rmcsoft, profile picture
Uploaded byrmcsoft
63 views

TechTalks | Software Security 101: What Every Startup Needs to Know to Protect Their Business

The document outlines essential steps and typical mistakes in application UX and front-end design, focusing on software security practices. It details common vulnerabilities across various components such as client, web, app, and data tiers, alongside issues related to team collaboration tools and third-party software. Resources for understanding vulnerabilities and breaches are also provided for further reference.

Download to read offline
Brought to you by ❖Next event: May 2018 (TBD) ❖Application UX and Front-End Design
SOFTWARE SECURITY 101 ❖ sponsored by: Srinivasan Vanamali, Olympus Infotech Bilal Soylu, Xcobee Kate Kliebert, Kliebert Law Ben Wilson, deliverypath Meet the panel of experts
From An Idea to The Killer App ❖Idea ❖Validate it with Business Partners, potential clients, colleagues & friends ❖Define the Requirements ❖Develop the App ❖Ready to go!
Typical Application Architectural Components:
Typical Mistakes: Client Tier ❖Issues in separation of Public / Private areas of the application ❖Some of the application resources that meant to be private get exposed to the public ❖Authorization - issues in user rights ❖The user roles get messed up - wrong type of users get access to the resources that they should not to ❖Securing Credentials ❖User credentials are stored & passed as CLEAR TEXT
Typical Mistakes: Web Tier ❖Data gets transferred through the INTERNET - unprotected area ❖The connection is not encrypted ➢HTTP instead of HTTPS is used ➢Old and vulnerable versions of SSL/TLS are used ❖Other Vulnerabilities
Typical Mistakes: Web Tier❖No breaches monitoring for the software installed on the servers ❖Common Software Vulnerabilities get overlooked ❖The Server Software is not updated promptly after the vulnerabilities get discovered ❖I.e. 9 pages of vulnerabilities for Apache on the screenshot:
Typical Mistakes: App Tier ❖Source Code Management ❖Public repositories instead of private ❖Access rights to the source code are not managed ❖Developers do not have clear understanding on what project they are working on ❖Vulnerability in the code ❖Not following the best practices ❖Not following “Security by design” pattern ❖Not storing API keys securely ❖Breaches in the third-party components and libraries
Typical Mistakes: Data Tier ❖Non-securing sensitive data (PII - personal identifiable information: Name, Address, Date of Birth, SSN, etc) ❖Storing data when you do not need to (i.e. credit card data - very often!) ❖Not following the Regulatory Compliance when needed: ❖PCI (credit card data) ❖HIPAA (medical data) ❖GDPR (when operating in EU) ❖etc ❖Not following right coding standards when communicating with database ❖SQL injections possibility ❖Physical Server Security ❖Other vulnerabilities
Typical Mistakes: Team Collaboration Tools ❖Use of public team collaboration tools by unexperienced users ❖Not enough training for the employees ❖Accidentally sharing information that is not supposed to (i.e. everyone with the link can open the google doc or DropBox document) ❖The users who are not employees any more still have access ❖etc
Typical Mistakes: Third-Party Software ❖Opting for free software without checking for security breaches & examining the code thoroughly ❖Not validating the vendors of third-party software (i.e. when choosing payment processing gateway - is credit card data going to be safe with that vendor?)
Resources ❖Common Vulnerabilities and Exposures ➢https://cve.mitre.org/ ➢https://nvd.nist.gov/ ❖https://www.us-cert.gov/ ❖https://www.xcoobee.com/breach-cost-calculator/ ❖https://www.csoonline.com/article/2130877/data-breach/the-biggest-data- breaches-of-the-21st-century.html

More Related Content

PPTX
Redrawing the Cyber Defense Frontier
byJoe Hage
 
PPTX
Hem second presentation
byHemprasad Badgujar
 
PPTX
Cyber security
byPeter Henley
 
PDF
Resiliency-Part One -11-3-2015
byDr Robert D. Childs
 
PDF
IT Security Guest Lecture
byMurthinty
 
PDF
GHFCU_CAlberston_Recommendation-Letter
byReginald E. Smith II
 
PDF
Notifs update
byJim Fenton
 
PDF
Resiliency-Part Two -11-3-2015 copy
byDr Robert D. Childs
 
Redrawing the Cyber Defense Frontier
byJoe Hage
 
Hem second presentation
byHemprasad Badgujar
 
Cyber security
byPeter Henley
 
Resiliency-Part One -11-3-2015
byDr Robert D. Childs
 
IT Security Guest Lecture
byMurthinty
 
GHFCU_CAlberston_Recommendation-Letter
byReginald E. Smith II
 
Notifs update
byJim Fenton
 
Resiliency-Part Two -11-3-2015 copy
byDr Robert D. Childs
 

What's hot

PDF
Goans-Helms-IT Security at Georgia Tech Library
byNational Information Standards Organization (NISO)
 
