
Make Codebases Secure with OWASP

What guidelines do we have to follow to bring more security to our apps and users? What is OWASP? What are the OWASP Top 10 and the OWASP MSTG? What tools can we use to monitor and prevent issues even before we ship the application? How do we apply those practices to a CI/CD pipeline? All these questions are covered in this talk.

Merab Tato Kutalia

April 27, 2022

Transcript

  1. What are Secure Coding Standards?
     Secure coding standards are rules and guidelines used to prevent security vulnerabilities. Used effectively, these security standards prevent, detect, and eliminate errors that could compromise software security.
  2. Why do we need to care?
     • leaking user data
     • reputation loss
     • unsafe development processes
  3. What to do?
     • Follow the standards and best practices from the programming language and platform developers
       • JVM
       • Android
       • Apple/iOS
  4. What to do?
     • Follow the standards and best practices from the programming language and platform developers
       • JVM
       • Android
       • Apple/iOS
     • OWASP Top 10 (Mobile)
     • CVE: a list of publicly disclosed cybersecurity vulnerabilities that is free to search, use, and incorporate into products and services
     • CERT: Computer Emergency Readiness Team
  5. OWASP: The Open Web Application Security Project
     • Tools and Resources
     • Community and Networking
     • Education & Training
  6. OWASP Top 10 Mobile
     • M1: Improper Platform Usage
     • M2: Insecure Data Storage
     • M3: Insecure Communication
     • M4: Insecure Authentication
     • M5: Insufficient Cryptography
     • M6: Insecure Authorization
     • M7: Client Code Quality
     • M8: Code Tampering
     • M9: Reverse Engineering
     • M10: Extraneous Functionality
  7. The OWASP MASVS (Mobile Application Security Verification Standard)
     Industry standard for mobile app security.
     https://docs.google.com/spreadsheets/d/1MZIvJ5Aze-zpyzLvQZVwyzF0bKWRPfnEd7nqFeH2PfA/edit#gid=997157040
     https://github.com/OWASP/owasp-masvs
  8. OWASP Mobile Application Security Testing Guide (MASTG)
     Security standards for modern mobile applications: tools and techniques, plus a security checklist.
     https://owasp.org/www-project-mobile-security-testing-guide/
     https://github.com/OWASP/owasp-mstg
  9. OWASP dependency-check
     Supported on all platforms. Checks the third-party libraries in our project (including transitive dependencies) against a public vulnerability database, assigns a score to each finding and generates a report. Depending on our project's domain and platform we need to analyze the report: it may include false positives*.
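The slide above leaves the CI/CD side implicit: the report has to be read by something that decides whether the build passes, and the false-positive caveat means that decision needs a reviewed suppression list rather than a blanket "fail on any finding". The following is an added example, not code from the talk or from the dependency-check project: a small Python gate that a pipeline job could run over the JSON report dependency-check can emit (for the Gradle plugin, after `dependencyCheckAnalyze`). It assumes the JSON layout of that report (a top-level `dependencies` list whose entries carry `fileName`, `packages` with package-URL `id`s, and `vulnerabilities` with `name`, `severity` and `cvssv3`/`cvssv2` score objects); the sample report, package names and CVE ids embedded below are constructed placeholders.

```python
"""Gate a CI build on an OWASP dependency-check JSON report.

Added example (not from the talk). Assumes the report layout produced by
dependency-check's JSON formatter: a top-level "dependencies" list whose
entries carry "fileName", "packages" (with "id" package URLs) and
"vulnerabilities" (each with "name", "severity" and optional "cvssv3"
/"cvssv2" score objects). The sample report below is constructed; the
package names and CVE ids are placeholders, not real advisories.
"""
import json
import sys

# Constructed sample report: three dependencies, one clean, one with a
# finding the team has reviewed and marked as a false positive.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {
            "fileName": "httpclient-2.1.jar",
            "packages": [{"id": "pkg:maven/com.example.net/httpclient@2.1"}],
            "vulnerabilities": [
                {"name": "CVE-0000-00001", "severity": "HIGH",
                 "cvssv3": {"baseScore": 7.5}},
            ],
        },
        {
            "fileName": "example-utils-1.2.jar",
            "packages": [{"id": "pkg:maven/org.example/example-utils@1.2"}],
            "vulnerabilities": [
                {"name": "CVE-0000-00002", "severity": "CRITICAL",
                 "cvssv3": {"baseScore": 9.8}},
                {"name": "CVE-0000-00003", "severity": "LOW",
                 "cvssv2": {"score": 3.3}},
            ],
        },
        {
            "fileName": "example-core-3.0.jar",
            "packages": [{"id": "pkg:maven/org.example/example-core@3.0"}],
            "vulnerabilities": [],
        },
    ]
})

# Reviewed suppressions: (package URL without version, CVE id). This plays
# the role of dependency-check's suppression file, kept here as plain data.
# A suppression applies to every version of the package, so it should be
# re-reviewed whenever the dependency is bumped.
SUPPRESSIONS = frozenset({
    ("pkg:maven/org.example/example-utils", "CVE-0000-00002"),
})


def score_of(vuln):
    """Prefer the CVSS v3 base score, fall back to v2, then to 0.0."""
    v3 = vuln.get("cvssv3") or {}
    v2 = vuln.get("cvssv2") or {}
    return float(v3.get("baseScore", v2.get("score", 0.0)))


def is_suppressed(package_id, cve, suppressions):
    """True if (package without version, cve) is on the reviewed list."""
    name, _, _ = package_id.partition("@")
    return (name, cve) in suppressions


def findings_over_threshold(report_json, threshold, suppressions=frozenset()):
    """Return (package_id, cve, score) for every unsuppressed finding whose
    CVSS score is at or above `threshold`, in report order."""
    report = json.loads(report_json)
    failing = []
    for dep in report.get("dependencies", []):
        packages = dep.get("packages") or [{"id": dep.get("fileName", "unknown")}]
        package_id = packages[0]["id"]
        for vuln in dep.get("vulnerabilities", []):
            cve = vuln["name"]
            score = score_of(vuln)
            if score >= threshold and not is_suppressed(package_id, cve, suppressions):
                failing.append((package_id, cve, score))
    return failing


def gate(report_json, threshold=7.0, suppressions=frozenset()):
    """Pipeline exit status: 0 when nothing unsuppressed reaches the
    threshold, 1 otherwise. Prints one line per failing finding."""
    failing = findings_over_threshold(report_json, threshold, suppressions)
    for package_id, cve, score in failing:
        print(f"FAIL {package_id} {cve} CVSS {score}")
    return 1 if failing else 0


if __name__ == "__main__":
    # With the constructed report this fails on the httpclient finding only:
    # the example-utils CRITICAL is suppressed and the LOW is under threshold.
    sys.exit(gate(SAMPLE_REPORT, 7.0, SUPPRESSIONS))
```

Keeping the suppression list in version control next to the threshold makes each accepted false positive a reviewable change with a reason attached, which is the part of "we need to analyze the report" that otherwise gets lost once the job runs unattended.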