Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Make Codebases Secure with OWASP

Merab Tato Kutalia
April 27, 2022
Programming
0
150

Make Codebases Secure with OWASP

What are the guidelines we have to follow in order to bring more security to our apps and users? What is OWASP? What is OWASP Top 10, OWASP MSTG? What tools can we use to monitor and prevent issues even before we ship the application? How to apply those practices to CI/CD pipeline. All these questions will be covered in this talk

Merab Tato Kutalia

April 27, 2022
Tweet

More Decks by Merab Tato Kutalia

See All by Merab Tato Kutalia
What's new in Android 14?
tatocaster
0
110
Migrate to Gradle version catalog and convention plugins
tatocaster
2
1.6k
Secure Coding Standards
tatocaster
0
120
ტანგო ანდროიდთან
tatocaster
0
140
Adopting Huawei Mobile Services
tatocaster
0
35
Android UI Testing & Challenges
tatocaster
0
54
Reverse & Inject - droidcon
tatocaster
3
200
mobile DevOps
tatocaster
1
77
Android Reverse Engineering and Analysis - OWASP Tbilisi
tatocaster
1
180

Other Decks in Programming

See All in Programming
Elm Form Validation
bkuhlmann
0
510
エンターテイメント業界で利用されるAWS
demuyan
0
210
Blue/Greenデプロイの導入による 運用フローの改善
kudoas
1
370
[技育CAMPアカデミア]アイディアを形に!【超入門】スマホアプリ開発〜リリースまでの流れをご紹介
teamlab
PRO
0
370
Zero Waste, Radical Magic, and Italian Graft – Quarkus Efficiency Secrets
hollycummins
0
230
Behind VS Code Extensions for JavaScript / TypeScript Linnting and Formatting
unvalley
5
910
Build Apps for iOS, Android & Desktop in 100% Kotlin With Compose Multiplatform (mDevCamp 2024)
zsmb
0
320
MicrosoftのPlatform Engineeringガイドを読んで実際になにかやってみた
ymd65536
1
320
ゆるい個人開発のススメ
kuroppe1819
10
990
dbtのドメイン分割による データ基盤の改善とDigdagとの連携
sakama
0
250
#phpcon_odawara オープン・クローズドなテストフィクスチャを求めて / open closed test fixtures
77web
3
230
Rubyでたのしむクリエイティブコーディング/Enjoy Creative coding with Ruby
chobishiba
1
180

Featured

See All Featured
Designing on Purpose - Digital PM Summit 2013
jponch
110
6.5k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
155
14k
Become a Pro
speakerdeck
PRO
11
4.5k
Building Your Own Lightsaber
phodgson
99
5.7k
Thoughts on Productivity
jonyablonski
58
3.8k
Writing Fast Ruby
sferik
621
60k
Navigating Team Friction
lara
178
13k
jQuery: Nuts, Bolts and Bling
dougneiner
59
7.1k
RailsConf 2023
tenderlove
4
540
How to name files
jennybc
65
93k
Mobile First: as difficult as doing things right
swwweet
216
8.6k
The Straight Up "How To Draw Better" Workshop
denniskardys
227
130k

Transcript

  1. Make Codebases Secure with OWASP Merab Tato Kutalia Android GDE

    @ Choco @TatoKutalia

  2. Secure Software • managing access control • data protection •

    protection against vulnerabilities

  3. Secure Coding Standards

  4. What is the Secure Coding Standards? Secure coding standards are

    rules and guidelines used to prevent security vulnerabilities. Used effectively, these security standards prevent, detect, and eliminate errors that could compromise software security.

  5. Why we need to care? • leaking user data •

    reputation loss • unsafe development processes

  6. What to do? • Follow the standards and best practices

    from the programming language and platform developers • JVM • Android • Apple/iOS

  7. What to do? • Follow the standards and best practices

    from the programming language and platform developers • JVM • Android • Apple/iOS • OWASP Top 10 (Mobile) • CVE - is a list of publicly disclosed cybersecurity vulnerabilities that is free to search, use, and incorporate into products and services • CERT - Computer Emergency Readiness Team

  8. OWASP The Open Web Application Security Project • Tools and

    Resources • Community and Networking • Education & Training

  9. OWASP Top 10 Mobile • M1: Improper Platform Usage •

    M2: Insecure Data Storage • M3: Insecure Communication • M4: Insecure Authentication • M5: Insufficient Cryptography • M6: Insecure Authorization • M7: Client Code Quality • M8: Code Tampering • M9: Reverse Engineering • M10: Extraneous Functionality

  10. The OWASP MASVS (Mobile Application Security Verification Standard) Industry standard

    for mobile app security. https://docs.google.com/spreadsheets/d/1MZIvJ5Aze-zpyzLvQZVwyzF0bKWRPfnEd7nqFeH2 PfA/edit#gid=997157040 https://github.com/OWASP/owasp-masvs

  11. OWASP Mobile Application Security Testing Guide (MASTG) Security standards for

    the modern mobile applications. tools and techniques. security checklist https://owasp.org/www-project-mobile-security-testing-guide/ https://github.com/OWASP/owasp-mstg

  12. OWASP dependency check Supported on all platforms Checks 3rd party

    libraries from our project into public database, assigns the score and generates the report. (including the transitive dependencies) Depending on our projects domain and platform we need to analyze the report may include false-positives*

  13. OWASP dependencyCheck Android 🐠

  14. Gradle setup • project and app-level gradle

  15. Advanced setup

  16. Report

  17. CVSS=Common Vulnerability Scoring System

  18. Thanks