PDF
Carver IT Security for Librarians
byNational Information Standards Organization (NISO)
 
PDF
State of-the-internet-web-security-threat-advisory-blackshades-rat-presentation
byState of the Internet
 
PPTX
Information security - what is going on 2016
byTomppa Kuusi (formerly Järvinen)
 
PDF
Basic of Information Security
byPotato
 
PPTX
Nhs dealing with cyber threat
byShikoh Khan
 
PDF
Shadow it risks & control managing the unknown unknowns in the deep &...
byPriyanka Aash
 
PPTX
Identity theft and data responsibilities
byPeter Henley
 
PDF
Seclud it polesc_sjuly7
bySergio Loureiro
 
PDF
Carver-IT Security for Librarians
byNational Information Standards Organization (NISO)
 
PDF
Ayala mar23
byNational Information Standards Organization (NISO)
 
DOCX
MG Resume 2017
byManuel Gutierrez
 
Goans-Helms-IT Security at Georgia Tech Library
byNational Information Standards Organization (NISO)
 
Carver IT Security for Librarians
byNational Information Standards Organization (NISO)
 
State of-the-internet-web-security-threat-advisory-blackshades-rat-presentation
byState of the Internet
 
Information security - what is going on 2016
byTomppa Kuusi (formerly Järvinen)
 
Basic of Information Security
byPotato
 
Nhs dealing with cyber threat
byShikoh Khan
 
Shadow it risks & control managing the unknown unknowns in the deep &...
byPriyanka Aash
 
Identity theft and data responsibilities
byPeter Henley
 
Seclud it polesc_sjuly7
bySergio Loureiro
 
Carver-IT Security for Librarians
byNational Information Standards Organization (NISO)
 
Ayala mar23
byNational Information Standards Organization (NISO)
 
MG Resume 2017
byManuel Gutierrez
 

Similar to TechTalks | Software Security 101: What Every Startup Needs to Know to Protect Their Business

PDF
Application Security - Your Success Depends on it
byWSO2
 
PPTX
Information security software security presentation.pptx
bysalutiontechnology
 
PPTX
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
bySecurity Innovation
 
PPT
Top 10 Web Security Vulnerabilities (OWASP Top 10)
byBrian Huff
 
PPT
Secure SDLC for Software
byShreeraj Shah
 
PPT
Application Security
byflorinc
 
PDF
Data security in the age of GDPR – most common data security problems
byExove
 
PDF
GitHub: Secure Software Development for Financial Services
byDebbie A. Everson
 
PPTX
Web Application Security.pptx
byGenic Solutions
 
PDF
Defensive programing 101
byNiall Merrigan
 
PPTX
Security engineering 101 when good design & security work together
byWendy Knox Everette
 
PDF
HOW TO SECURE WEB AND APP DEVELOPMENT USER DATA SECURITY.pdf
byasiyahanif9977
 
PDF
HOW TO SECURE WEB AND APP DEVELOPMENT USER DATA SECURITY.pdf
byasiyahanif9977
 
PPT
Software Security in the Real World
byMark Curphey
 
PDF
Injecting simplicity not SQL RSA Europe 2010
bySecurity Ninja
 
PDF
SecurityBSides London - Agnitio: it's static analysis but not as we know it
bySecurity Ninja
 
PDF
Designing Secure APIs
bySteven Chen
 
PDF
The API Primer (OWASP AppSec Europe, May 2015)
byGreg Patton
 
PDF
Prevent Security Breaches Before They Happen - ScaleFocus Security Conference...
byScaleFocus
 
PPTX
Top 10 security risks for mobile backend developers
byJiri Danihelka
 
Application Security - Your Success Depends on it
byWSO2
 
Information security software security presentation.pptx
bysalutiontechnology
 
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
bySecurity Innovation
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
byBrian Huff
 
