thanks to swisscom - owasp · 2020-01-17 · 1. introduction 2. phases purpose possible candidates...
TRANSCRIPT
Thanks to Swisscom
wwwswisscomcom Swisscom_de
The OWASP Foundation httpswwwowasporg
S-SDLC ndash Ready for Clouds
Robert Schneider
robertschneiderowasporg
Robert Schneider
ICT Security Officer Swisscom IT Services
robertschneiderowasporg
schattenbaum_ch
wwwschattenbaumch
wwwowaspch
Table of Contents
1 Introduction
2 Phases
Purpose
Possible candidates
Pitfalls
3 Wrap up
4 Questions amp Open discussion
4
Disclaimer
This talk is not going to be about
SDLC basics (Waterfall Agile SW Development Sprints hellip)
Checks for malicious behaviour (additional features to assure this)
5
Introduction
What are we building
6
7
8
9
IDE Unit Testing
Vuln Scan
Code Review
SCM
CI
Introduction
What do we have to keep in mind
Wide range of coding language support
CI Jenkins Bamboo hellip
SCM GIT SVN hellip
Traceability (Logging)
Multiuser amp -tenant
10
Introduction
What do we want to achieve
As much automation as possible
Developers are integrated in automated monitoring
As few additional effort for developers as possible
Early detection of software flaws
11
12
IDE
LampS
IP Scan Vuln Scan
Code Review
SCM
CI Unit Testing
Introduction
This should help us to achieve
A secure cloud
13
Phases
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
14
INTELLECTUAL PROPERTY SCAN
15
IP Scan
Who is using Open Source Software (OSS)
16
IP Scan
What OSS components do you use
In which version
17
IP Scan
Are you sure that you know them all
Even snippets
18
IP Scan
Has Security approved the use of them
Legal as well
19
IP Scan
Are you allowed to contribute your work
If yes
What are you allowed to contribute
back to the community
How are you allowed to do that
20
IP Scan
Is one of the used components vulnerable to a CVE
21
Possible candidates
Palamida
Open Logic
Black Duck
22
WWWOHLOHNET
23
Pitfalls
Processes of different operation units do not merge as easy as you would like them to
You may need additional employees
Do you allow the tool to connect to the internet and transmit data
What do you do after you know your problems
24
CODE REVIEW
25
Code Review
Detect software flaws as early as possible
Even some bad coding practices
26
Code Review
Long-term benefits
Developers get to know what actually to look for and
Know how to prevent these flaws from the beginning
27
Code Review
Time amp budget saving
28
Possible candidates
Sonatype
HP Fortify
Defensecode ThunderScan
Checkmarx
See also wwwowasporg
29
Pitfalls
Training needed
False Positives amp Negatives
Developers do not see the tool as an improvement
Management does not see the long-term benefits
30
WHAT ABOUT BINARIES
31
Binaries
Veracode
Big players are using it
Placed in the USA
Your data does not stay at ldquohomerdquo
32
VULNERABILITY SCANNING
33
Vulnerability Scanning
Is the ready-to-deploy application still vulnerable
34
Vulnerability Scanning
This phase is comparable to an automated Penetration test
35
36
Vulnerability Scanning
Pre-deployment
Again checking for OWASP Top 10 and
Even the flaws we have not been able to test for during phase 2
37
Possible candidates
WhiteHat Security Sentinel
Quotium Seeker
HP WebInspect
Defensecode Web Security Scanner
Cenzic Hailstorm
Burp Suite Pro
Acunetix
38
WebSockets
Burp Suite Pro (v1521)
39
Pitfalls
Training needed
False Positives amp Negatives
ldquoAutomatedrdquo deployment of applications needed (Sandbox)
Fixing times
40
STRESS amp LOAD TESTING
41
S amp L Testing
How does it scale
Will the software ldquoruinrdquo us when we start using it in the cloud
42
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
The OWASP Foundation httpswwwowasporg
S-SDLC ndash Ready for Clouds
Robert Schneider
robertschneiderowasporg
Robert Schneider
ICT Security Officer Swisscom IT Services
robertschneiderowasporg
schattenbaum_ch
wwwschattenbaumch
wwwowaspch
Table of Contents
1 Introduction
2 Phases
Purpose
Possible candidates
Pitfalls
3 Wrap up
4 Questions amp Open discussion
4
Disclaimer
This talk is not going to be about
SDLC basics (Waterfall Agile SW Development Sprints hellip)
Checks for malicious behaviour (additional features to assure this)
5
Introduction
What are we building
6
7
8
9
IDE Unit Testing
Vuln Scan
Code Review
SCM
CI
Introduction
What do we have to keep in mind
Wide range of coding language support
CI Jenkins Bamboo hellip
SCM GIT SVN hellip
Traceability (Logging)
Multiuser amp -tenant
10
Introduction
What do we want to achieve
As much automation as possible
Developers are integrated in automated monitoring
As few additional effort for developers as possible
Early detection of software flaws
11
12
IDE
LampS
IP Scan Vuln Scan
Code Review
SCM
CI Unit Testing
Introduction
This should help us to achieve
A secure cloud
13
Phases
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
14
INTELLECTUAL PROPERTY SCAN
15
IP Scan
Who is using Open Source Software (OSS)
16
IP Scan
What OSS components do you use
In which version
17
IP Scan
Are you sure that you know them all
Even snippets
18
IP Scan
Has Security approved the use of them
Legal as well
19
IP Scan
Are you allowed to contribute your work
If yes
What are you allowed to contribute
back to the community
How are you allowed to do that
20
IP Scan
Is one of the used components vulnerable to a CVE
21
Possible candidates
Palamida
Open Logic
Black Duck
22
WWWOHLOHNET
23
Pitfalls
Processes of different operation units do not merge as easy as you would like them to
You may need additional employees
Do you allow the tool to connect to the internet and transmit data
What do you do after you know your problems
24
CODE REVIEW
25
Code Review
Detect software flaws as early as possible
Even some bad coding practices
26
Code Review
Long-term benefits
Developers get to know what actually to look for and
Know how to prevent these flaws from the beginning
27
Code Review
Time amp budget saving
28
Possible candidates
Sonatype
HP Fortify
Defensecode ThunderScan
Checkmarx
See also wwwowasporg
29
Pitfalls
Training needed
False Positives amp Negatives
Developers do not see the tool as an improvement
Management does not see the long-term benefits
30
WHAT ABOUT BINARIES
31
Binaries
Veracode
Big players are using it
Placed in the USA
Your data does not stay at ldquohomerdquo
32
VULNERABILITY SCANNING
33
Vulnerability Scanning
Is the ready-to-deploy application still vulnerable
34
Vulnerability Scanning
This phase is comparable to an automated Penetration test
35
36
Vulnerability Scanning
Pre-deployment
Again checking for OWASP Top 10 and
Even the flaws we have not been able to test for during phase 2
37
Possible candidates
WhiteHat Security Sentinel
Quotium Seeker
HP WebInspect
Defensecode Web Security Scanner
Cenzic Hailstorm
Burp Suite Pro
Acunetix
38
WebSockets
Burp Suite Pro (v1521)
39
Pitfalls
Training needed
False Positives amp Negatives
ldquoAutomatedrdquo deployment of applications needed (Sandbox)
Fixing times
40
STRESS amp LOAD TESTING
41
S amp L Testing
How does it scale
Will the software ldquoruinrdquo us when we start using it in the cloud
42
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
Robert Schneider
ICT Security Officer Swisscom IT Services
robertschneiderowasporg
schattenbaum_ch
wwwschattenbaumch
wwwowaspch
Table of Contents
1 Introduction
2 Phases
Purpose
Possible candidates
Pitfalls
3 Wrap up
4 Questions amp Open discussion
4
Disclaimer
This talk is not going to be about
SDLC basics (Waterfall Agile SW Development Sprints hellip)
Checks for malicious behaviour (additional features to assure this)
5
Introduction
What are we building
6
7
8
9
IDE Unit Testing
Vuln Scan
Code Review
SCM
CI
Introduction
What do we have to keep in mind
Wide range of coding language support
CI Jenkins Bamboo hellip
SCM GIT SVN hellip
Traceability (Logging)
Multiuser amp -tenant
10
Introduction
What do we want to achieve
As much automation as possible
Developers are integrated in automated monitoring
As few additional effort for developers as possible
Early detection of software flaws
11
12
IDE
LampS
IP Scan Vuln Scan
Code Review
SCM
CI Unit Testing
Introduction
This should help us to achieve
A secure cloud
13
Phases
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
14
INTELLECTUAL PROPERTY SCAN
15
IP Scan
Who is using Open Source Software (OSS)
16
IP Scan
What OSS components do you use
In which version
17
IP Scan
Are you sure that you know them all
Even snippets
18
IP Scan
Has Security approved the use of them
Legal as well
19
IP Scan
Are you allowed to contribute your work
If yes
What are you allowed to contribute
back to the community
How are you allowed to do that
20
IP Scan
Is one of the used components vulnerable to a CVE
21
Possible candidates
Palamida
Open Logic
Black Duck
22
WWWOHLOHNET
23
Pitfalls
Processes of different operation units do not merge as easy as you would like them to
You may need additional employees
Do you allow the tool to connect to the internet and transmit data
