Download - Dpc14 security as part of Quality Assurance
Security, a part of QA
My claim
In custom software, if you haven't properly tested it, it probably doesn't work. This goes for both functional and nonfunctional requirements.
Worse yet if you don't even know what 'it' is supposed to be.
Who is this then?
Boy Baukema Security Specialist @ Ibuildings.nl
Security what?
+ Senior Engineer
+ interest in WebAppSec
+ 4 hours a week R&D
+ internal training & consultancy
+ internal & external auditing
Okay, and you do this where?
Ibuildings.nl: web & mobile, 20+ devs, mostly PHP
You
developer, manager, executive
pentester, security consultant, ?
The plan
1. The journey
2. The holy grail
3. Riding off into the sunset
What is security anyway?
An assignment
Make security something I can sell, give managers a knob to turn
![Page 11: Dpc14 security as part of Quality Assurance](https://reader033.vdocuments.net/reader033/viewer/2022051816/545c76f3af7959be0e8b47de/html5/thumbnails/11.jpg)
OWASP ASVS
Open Web Application Security Project
Application Security Verification Standard
The ASVS matrix: columns Level 1, Level 2, Level 3; rows Chapter 1 (Requirement 1.1, Requirement 1.2, Requirement 1.3), Chapter 2 (Requirement 2.1, ...). An X marks each requirement under the verification levels at which it applies.
ASVS Levels (2013)
Level 0 - Bullshit compliance level (0)
Level 1 - Opportunistic (47)
Level 2 - Standard (136)
Level 3 - Advanced (164)
ASVS Chapters
V1. Authentication
V2. Session Management
V3. Access Control
V4. Input Validation
V5. Cryptography (at Rest)
V6. Error Handling and Logging
V7. Data Protection
V8. Communication Security
V9. HTTP Security
V10. Malicious Controls
V11. Business Logic
V12. Files and Resources
V13. Mobile
An example
V1.4. Verify that credentials and all other identity information handled by the application does not traverse unencrypted or weakly encrypted links. (Level 1, 2 & 3)
So how does this tie into QA?
First attempt
V2.7 Verify that the strength of any authentication credentials are sufficient to withstand attacks that are typical of the threats in the deployed environment. (OWASP ASVS 2009 Level 2)
AASVS, Scanners & A Report Generator
Enter ASVS 2013 (Beta)
Release any day now!
+ is for effort
… scope of the verification may go beyond the application’s custom-built code and include external components. Achieving a verification level under such scrutiny can be represented by annotating a “+” symbol to the verification level.
OWASP AASVS 2013
A plan for the future
OWASP SAMM