Slide 1

Make Codebases Secure with OWASP
Merab Tato Kutalia, Android GDE @ Choco, @TatoKutalia

Slide 2

Secure Software
● managing access control
● data protection
● protection against vulnerabilities

Slide 3

Secure Coding Standards

Slide 4

What are Secure Coding Standards?
Secure coding standards are rules and guidelines used to prevent security vulnerabilities. Used effectively, these security standards prevent, detect, and eliminate errors that could compromise software security.

Slide 5

Why do we need to care?
● leaking user data
● reputation loss
● unsafe development processes

Slide 6

What to do?
● Follow the standards and best practices from the programming language and platform developers
  ● JVM
  ● Android
  ● Apple/iOS

Slide 7

What to do?
● Follow the standards and best practices from the programming language and platform developers
  ● JVM
  ● Android
  ● Apple/iOS
● OWASP Top 10 (Mobile)
● CVE: a list of publicly disclosed cybersecurity vulnerabilities that is free to search, use, and incorporate into products and services
● CERT: Computer Emergency Readiness Team

Slide 8

OWASP: The Open Web Application Security Project
● Tools and Resources
● Community and Networking
● Education & Training

Slide 9

OWASP Top 10 Mobile
● M1: Improper Platform Usage
● M2: Insecure Data Storage
● M3: Insecure Communication
● M4: Insecure Authentication
● M5: Insufficient Cryptography
● M6: Insecure Authorization
● M7: Client Code Quality
● M8: Code Tampering
● M9: Reverse Engineering
● M10: Extraneous Functionality

Slide 10

The OWASP MASVS (Mobile Application Security Verification Standard)
Industry standard for mobile app security.
https://docs.google.com/spreadsheets/d/1MZIvJ5Aze-zpyzLvQZVwyzF0bKWRPfnEd7nqFeH2PfA/edit#gid=997157040
https://github.com/OWASP/owasp-masvs

Slide 11

OWASP Mobile Application Security Testing Guide (MASTG)
● Security standards for modern mobile applications
● Tools and techniques
● Security checklist
https://owasp.org/www-project-mobile-security-testing-guide/
https://github.com/OWASP/owasp-mstg

Slide 12

OWASP Dependency-Check
● Supported on all platforms
● Checks the 3rd-party libraries of our project (including transitive dependencies) against a public vulnerability database, assigns a score and generates a report
● Depending on our project's domain and platform, we need to analyze the report: it may include false positives*

Slide 13

OWASP dependencyCheck Android 🐠

Slide 14

Gradle setup
● project- and app-level Gradle files

Slide 15

Advanced setup

Slide 16

Report

Slide 17

CVSS = Common Vulnerability Scoring System
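An added example, not taken from the talk, of the app-level Gradle setup that the dependency-check, Gradle setup, Advanced setup and CVSS slides describe, using the OWASP dependency-check Gradle plugin in an Android app module. The plugin version is a placeholder, and the CVSS threshold, scanned configuration and suppression-file path are assumptions chosen for illustration.

```groovy
// app/build.gradle (app-level). Example setup, not the talk's own code.
plugins {
    id 'com.android.application'
    // Placeholder: pin to the plugin version used in your project.
    id 'org.owasp.dependencycheck' version '<plugin-version>'
}

dependencyCheck {
    // Assumption: scan only what ships in the release APK. Scanning every
    // configuration would also pull in debug/test-only libraries and
    // inflate the report with findings that never reach users.
    scanConfigurations = ['releaseRuntimeClasspath']

    // Fail the build when any dependency carries a CVSS score of 7.0 or
    // higher (High/Critical). The plugin default is 11, i.e. never fail,
    // so without this line the report is informational only.
    failBuildOnCVSS = 7.0f

    // HTML for humans reading the report, JSON for CI tooling to parse.
    formats = ['HTML', 'JSON']

    // Reviewed false positives (the asterisk on the dependency-check slide)
    // are recorded in a suppression file with a note explaining why, so the
    // decision is versioned alongside the code instead of living in
    // someone's head. Path is an assumption.
    suppressionFile = 'config/dependency-check-suppressions.xml'

    analyzers {
        // .NET assembly analysis is irrelevant to an Android project and
        // only adds scan time.
        assemblyEnabled = false
    }
}
```

Run `./gradlew dependencyCheckAnalyze` (or `dependencyCheckAggregate` from the root of a multi-module project) and open the generated HTML report under the module's `build/reports` directory; with the threshold above, a High or Critical CVSS finding fails the build until it is either upgraded away or consciously suppressed.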

Slide 18

Thanks