What do you do after you know your problems
24
CODE REVIEW
25
Code Review
Detect software flaws as early as possible
Even some bad coding practices
26
Code Review
Long-term benefits
Developers get to know what actually to look for and
Know how to prevent these flaws from the beginning
27
Code Review
Time amp budget saving
28
Possible candidates
Sonatype
HP Fortify
Defensecode ThunderScan
Checkmarx
See also wwwowasporg
29
Pitfalls
Training needed
False Positives amp Negatives
Developers do not see the tool as an improvement
Management does not see the long-term benefits
30
WHAT ABOUT BINARIES
31
Binaries
Veracode
Big players are using it
Placed in the USA
Your data does not stay at ldquohomerdquo
32
VULNERABILITY SCANNING
33
Vulnerability Scanning
Is the ready-to-deploy application still vulnerable
34
Vulnerability Scanning
This phase is comparable to an automated Penetration test
35
36
Vulnerability Scanning
Pre-deployment
Again checking for OWASP Top 10 and
Even the flaws we have not been able to test for during phase 2
37
Possible candidates
WhiteHat Security Sentinel
Quotium Seeker
HP WebInspect
Defensecode Web Security Scanner
Cenzic Hailstorm
Burp Suite Pro
Acunetix
38
WebSockets
Burp Suite Pro (v1521)
39
Pitfalls
Training needed
False Positives amp Negatives
ldquoAutomatedrdquo deployment of applications needed (Sandbox)
Fixing times
40
STRESS amp LOAD TESTING
41
S amp L Testing
How does it scale
Will the software ldquoruinrdquo us when we start using it in the cloud
42
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
Table of Contents
1 Introduction
2 Phases
Purpose
Possible candidates
Pitfalls
3 Wrap up
4 Questions amp Open discussion
4
Disclaimer
This talk is not going to be about
SDLC basics (Waterfall Agile SW Development Sprints hellip)
Checks for malicious behaviour (additional features to assure this)
5
Introduction
What are we building
6
7
8
9
IDE Unit Testing
Vuln Scan
Code Review
SCM
CI
Introduction
What do we have to keep in mind
Wide range of coding language support
CI Jenkins Bamboo hellip
SCM GIT SVN hellip
Traceability (Logging)
Multiuser amp -tenant
10
Introduction
What do we want to achieve
As much automation as possible
Developers are integrated in automated monitoring
As few additional effort for developers as possible
Early detection of software flaws
11
12
IDE
LampS
IP Scan Vuln Scan
Code Review
SCM
CI Unit Testing
Introduction
This should help us to achieve
A secure cloud
13
Phases
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
14
INTELLECTUAL PROPERTY SCAN
15
IP Scan
Who is using Open Source Software (OSS)
16
IP Scan
What OSS components do you use
In which version
17
IP Scan
Are you sure that you know them all
Even snippets
18
IP Scan
Has Security approved the use of them
Legal as well
19
IP Scan
Are you allowed to contribute your work
If yes
What are you allowed to contribute
back to the community
How are you allowed to do that
20
IP Scan
Is one of the used components vulnerable to a CVE
21
Possible candidates
Palamida
Open Logic
Black Duck
22
WWWOHLOHNET
23
Pitfalls
Processes of different operation units do not merge as easy as you would like them to
You may need additional employees
Do you allow the tool to connect to the internet and transmit data
What do you do after you know your problems
24
CODE REVIEW
25
Code Review
Detect software flaws as early as possible
Even some bad coding practices
26
Code Review
Long-term benefits
Developers get to know what actually to look for and
Know how to prevent these flaws from the beginning
27
Code Review
Time amp budget saving
28
Possible candidates
Sonatype
HP Fortify
Defensecode ThunderScan
Checkmarx
See also wwwowasporg
29
Pitfalls
Training needed
False Positives amp Negatives
Developers do not see the tool as an improvement
Management does not see the long-term benefits
30
WHAT ABOUT BINARIES
31
Binaries
Veracode
Big players are using it
Placed in the USA
Your data does not stay at ldquohomerdquo
32
VULNERABILITY SCANNING
33
Vulnerability Scanning
Is the ready-to-deploy application still vulnerable
34
Vulnerability Scanning
This phase is comparable to an automated Penetration test
35
36
Vulnerability Scanning
Pre-deployment
Again checking for OWASP Top 10 and
Even the flaws we have not been able to test for during phase 2
37
Possible candidates
WhiteHat Security Sentinel
Quotium Seeker
HP WebInspect
Defensecode Web Security Scanner
Cenzic Hailstorm
Burp Suite Pro
Acunetix
38
WebSockets
Burp Suite Pro (v1521)
39
Pitfalls
Training needed
False Positives amp Negatives
ldquoAutomatedrdquo deployment of applications needed (Sandbox)
Fixing times
40
STRESS amp LOAD TESTING
41
S amp L Testing
How does it scale
Will the software ldquoruinrdquo us when we start using it in the cloud
42
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
Disclaimer
This talk is not going to be about
SDLC basics (Waterfall Agile SW Development Sprints hellip)
Checks for malicious behaviour (additional features to assure this)
5
Introduction
What are we building
6
7
8
9
IDE Unit Testing
Vuln Scan
Code Review
SCM
CI
Introduction
What do we have to keep in mind
Wide range of coding language support
CI Jenkins Bamboo hellip
SCM GIT SVN hellip
Traceability (Logging)
Multiuser amp -tenant
10
Introduction
What do we want to achieve
As much automation as possible
Developers are integrated in automated monitoring
As few additional effort for developers as possible
Early detection of software flaws
11
12
IDE
LampS
IP Scan Vuln Scan
Code Review
SCM
CI Unit Testing
Introduction
This should help us to achieve
A secure cloud
13
Phases
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
14
INTELLECTUAL PROPERTY SCAN
15
IP Scan
Who is using Open Source Software (OSS)
16
IP Scan
What OSS components do you use
In which version
17
IP Scan
Are you sure that you know them all
Even snippets
18
IP Scan
Has Security approved the use of them
Legal as well
19
IP Scan
Are you allowed to contribute your work
If yes
What are you allowed to contribute
back to the community
How are you allowed to do that
20
IP Scan
Is one of the used components vulnerable to a CVE
21
Possible candidates
Palamida
Open Logic
Black Duck
22
WWWOHLOHNET
23
Pitfalls
Processes of different operation units do not merge as easy as you would like them to
You may need additional employees
Do you allow the tool to connect to the internet and transmit data
What do you do after you know your problems
24
CODE REVIEW
25
Code Review
Detect software flaws as early as possible
Even some bad coding practices
26
Code Review
Long-term benefits
Developers get to know what actually to look for and
Know how to prevent these flaws from the beginning
27
Code Review
Time amp budget saving
28
Possible candidates
Sonatype
HP Fortify
Defensecode ThunderScan
Checkmarx
See also wwwowasporg
29
Pitfalls
Training needed
False Positives amp Negatives
Developers do not see the tool as an improvement
Management does not see the long-term benefits
30
WHAT ABOUT BINARIES
31
Binaries
Veracode
Big players are using it
Placed in the USA
Your data does not stay at ldquohomerdquo
32
VULNERABILITY SCANNING
33
Vulnerability Scanning
Is the ready-to-deploy application still vulnerable
34
Vulnerability Scanning
This phase is comparable to an automated Penetration test
35
36
Vulnerability Scanning
Pre-deployment
Again checking for OWASP Top 10 and
Even the flaws we have not been able to test for during phase 2
37
Possible candidates
WhiteHat Security Sentinel
Quotium Seeker
HP WebInspect
Defensecode Web Security Scanner
Cenzic Hailstorm
Burp Suite Pro
Acunetix
38
WebSockets
Burp Suite Pro (v1521)
39
Pitfalls
Training needed
False Positives amp Negatives
ldquoAutomatedrdquo deployment of applications needed (Sandbox)
Fixing times
40
STRESS amp LOAD TESTING
41
S amp L Testing
How does it scale
Will the software ldquoruinrdquo us when we start using it in the cloud
42
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
Introduction
What are we building
6
7
8
9
IDE Unit Testing
Vuln Scan
Code Review
SCM
CI
Introduction
What do we have to keep in mind
Wide range of coding language support
CI Jenkins Bamboo hellip
SCM GIT SVN hellip
Traceability (Logging)
Multiuser amp -tenant
10
Introduction
What do we want to achieve
As much automation as possible
Developers are integrated in automated monitoring
As few additional effort for developers as possible
Early detection of software flaws
11
12
IDE
LampS
IP Scan Vuln Scan
Code Review
SCM
CI Unit Testing
Introduction
This should help us to achieve
A secure cloud
13
Phases
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
14
INTELLECTUAL PROPERTY SCAN
15
IP Scan
Who is using Open Source Software (OSS)
16
IP Scan
What OSS components do you use
In which version
17
IP Scan
Are you sure that you know them all
Even snippets
18
IP Scan
Has Security approved the use of them
Legal as well
19
IP Scan
Are you allowed to contribute your work
If yes
