Seguridad en el Ciclo de Vida de Desarrollo OWASP Uruguay Chapter Seguridad en el Ciclo de Vida de Desarrollo Thx to organizers Mauro Flores OWASP Global Industry Committee OWASP Uruguay Chapter Leader mauro.flores@owasp.org @mauro_fcib

Agenda Introducción al OWASP Seguridad en el SDLC Open Web Application Security Project (OWASP) is a not-for-profit worldwide organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. OWASP is a new kind of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective information about application security. OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. Similar to many open-source software projects, OWASP produces many types of materials in a collaborative, open way. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

OWASP ??!!!!! OWASP -Open Web Application Application Security Project Comunidad abierta y sin fines de lucro Organización de voluntarios Soportada a través de patrocinios Promueve el desarrollo de software seguro de aplicaciones Open Web Application Security Project (OWASP) is a not-for-profit worldwide organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. OWASP is a new kind of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective information about application security. OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. Similar to many open-source software projects, OWASP produces many types of materials in a collaborative, open way. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

OWASP ??!!!!! Proporcionar recursos gratuitos para la comunidad Becas pasa el desarrollo de nuevos proyectos Posibilidad de utilizar las herramientas y colaboradores disponibles para generar nuevos proyectos Becas de Investigación OWASP otorga becas a investigadores de la seguridad en aplicaciones para desarrollar herramientas, guías, publicaciones, etc. Open Web Application Security Project (OWASP) is a not-for-profit worldwide organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. OWASP is a new kind of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective information about application security. OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. Similar to many open-source software projects, OWASP produces many types of materials in a collaborative, open way. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

Licencias Approach == “OPEN” Todos los documentos, estándares y herramientas se distribuyen en base a licencias open-source GFDL GPL BSD License Creative Commons Open Web Application Security Project (OWASP) is a not-for-profit worldwide organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. OWASP is a new kind of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective information about application security. OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. Similar to many open-source software projects, OWASP produces many types of materials in a collaborative, open way. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

Capítulos Open Web Application Security Project (OWASP) is a not-for-profit worldwide organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. OWASP is a new kind of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective information about application security. OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. Similar to many open-source software projects, OWASP produces many types of materials in a collaborative, open way. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

OWASP … OWASP PCI Project OWASP Mobile Security Project OWASP Cloud Security Open Web Application Security Project (OWASP) is a not-for-profit worldwide organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. OWASP is a new kind of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective information about application security. OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. Similar to many open-source software projects, OWASP produces many types of materials in a collaborative, open way. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

Portal OWASP Wiki : www.owasp.org

Seguridad en el SDLC Feel free to ask questions. Thank you!

SDLC Comprehesive, Lightweight Application Security Process (CLASP) Metodologías para la incorporación de la seguridad en el SDLC Comprehesive, Lightweight Application Security Process (CLASP) Software Assurance Maturity Model (SAMM) Open Web Application Security Project (OWASP) is a not-for-profit worldwide organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. OWASP is a new kind of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective information about application security. OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. Similar to many open-source software projects, OWASP produces many types of materials in a collaborative, open way. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

CLASP Organización: 5 Vistas 7 roles asociados al SDLC Gerente de Proyecto Arquitecto Especificador de Requerimientos Diseñador Implementador (equipos de desarrollo) Tester Auditor de Seguridad 24 Actividades a desarrollar 104 fallas de seguridad agrupadas en 5 categorías Open Web Application Security Project (OWASP) is a not-for-profit worldwide organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. OWASP is a new kind of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective information about application security. OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. Similar to many open-source software projects, OWASP produces many types of materials in a collaborative, open way. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

CLASP Consequences of unresolved Vulnerabilities Risk Assessment Defino cuales de los 7 roles participarán de mi proyecto Concepts View(I) Milestone: Understand how CLASP process components interact and how to apply II through V. Role-Based View (II) Milestone: Create roles required by security-related project and utilize them in III, IV and V Activity-Implementation View (IV) Milestone: Perform subset of 24 security-related CLASP activities selected in III Activity-Assessment View (III) Milestone: Assess 24 security-related CLASP activities for suitability in IV Implementation Costs Activity Applicability Risk of Inaction Risk Assessment Vulnerability View (V) Milestone: Integrate solutions to problem types into III and IV Consequences of unresolved Vulnerabilities Problem Types 104 problems types are sub-sumed under 5 high-level Categories Exposures Periods (by SDLC phases) Avoidance & Mitigation Techniques A & M Periods (by SDLC phases) Open Web Application Security Project (OWASP) is a not-for-profit worldwide organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. OWASP is a new kind of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective information about application security. OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. Similar to many open-source software projects, OWASP produces many types of materials in a collaborative, open way. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. Defino cuales de las 24 actividades ejecutaré

CLASP Open Web Application Security Project (OWASP) is a not-for-profit worldwide organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. OWASP is a new kind of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective information about application security. OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. Similar to many open-source software projects, OWASP produces many types of materials in a collaborative, open way. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

OpenSAMM Los recursos de SAMM ayudarán a: Evaluar las prácticas de seguridad existentes Construir un programa de seguridad en iteraciones bien definidas Demostrar mejoras concretas en el aseguramiento de Software Definir y medir las actividades relacionadas con seguridad Open Web Application Security Project (OWASP) is a not-for-profit worldwide organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. OWASP is a new kind of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective information about application security. OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. Similar to many open-source software projects, OWASP produces many types of materials in a collaborative, open way. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

OpenSAMM Funciones de Negocio Open Web Application Security Project (OWASP) is a not-for-profit worldwide organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. OWASP is a new kind of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective information about application security. OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. Similar to many open-source software projects, OWASP produces many types of materials in a collaborative, open way. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. Funciones de Negocio

OpenSAMM Open Web Application Security Project (OWASP) is a not-for-profit worldwide organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. OWASP is a new kind of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective information about application security. OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. Similar to many open-source software projects, OWASP produces many types of materials in a collaborative, open way. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

OpenSAMM Open Web Application Security Project (OWASP) is a not-for-profit worldwide organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. OWASP is a new kind of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective information about application security. OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. Similar to many open-source software projects, OWASP produces many types of materials in a collaborative, open way. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

OpenSAMM Por cada nivel SAMM define: Objetivos Actividades Resultados Umbrales de satisfacción Coste Personal Niveles relacionados Open Web Application Security Project (OWASP) is a not-for-profit worldwide organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. OWASP is a new kind of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective information about application security. OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. Similar to many open-source software projects, OWASP produces many types of materials in a collaborative, open way. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

OWASP == ‘Secure SDLC’ Validar requerimientos de seguridad ASVS Top 10 ZAP OWASP Swingset Testing Guide Code review Mantra ESAPI WAF Code Crawler Validar requerimientos de seguridad Establecer requerimientos de Seguridad Testing de Seguridad WAF/XML firewalls Análisis de Riesgo Revisión de Código Política Concientización Entrenamiento Controles Open Web Application Security Project (OWASP) is a not-for-profit worldwide organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. OWASP is a new kind of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective information about application security. OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. Similar to many open-source software projects, OWASP produces many types of materials in a collaborative, open way. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. Plan Construir Test Implementar SDLC Prácticas de desarrollo Seguro

Mauro Flores mauro.flores@owasp.org OWASP Uruguay Chapter Leader Feel free to ask questions. Thank you! Mauro Flores OWASP Uruguay Chapter Leader OWASP Global Industry Committee mauro.flores@owasp.org Twitter: @mauro_fcib