[OWASP Poland Day] Security knowledge framework
0 likes798 views
This document outlines an agenda for a presentation on the OWASP Security Knowledge Framework (SKF). The presentation introduces SKF and its goals of integrating security into the software development life cycle. It discusses how SKF provides guidance to developers on secure coding practices. The presentation demonstrates SKF and shows how it can be used with continuous integration tools. It encourages developers to get involved in making SKF widely adopted to help strengthen security across development teams.
[OWASP Poland Day] Security knowledge framework
- 1. Glenn ten Cate Riccardo ten Cate 1 Project leaders & Authors of OWASP-SKF
- 2. Agenda • Why? • Software (AND Security) development life cycle 2 Evil and automated ownage 2
- 3. Agenda • Why? • Software (AND Security) development life cycle 3 Developer, you are the one 3
- 4. Agenda • Why? • Software (AND Security) development life cycle 4 Coding mistakes, déjà vu. 4
- 5. Agenda • Why? • Software (AND Security) development life cycle 5 Barely hanging on … 5
- 6. Agenda • Why? • Software (AND Security) development life cycle 6 But there is always an option! 6
- 7. Agenda • Why? • Software (AND Security) development life cycle 7 There are ways to learn! 7
- 8. • Worldwide not-for-profit charitable. • Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks. 8
- 9. Agenda • Why? • Software (AND Security) development life cycle 9 Be responsible for your code. 9
- 10. Verify your code • ASVS lvl1 Opportunistic It adequately defends against application security vulnerabilities that are easy to discover. • ASVS lvl2 Standard It adequately defends against prevalent application security vulnerabilities whose existence poses moderate-to-serious risk. • ASVS lvl3 Advanced It adequately defends against all advanced application security vulnerabilities, and also demonstrates principles of good security design. 10
- 11. Agenda • Why? • Software (AND Security) development life cycle 11 And now the blind can see. 11
- 12. What is S.K.F • Guide to secure programming By adapting your design to security, not securing your design • Security awareness It informs you about threats even before you wrote a single line of code. • Clear and transparent Provides information applicable for your specific needs on the spot. 12
- 13. Demo 13
- 14. Agenda • Why? • Software (AND Security) development life cycle 14 You know this, you are ready. 14
- 15. SDLC MANUAL • OWASP-SKF • Software Development Life Cycle • Code review • SAST • DAST 15
- 16. SDLC CI • OWASP-SKF • Software Development Life Cycle • Travis CI • Coveralls CI • Scrutinizer CI • And more... 16
- 17. Agenda • Why? • Software (AND Security) development life cycle 17 GitHub • https://github.com/blabla1337/skf-flask 17
- 18. Agenda • Why? • Software (AND Security) development life cycle 18 GitHub • https://github.com/blabla1337/skf-flask 18
- 19. Agenda • Why? • Software (AND Security) development life cycle 19 You have the skills … 19
- 20. Agenda • Why? • Software (AND Security) development life cycle 20 … you are the one. 20
- 21. Getting involved? • OWASP https://www.owasp.org/index.php/OWASP_Security_Knowledge_Framework • Website www.secureby.design Together we can make it big, strong and helpful! 21
- 22. Agenda • Why? • Software (AND Security) development life cycle 22 You are only as strong as the weakest developer in your team. 22