What are you allowed to contribute
back to the community
How are you allowed to do that
20
IP Scan
Is one of the used components vulnerable to a CVE
21
Possible candidates
Palamida
Open Logic
Black Duck
22
WWWOHLOHNET
23
Pitfalls
Processes of different operation units do not merge as easy as you would like them to
You may need additional employees
Do you allow the tool to connect to the internet and transmit data
What do you do after you know your problems
24
CODE REVIEW
25
Code Review
Detect software flaws as early as possible
Even some bad coding practices
26
Code Review
Long-term benefits
Developers get to know what actually to look for and
Know how to prevent these flaws from the beginning
27
Code Review
Time amp budget saving
28
Possible candidates
Sonatype
HP Fortify
Defensecode ThunderScan
Checkmarx
See also wwwowasporg
29
Pitfalls
Training needed
False Positives amp Negatives
Developers do not see the tool as an improvement
Management does not see the long-term benefits
30
WHAT ABOUT BINARIES
31
Binaries
Veracode
Big players are using it
Placed in the USA
Your data does not stay at ldquohomerdquo
32
VULNERABILITY SCANNING
33
Vulnerability Scanning
Is the ready-to-deploy application still vulnerable
34
Vulnerability Scanning
This phase is comparable to an automated Penetration test
35
36
Vulnerability Scanning
Pre-deployment
Again checking for OWASP Top 10 and
Even the flaws we have not been able to test for during phase 2
37
Possible candidates
WhiteHat Security Sentinel
Quotium Seeker
HP WebInspect
Defensecode Web Security Scanner
Cenzic Hailstorm
Burp Suite Pro
Acunetix
38
WebSockets
Burp Suite Pro (v1521)
39
Pitfalls
Training needed
False Positives amp Negatives
ldquoAutomatedrdquo deployment of applications needed (Sandbox)
Fixing times
40
STRESS amp LOAD TESTING
41
S amp L Testing
How does it scale
Will the software ldquoruinrdquo us when we start using it in the cloud
42
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
7
8
9
IDE Unit Testing
Vuln Scan
Code Review
SCM
CI
Introduction
What do we have to keep in mind
Wide range of coding language support
CI Jenkins Bamboo hellip
SCM GIT SVN hellip
Traceability (Logging)
Multiuser amp -tenant
10
Introduction
What do we want to achieve
As much automation as possible
Developers are integrated in automated monitoring
As few additional effort for developers as possible
Early detection of software flaws
11
12
IDE
LampS
IP Scan Vuln Scan
Code Review
SCM
CI Unit Testing
Introduction
This should help us to achieve
A secure cloud
13
Phases
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
14
INTELLECTUAL PROPERTY SCAN
15
IP Scan
Who is using Open Source Software (OSS)
16
IP Scan
What OSS components do you use
In which version
17
IP Scan
Are you sure that you know them all
Even snippets
18
IP Scan
Has Security approved the use of them
Legal as well
19
IP Scan
Are you allowed to contribute your work
If yes
What are you allowed to contribute
back to the community
How are you allowed to do that
20
IP Scan
Is one of the used components vulnerable to a CVE
21
Possible candidates
Palamida
Open Logic
Black Duck
22
WWWOHLOHNET
23
Pitfalls
Processes of different operation units do not merge as easy as you would like them to
You may need additional employees
Do you allow the tool to connect to the internet and transmit data
What do you do after you know your problems
24
CODE REVIEW
25
Code Review
Detect software flaws as early as possible
Even some bad coding practices
26
Code Review
Long-term benefits
Developers get to know what actually to look for and
Know how to prevent these flaws from the beginning
27
Code Review
Time amp budget saving
28
Possible candidates
Sonatype
HP Fortify
Defensecode ThunderScan
Checkmarx
See also wwwowasporg
29
Pitfalls
Training needed
False Positives amp Negatives
Developers do not see the tool as an improvement
Management does not see the long-term benefits
30
WHAT ABOUT BINARIES
31
Binaries
Veracode
Big players are using it
Placed in the USA
Your data does not stay at ldquohomerdquo
32
VULNERABILITY SCANNING
33
Vulnerability Scanning
Is the ready-to-deploy application still vulnerable
34
Vulnerability Scanning
This phase is comparable to an automated Penetration test
35
36
Vulnerability Scanning
Pre-deployment
Again checking for OWASP Top 10 and
Even the flaws we have not been able to test for during phase 2
37
Possible candidates
WhiteHat Security Sentinel
Quotium Seeker
HP WebInspect
Defensecode Web Security Scanner
Cenzic Hailstorm
Burp Suite Pro
Acunetix
38
WebSockets
Burp Suite Pro (v1521)
39
Pitfalls
Training needed
False Positives amp Negatives
ldquoAutomatedrdquo deployment of applications needed (Sandbox)
Fixing times
40
STRESS amp LOAD TESTING
41
S amp L Testing
How does it scale
Will the software ldquoruinrdquo us when we start using it in the cloud
42
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
8
9
IDE Unit Testing
Vuln Scan
Code Review
SCM
CI
Introduction
What do we have to keep in mind
Wide range of coding language support
CI Jenkins Bamboo hellip
SCM GIT SVN hellip
Traceability (Logging)
Multiuser amp -tenant
10
Introduction
What do we want to achieve
As much automation as possible
Developers are integrated in automated monitoring
As few additional effort for developers as possible
Early detection of software flaws
11
12
IDE
LampS
IP Scan Vuln Scan
Code Review
SCM
CI Unit Testing
Introduction
This should help us to achieve
A secure cloud
13
Phases
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
14
INTELLECTUAL PROPERTY SCAN
15
IP Scan
Who is using Open Source Software (OSS)
16
IP Scan
What OSS components do you use
In which version
17
IP Scan
Are you sure that you know them all
Even snippets
18
IP Scan
Has Security approved the use of them
Legal as well
19
IP Scan
Are you allowed to contribute your work
If yes
What are you allowed to contribute
back to the community
How are you allowed to do that
20
IP Scan
Is one of the used components vulnerable to a CVE
21
Possible candidates
Palamida
Open Logic
Black Duck
22
WWWOHLOHNET
23
Pitfalls
Processes of different operation units do not merge as easy as you would like them to
You may need additional employees
Do you allow the tool to connect to the internet and transmit data
What do you do after you know your problems
24
CODE REVIEW
25
Code Review
Detect software flaws as early as possible
Even some bad coding practices
26
Code Review
Long-term benefits
Developers get to know what actually to look for and
Know how to prevent these flaws from the beginning
27
Code Review
Time amp budget saving
28
Possible candidates
Sonatype
HP Fortify
Defensecode ThunderScan
Checkmarx
See also wwwowasporg
29
Pitfalls
Training needed
False Positives amp Negatives
Developers do not see the tool as an improvement
Management does not see the long-term benefits
30
WHAT ABOUT BINARIES
31
Binaries
Veracode
Big players are using it
Placed in the USA
Your data does not stay at ldquohomerdquo
32
VULNERABILITY SCANNING
33
Vulnerability Scanning
Is the ready-to-deploy application still vulnerable
34
Vulnerability Scanning
This phase is comparable to an automated Penetration test
35
36
Vulnerability Scanning
Pre-deployment
Again checking for OWASP Top 10 and
Even the flaws we have not been able to test for during phase 2
37
Possible candidates
WhiteHat Security Sentinel
Quotium Seeker
HP WebInspect
Defensecode Web Security Scanner
Cenzic Hailstorm
Burp Suite Pro
Acunetix
38
WebSockets
Burp Suite Pro (v1521)
39
Pitfalls
Training needed
False Positives amp Negatives
ldquoAutomatedrdquo deployment of applications needed (Sandbox)
Fixing times
40
STRESS amp LOAD TESTING
41
S amp L Testing
How does it scale
Will the software ldquoruinrdquo us when we start using it in the cloud
42
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
9
IDE Unit Testing
Vuln Scan
Code Review
SCM
CI
Introduction
What do we have to keep in mind
Wide range of coding language support
CI Jenkins Bamboo hellip
SCM GIT SVN hellip
Traceability (Logging)
Multiuser amp -tenant
10
Introduction
What do we want to achieve
As much automation as possible
Developers are integrated in automated monitoring
As few additional effort for developers as possible
Early detection of software flaws
11
12
IDE
LampS
IP Scan Vuln Scan
Code Review
SCM
CI Unit Testing
Introduction
This should help us to achieve
A secure cloud
13
Phases
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
14
INTELLECTUAL PROPERTY SCAN
15
IP Scan
Who is using Open Source Software (OSS)
16
IP Scan
What OSS components do you use
In which version
17
IP Scan
Are you sure that you know them all
Even snippets
18
IP Scan
Has Security approved the use of them
Legal as well
19
IP Scan
Are you allowed to contribute your work
If yes
What are you allowed to contribute
back to the community
How are you allowed to do that
20
IP Scan
Is one of the used components vulnerable to a CVE
21
Possible candidates
Palamida
Open Logic