Secure SDLC for Software
byShreeraj Shah
 
Application Security
byflorinc
 
Data security in the age of GDPR – most common data security problems
byExove
 
GitHub: Secure Software Development for Financial Services
byDebbie A. Everson
 
Web Application Security.pptx
byGenic Solutions
 
Defensive programing 101
byNiall Merrigan
 
Security engineering 101 when good design & security work together
byWendy Knox Everette
 
HOW TO SECURE WEB AND APP DEVELOPMENT USER DATA SECURITY.pdf
byasiyahanif9977
 
HOW TO SECURE WEB AND APP DEVELOPMENT USER DATA SECURITY.pdf
byasiyahanif9977
 
Software Security in the Real World
byMark Curphey
 
Injecting simplicity not SQL RSA Europe 2010
bySecurity Ninja
 
SecurityBSides London - Agnitio: it's static analysis but not as we know it
bySecurity Ninja
 
Designing Secure APIs
bySteven Chen
 
The API Primer (OWASP AppSec Europe, May 2015)
byGreg Patton
 
Prevent Security Breaches Before They Happen - ScaleFocus Security Conference...
byScaleFocus
 
Top 10 security risks for mobile backend developers
byJiri Danihelka
 

Recently uploaded

PDF
MicroPython presentation - PyConFr Lyon 2025 - Amine Bendahmane
byAmine Bendahmane
 
PDF
RR B.Ed. educational trust. Ashish Tiwari
byat386834
 
PDF
AI Demands More: Help Ensure Network Readiness With ThousandEyes
byThousandEyes
 
PDF
Fighting CVEs in Embedded Linux with the Yocto Project and OTA Updates
byLeon Anavi
 
PDF
2025 AI Adoption Report: Gen AI Fast-Tracks Into the Enterprise
byRazin Mustafiz
 
PDF
Staying Ahead of the Curve - Roaming Just Got Easier
bypanagenda
 
PDF
Immer vorne mit dabei sein - Roaming leicht gemacht
bypanagenda
 
PDF
Igalia and WebKit: Status update and plans (2025)
byIgalia
 
PDF
How UK Employers Are Simplifying Entry-Level Hiring with Day One Jobs
byDay One Talent Solutions Ltd
 
PDF
API Days Australia - API Management in the AI Era
byNilesh Gule
 
PPTX
Practical tips for keeping your C# code base clean
byDennis Doomen
 
PDF
Unlocking Access: Enriching Public Services with Location Intelligence.pdf
byPrecisely
 
PDF
OpenObserve as a replacement for Elasticsearch
byAlireza Kamrani
 
PPTX
Healthcare BI - Turning Raw Data into Actionable Insights.pptx
byDash Technologies Inc
 
PDF
How Generative AI Helps US Healthcare Startups Save 40.pdf
byimoliviabennett
 
PDF
NPTEL Assignment Completed PDF FILE with ans
byadultme43
 
PDF
Unleash AI power with the Dell Pro 14 Plus - Interactive PDF
byPrincipled Technologies
 
PDF
Ready, set, go: Pre-fall sales trends and data-driven insights - Tech Forum 2025
byBookNet Canada
 
PDF
The Future-Ready PMO: Unlocking Project Success with Copilot and AI Innovatio...
byWellingtone
 
PDF
PDF Security Intelligence Platform | Cybersecurity Project by Ashish Patil
byAshishPatil495087
 
MicroPython presentation - PyConFr Lyon 2025 - Amine Bendahmane
byAmine Bendahmane
 
RR B.Ed. educational trust. Ashish Tiwari
byat386834
 
AI Demands More: Help Ensure Network Readiness With ThousandEyes
byThousandEyes
 
Fighting CVEs in Embedded Linux with the Yocto Project and OTA Updates
byLeon Anavi
 
2025 AI Adoption Report: Gen AI Fast-Tracks Into the Enterprise
byRazin Mustafiz
 
Staying Ahead of the Curve - Roaming Just Got Easier
bypanagenda
 
Immer vorne mit dabei sein - Roaming leicht gemacht
bypanagenda
 
Igalia and WebKit: Status update and plans (2025)
byIgalia
 
How UK Employers Are Simplifying Entry-Level Hiring with Day One Jobs
byDay One Talent Solutions Ltd
 
