Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Make Codebases Secure with OWASP

Merab Tato Kutalia
April 27, 2022
Programming
0
180

Make Codebases Secure with OWASP

What are the guidelines we have to follow in order to bring more security to our apps and users? What is OWASP? What is OWASP Top 10, OWASP MSTG? What tools can we use to monitor and prevent issues even before we ship the application? How to apply those practices to CI/CD pipeline. All these questions will be covered in this talk

Merab Tato Kutalia

April 27, 2022
Tweet

More Decks by Merab Tato Kutalia

See All by Merab Tato Kutalia
What's new in Android 14?
tatocaster
0
130
Migrate to Gradle version catalog and convention plugins
tatocaster
3
1.7k
Secure Coding Standards
tatocaster
0
130
ტანგო ანდროიდთან
tatocaster
0
190
Adopting Huawei Mobile Services
tatocaster
0
48
Android UI Testing & Challenges
tatocaster
1
68
Reverse & Inject - droidcon
tatocaster
3
250
mobile DevOps
tatocaster
1
83
Android Reverse Engineering and Analysis - OWASP Tbilisi
tatocaster
1
210

Other Decks in Programming

See All in Programming
Jakarta EE meets AI
ivargrimstad
0
200
Pinia Colada が実現するスマートな非同期処理
naokihaba
4
230
TypeScript Graph でコードレビューの心理的障壁を乗り越える
ysk8hori
2
1.1k
NSOutlineView何もわからん:( 前編 / I Don't Understand About NSOutlineView :( Pt. 1
usagimaru
0
340
카카오페이는 어떻게 수천만 결제를 처리할까? 우아한 결제 분산락 노하우
kakao
PRO
0
110
LLM生成文章の精度評価自動化とプロンプトチューニングの効率化について
layerx
PRO
2
190
色々なIaCツールを実際に触って比較してみる
iriikeita
0
330
Jakarta EE meets AI
ivargrimstad
0
590
RubyLSPのマルチバイト文字対応
notfounds
0
120
Hotwire or React? ~アフタートーク・本編に含めなかった話~ / Hotwire or React? after talk
harunatsujita
1
120
『ドメイン駆動設計をはじめよう』のモデリングアプローチ
masuda220
PRO
8
540
subpath importsで始めるモック生活
10tera
0
310

Featured

See All Featured
Typedesign – Prime Four
hannesfritz
40
2.4k
Agile that works and the tools we love
rasmusluckow
327
21k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
6
410
Rails Girls Zürich Keynote
gr2m
94
13k
Scaling GitHub
holman
458
140k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
364
24k
Embracing the Ebb and Flow
colly
84
4.5k
Designing on Purpose - Digital PM Summit 2013
jponch
115
7k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
26
1.4k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
8
900
[RailsConf 2023] Rails as a piece of cake
palkan
52
4.9k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.1k

Transcript

  1. Make Codebases Secure with OWASP Merab Tato Kutalia Android GDE

    @ Choco @TatoKutalia

  2. Secure Software • managing access control • data protection •

    protection against vulnerabilities

  3. Secure Coding Standards

  4. What is the Secure Coding Standards? Secure coding standards are

    rules and guidelines used to prevent security vulnerabilities. Used effectively, these security standards prevent, detect, and eliminate errors that could compromise software security.

  5. Why we need to care? • leaking user data •

    reputation loss • unsafe development processes

  6. What to do? • Follow the standards and best practices

    from the programming language and platform developers • JVM • Android • Apple/iOS

  7. What to do? • Follow the standards and best practices

    from the programming language and platform developers • JVM • Android • Apple/iOS • OWASP Top 10 (Mobile) • CVE - is a list of publicly disclosed cybersecurity vulnerabilities that is free to search, use, and incorporate into products and services • CERT - Computer Emergency Readiness Team

  8. OWASP The Open Web Application Security Project • Tools and

    Resources • Community and Networking • Education & Training

  9. OWASP Top 10 Mobile • M1: Improper Platform Usage •

    M2: Insecure Data Storage • M3: Insecure Communication • M4: Insecure Authentication • M5: Insufficient Cryptography • M6: Insecure Authorization • M7: Client Code Quality • M8: Code Tampering • M9: Reverse Engineering • M10: Extraneous Functionality

  10. The OWASP MASVS (Mobile Application Security Verification Standard) Industry standard

    for mobile app security. https://docs.google.com/spreadsheets/d/1MZIvJ5Aze-zpyzLvQZVwyzF0bKWRPfnEd7nqFeH2 PfA/edit#gid=997157040 https://github.com/OWASP/owasp-masvs

  11. OWASP Mobile Application Security Testing Guide (MASTG) Security standards for

    the modern mobile applications. tools and techniques. security checklist https://owasp.org/www-project-mobile-security-testing-guide/ https://github.com/OWASP/owasp-mstg

  12. OWASP dependency check Supported on all platforms Checks 3rd party

    libraries from our project into public database, assigns the score and generates the report. (including the transitive dependencies) Depending on our projects domain and platform we need to analyze the report may include false-positives*

  13. OWASP dependencyCheck Android 🐠

  14. Gradle setup • project and app-level gradle

  15. Advanced setup

  16. Report

  17. CVSS=Common Vulnerability Scoring System

  18. Thanks