Black Duck
22
WWWOHLOHNET
23
Pitfalls
Processes of different operation units do not merge as easy as you would like them to
You may need additional employees
Do you allow the tool to connect to the internet and transmit data
What do you do after you know your problems
24
CODE REVIEW
25
Code Review
Detect software flaws as early as possible
Even some bad coding practices
26
Code Review
Long-term benefits
Developers get to know what actually to look for and
Know how to prevent these flaws from the beginning
27
Code Review
Time amp budget saving
28
Possible candidates
Sonatype
HP Fortify
Defensecode ThunderScan
Checkmarx
See also wwwowasporg
29
Pitfalls
Training needed
False Positives amp Negatives
Developers do not see the tool as an improvement
Management does not see the long-term benefits
30
WHAT ABOUT BINARIES
31
Binaries
Veracode
Big players are using it
Placed in the USA
Your data does not stay at ldquohomerdquo
32
VULNERABILITY SCANNING
33
Vulnerability Scanning
Is the ready-to-deploy application still vulnerable
34
Vulnerability Scanning
This phase is comparable to an automated Penetration test
35
36
Vulnerability Scanning
Pre-deployment
Again checking for OWASP Top 10 and
Even the flaws we have not been able to test for during phase 2
37
Possible candidates
WhiteHat Security Sentinel
Quotium Seeker
HP WebInspect
Defensecode Web Security Scanner
Cenzic Hailstorm
Burp Suite Pro
Acunetix
38
WebSockets
Burp Suite Pro (v1521)
39
Pitfalls
Training needed
False Positives amp Negatives
ldquoAutomatedrdquo deployment of applications needed (Sandbox)
Fixing times
40
STRESS amp LOAD TESTING
41
S amp L Testing
How does it scale
Will the software ldquoruinrdquo us when we start using it in the cloud
42
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
Introduction
What do we have to keep in mind
Wide range of coding language support
CI Jenkins Bamboo hellip
SCM GIT SVN hellip
Traceability (Logging)
Multiuser amp -tenant
10
Introduction
What do we want to achieve
As much automation as possible
Developers are integrated in automated monitoring
As few additional effort for developers as possible
Early detection of software flaws
11
12
IDE
LampS
IP Scan Vuln Scan
Code Review
SCM
CI Unit Testing
Introduction
This should help us to achieve
A secure cloud
13
Phases
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
14
INTELLECTUAL PROPERTY SCAN
15
IP Scan
Who is using Open Source Software (OSS)
16
IP Scan
What OSS components do you use
In which version
17
IP Scan
Are you sure that you know them all
Even snippets
18
IP Scan
Has Security approved the use of them
Legal as well
19
IP Scan
Are you allowed to contribute your work
If yes
What are you allowed to contribute
back to the community
How are you allowed to do that
20
IP Scan
Is one of the used components vulnerable to a CVE
21
Possible candidates
Palamida
Open Logic
Black Duck
22
WWWOHLOHNET
23
Pitfalls
Processes of different operation units do not merge as easy as you would like them to
You may need additional employees
Do you allow the tool to connect to the internet and transmit data
What do you do after you know your problems
24
CODE REVIEW
25
Code Review
Detect software flaws as early as possible
Even some bad coding practices
26
Code Review
Long-term benefits
Developers get to know what actually to look for and
Know how to prevent these flaws from the beginning
27
Code Review
Time amp budget saving
28
Possible candidates
Sonatype
HP Fortify
Defensecode ThunderScan
Checkmarx
See also wwwowasporg
29
Pitfalls
Training needed
False Positives amp Negatives
Developers do not see the tool as an improvement
Management does not see the long-term benefits
30
WHAT ABOUT BINARIES
31
Binaries
Veracode
Big players are using it
Placed in the USA
Your data does not stay at ldquohomerdquo
32
VULNERABILITY SCANNING
33
Vulnerability Scanning
Is the ready-to-deploy application still vulnerable
34
Vulnerability Scanning
This phase is comparable to an automated Penetration test
35
36
Vulnerability Scanning
Pre-deployment
Again checking for OWASP Top 10 and
Even the flaws we have not been able to test for during phase 2
37
Possible candidates
WhiteHat Security Sentinel
Quotium Seeker
HP WebInspect
Defensecode Web Security Scanner
Cenzic Hailstorm
Burp Suite Pro
Acunetix
38
WebSockets
Burp Suite Pro (v1521)
39
Pitfalls
Training needed
False Positives amp Negatives
ldquoAutomatedrdquo deployment of applications needed (Sandbox)
Fixing times
40
STRESS amp LOAD TESTING
41
S amp L Testing
How does it scale
Will the software ldquoruinrdquo us when we start using it in the cloud
42
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
Introduction
What do we want to achieve
As much automation as possible
Developers are integrated in automated monitoring
As few additional effort for developers as possible
Early detection of software flaws
11
12
IDE
LampS
IP Scan Vuln Scan
Code Review
SCM
CI Unit Testing
Introduction
This should help us to achieve
A secure cloud
13
Phases
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
14
INTELLECTUAL PROPERTY SCAN
15
IP Scan
Who is using Open Source Software (OSS)
16
IP Scan
What OSS components do you use
In which version
17
IP Scan
Are you sure that you know them all
Even snippets
18
IP Scan
Has Security approved the use of them
Legal as well
19
IP Scan
Are you allowed to contribute your work
If yes
What are you allowed to contribute
back to the community
How are you allowed to do that
20
IP Scan
Is one of the used components vulnerable to a CVE
21
Possible candidates
Palamida
Open Logic
Black Duck
22
WWWOHLOHNET
23
Pitfalls
Processes of different operation units do not merge as easy as you would like them to
You may need additional employees
Do you allow the tool to connect to the internet and transmit data
What do you do after you know your problems
24
CODE REVIEW
25
Code Review
Detect software flaws as early as possible
Even some bad coding practices
26
Code Review
Long-term benefits
Developers get to know what actually to look for and
Know how to prevent these flaws from the beginning
27
Code Review
Time amp budget saving
28
Possible candidates
Sonatype
HP Fortify
Defensecode ThunderScan
Checkmarx
See also wwwowasporg
29
Pitfalls
Training needed
False Positives amp Negatives
Developers do not see the tool as an improvement
Management does not see the long-term benefits
30
WHAT ABOUT BINARIES
31
Binaries
Veracode
Big players are using it
Placed in the USA
Your data does not stay at ldquohomerdquo
32
VULNERABILITY SCANNING
33
Vulnerability Scanning
Is the ready-to-deploy application still vulnerable
34
Vulnerability Scanning
This phase is comparable to an automated Penetration test
35
36
Vulnerability Scanning
Pre-deployment
Again checking for OWASP Top 10 and
Even the flaws we have not been able to test for during phase 2
37
Possible candidates
WhiteHat Security Sentinel
Quotium Seeker
HP WebInspect
Defensecode Web Security Scanner
Cenzic Hailstorm
Burp Suite Pro
Acunetix
38
WebSockets
Burp Suite Pro (v1521)
39
Pitfalls
Training needed
False Positives amp Negatives
ldquoAutomatedrdquo deployment of applications needed (Sandbox)
Fixing times
40
STRESS amp LOAD TESTING
41
S amp L Testing
How does it scale
Will the software ldquoruinrdquo us when we start using it in the cloud
42
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
12
IDE
LampS
IP Scan Vuln Scan
Code Review
SCM
CI Unit Testing
Introduction
This should help us to achieve
A secure cloud
13
Phases
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
14
INTELLECTUAL PROPERTY SCAN
15
IP Scan
Who is using Open Source Software (OSS)
16
IP Scan
What OSS components do you use
In which version
17
IP Scan
Are you sure that you know them all
Even snippets
18
IP Scan
Has Security approved the use of them
Legal as well
19
IP Scan
Are you allowed to contribute your work
If yes
What are you allowed to contribute
back to the community
How are you allowed to do that
20
IP Scan
Is one of the used components vulnerable to a CVE
21
Possible candidates
Palamida
Open Logic
Black Duck
22
WWWOHLOHNET
23
Pitfalls
Processes of different operation units do not merge as easy as you would like them to
You may need additional employees
Do you allow the tool to connect to the internet and transmit data
What do you do after you know your problems
24
CODE REVIEW
25
Code Review
Detect software flaws as early as possible
Even some bad coding practices
26
Code Review
Long-term benefits
Developers get to know what actually to look for and
Know how to prevent these flaws from the beginning
27
Code Review
Time amp budget saving
28
Possible candidates
Sonatype
HP Fortify
Defensecode ThunderScan
Checkmarx
See also wwwowasporg
29
Pitfalls
Training needed
False Positives amp Negatives
Developers do not see the tool as an improvement
Management does not see the long-term benefits
30
WHAT ABOUT BINARIES
31
Binaries
Veracode
Big players are using it
Placed in the USA
