DOCSLIB.ORG

Code Review Guide

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

CODE REVIEW GUIDE 2.0 RELEASE Project leaders: Larry Conklin and Gary Robinson Creative Commons (CC) Attribution Free Version at: https://www.owasp.org 1 1 Introduction Foreword Acknowledgements Introduction How To Use The Code Review Guide 3 5 6 8 2 Secure Code Review 9 Methodology 20 3 Technical Reference For Secure Code Review Appendix A1 Injection 43 Code Review Do’s And Dont’s 192 A2 Broken Authentication And Session Management 58 Code Review Checklist 196 A3 Cross-Site Scripting (XSS) 70 Threat Modeling Example 200 A4 Insecure Direct Object Reference 77 Code Crawling 206 A5 Security Misconfguration 82 A6 Sensitive Data Exposure 117 A7 Missing Function Level Access Control 133 A8 Cross-Site Request Forgery (CSRF) 139 A9 Using Components With Know Vulnerabilities 146 A10 Unvalidated Redirects And Forwards 149 4 HTML5 154 Same Origin Policy 158 Reviewing Logging Code 160 Error Handling 163 Reviewing Security Alerts 175 Review For Active Defence 178 Race Conditions 181 Bufer Overruns 183 Client Side JavaScript 188 2 1 Code Review Guide Foreword - By Eoin Keary 3 1 FOREWORD By Eoin Keary, Long Serving OWASP Global Board Member The OWASP Code Review guide was originally born from the OWASP Testing Guide. Initially code review was covered in the Testing Guide, as it seemed like a good idea at the time. Howev- er, the topic of security code review is too big and evolved into its own stand-alone guide. I started the Code Review Project in 2006. This current edition was started in April 2013 via the OWASP Project Reboot initia- tive and a grant from the United States Department of Home- land Security. The OWASP Code Review team consists of a small, but talented, group of volunteers who should really get out more often. The volunteers have experience and a drive for the best practices in secure code review in a variety of organizations, from small start-ups to some of the largest software development organi- zations in the world. It is common knowledge that more secure software can be pro- duced and developed in a more cost efective way when bugs are detected early on in the systems development lifecycle. Or- ganizations with a proper code review function integrated into the software development lifecycle (SDLC) produced remark- ably better code from a security standpoint. To put it simply “We can’t hack ourselves secure”. Attackers have more time to fnd vulnerabilities on a system than the time allocated to a defend- er. Hacking our way secure amounts to an uneven battlefeld, asymmetric warfare, and a losing battle. By necessity, this guide does not cover all programming lan- guages. It mainly focuses on C#/.NET and Java, but includes C/ C++, PHP and other languages where possible. However, the techniques advocated in the book can be easily adapted to al- most any code environment. Fortunately (or unfortunately), the security faws in web applications are remarkably consistent across programming languages. Eoin Keary, June 2017 4 Acknowledgements APPRECIATION TO UNITED STATES DEPARTMENT OF HOMELAND SECURITY OWASP community and Code Review Guide project leaders wish to expresses its deep ap- preciation to United States Department of Homeland Security for helping make this book possible by funds provided to OWASP thru a grant. OWASP continues be to the preeminent organization for free unbiased/unfretted application security. We have seen a disturbing rise in threats and attacks on community institutions thru appli- cation vulnerabilities, only by joining forces, and with unfretted information can we help turn back the tide these threats. The world now runs on software and that software needs to be trust worthy. Our deepest appreciation and thanks to DHS for helping and in sharing in this goal. FEEDBACK If you have any feedback for the OWASP Code Review team, and/or fnd any mistakes or improvements in this Code Review Guide please contact us at: [email protected] Acknowledgements 5 ACKNOWLEDGEMENTS Project Leaders Larry Conklin Gary Robinson VERSION 2.0, 2017 Content Contributors Michael Hidalgo David Li Larry Conklin Reviewers Lawrence J Timmins Gary Robinson Alison Shubert Kwok Cheng Johanna Curiel Fernando Galves Ken Prole Eoin Keary Sytze van Koningsveld David D’Amico Islam Azeddine Mennouchi Carolyn Cohen Robert Ferris Abbas Naderi Helen Gao Lenny Halseth Carlos Pantelides Jan Masztal Kenneth F. Belva VERSION 1.0, 2007 Project Leader Content Contributors Reviewers Eoin Keary Jenelle Chapman Jef Williams Andrew van der Stock Rahin Jina Paolo Perego David Lowry David Rook Dinis Cruz Jef Williams 6 Introduction - Contents INTRODUCTION Welcome to the second edition of the OWASP Code Review Guide Project. The second edition brings the successful OWASP Code Review Guide up to date with current threats and countermeasures. This ver- sion also includes new content refecting the OWASP communities’ experiences of secure code review best practices. CONTENTS The Second Edition of the Code Review Guide has been