API Days Australia - API Management in the AI Era
byNilesh Gule
 
Practical tips for keeping your C# code base clean
byDennis Doomen
 
Unlocking Access: Enriching Public Services with Location Intelligence.pdf
byPrecisely
 
OpenObserve as a replacement for Elasticsearch
byAlireza Kamrani
 
Healthcare BI - Turning Raw Data into Actionable Insights.pptx
byDash Technologies Inc
 
How Generative AI Helps US Healthcare Startups Save 40.pdf
byimoliviabennett
 
NPTEL Assignment Completed PDF FILE with ans
byadultme43
 
Unleash AI power with the Dell Pro 14 Plus - Interactive PDF
byPrincipled Technologies
 
Ready, set, go: Pre-fall sales trends and data-driven insights - Tech Forum 2025
byBookNet Canada
 
The Future-Ready PMO: Unlocking Project Success with Copilot and AI Innovatio...
byWellingtone
 
PDF Security Intelligence Platform | Cybersecurity Project by Ashish Patil
byAshishPatil495087
 

TechTalks | Software Security 101: What Every Startup Needs to Know to Protect Their Business

  • 1.
    Brought to youby ❖Next event: May 2018 (TBD) ❖Application UX and Front-End Design
  • 2.
    SOFTWARE SECURITY 101 ❖sponsored by: Srinivasan Vanamali, Olympus Infotech Bilal Soylu, Xcobee Kate Kliebert, Kliebert Law Ben Wilson, deliverypath Meet the panel of experts
  • 3.
    From An Ideato The Killer App ❖Idea ❖Validate it with Business Partners, potential clients, colleagues & friends ❖Define the Requirements ❖Develop the App ❖Ready to go!
  • 4.
  • 5.
    Typical Mistakes: ClientTier ❖Issues in separation of Public / Private areas of the application ❖Some of the application resources that meant to be private get exposed to the public ❖Authorization - issues in user rights ❖The user roles get messed up - wrong type of users get access to the resources that they should not to ❖Securing Credentials ❖User credentials are stored & passed as CLEAR TEXT
  • 6.
    Typical Mistakes: WebTier ❖Data gets transferred through the INTERNET - unprotected area ❖The connection is not encrypted ➢HTTP instead of HTTPS is used ➢Old and vulnerable versions of SSL/TLS are used ❖Other Vulnerabilities
  • 7.
    Typical Mistakes: WebTier❖No breaches monitoring for the software installed on the servers ❖Common Software Vulnerabilities get overlooked ❖The Server Software is not updated promptly after the vulnerabilities get discovered ❖I.e. 9 pages of vulnerabilities for Apache on the screenshot:
  • 8.
    Typical Mistakes: AppTier ❖Source Code Management ❖Public repositories instead of private ❖Access rights to the source code are not managed ❖Developers do not have clear understanding on what project they are working on ❖Vulnerability in the code ❖Not following the best practices ❖Not following “Security by design” pattern ❖Not storing API keys securely ❖Breaches in the third-party components and libraries
  • 9.
    Typical Mistakes: DataTier ❖Non-securing sensitive data (PII - personal identifiable information: Name, Address, Date of Birth, SSN, etc) ❖Storing data when you do not need to (i.e. credit card data - very often!) ❖Not following the Regulatory Compliance when needed: ❖PCI (credit card data) ❖HIPAA (medical data) ❖GDPR (when operating in EU) ❖etc ❖Not following right coding standards when communicating with database ❖SQL injections possibility ❖Physical Server Security ❖Other vulnerabilities
  • 10.
    Typical Mistakes: TeamCollaboration Tools ❖Use of public team collaboration tools by unexperienced users ❖Not enough training for the employees ❖Accidentally sharing information that is not supposed to (i.e. everyone with the link can open the google doc or DropBox document) ❖The users who are not employees any more still have access ❖etc
  • 11.
    Typical Mistakes: Third-PartySoftware ❖Opting for free software without checking for security breaches & examining the code thoroughly ❖Not validating the vendors of third-party software (i.e. when choosing payment processing gateway - is credit card data going to be safe with that vendor?)
  • 12.
    Resources ❖Common Vulnerabilities andExposures ➢https://cve.mitre.org/ ➢https://nvd.nist.gov/ ❖https://www.us-cert.gov/ ❖https://www.xcoobee.com/breach-cost-calculator/ ❖https://www.csoonline.com/article/2130877/data-breach/the-biggest-data- breaches-of-the-21st-century.html