Your data does not stay at ldquohomerdquo
32
VULNERABILITY SCANNING
33
Vulnerability Scanning
Is the ready-to-deploy application still vulnerable
34
Vulnerability Scanning
This phase is comparable to an automated Penetration test
35
36
Vulnerability Scanning
Pre-deployment
Again checking for OWASP Top 10 and
Even the flaws we have not been able to test for during phase 2
37
Possible candidates
WhiteHat Security Sentinel
Quotium Seeker
HP WebInspect
Defensecode Web Security Scanner
Cenzic Hailstorm
Burp Suite Pro
Acunetix
38
WebSockets
Burp Suite Pro (v1521)
39
Pitfalls
Training needed
False Positives amp Negatives
ldquoAutomatedrdquo deployment of applications needed (Sandbox)
Fixing times
40
STRESS amp LOAD TESTING
41
S amp L Testing
How does it scale
Will the software ldquoruinrdquo us when we start using it in the cloud
42
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
Introduction
This should help us to achieve
A secure cloud
13
Phases
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
14
INTELLECTUAL PROPERTY SCAN
15
IP Scan
Who is using Open Source Software (OSS)
16
IP Scan
What OSS components do you use
In which version
17
IP Scan
Are you sure that you know them all
Even snippets
18
IP Scan
Has Security approved the use of them
Legal as well
19
IP Scan
Are you allowed to contribute your work
If yes
What are you allowed to contribute
back to the community
How are you allowed to do that
20
IP Scan
Is one of the used components vulnerable to a CVE
21
Possible candidates
Palamida
Open Logic
Black Duck
22
WWWOHLOHNET
23
Pitfalls
Processes of different operation units do not merge as easy as you would like them to
You may need additional employees
Do you allow the tool to connect to the internet and transmit data
What do you do after you know your problems
24
CODE REVIEW
25
Code Review
Detect software flaws as early as possible
Even some bad coding practices
26
Code Review
Long-term benefits
Developers get to know what actually to look for and
Know how to prevent these flaws from the beginning
27
Code Review
Time amp budget saving
28
Possible candidates
Sonatype
HP Fortify
Defensecode ThunderScan
Checkmarx
See also wwwowasporg
29
Pitfalls
Training needed
False Positives amp Negatives
Developers do not see the tool as an improvement
Management does not see the long-term benefits
30
WHAT ABOUT BINARIES
31
Binaries
Veracode
Big players are using it
Placed in the USA
Your data does not stay at ldquohomerdquo
32
VULNERABILITY SCANNING
33
Vulnerability Scanning
Is the ready-to-deploy application still vulnerable
34
Vulnerability Scanning
This phase is comparable to an automated Penetration test
35
36
Vulnerability Scanning
Pre-deployment
Again checking for OWASP Top 10 and
Even the flaws we have not been able to test for during phase 2
37
Possible candidates
WhiteHat Security Sentinel
Quotium Seeker
HP WebInspect
Defensecode Web Security Scanner
Cenzic Hailstorm
Burp Suite Pro
Acunetix
38
WebSockets
Burp Suite Pro (v1521)
39
Pitfalls
Training needed
False Positives amp Negatives
ldquoAutomatedrdquo deployment of applications needed (Sandbox)
Fixing times
40
STRESS amp LOAD TESTING
41
S amp L Testing
How does it scale
Will the software ldquoruinrdquo us when we start using it in the cloud
42
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
Phases
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
14
INTELLECTUAL PROPERTY SCAN
15
IP Scan
Who is using Open Source Software (OSS)
16
IP Scan
What OSS components do you use
In which version
17
IP Scan
Are you sure that you know them all
Even snippets
18
IP Scan
Has Security approved the use of them
Legal as well
19
IP Scan
Are you allowed to contribute your work
If yes
What are you allowed to contribute
back to the community
How are you allowed to do that
20
IP Scan
Is one of the used components vulnerable to a CVE
21
Possible candidates
Palamida
Open Logic
Black Duck
22
WWWOHLOHNET
23
Pitfalls
Processes of different operation units do not merge as easy as you would like them to
You may need additional employees
Do you allow the tool to connect to the internet and transmit data
What do you do after you know your problems
24
CODE REVIEW
25
Code Review
Detect software flaws as early as possible
Even some bad coding practices
26
Code Review
Long-term benefits
Developers get to know what actually to look for and
Know how to prevent these flaws from the beginning
27
Code Review
Time amp budget saving
28
Possible candidates
Sonatype
HP Fortify
Defensecode ThunderScan
Checkmarx
See also wwwowasporg
29
Pitfalls
Training needed
False Positives amp Negatives
Developers do not see the tool as an improvement
Management does not see the long-term benefits
30
WHAT ABOUT BINARIES
31
Binaries
Veracode
Big players are using it
Placed in the USA
Your data does not stay at ldquohomerdquo
32
VULNERABILITY SCANNING
33
Vulnerability Scanning
Is the ready-to-deploy application still vulnerable
34
Vulnerability Scanning
This phase is comparable to an automated Penetration test
35
36
Vulnerability Scanning
Pre-deployment
Again checking for OWASP Top 10 and
Even the flaws we have not been able to test for during phase 2
37
Possible candidates
WhiteHat Security Sentinel
Quotium Seeker
HP WebInspect
Defensecode Web Security Scanner
Cenzic Hailstorm
Burp Suite Pro
Acunetix
38
WebSockets
Burp Suite Pro (v1521)
39
Pitfalls
Training needed
False Positives amp Negatives
ldquoAutomatedrdquo deployment of applications needed (Sandbox)
Fixing times
40
STRESS amp LOAD TESTING
41
S amp L Testing
How does it scale
Will the software ldquoruinrdquo us when we start using it in the cloud
42
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
INTELLECTUAL PROPERTY SCAN
15
IP Scan
Who is using Open Source Software (OSS)
16
IP Scan
What OSS components do you use
In which version
17
IP Scan
Are you sure that you know them all
Even snippets
18
IP Scan
Has Security approved the use of them
Legal as well
19
IP Scan
Are you allowed to contribute your work
If yes
What are you allowed to contribute
back to the community
How are you allowed to do that
20
IP Scan
Is one of the used components vulnerable to a CVE
21
Possible candidates
Palamida
Open Logic
Black Duck
22
WWWOHLOHNET
23
Pitfalls
Processes of different operation units do not merge as easy as you would like them to
You may need additional employees
Do you allow the tool to connect to the internet and transmit data
What do you do after you know your problems
24
CODE REVIEW
25
Code Review
Detect software flaws as early as possible
Even some bad coding practices
26
Code Review
Long-term benefits
Developers get to know what actually to look for and
Know how to prevent these flaws from the beginning
27
Code Review
Time amp budget saving
28
Possible candidates
Sonatype
HP Fortify
Defensecode ThunderScan
Checkmarx
See also wwwowasporg
29
Pitfalls
Training needed
False Positives amp Negatives
Developers do not see the tool as an improvement
Management does not see the long-term benefits
30
WHAT ABOUT BINARIES
31
Binaries
Veracode
Big players are using it
Placed in the USA
Your data does not stay at ldquohomerdquo
32
VULNERABILITY SCANNING
33
Vulnerability Scanning
Is the ready-to-deploy application still vulnerable
34
Vulnerability Scanning
This phase is comparable to an automated Penetration test
35
36
Vulnerability Scanning
Pre-deployment
Again checking for OWASP Top 10 and
Even the flaws we have not been able to test for during phase 2
37
Possible candidates
WhiteHat Security Sentinel
Quotium Seeker
HP WebInspect
Defensecode Web Security Scanner
Cenzic Hailstorm
Burp Suite Pro
Acunetix
38
WebSockets
Burp Suite Pro (v1521)
39
Pitfalls
Training needed
False Positives amp Negatives
ldquoAutomatedrdquo deployment of applications needed (Sandbox)
Fixing times
40
STRESS amp LOAD TESTING
41
S amp L Testing
How does it scale
Will the software ldquoruinrdquo us when we start using it in the cloud
42
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
IP Scan
Who is using Open Source Software (OSS)
16
IP Scan
What OSS components do you use
In which version
17
IP Scan
Are you sure that you know them all
Even snippets
18
IP Scan
Has Security approved the use of them
Legal as well
19
IP Scan
Are you allowed to contribute your work
If yes
What are you allowed to contribute
back to the community
How are you allowed to do that
20
IP Scan
Is one of the used components vulnerable to a CVE
21
Possible candidates
Palamida
Open Logic
Black Duck
22
WWWOHLOHNET
23
Pitfalls
Processes of different operation units do not merge as easy as you would like them to
You may need additional employees
Do you allow the tool to connect to the internet and transmit data
What do you do after you know your problems
24
CODE REVIEW
25
Code Review
Detect software flaws as early as possible
Even some bad coding practices
26
Code Review
Long-term benefits
Developers get to know what actually to look for and
Know how to prevent these flaws from the beginning
27
