Secure Software Development

Transcript

1. Secure Software Development Jorge Gaona (@pollirrata) Enterprise Architect @ Tiempo

   Development Client Solutions Architect @ e-nnovare

2. What´s security? • Protecting data and information from unauthorized access

   • Ensuring access to authorized entities • Trusting your data is what you think it is

3. Impact Security Availability Privacy Reliability Safety Compliance

4. Characteristics Confidentiality Integrity Availability Authentication Authorization Non- repudiation supported by

5. Mb + Pb > Ocp + OcmPaPc • Mb is

   the monetary benefit for the attacker. • Pb is the psychological benefit for the attacker. • Ocp is the cost of committing the crime. • Ocm is the monetary costs of conviction for the attacker. • Pa is the probability of being apprehended and arrested. • Pc is the probability of conviction for the attacker.

6. Ratio Emojis: https://commons.wikimedia.org 10 80 10 %

7. Risks Avoidance Acceptance Mitigation Transfer Residual

8. User Attack Surface • Amount of code • Number of

   inputs • Number of services • Number of open communication ports • Is your user stupid? (errors, social engineering, phishing) • Is your user evil? Application Attack Surface

9. Tactics

10. OWASP ASVS Provides developers with a list of requirements for

    secure development.
11. None
12. None

13. ASVS Example

14. Strategy

15. Can software kill us? https://www.mymovievault.com/img/backdrop/3htQsZfX1cbtevy7osGJDZVOQfE.jpg