse yet if you don’t even know what ‘it’ is supposed to be.
My claim
![Page 3: Security, a part of QA - OWASP€¦ · Security, a part of QA. In custom software, if you haven’t properly tested it, it probably doesn’t work. This goes for both functional and](https://reader034.fdocuments.in/reader034/viewer/2022051918/600a3840b568bc2e2e0dcdf9/html5/thumbnails/3.jpg)
Who is this then?
Boy Baukema Security Specialist @ Ibuildings.nl
![Page 4: Security, a part of QA - OWASP€¦ · Security, a part of QA. In custom software, if you haven’t properly tested it, it probably doesn’t work. This goes for both functional and](https://reader034.fdocuments.in/reader034/viewer/2022051918/600a3840b568bc2e2e0dcdf9/html5/thumbnails/4.jpg)
Security what?
Senior Engineer+ interest in WebAppSec+ 4 hours a week R&D+ internal training & consultancy+ internal & external auditing
![Page 5: Security, a part of QA - OWASP€¦ · Security, a part of QA. In custom software, if you haven’t properly tested it, it probably doesn’t work. This goes for both functional and](https://reader034.fdocuments.in/reader034/viewer/2022051918/600a3840b568bc2e2e0dcdf9/html5/thumbnails/5.jpg)
Okay, and you do this where?
Ibuildings.nlweb & mobile, 20+ devs, mostly PHP
![Page 6: Security, a part of QA - OWASP€¦ · Security, a part of QA. In custom software, if you haven’t properly tested it, it probably doesn’t work. This goes for both functional and](https://reader034.fdocuments.in/reader034/viewer/2022051918/600a3840b568bc2e2e0dcdf9/html5/thumbnails/6.jpg)
You
developer, manager, executive
pentester, security consultant, ?
![Page 7: Security, a part of QA - OWASP€¦ · Security, a part of QA. In custom software, if you haven’t properly tested it, it probably doesn’t work. This goes for both functional and](https://reader034.fdocuments.in/reader034/viewer/2022051918/600a3840b568bc2e2e0dcdf9/html5/thumbnails/7.jpg)
The plan
1. The journey2. The holy grail3. Riding off into the sunset
![Page 8: Security, a part of QA - OWASP€¦ · Security, a part of QA. In custom software, if you haven’t properly tested it, it probably doesn’t work. This goes for both functional and](https://reader034.fdocuments.in/reader034/viewer/2022051918/600a3840b568bc2e2e0dcdf9/html5/thumbnails/8.jpg)
What is security anyway?
![Page 9: Security, a part of QA - OWASP€¦ · Security, a part of QA. In custom software, if you haven’t properly tested it, it probably doesn’t work. This goes for both functional and](https://reader034.fdocuments.in/reader034/viewer/2022051918/600a3840b568bc2e2e0dcdf9/html5/thumbnails/9.jpg)
![Page 10: Security, a part of QA - OWASP€¦ · Security, a part of QA. In custom software, if you haven’t properly tested it, it probably doesn’t work. This goes for both functional and](https://reader034.fdocuments.in/reader034/viewer/2022051918/600a3840b568bc2e2e0dcdf9/html5/thumbnails/10.jpg)
A assignment
Make security something I can sell,give managers a knob to turn
![Page 11: Security, a part of QA - OWASP€¦ · Security, a part of QA. In custom software, if you haven’t properly tested it, it probably doesn’t work. This goes for both functional and](https://reader034.fdocuments.in/reader034/viewer/2022051918/600a3840b568bc2e2e0dcdf9/html5/thumbnails/11.jpg)
OWASP ASVS
Open Web Application Security Project
Application Security Verification Standard
![Page 12: Security, a part of QA - OWASP€¦ · Security, a part of QA. In custom software, if you haven’t properly tested it, it probably doesn’t work. This goes for both functional and](https://reader034.fdocuments.in/reader034/viewer/2022051918/600a3840b568bc2e2e0dcdf9/html5/thumbnails/12.jpg)
Level 1 Level 2 Level 3
Chapter 1 Requirement 1.1 Requirement 1.2 Requirement 1.3
X XXX
XXX
Chapter 2 Requirement 2.1...