Code Review
Time amp budget saving
28
Possible candidates
Sonatype
HP Fortify
Defensecode ThunderScan
Checkmarx
See also wwwowasporg
29
Pitfalls
Training needed
False Positives amp Negatives
Developers do not see the tool as an improvement
Management does not see the long-term benefits
30
WHAT ABOUT BINARIES
31
Binaries
Veracode
Big players are using it
Placed in the USA
Your data does not stay at ldquohomerdquo
32
VULNERABILITY SCANNING
33
Vulnerability Scanning
Is the ready-to-deploy application still vulnerable
34
Vulnerability Scanning
This phase is comparable to an automated Penetration test
35
36
Vulnerability Scanning
Pre-deployment
Again checking for OWASP Top 10 and
Even the flaws we have not been able to test for during phase 2
37
Possible candidates
WhiteHat Security Sentinel
Quotium Seeker
HP WebInspect
Defensecode Web Security Scanner
Cenzic Hailstorm
Burp Suite Pro
Acunetix
38
WebSockets
Burp Suite Pro (v1521)
39
Pitfalls
Training needed
False Positives amp Negatives
ldquoAutomatedrdquo deployment of applications needed (Sandbox)
Fixing times
40
STRESS amp LOAD TESTING
41
S amp L Testing
How does it scale
Will the software ldquoruinrdquo us when we start using it in the cloud
42
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
IP Scan
What OSS components do you use
In which version
17
IP Scan
Are you sure that you know them all
Even snippets
18
IP Scan
Has Security approved the use of them
Legal as well
19
IP Scan
Are you allowed to contribute your work
If yes
What are you allowed to contribute
back to the community
How are you allowed to do that
20
IP Scan
Is one of the used components vulnerable to a CVE
21
Possible candidates
Palamida
Open Logic
Black Duck
22
WWWOHLOHNET
23
Pitfalls
Processes of different operation units do not merge as easy as you would like them to
You may need additional employees
Do you allow the tool to connect to the internet and transmit data
What do you do after you know your problems
24
CODE REVIEW
25
Code Review
Detect software flaws as early as possible
Even some bad coding practices
26
Code Review
Long-term benefits
Developers get to know what actually to look for and
Know how to prevent these flaws from the beginning
27
Code Review
Time amp budget saving
28
Possible candidates
Sonatype
HP Fortify
Defensecode ThunderScan
Checkmarx
See also wwwowasporg
29
Pitfalls
Training needed
False Positives amp Negatives
Developers do not see the tool as an improvement
Management does not see the long-term benefits
30
WHAT ABOUT BINARIES
31
Binaries
Veracode
Big players are using it
Placed in the USA
Your data does not stay at ldquohomerdquo
32
VULNERABILITY SCANNING
33
Vulnerability Scanning
Is the ready-to-deploy application still vulnerable
34
Vulnerability Scanning
This phase is comparable to an automated Penetration test
35
36
Vulnerability Scanning
Pre-deployment
Again checking for OWASP Top 10 and
Even the flaws we have not been able to test for during phase 2
37
Possible candidates
WhiteHat Security Sentinel
Quotium Seeker
HP WebInspect
Defensecode Web Security Scanner
Cenzic Hailstorm
Burp Suite Pro
Acunetix
38
WebSockets
Burp Suite Pro (v1521)
39
Pitfalls
Training needed
False Positives amp Negatives
ldquoAutomatedrdquo deployment of applications needed (Sandbox)
Fixing times
40
STRESS amp LOAD TESTING
41
S amp L Testing
How does it scale
Will the software ldquoruinrdquo us when we start using it in the cloud
42
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
IP Scan
Are you sure that you know them all
Even snippets
18
IP Scan
Has Security approved the use of them
Legal as well
19
IP Scan
Are you allowed to contribute your work
If yes
What are you allowed to contribute
back to the community
How are you allowed to do that
20
IP Scan
Is one of the used components vulnerable to a CVE
21
Possible candidates
Palamida
Open Logic
Black Duck
22
WWWOHLOHNET
23
Pitfalls
Processes of different operation units do not merge as easy as you would like them to
You may need additional employees
Do you allow the tool to connect to the internet and transmit data
What do you do after you know your problems
24
CODE REVIEW
25
Code Review
Detect software flaws as early as possible
Even some bad coding practices
26
Code Review
Long-term benefits
Developers get to know what actually to look for and
Know how to prevent these flaws from the beginning
27
Code Review
Time amp budget saving
28
Possible candidates
Sonatype
HP Fortify
Defensecode ThunderScan
Checkmarx
See also wwwowasporg
29
Pitfalls
Training needed
False Positives amp Negatives
Developers do not see the tool as an improvement
Management does not see the long-term benefits
30
WHAT ABOUT BINARIES
31
Binaries
Veracode
Big players are using it
Placed in the USA
Your data does not stay at ldquohomerdquo
32
VULNERABILITY SCANNING
33
Vulnerability Scanning
Is the ready-to-deploy application still vulnerable
34
Vulnerability Scanning
This phase is comparable to an automated Penetration test
35
36
Vulnerability Scanning
Pre-deployment
Again checking for OWASP Top 10 and
Even the flaws we have not been able to test for during phase 2
37
Possible candidates
WhiteHat Security Sentinel
Quotium Seeker
HP WebInspect
Defensecode Web Security Scanner
Cenzic Hailstorm
Burp Suite Pro
Acunetix
38
WebSockets
Burp Suite Pro (v1521)
39
Pitfalls
Training needed
False Positives amp Negatives
ldquoAutomatedrdquo deployment of applications needed (Sandbox)
Fixing times
40
STRESS amp LOAD TESTING
41
S amp L Testing
How does it scale
Will the software ldquoruinrdquo us when we start using it in the cloud
42
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
IP Scan
Has Security approved the use of them
Legal as well
19
IP Scan
Are you allowed to contribute your work
If yes
What are you allowed to contribute
back to the community
How are you allowed to do that
20
IP Scan
Is one of the used components vulnerable to a CVE
21
Possible candidates
Palamida
Open Logic
Black Duck
22
WWWOHLOHNET
23
Pitfalls
Processes of different operation units do not merge as easy as you would like them to
You may need additional employees
Do you allow the tool to connect to the internet and transmit data
What do you do after you know your problems
24
CODE REVIEW
25
Code Review
Detect software flaws as early as possible
Even some bad coding practices
26
Code Review
Long-term benefits
Developers get to know what actually to look for and
Know how to prevent these flaws from the beginning
27
Code Review
Time amp budget saving
28
Possible candidates
Sonatype
HP Fortify
Defensecode ThunderScan
Checkmarx
See also wwwowasporg
29
Pitfalls
Training needed
False Positives amp Negatives
Developers do not see the tool as an improvement
Management does not see the long-term benefits
30
WHAT ABOUT BINARIES
31
Binaries
Veracode
Big players are using it
Placed in the USA
Your data does not stay at ldquohomerdquo
32
VULNERABILITY SCANNING
33
Vulnerability Scanning
Is the ready-to-deploy application still vulnerable
34
Vulnerability Scanning
This phase is comparable to an automated Penetration test
35
36
Vulnerability Scanning
Pre-deployment
Again checking for OWASP Top 10 and
Even the flaws we have not been able to test for during phase 2
37
Possible candidates
WhiteHat Security Sentinel
Quotium Seeker
HP WebInspect
Defensecode Web Security Scanner
Cenzic Hailstorm
Burp Suite Pro
Acunetix
38
WebSockets
Burp Suite Pro (v1521)
39
Pitfalls
Training needed
False Positives amp Negatives
ldquoAutomatedrdquo deployment of applications needed (Sandbox)
Fixing times
40
STRESS amp LOAD TESTING
41
S amp L Testing
How does it scale
Will the software ldquoruinrdquo us when we start using it in the cloud
42
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
IP Scan
Are you allowed to contribute your work
If yes
What are you allowed to contribute
back to the community
How are you allowed to do that
20
IP Scan
Is one of the used components vulnerable to a CVE
21
Possible candidates
Palamida
Open Logic
Black Duck
22
WWWOHLOHNET
23
Pitfalls
Processes of different operation units do not merge as easy as you would like them to
You may need additional employees
Do you allow the tool to connect to the internet and transmit data
What do you do after you know your problems
24
CODE REVIEW
25
Code Review
Detect software flaws as early as possible
Even some bad coding practices
26
Code Review
Long-term benefits
Developers get to know what actually to look for and
Know how to prevent these flaws from the beginning
27
Code Review
Time amp budget saving
28
Possible candidates
Sonatype
HP Fortify
Defensecode ThunderScan
Checkmarx
See also wwwowasporg
29
Pitfalls
Training needed
False Positives amp Negatives
Developers do not see the tool as an improvement
Management does not see the long-term benefits
30
WHAT ABOUT BINARIES
31
Binaries
Veracode
Big players are using it
Placed in the USA
Your data does not stay at ldquohomerdquo
32
VULNERABILITY SCANNING
33
Vulnerability Scanning