developed to advise software developers and management on the best practices in secure code review, and how it can be used within a secure soft- ware development life-cycle (S-SDLC). The guide begins with sections that introduce the reader to secure code review and how it can be introduced into a company’s S-SDLC. It then concentrates on specifc technical subjects and provides examples of what a reviewer should look for when reviewing technical code. Specifcally the guide covers: Overview This section introduces the reader to secure code review and the advantages it can bring to a devel- opment organization. It gives an overview of secure code review techniques and describes how code review compares other techniques for analyzing secure code. Methodology The methodology section goes into more detail on how to integrate secure review techniques into de- velopment organizations S-SDLC and how the personnel reviewing the code can ensure they have the correct context to conduct an efective review. Topics include applying risk based intelligence to securi- ty code reviews, using threat modelling to understand the application being reviewed, and understand- ing how external business drivers can afect the need for secure code review. How to use 7 HOW TO USE THE CODE REVIEW GUIDE The contents and the structure of the book have been carefully designed. Further, all the contributed chapters have been judi- ciously edited and integrated into a unifying framework that provides uniformity in structure and style. This book is written to satisfy three diferent perspectives. 1. Management teams who wish to understand the reasons of why code reviews are needed and why they are included in best practices in developing secure enterprise software for todays organizations. Senior management should thoroughly read sec- tions one and two of this book. Management needs to consider the following items if doing secure coding is going to be part of the organizations software development lifecycle: • Does organization project estimation allot time for code reviews? • Does management have the capability to track the relevant metrics of code review and static analysis for each project and programmer? • Management needs to decide when in the project life cycle will that code reviews should be done in the project lifecycle and what changes to existing projects require review of previously completed code reviews. 2. Software leads who want to give manfully feedback to peers in code review with ample empirical artifacts as what to look for in helping create secure enterprise software for their organizations. They should consider: •As a peer code reviewer, to use this book you frst decided on the type of code review do you want to accomplish. Lets spend a few minutes going over each type of code review to help in deciding how this book can be assistance to you. • API/design code reviews. Use this book to understand how architecture designs can lead to security vulnerabilities. Also if the API is a third party API what security controls are in place in the code to prevent security vulnerabilities. • Maintainability code reviews. These types of code reviews are more towards the organizations internal best coding practices. This book does cover code metrics, which can help the code reviewer, better understand what code to look at for security vul- nerabilities if a section of code is overly complex. • Integration code reviews. Again these types of code reviews are more towards the organizations internal coding policies. Is the code being integrated into the project fully vetted by IT management and approved? Many security vulnerabilities are now being implemented by using open source libraries whichh may bring in dependencies that are not secure. • Testing code reviews. Agile and Test Driven design where programmer creates unit tests to prove code methods works as the programmer intended. This code is not a guide for testing software. The code reviewer may want to pay attention to unit test cases to make sure all methods have appropriate exceptions; code fails in a safe way. If possible each security control in code has the appropriate unit test cases. 3. Secure code reviewer who wants an updated guide on how secure code reviews are integrated in to the organizations secure software development lifecycle. This book will also work as a reference guide for the code review as code is in the review process. This book provides a complete source of information needed by the code reviewer. It should be read frst as a story about code reviews and seconds as a desktop reference guide. 8 2 Secure Code Review 9 SECURE CODE REVIEW Technical Reference For Secure Code Review Here the guide drills down into common vulnerabilities and technical controls, including XSS, SQL injection, session tracking, authentication, authorization, logging, and information leakage, giving code examples in various languages to guide the reviewer.
Recommended publications
  • Vulnerability Assessment and Secure Coding Practices for Middleware Part 1

