Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Make Codebases Secure with OWASP

Merab Tato Kutalia
April 27, 2022
Programming
0
170

Make Codebases Secure with OWASP

What are the guidelines we have to follow in order to bring more security to our apps and users? What is OWASP? What is OWASP Top 10, OWASP MSTG? What tools can we use to monitor and prevent issues even before we ship the application? How to apply those practices to CI/CD pipeline. All these questions will be covered in this talk

Merab Tato Kutalia

April 27, 2022
Tweet

More Decks by Merab Tato Kutalia

See All by Merab Tato Kutalia
What's new in Android 14?
tatocaster
0
130
Migrate to Gradle version catalog and convention plugins
tatocaster
3
1.7k
Secure Coding Standards
tatocaster
0
130
ტანგო ანდროიდთან
tatocaster
0
180
Adopting Huawei Mobile Services
tatocaster
0
48
Android UI Testing & Challenges
tatocaster
1
68
Reverse & Inject - droidcon
tatocaster
3
240
mobile DevOps
tatocaster
1
83
Android Reverse Engineering and Analysis - OWASP Tbilisi
tatocaster
1
210

Other Decks in Programming

See All in Programming
Webの技術スタックで マルチプラットフォームアプリ開発を可能にするElixirDesktopの紹介
thehaigo
2
920
Vue SFCのtemplateでTypeScriptの型を活用しよう
tsukkee
3
1.5k
Vaporモードを大規模サービスに最速導入して学びを共有する
kazukishimamoto
4
4.3k
CPython 인터프리터 구조 파헤치기 - PyCon Korea 24
kennethanceyer
0
240
カスタムしながら理解するGraphQL Connection
yanagii
1
1.2k
Content Security Policy入門 セキュリティ設定と 違反レポートのはじめ方 / Introduction to Content Security Policy Getting Started with Security Configuration and Violation Reporting
uskey512
1
430
Vue3の一歩踏み込んだパフォーマンスチューニング2024
hal_spidernight
3
3.1k
Vue.js学習の振り返り
hiro_xre
2
130
Jakarta Concurrencyによる並行処理プログラミングの始め方 (JJUG CCC 2024 Fall)
tnagao7
1
230
カラム追加で増えるActiveRecordのメモリサイズ イメージできますか?
asayamakk
4
1.6k
GCCのプラグインを作る / I Made a GCC Plugin
shouth
1
150
CSC509 Lecture 09
javiergs
PRO
0
110

Featured

See All Featured
Building Flexible Design Systems
yeseniaperezcruz
327
38k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
Practical Orchestrator
shlominoach
186
10k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
191
16k
Making the Leap to Tech Lead
cromwellryan
132
8.9k
Typedesign – Prime Four
hannesfritz
39
2.4k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
328
21k
Art, The Web, and Tiny UX
lynnandtonic
296
20k
The Art of Programming - Codeland 2020
erikaheidi
51
13k
Done Done
chrislema
181
16k
Visualization
eitanlees
144
15k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
37
1.8k

Transcript

  1. Make Codebases Secure with OWASP Merab Tato Kutalia Android GDE

    @ Choco @TatoKutalia

  2. Secure Software • managing access control • data protection •

    protection against vulnerabilities

  3. Secure Coding Standards

  4. What is the Secure Coding Standards? Secure coding standards are

    rules and guidelines used to prevent security vulnerabilities. Used effectively, these security standards prevent, detect, and eliminate errors that could compromise software security.

  5. Why we need to care? • leaking user data •

    reputation loss • unsafe development processes

  6. What to do? • Follow the standards and best practices

    from the programming language and platform developers • JVM • Android • Apple/iOS

  7. What to do? • Follow the standards and best practices

    from the programming language and platform developers • JVM • Android • Apple/iOS • OWASP Top 10 (Mobile) • CVE - is a list of publicly disclosed cybersecurity vulnerabilities that is free to search, use, and incorporate into products and services • CERT - Computer Emergency Readiness Team

  8. OWASP The Open Web Application Security Project • Tools and

    Resources • Community and Networking • Education & Training

  9. OWASP Top 10 Mobile • M1: Improper Platform Usage •

    M2: Insecure Data Storage • M3: Insecure Communication • M4: Insecure Authentication • M5: Insufficient Cryptography • M6: Insecure Authorization • M7: Client Code Quality • M8: Code Tampering • M9: Reverse Engineering • M10: Extraneous Functionality

  10. The OWASP MASVS (Mobile Application Security Verification Standard) Industry standard

    for mobile app security. https://docs.google.com/spreadsheets/d/1MZIvJ5Aze-zpyzLvQZVwyzF0bKWRPfnEd7nqFeH2 PfA/edit#gid=997157040 https://github.com/OWASP/owasp-masvs

  11. OWASP Mobile Application Security Testing Guide (MASTG) Security standards for

    the modern mobile applications. tools and techniques. security checklist https://owasp.org/www-project-mobile-security-testing-guide/ https://github.com/OWASP/owasp-mstg

  12. OWASP dependency check Supported on all platforms Checks 3rd party

    libraries from our project into public database, assigns the score and generates the report. (including the transitive dependencies) Depending on our projects domain and platform we need to analyze the report may include false-positives*

  13. OWASP dependencyCheck Android 🐠

  14. Gradle setup • project and app-level gradle

  15. Advanced setup

  16. Report

  17. CVSS=Common Vulnerability Scoring System

  18. Thanks