Is the ready-to-deploy application still vulnerable
34
Vulnerability Scanning
This phase is comparable to an automated Penetration test
35
36
Vulnerability Scanning
Pre-deployment
Again checking for OWASP Top 10 and
Even the flaws we have not been able to test for during phase 2
37
Possible candidates
WhiteHat Security Sentinel
Quotium Seeker
HP WebInspect
Defensecode Web Security Scanner
Cenzic Hailstorm
Burp Suite Pro
Acunetix
38
WebSockets
Burp Suite Pro (v1521)
39
Pitfalls
Training needed
False Positives amp Negatives
ldquoAutomatedrdquo deployment of applications needed (Sandbox)
Fixing times
40
STRESS amp LOAD TESTING
41
S amp L Testing
How does it scale
Will the software ldquoruinrdquo us when we start using it in the cloud
42
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
IP Scan
Is one of the used components vulnerable to a CVE
21
Possible candidates
Palamida
Open Logic
Black Duck
22
WWWOHLOHNET
23
Pitfalls
Processes of different operation units do not merge as easy as you would like them to
You may need additional employees
Do you allow the tool to connect to the internet and transmit data
What do you do after you know your problems
24
CODE REVIEW
25
Code Review
Detect software flaws as early as possible
Even some bad coding practices
26
Code Review
Long-term benefits
Developers get to know what actually to look for and
Know how to prevent these flaws from the beginning
27
Code Review
Time amp budget saving
28
Possible candidates
Sonatype
HP Fortify
Defensecode ThunderScan
Checkmarx
See also wwwowasporg
29
Pitfalls
Training needed
False Positives amp Negatives
Developers do not see the tool as an improvement
Management does not see the long-term benefits
30
WHAT ABOUT BINARIES
31
Binaries
Veracode
Big players are using it
Placed in the USA
Your data does not stay at ldquohomerdquo
32
VULNERABILITY SCANNING
33
Vulnerability Scanning
Is the ready-to-deploy application still vulnerable
34
Vulnerability Scanning
This phase is comparable to an automated Penetration test
35
36
Vulnerability Scanning
Pre-deployment
Again checking for OWASP Top 10 and
Even the flaws we have not been able to test for during phase 2
37
Possible candidates
WhiteHat Security Sentinel
Quotium Seeker
HP WebInspect
Defensecode Web Security Scanner
Cenzic Hailstorm
Burp Suite Pro
Acunetix
38
WebSockets
Burp Suite Pro (v1521)
39
Pitfalls
Training needed
False Positives amp Negatives
ldquoAutomatedrdquo deployment of applications needed (Sandbox)
Fixing times
40
STRESS amp LOAD TESTING
41
S amp L Testing
How does it scale
Will the software ldquoruinrdquo us when we start using it in the cloud
42
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
Possible candidates
Palamida
Open Logic
Black Duck
22
WWWOHLOHNET
23
Pitfalls
Processes of different operation units do not merge as easy as you would like them to
You may need additional employees
Do you allow the tool to connect to the internet and transmit data
What do you do after you know your problems
24
CODE REVIEW
25
Code Review
Detect software flaws as early as possible
Even some bad coding practices
26
Code Review
Long-term benefits
Developers get to know what actually to look for and
Know how to prevent these flaws from the beginning
27
Code Review
Time amp budget saving
28
Possible candidates
Sonatype
HP Fortify
Defensecode ThunderScan
Checkmarx
See also wwwowasporg
29
Pitfalls
Training needed
False Positives amp Negatives
Developers do not see the tool as an improvement
Management does not see the long-term benefits
30
WHAT ABOUT BINARIES
31
Binaries
Veracode
Big players are using it
Placed in the USA
Your data does not stay at ldquohomerdquo
32
VULNERABILITY SCANNING
33
Vulnerability Scanning
Is the ready-to-deploy application still vulnerable
34
Vulnerability Scanning
This phase is comparable to an automated Penetration test
35
36
Vulnerability Scanning
Pre-deployment
Again checking for OWASP Top 10 and
Even the flaws we have not been able to test for during phase 2
37
Possible candidates
WhiteHat Security Sentinel
Quotium Seeker
HP WebInspect
Defensecode Web Security Scanner
Cenzic Hailstorm
Burp Suite Pro
Acunetix
38
WebSockets
Burp Suite Pro (v1521)
39
Pitfalls
Training needed
False Positives amp Negatives
ldquoAutomatedrdquo deployment of applications needed (Sandbox)
Fixing times
40
STRESS amp LOAD TESTING
41
S amp L Testing
How does it scale
Will the software ldquoruinrdquo us when we start using it in the cloud
42
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
WWWOHLOHNET
23
Pitfalls
Processes of different operation units do not merge as easy as you would like them to
You may need additional employees
Do you allow the tool to connect to the internet and transmit data
What do you do after you know your problems
24
CODE REVIEW
25
Code Review
Detect software flaws as early as possible
Even some bad coding practices
26
Code Review
Long-term benefits
Developers get to know what actually to look for and
Know how to prevent these flaws from the beginning
27
Code Review
Time amp budget saving
28
Possible candidates
Sonatype
HP Fortify
Defensecode ThunderScan
Checkmarx
See also wwwowasporg
29
Pitfalls
Training needed
False Positives amp Negatives
Developers do not see the tool as an improvement
Management does not see the long-term benefits
30
WHAT ABOUT BINARIES
31
Binaries
Veracode
Big players are using it
Placed in the USA
Your data does not stay at ldquohomerdquo
32
VULNERABILITY SCANNING
33
Vulnerability Scanning
Is the ready-to-deploy application still vulnerable
34
Vulnerability Scanning
This phase is comparable to an automated Penetration test
35
36
Vulnerability Scanning
Pre-deployment
Again checking for OWASP Top 10 and
Even the flaws we have not been able to test for during phase 2
37
Possible candidates
WhiteHat Security Sentinel
Quotium Seeker
HP WebInspect
Defensecode Web Security Scanner
Cenzic Hailstorm
Burp Suite Pro
Acunetix
38
WebSockets
Burp Suite Pro (v1521)
39
Pitfalls
Training needed
False Positives amp Negatives
ldquoAutomatedrdquo deployment of applications needed (Sandbox)
Fixing times
40
STRESS amp LOAD TESTING
41
S amp L Testing
How does it scale
Will the software ldquoruinrdquo us when we start using it in the cloud
42
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
Pitfalls
Processes of different operation units do not merge as easy as you would like them to
You may need additional employees
Do you allow the tool to connect to the internet and transmit data
What do you do after you know your problems
24
CODE REVIEW
25
Code Review
Detect software flaws as early as possible
Even some bad coding practices
26
Code Review
Long-term benefits
Developers get to know what actually to look for and
Know how to prevent these flaws from the beginning
27
Code Review
Time amp budget saving
28
Possible candidates
Sonatype
HP Fortify
Defensecode ThunderScan
Checkmarx
See also wwwowasporg
29
Pitfalls
Training needed
False Positives amp Negatives
Developers do not see the tool as an improvement
Management does not see the long-term benefits
30
WHAT ABOUT BINARIES
31
Binaries
Veracode
Big players are using it
Placed in the USA
Your data does not stay at ldquohomerdquo
32
VULNERABILITY SCANNING
33
Vulnerability Scanning
Is the ready-to-deploy application still vulnerable
34
Vulnerability Scanning
This phase is comparable to an automated Penetration test
35
36
Vulnerability Scanning
Pre-deployment
Again checking for OWASP Top 10 and
Even the flaws we have not been able to test for during phase 2
37
Possible candidates
WhiteHat Security Sentinel
Quotium Seeker
HP WebInspect
Defensecode Web Security Scanner
Cenzic Hailstorm
Burp Suite Pro
Acunetix
38
WebSockets
Burp Suite Pro (v1521)
39
Pitfalls
Training needed
False Positives amp Negatives
ldquoAutomatedrdquo deployment of applications needed (Sandbox)
Fixing times
40
STRESS amp LOAD TESTING
41
S amp L Testing
How does it scale
Will the software ldquoruinrdquo us when we start using it in the cloud
42
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
CODE REVIEW
25
Code Review
Detect software flaws as early as possible
Even some bad coding practices
26
Code Review
Long-term benefits
Developers get to know what actually to look for and
Know how to prevent these flaws from the beginning
27
Code Review
Time amp budget saving
28
Possible candidates
Sonatype
HP Fortify
Defensecode ThunderScan
Checkmarx
See also wwwowasporg
29
Pitfalls
Training needed
False Positives amp Negatives
Developers do not see the tool as an improvement
Management does not see the long-term benefits
30
WHAT ABOUT BINARIES
31
Binaries
Veracode
Big players are using it
Placed in the USA
Your data does not stay at ldquohomerdquo
32
VULNERABILITY SCANNING
33
Vulnerability Scanning
Is the ready-to-deploy application still vulnerable
34
Vulnerability Scanning
This phase is comparable to an automated Penetration test
35
36
Vulnerability Scanning
Pre-deployment
Again checking for OWASP Top 10 and