    Vulnerability Assessment and Secure Coding Practices for Middleware Part 1

    Vulnerability Assessment and Secure Coding Practices for Middleware Part 1 James A. Kupsch Computer Sciences Department University of Wisconsin © 2007-2008, James A. K1upsch. All rights reserved. Tutorial Objectives • Show how to perform the basics of a vulnerability assessment • Create more people doing vulnerability assessments • Show how different types of vulnerabilities arise in a system • Teach coding techniques that can prevent certain types of vulnerabilities • Make your software more secure 2 Roadmap • Part 1: Vulnerability Assessment Process – Introduction – Evaluation process – Architectural analysis – Computer process – Communication channels – Resource analysis – Privilege analysis – Data Flow Diagrams – Component analysis – Vulnerability Discovery Activities • Part 2: Secure Coding Practices 3 Security Problems Are Real Everyone with a computer knows this. If you’re not seeing vulnerability reports and fixes for a piece of software, it doesn’t mean that it is secure. It probably means the opposite; they aren’t looking or aren’t telling. The grid community has been largely lucky (security through obscurity). 4 Many Avenues of Attack We’re looking for attacks that exploit inherent weakness in your system. Internet Firewall: www server Attack web using www protocols Compromised host Internal bad guy 5 Impact of Vulnerabilities FBI estimates computer security incidents cost U.S. businesses $67 billion in 2005 [CNETnews.com] Number of reported vulnerabilities each year is increasing [CERT stats] 8000 6000 4000 2000 0 1994 1998
  • Operating Systems and Virtualisation Security Knowledge Area (Draft for Comment)

    Operating Systems and Virtualisation Security Knowledge Area (Draft for Comment)

    OPERATING SYSTEMS AND VIRTUALISATION SECURITY KNOWLEDGE AREA (DRAFT FOR COMMENT) AUTHOR: Herbert Bos – Vrije Universiteit Amsterdam EDITOR: Andrew Martin – Oxford University REVIEWERS: Chris Dalton – Hewlett Packard David Lie – University of Toronto Gernot Heiser – University of New South Wales Mathias Payer – École Polytechnique Fédérale de Lausanne © Crown Copyright, The National Cyber Security Centre 2019. Following wide community consultation with both academia and industry, 19 Knowledge Areas (KAs) have been identified to form the scope of the CyBOK (see diagram below). The Scope document provides an overview of these top-level KAs and the sub-topics that should be covered under each and can be found on the project website: https://www.cybok.org/. We are seeking comments within the scope of the individual KA; readers should note that important related subjects such as risk or human factors have their own knowledge areas. It should be noted that a fully-collated CyBOK document which includes issue 1.0 of all 19 Knowledge Areas is anticipated to be released by the end of July 2019. This will likely include updated page layout and formatting of the individual Knowledge Areas. Operating Systems and Virtualisation Security Herbert Bos Vrije Universiteit Amsterdam April 2019 INTRODUCTION In this knowledge area, we introduce the principles, primitives and practices for ensuring security at the operating system and hypervisor levels. We shall see that the challenges related to operating system security have evolved over the past few decades, even if the principles have stayed mostly the same. For instance, when few people had their own computers and most computing was done on multiuser (often mainframe-based) computer systems with limited connectivity, security was mostly focused on isolating users or classes of users from each other1.
  • A Solution to Php Code Injection Attacks and Web