X
![Page 13: Security, a part of QA - OWASP€¦ · Security, a part of QA. In custom software, if you haven’t properly tested it, it probably doesn’t work. This goes for both functional and](https://reader034.fdocuments.in/reader034/viewer/2022051918/600a3840b568bc2e2e0dcdf9/html5/thumbnails/13.jpg)
ASVS Levels (2013)
Level 0 - Bullshit compliance level (0)Level 1 - Opportunistic (47)Level 2 - Standard (136)Level 3 - Advanced (164)
![Page 14: Security, a part of QA - OWASP€¦ · Security, a part of QA. In custom software, if you haven’t properly tested it, it probably doesn’t work. This goes for both functional and](https://reader034.fdocuments.in/reader034/viewer/2022051918/600a3840b568bc2e2e0dcdf9/html5/thumbnails/14.jpg)
V1. AuthenticationV2. Session ManagementV3. Access ControlV4. Input ValidationV5. Cryptography (at Rest)V6. Error Handling and LoggingV7. Data Protection
V8. Communication SecurityV9. HTTP SecurityV10. Malicious ControlsV11. Business LogicV12. Files and ResourcesV13. Mobile
ASVS Chapters
![Page 15: Security, a part of QA - OWASP€¦ · Security, a part of QA. In custom software, if you haven’t properly tested it, it probably doesn’t work. This goes for both functional and](https://reader034.fdocuments.in/reader034/viewer/2022051918/600a3840b568bc2e2e0dcdf9/html5/thumbnails/15.jpg)
An example
V1.4. Verify that credentials and all other identity information handled by the application does not traverse unencrypted or weakly encrypted links.(level 1, 2 & 3)
![Page 16: Security, a part of QA - OWASP€¦ · Security, a part of QA. In custom software, if you haven’t properly tested it, it probably doesn’t work. This goes for both functional and](https://reader034.fdocuments.in/reader034/viewer/2022051918/600a3840b568bc2e2e0dcdf9/html5/thumbnails/16.jpg)
So how does this tie into QA?
![Page 17: Security, a part of QA - OWASP€¦ · Security, a part of QA. In custom software, if you haven’t properly tested it, it probably doesn’t work. This goes for both functional and](https://reader034.fdocuments.in/reader034/viewer/2022051918/600a3840b568bc2e2e0dcdf9/html5/thumbnails/17.jpg)
First attempt
V2.7 Verify that the strength of any authentication credentials are sufficient to withstand attacks that are typical of the threats in the deployed environment.(OWASP ASVS 2009 Level 2)
![Page 18: Security, a part of QA - OWASP€¦ · Security, a part of QA. In custom software, if you haven’t properly tested it, it probably doesn’t work. This goes for both functional and](https://reader034.fdocuments.in/reader034/viewer/2022051918/600a3840b568bc2e2e0dcdf9/html5/thumbnails/18.jpg)
AASVS, Scanners & A Report Generator
![Page 19: Security, a part of QA - OWASP€¦ · Security, a part of QA. In custom software, if you haven’t properly tested it, it probably doesn’t work. This goes for both functional and](https://reader034.fdocuments.in/reader034/viewer/2022051918/600a3840b568bc2e2e0dcdf9/html5/thumbnails/19.jpg)
Enter ASVS 2013 (Beta)
Release any day now!
![Page 20: Security, a part of QA - OWASP€¦ · Security, a part of QA. In custom software, if you haven’t properly tested it, it probably doesn’t work. This goes for both functional and](https://reader034.fdocuments.in/reader034/viewer/2022051918/600a3840b568bc2e2e0dcdf9/html5/thumbnails/20.jpg)
+ is for effort
… scope of the verification may go beyond the application’s custom-built code and include external components. Achieving a verification level under such scrutiny can be represented by annotating a “+” symbol to the verification level.
![Page 21: Security, a part of QA - OWASP€¦ · Security, a part of QA. In custom software, if you haven’t properly tested it, it probably doesn’t work. This goes for both functional and](https://reader034.fdocuments.in/reader034/viewer/2022051918/600a3840b568bc2e2e0dcdf9/html5/thumbnails/21.jpg)
OWASP AASVS 2013
![Page 22: Security, a part of QA - OWASP€¦ · Security, a part of QA. In custom software, if you haven’t properly tested it, it probably doesn’t work. This goes for both functional and](https://reader034.fdocuments.in/reader034/viewer/2022051918/600a3840b568bc2e2e0dcdf9/html5/thumbnails/22.jpg)
A plan for the future
![Page 23: Security, a part of QA - OWASP€¦ · Security, a part of QA. In custom software, if you haven’t properly tested it, it probably doesn’t work. This goes for both functional and](https://reader034.fdocuments.in/reader034/viewer/2022051918/600a3840b568bc2e2e0dcdf9/html5/thumbnails/23.jpg)
OWASP SAMM