
OWASP: What to read


Daniel Libanori

January 17, 2020


Transcript

  1. Risk
     A threat agent interacts with a system, which may have a vulnerability that can be exploited in order to cause an impact.

  2. Example
     A car burglar (threat agent) goes through a parking lot checking cars (the system) for unlocked doors (the vulnerability) and, when they find one, they open the door (the exploit) and take whatever is inside (the impact).

  3. Exploits
     • Input Validation
     • Output Encoding
     • Authentication and Password Management
     • Session Management
     • Access Control
     • Cryptographic Practices
     • Error Handling and Logging
     • Data Protection
     • Communication Security
     • System Configuration
     • Database Security
     • File Management
     • Memory Management
     • General Coding Practices

  4. OWASP Top 10 - 2017
     • Injection
     • Broken Authentication
     • Sensitive Data Exposure
     • XML External Entities (XXE)
     • Broken Access Control
     • Security Misconfiguration
     • Cross-Site Scripting (XSS)
     • Insecure Deserialization
     • Using Components with Known Vulnerabilities
     • Insufficient Logging & Monitoring

  5. SCR: why
     Secure code review is probably the single most effective technique for identifying security bugs early in the system development lifecycle. When used together with automated and manual penetration testing, code review can significantly increase the cost effectiveness of an application security verification effort.

  6. SCR: what it is
     Secure Code Review is an enhancement to the standard code review practice where the structure of the review process places security considerations, such as company security standards, at the forefront of the decision-making