    A Solution to Php Code Injection Attacks and Web

    INTERNATIONAL JOURNAL OF RESEARCH IN COMPUTER APPLICATIONS AND ROBOTICS Vol.2 Issue.9, Pg.: 24-31 September 2014 www.ijrcar.com INTERNATIONAL JOURNAL OF RESEARCH IN COMPUTER APPLICATIONS AND ROBOTICS ISSN 2320-7345 A SOLUTION TO PHP CODE INJECTION ATTACKS AND WEB VULNERABILITIES Venkatesh Yerram1, Dr G.Venkat Rami Reddy2 ¹Computer Networks and Information Security, [email protected] ²Computer Science Engineering, 2nd [email protected] JNTU Hyderabad, India Abstract Over the decade web applications are grown rapidly. This leads to cyber crimes. Attacker injects various scripts to malfunction the web application. Attacker injects these scripts to text box of vulnerable web application from various compounds such as search bar, feedback form, login form etc and later which is executed by the server. Sometimes attacker modifies the URL to execute a successful attack. This execution of system calls and API on web server by attacker can damage the file system and or leaks information of web server. PHP is a server side scripting language, dynamic features and functionalities are controlled through the PHP language. Hence, the use of PHP language results in high possibility of successful execution of code injection attacks. The aim of this paper is first to understand the code web application vulnerability related to PHP code injection attack, the scenario has been developed. Secondly defeat the attack and fast incident determination from the developed domain dictionary. This proposed system is helpful for cyber forensics expert to gather and analyze the evidence effectively Keywords: Code Injection, vulnerabilities, Attack, cyber forensics 1. INTRODUCTION The web environment is growing rapidly day by day, the cyber crimes also increasing rapidly.
  • Microsoft Security Update for January 2020 Fixes 49 Security Vulnerabilities

    Microsoft Security Update for January 2020 Fixes 49 Security Vulnerabilities

    Microsoft Security Update for January 2020 Fixes 49 Security Vulnerabilities Overview Microsoft released the January security update on Tuesday, fixing 49 security issues ranging from simple spoofing attacks to remote code execution, discovered in products like .NET Framework, Apps, ASP.NET, Common Log File System Driver, Microsoft Dynamics, Microsoft Graphics Component, Microsoft Office, Microsoft Scripting Engine, Microsoft Windows, Microsoft Windows Search Component, Windows Hyper-V, Windows Media, Windows RDP, Windows Subsystem for Linux, and Windows Update Stack. Of the vulnerabilities fixed by Microsoft's this monthly update, a total of eight critical vulnerabilities exist in the .NET Framework, ASP.NET, Microsoft Scripting Engine, and Windows RDP. In addition, there are 41 important vulnerabilities. Critical Vulnerabilities The following are eight critical vulnerabilities covered in this update. @NSFOUS 2020 http://www.nsfocus.com Windows RDP CVE-2020-0609、CVE-2020-0610 These two remote code execution vulnerabilities in the Windows Remote Desktop Gateway (RD Gateway) could be exploited by unauthenticated attackers. If the two vulnerabilities are exploited successfully, arbitrary code may be executed on the target system, allowing the attacker to install the program, view, change or delete data, or create a new account with full user rights. To exploit this vulnerability, an attacker needs to send a specially crafted request to the RD gateway of the target system via RDP. This update addresses these issues by correcting the way the RD gateway handles connection requests. For more details about the vulnerabilities and download updates, please refer to Microsoft's official security advisories: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0609 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0610 CVE-2020-0611 This is a remote code execution vulnerability in Windows Remote Desktop clients.
  • Host-Based Code Injection Attacks: a Popular Technique Used by Malware

