Holistic InfoSec IoT Physical People Mobile Cloud VPS Network Web App Web App for Web Developers 

No content

5: Identify Risks? 

5: Identify Risks? 

5: Identify Risks? 

5: Identify Risks? 

5: Identify Risks? Defence in Depth 

5: Identify Risks? Security Thinking Up-front 

5: Identify Risks? 

5: Identify Risks? 

Requirements or design defect found via Product Backlog Item (PBI) collaboration Length of Feedback Cycle Cost Requirements or design defect found in Test Conditions Workshop Programming or design defect found via Pair Programming Programming defect found via Continuous Integration Programming or design defect found via Test Driven Development (T(B)DD) Requirements or design defect found via Stakeholder Participation Defect found via pair Developer Testing Defect found via Independent Review Requirements defect found via traditional Acceptance Testing Programming or design defect found via Pair Review Design defect found via traditional System Testing Programming defect found via traditional System Testing Security defect found via traditional external Penetration Testing 

Requirements or design defect found via Product Backlog Item (PBI) collaboration Length of Feedback Cycle Cost Requirements or design defect found in Test Conditions Workshop Programming or design defect found via Pair Programming Programming defect found via Continuous Integration Programming or design defect found via Test Driven Development (T(B)DD) Requirements or design defect found via Stakeholder Participation Defect found via pair Developer Testing Defect found via Independent Review Requirements defect found via traditional Acceptance Testing Programming or design defect found via Pair Review Design defect found via traditional System Testing Programming defect found via traditional System Testing Security defect found via Security Test Driven Development (STDD) 

5: Identify Risks? 

5: Identify Risks? But increasing quality has to be expensive right? 

5: Identify Risks? Nope! 

5: Identify Risks? Test condition workshop... 

5: Identify Risks? Test condition workshop... Given When Then There are no items in the shopping cart Customer clicks “Purchase” button for a book which is in stock 1 x book is added to shopping cart. Book is held - preventing selling it twice. “ Customer clicks “Purchase” button for a book which is not in stock Dialog with “Out of stock” message is displayed and offering customer option of putting book on back order. 

5: Identify Risks? Given When Then There are no items in the shopping cart User tries to downgrade TLS and the HSTS header is not sent by the server User should be redirected (response 301 status code) to the HTTPS site from the server “ User tries to downgrade TLS and the HSTS header is sent by the server User should be redirected to the HTTPS site from the browser (no HTTP traffic for sslstrip to tamper with) Test condition workshop... 

5: Identify Risks? Injection TLS Downgrade D-DOS? Easy to execute. Tricky to mitigate People in need of education 

5: Identify Risks? Q/A $ 

5: Identify Risks? 

5: Identify Risks? 

5: Identify Risks? People App IoT Mobile VPS Network Cloud Physical 

5: Identify Risks? Injection TLS Downgrade D-DOS? Easy to execute. Tricky to mitigate People in need of education Buffer Overflows 

5: Identify Risks? IoT Physical People Mobile Cloud VPS Network Web App 

1: Asset Identification 2: Identify Risks 3: Countermeasures 4: What risks does solution cause? 5: Costs and Trade-offs 

5: Identify Risks? https://github.com/binarymist/ HolisticInfoSec-For-WebDevelopers/ wiki 

1: Asset Identification 2: Identify Risks 3: Countermeasures 4: What risks does solution cause? 5: Costs and Trade-offs 

5: Identify Risks? 1: Asset Identification 

1: Asset Identification 2: Identify Risks 3: Countermeasures 4: What risks does solution cause? 5: Costs and Trade-offs 

5: Identify Risks? 2: Identify Risks 

5: Identify Risks? 2: Identify Risks Dependency 

5: Identify Risks? 2: Identify Risks Likelihood Threat Agent Factors ● Skill level ● Motive ● Opportunity ● Size 

5: Identify Risks? 2: Identify Risks Likelihood Vulnerability Factors ● Ease of discovery ● Ease of exploit ● Awareness ● Intrusion detection 

5: Identify Risks? 2: Identify Risks Impact Technical Factors ● Loss of confidentiality ● Loss of integrity ● Loss of availability ● Loss of accountability 

5: Identify Risks? 2: Identify Risks Impact Business Factors ● Financial damage ● Reputation damage ● Non-compliance ● Privacy violation 

5: Identify Risks? 2: Identify Risks Risk = Likelihood * Impact 

2: Identify Risks 

1: Asset Identification 2: Identify Risks 3: Countermeasures 4: What risks does solution cause? 5: Costs and Trade-offs 

No content

3: Countermeasures Break Your System 

1: Asset Identification 2: Identify Risks 3: Countermeasures 4: What risks does solution cause? 5: Costs and Trade-offs 

● Avoid Commercial ● Use Public-Domain 4: Risks that solution causes 

4: Risks that solution causes New Mitigated 

1: Asset Identification 2: Identify Risks 3: Countermeasures 4: What risks does solution cause? 5: Costs and Trade-offs 

5: Costs and Trade-offs Establish Value Loss of Convenience 

5: Costs and Trade-offs 

1: Asset Identification 2: Identify Risks 3: Countermeasures 4: What risks does solution cause? 5: Costs and Trade-offs 

5: Identify Risks? IoT Physical People Mobile Cloud VPS Network Web App 

5: Identify Risks? IoT Physical People Mobile Cloud VPS Network Web App 

5: Identify Risks? IoT Physical People Mobile Cloud VPS Network Web App 

5: Identify Risks? IoT Physical People Mobile Cloud VPS Network Web App 

5: Identify Risks? IoT Physical People Mobile Cloud VPS Network Web App 

5: Identify Risks? IoT Physical People Mobile Cloud VPS Network Web App 

5: Identify Risks? IoT Physical People Mobile Cloud VPS Network Web App 

5: Identify Risks? IoT Physical People Mobile Cloud VPS Network Web App 

Staying on Top 5: Costs and Trade-offs 

No content