out on a piece of paper, the further left you go, the earlier you are in the System Development Life Cycle. @SheHacksPurple ’Shifting Left’ means the security team wants to be invited to the party earlier. Requirements Design Code Testing Release
for Microsoft, an application security evangelist, trainer, public speaker, ethical hacker, OWASP Ottawa chapter leader, OWASP DevSlop project leader, effective altruist, software developer since the late 90’s. I have been paid to be geeky for over 20 years! Goal: to change the way we make software so that the easiest way to do something is also the most secure way. @SheHacksPurple
out on a piece of paper, the further left you go, the earlier you are in the System Development Life Cycle. @SheHacksPurple It will cost you less and you will do a better job if you consider security in every phase of the SDLC. Requirements Design Code Testing Release
and Assessments • Threat Modeling • Secure Code Reviews (Static Code Analysis) • Penetration Tests (PenTests) • This applies to both Custom Apps and COTS
a web proxy security scanner to test their web applications • It sits between your browser and the internet • It will automate tests for you, tell you what to fix, and, if it's a good one, HOW to fix the issues • There are paid and free options available • Don't use a scanner on an app you don't have permission to test, it's illegal @SheHacksPurple
have permission from your boss before you start, there may be policies against it (ask the security team too!) • Be considerate, scanners can hog resources • Be careful, scanners can be destructive • Back up your data before hand • This is an activity that requires some learning before you can start, to ensure you don't cause any damage or tick anyone off • Inform security when you start and finish
cases, and ways to defend against them • Basically a brainstorming session with programmers and security to figure out how someone may try to abuse your app • Search you code for these threats • Thinking like an adversary can not only uncover potential issues, it can be fun and educational.
a static code analyzer, but this can also be done manually • Search for your threat models • Even the most expensive tool produces many false positives, the 'work' in this exercise is figuring out what is a real issue and what is not • OWASP Dependancy check • You can find more than just security bugs
secure coding practices • There are many quality online resources, free and paid, as well as courses and conferences • Check online for the best and most secure way to do things, before you start coding • Become the security expert on your dev team, and help the rest of your team learn @SheHacksPurple