    Host-Based Code Injection Attacks: a Popular Technique Used by Malware

    Host-Based Code Injection Attacks: A Popular Technique Used By Malware Thomas Barabosch Elmar Gerhards-Padilla Fraunhofer FKIE Fraunhofer FKIE Friedrich-Ebert-Allee 144 Friedrich-Ebert-Allee 144 53113 Bonn, Germany 53113 Bonn, Germany [email protected] [email protected] c 2014 IEEE. Personal use of this material is per- implemented with different goals in mind, they share one mitted. Permission from IEEE must be obtained for all common feature: they all inject code locally into foreign other uses, in any current or future media, including process spaces. One reason for this behaviour is detection reprinting/republishing this material for advertising or avoidance. However, code injections are not limited to tar- promotional purposes, creating new collective works, for geted malware. Mass-malware also uses code injections in resale or redistribution to servers or lists, or reuse of any order to stay under the radar (ZeroAccess, ZeusP2P or Con- copyrighted component of this work in other works. ficker). Detection avoidance is not the only advantage of us- ing code injections from a malware author’s point of view. Abstract Further reasons for using code injections are interception of critical information, privilege escalation or manipulation of Common goals of malware authors are detection avoid- security products. ance and gathering of critical information. There exist The above mentioned examples are all malware fami- numerous techniques that help these actors to reach their lies for Microsoft Windows. However, code injections are goals. One especially popular technique is the Host-Based platform-independent. In fact all established multitasking Code Injection Attack (HBCIA).
  • Rogue Automation: Vulnerable and Malicious Code in Industrial

    Rogue Automation: Vulnerable and Malicious Code in Industrial

    In partnership with Rogue Automation Vulnerable and Malicious Code in Industrial Programming Federico Maggi Marcello Pogliani Trend Micro Research Politecnico di Milano Rogue Automation Vulnerable and Malicious Code in Industrial Programming Published by TREND MICRO LEGAL DISCLAIMER Trend Micro Research The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most Written by current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented and Federico Maggi nothing herein should be construed otherwise. Trend Micro reserves the right to modify Trend Micro Research the contents of this document at any time without prior notice. Marcello Pogliani Translations of any material into other languages are intended solely as a convenience. Politecnico di Milano Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and With contributions from have no legal effect for compliance or enforcement purposes. Martino Vittone, Although Trend Micro uses reasonable efforts to include accurate and up-to-date Davide Quarta, information herein, Trend Micro makes no warranties or representations of any kind as to Stefano Zanero its accuracy, currency, or completeness. You agree that access to and use of and reliance Politecnico di Milano on this document and the content thereof is at your own risk.
  • Configure .NET Code-Access Security

    Configure .NET Code-Access Security

    © 2002 Visual Studio Magazine Fawcette Technical Publications Issue VSM November 2002 Section Black Belt column Main file name VS0211BBt2.rtf Listing file name -- Sidebar file name -- Table file name VS0211BBtb1.rtf Screen capture file names VS0211BBfX.bmp Infographic/illustration file names VS0211BBf1,2.bmp Photos or book scans ISBN 0596003471 Special instructions for Art dept. Editor LT Status TE’d3 Spellchecked (set Language to English U.S.) * PM review Character count 15,093 + 1,162 online table Package length 3.5 (I think, due to no inline code/listings) ToC blurb Learn how to safely grant assemblies permissions to perform operations with external entities such as the file system, registry, UIs, and more. ONLINE SLUGS Name of Magazine VSM November 2002 Name of feature/column/department Black Belt column 180-character blurb Learn how to safely grant assemblies permissions to perform operations with external entities such as the file system, registry, UIs, and more. 90-character blurb Learn how to safely grant assemblies permissions to perform operations with external entities. 90-character blurb describing download NA Locator+ code for article VS0211BB_T Photo (for columnists) location On file TITLE TAG & METATAGS <title> Visual Studio Magazine – Black Belt - Secure Access to Your .NET Code Configure .NET Code-Access Security </title> <!-- Start META Tags --> <meta name="Category" content=" .NET "> <meta name="Subcategory" content=" C#, Visual Basic .NET "> <meta name="Keywords" content=" .NET, C#, Visual Basic .NET, security permission, security evidence, security policy, permission sets, evidence, security, security permission stack walk, custom permission set, code group "> [[ Please check these and add/subtract as you see fit .]] <meta name="DESCRIPTION" content=" Learn how to grant assemblies permissions to perform operations with external entities such as the file system, registry, UIs, and more.
  • Download Resume

    Download Resume

    Oji Udezue http://www.linkedin.com/in/ojiudezue . +1 425-829-9520 SUMMARY: EXPERIENCED PRODUCT, DESIGN & TECHNOLOGY EXECUTIVE I’m a product-led growth expert. A multi-disciplinary tech exec with strong product, design and engineering leadership skills. I have had stints in marketing and sales which provide a well - rounded experience of key business functions. In addition, I have startup experience and a track record advising several great startups. I have a talent for new product strategy and the practical leadership to innovate and execute with conviction. I am passionate about early stage product development and entrepreneurship in organizations. My strongest skill sets are product vision, lean product management; strategy & planning, people management and talent development. Professional Experience CALENDLY VP of Product (2018 – Present) Lead Technology, Product, Design and Content Strategy • Under my tenure, Calendly is sustaining 100% year on year growth in ARR and MAU • Drive key engineering investments and a high-performance engineering culture • Set product vision, mission and goals for business • Drive ongoing, high velocity innovation • Manage overall user experience and delivery of value to customers • Manage team health, product craft excellence and talent acquisition • Drive clear and actionable business metrics and management of business to those metrics • Drive acquisition strategy; review and approve potential acquisition deals • Manage growth program and virality initiatives to increase audience share ATLASSIAN Head
  • Parasoft Dottest REDUCE the RISK of .NET DEVELOPMENT

    Parasoft Dottest REDUCE the RISK of .NET DEVELOPMENT

    Parasoft dotTEST REDUCE THE RISK OF .NET DEVELOPMENT TRY IT https://software.parasoft.com/dottest Complement your existing Visual Studio tools with deep static INCREASE analysis and advanced PROGRAMMING EFFICIENCY: coverage. An automated, non-invasive solution that the related code, and distributed to his or her scans the application codebase to iden- IDE with direct links to the problematic code • Identify runtime bugs without tify issues before they become produc- and a description of how to fix it. executing your software tion problems, Parasoft dotTEST inte- grates into the Parasoft portfolio, helping When you send the results of dotTEST’s stat- • Automate unit and component you achieve compliance in safety-critical ic analysis, coverage, and test traceability testing for instant verification and industries. into Parasoft’s reporting and analytics plat- regression testing form (DTP), they integrate with results from Parasoft dotTEST automates a broad Parasoft Jtest and Parasoft C/C++test, allow- • Automate code analysis for range of software quality practices, in- ing you to test your entire codebase and mit- compliance cluding static code analysis, unit testing, igate risks. code review, and coverage analysis, en- abling organizations to reduce risks and boost efficiency. Tests can be run directly from Visual Stu- dio or as part of an automated process. To promote rapid remediation, each problem detected is prioritized based on configur- able severity assignments, automatical- ly assigned to the developer who wrote It snaps right into Visual Studio as though it were part of the product and it greatly reduces errors by enforcing all your favorite rules. We have stuck to the MS Guidelines and we had to do almost no work at all to have dotTEST automate our code analysis and generate the grunt work part of the unit tests so that we could focus our attention on real test-driven development.
  • Parasoft Static Application Security Testing (SAST) for .Net - C/C++ - Java Platform

    Parasoft Static Application Security Testing (SAST) for .Net - C/C++ - Java Platform

    Parasoft Static Application Security Testing (SAST) for .Net - C/C++ - Java Platform Parasoft® dotTEST™ /Jtest (for Java) / C/C++test is an integrated Development Testing solution for automating a broad range of testing best practices proven to improve development team productivity and software quality. dotTEST / Java Test / C/C++ Test also seamlessly integrates with Parasoft SOAtest as an option, which enables end-to-end functional and load testing for complex distributed applications and transactions. Capabilities Overview STATIC ANALYSIS ● Broad support for languages and standards: Security | C/C++ | Java | .NET | FDA | Safety-critical ● Static analysis tool industry leader since 1994 ● Simple out-of-the-box integration into your SDLC ● Prevent and expose defects via multiple analysis techniques ● Find and fix issues rapidly, with minimal disruption ● Integrated with Parasoft's suite of development testing capabilities, including unit testing, code coverage analysis, and code review CODE COVERAGE ANALYSIS ● Track coverage during unit test execution and the data merge with coverage captured during functional and manual testing in Parasoft Development Testing Platform to measure true test coverage. ● Integrate with coverage data with static analysis violations, unit testing results, and other testing practices in Parasoft Development Testing Platform for a complete view of the risk associated with your application ● Achieve test traceability to understand the impact of change, focus testing activities based on risk, and meet compliance
  • Atlassian, a Devops Leader, Partners with Protiviti to Deliver Cutting-Edge IT Controls Across Its Environment

    Atlassian, a Devops Leader, Partners with Protiviti to Deliver Cutting-Edge IT Controls Across Its Environment

    CLIENT STORY Atlassian, a DevOps leader, partners with Protiviti to deliver cutting-edge IT controls across its environment Technology companies compete on their ability to quickly develop, deliver and update quality systems and software. This need for speed has led solution providers to abandon the traditional “waterfall” software development Keys to Success methodology in favor of Agile and DevOps, a faster and more collaborative approach that ultimately aims to enable faster time to market and a more reliable product. However, many organizations have struggled to apply Change requested traditional IT control frameworks within an Agile/DevOps environment, and the Embed control activities into Agile two are often misconceived as being incompatible. processes without compromising speed of delivery Atlassian, a global software development company responsible for creating Change envisioned team collaboration and productivity tools — including Jira, Confluence, Trello, Stride and BitBucket, among others — recognizes that trust is Combine Protiviti’s IT, risk and increasingly at the forefront of customer adoption considerations, and that compliance expertise with Atlassian’s key to demonstrating trustworthiness is being transparent with compliance. culture of innovation to design In addition, when it listed on the NASDAQ market in the United States in best-in-class controls in a DevOps December 2015, Atlassian needed to be in a position to demonstrate effective environment controls to its investors. Change achieved Embedded, automated controls
  • Web Application Vulnerabilities and Insecure Software Root Causes: the OWASP Top 10

    Web Application Vulnerabilities and Insecure Software Root Causes: the OWASP Top 10

    Vulnerability Analysis, Secure Development and Risk Management of Web 2.0 Applications Marco Morana OWASP OWASP Cincinnati Chapter, November 2010 Meeting Copyright © 2010 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License. The OWASP Foundation http://www.owasp.org What is OWASP? OWASP 2 Agenda For Today’s Presentation 1. The Evolution of Web 2.0 2. Web 2.0 Vulnerability Analysis 3. Building Secure Web 2.0 Applications 4. Web 2.0 Risk Management OWASP 3 The Evolution of the Internet to Web 2.0 OWASP 4 General Web 2.0 Background Can be defined as: “Web applications that facilitate interactive information sharing and collaboration, interoperability, and user-centered design on the World Wide Web” … the main characteristics of web 2.0 are: 1. Encourage user’s participation and collaboration through a virtual community of social networks/sites. Users can and add and update their own content, examples include Twitter and social networks such as Facebook, Myspace, LinkedIn, YouTube 2. Transcend from the technology/frameworks used AJAX, Adobe AIR, Flash, Flex, Dojo, Google Gears and others 3. Combine and aggregate data and functionality from different applications and systems, example include “mashups” as aggregators of client functionality provided by different in-house developed and/or third party services (e.g. web services, SaaS) OWASP 5 Web 2.0 As Evolution of Human Knowledge Source http://digigogy.blogspot.com/2009/02/digital-blooms-visual.html