Even the flaws we have not been able to test for during phase 2
37
Possible candidates
WhiteHat Security Sentinel
Quotium Seeker
HP WebInspect
Defensecode Web Security Scanner
Cenzic Hailstorm
Burp Suite Pro
Acunetix
38
WebSockets
Burp Suite Pro (v1521)
39
Pitfalls
Training needed
False Positives amp Negatives
ldquoAutomatedrdquo deployment of applications needed (Sandbox)
Fixing times
40
STRESS amp LOAD TESTING
41
S amp L Testing
How does it scale
Will the software ldquoruinrdquo us when we start using it in the cloud
42
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
Code Review
Detect software flaws as early as possible
Even some bad coding practices
26
Code Review
Long-term benefits
Developers get to know what actually to look for and
Know how to prevent these flaws from the beginning
27
Code Review
Time amp budget saving
28
Possible candidates
Sonatype
HP Fortify
Defensecode ThunderScan
Checkmarx
See also wwwowasporg
29
Pitfalls
Training needed
False Positives amp Negatives
Developers do not see the tool as an improvement
Management does not see the long-term benefits
30
WHAT ABOUT BINARIES
31
Binaries
Veracode
Big players are using it
Placed in the USA
Your data does not stay at ldquohomerdquo
32
VULNERABILITY SCANNING
33
Vulnerability Scanning
Is the ready-to-deploy application still vulnerable
34
Vulnerability Scanning
This phase is comparable to an automated Penetration test
35
36
Vulnerability Scanning
Pre-deployment
Again checking for OWASP Top 10 and
Even the flaws we have not been able to test for during phase 2
37
Possible candidates
WhiteHat Security Sentinel
Quotium Seeker
HP WebInspect
Defensecode Web Security Scanner
Cenzic Hailstorm
Burp Suite Pro
Acunetix
38
WebSockets
Burp Suite Pro (v1521)
39
Pitfalls
Training needed
False Positives amp Negatives
ldquoAutomatedrdquo deployment of applications needed (Sandbox)
Fixing times
40
STRESS amp LOAD TESTING
41
S amp L Testing
How does it scale
Will the software ldquoruinrdquo us when we start using it in the cloud
42
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
Code Review
Long-term benefits
Developers get to know what actually to look for and
Know how to prevent these flaws from the beginning
27
Code Review
Time amp budget saving
28
Possible candidates
Sonatype
HP Fortify
Defensecode ThunderScan
Checkmarx
See also wwwowasporg
29
Pitfalls
Training needed
False Positives amp Negatives
Developers do not see the tool as an improvement
Management does not see the long-term benefits
30
WHAT ABOUT BINARIES
31
Binaries
Veracode
Big players are using it
Placed in the USA
Your data does not stay at ldquohomerdquo
32
VULNERABILITY SCANNING
33
Vulnerability Scanning
Is the ready-to-deploy application still vulnerable
34
Vulnerability Scanning
This phase is comparable to an automated Penetration test
35
36
Vulnerability Scanning
Pre-deployment
Again checking for OWASP Top 10 and
Even the flaws we have not been able to test for during phase 2
37
Possible candidates
WhiteHat Security Sentinel
Quotium Seeker
HP WebInspect
Defensecode Web Security Scanner
Cenzic Hailstorm
Burp Suite Pro
Acunetix
38
WebSockets
Burp Suite Pro (v1521)
39
Pitfalls
Training needed
False Positives amp Negatives
ldquoAutomatedrdquo deployment of applications needed (Sandbox)
Fixing times
40
STRESS amp LOAD TESTING
41
S amp L Testing
How does it scale
Will the software ldquoruinrdquo us when we start using it in the cloud
42
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
Code Review
Time amp budget saving
28
Possible candidates
Sonatype
HP Fortify
Defensecode ThunderScan
Checkmarx
See also wwwowasporg
29
Pitfalls
Training needed
False Positives amp Negatives
Developers do not see the tool as an improvement
Management does not see the long-term benefits
30
WHAT ABOUT BINARIES
31
Binaries
Veracode
Big players are using it
Placed in the USA
Your data does not stay at ldquohomerdquo
32
VULNERABILITY SCANNING
33
Vulnerability Scanning
Is the ready-to-deploy application still vulnerable
34
Vulnerability Scanning
This phase is comparable to an automated Penetration test
35
36
Vulnerability Scanning
Pre-deployment
Again checking for OWASP Top 10 and
Even the flaws we have not been able to test for during phase 2
37
Possible candidates
WhiteHat Security Sentinel
Quotium Seeker
HP WebInspect
Defensecode Web Security Scanner
Cenzic Hailstorm
Burp Suite Pro
Acunetix
38
WebSockets
Burp Suite Pro (v1521)
39
Pitfalls
Training needed
False Positives amp Negatives
ldquoAutomatedrdquo deployment of applications needed (Sandbox)
Fixing times
40
STRESS amp LOAD TESTING
41
S amp L Testing
How does it scale
Will the software ldquoruinrdquo us when we start using it in the cloud
42
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
Possible candidates
Sonatype
HP Fortify
Defensecode ThunderScan
Checkmarx
See also wwwowasporg
29
Pitfalls
Training needed
False Positives amp Negatives
Developers do not see the tool as an improvement
Management does not see the long-term benefits
30
WHAT ABOUT BINARIES
31
Binaries
Veracode
Big players are using it
Placed in the USA
Your data does not stay at ldquohomerdquo
32
VULNERABILITY SCANNING
33
Vulnerability Scanning
Is the ready-to-deploy application still vulnerable
34
Vulnerability Scanning
This phase is comparable to an automated Penetration test
35
36
Vulnerability Scanning
Pre-deployment
Again checking for OWASP Top 10 and
Even the flaws we have not been able to test for during phase 2
37
Possible candidates
WhiteHat Security Sentinel
Quotium Seeker
HP WebInspect
Defensecode Web Security Scanner
Cenzic Hailstorm
Burp Suite Pro
Acunetix
38
WebSockets
Burp Suite Pro (v1521)
39
Pitfalls
Training needed
False Positives amp Negatives
ldquoAutomatedrdquo deployment of applications needed (Sandbox)
Fixing times
40
STRESS amp LOAD TESTING
41
S amp L Testing
How does it scale
Will the software ldquoruinrdquo us when we start using it in the cloud
42
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
Pitfalls
Training needed
False Positives amp Negatives
Developers do not see the tool as an improvement
Management does not see the long-term benefits
30
WHAT ABOUT BINARIES
31
Binaries
Veracode
Big players are using it
Placed in the USA
Your data does not stay at ldquohomerdquo
32
VULNERABILITY SCANNING
33
Vulnerability Scanning
Is the ready-to-deploy application still vulnerable
34
Vulnerability Scanning
This phase is comparable to an automated Penetration test
35
36
Vulnerability Scanning
Pre-deployment
Again checking for OWASP Top 10 and
Even the flaws we have not been able to test for during phase 2
37
Possible candidates
WhiteHat Security Sentinel
Quotium Seeker
HP WebInspect
Defensecode Web Security Scanner
Cenzic Hailstorm
Burp Suite Pro
Acunetix
38
WebSockets
Burp Suite Pro (v1521)
39
Pitfalls
Training needed
False Positives amp Negatives
ldquoAutomatedrdquo deployment of applications needed (Sandbox)
Fixing times
40
STRESS amp LOAD TESTING
41
S amp L Testing
How does it scale
Will the software ldquoruinrdquo us when we start using it in the cloud
42
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
WHAT ABOUT BINARIES
31
Binaries
Veracode
Big players are using it
Placed in the USA
Your data does not stay at ldquohomerdquo
32
VULNERABILITY SCANNING
33
Vulnerability Scanning
Is the ready-to-deploy application still vulnerable
34
Vulnerability Scanning
This phase is comparable to an automated Penetration test
35
36
Vulnerability Scanning
Pre-deployment
Again checking for OWASP Top 10 and
Even the flaws we have not been able to test for during phase 2
37
Possible candidates
WhiteHat Security Sentinel
Quotium Seeker
HP WebInspect
Defensecode Web Security Scanner
Cenzic Hailstorm
Burp Suite Pro
Acunetix
38
WebSockets
Burp Suite Pro (v1521)
39
Pitfalls
Training needed
False Positives amp Negatives
ldquoAutomatedrdquo deployment of applications needed (Sandbox)
Fixing times
40
STRESS amp LOAD TESTING
41
S amp L Testing
How does it scale
Will the software ldquoruinrdquo us when we start using it in the cloud
42
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
Binaries
Veracode
Big players are using it
Placed in the USA
Your data does not stay at ldquohomerdquo
32
VULNERABILITY SCANNING
33
Vulnerability Scanning
Is the ready-to-deploy application still vulnerable
34
Vulnerability Scanning
This phase is comparable to an automated Penetration test
35
36
Vulnerability Scanning
Pre-deployment
Again checking for OWASP Top 10 and
Even the flaws we have not been able to test for during phase 2
37
Possible candidates
WhiteHat Security Sentinel
Quotium Seeker
HP WebInspect
Defensecode Web Security Scanner
Cenzic Hailstorm
Burp Suite Pro
Acunetix
38
WebSockets
Burp Suite Pro (v1521)
39
Pitfalls
Training needed
False Positives amp Negatives
ldquoAutomatedrdquo deployment of applications needed (Sandbox)
Fixing times
40
STRESS amp LOAD TESTING
41
S amp L Testing
How does it scale
Will the software ldquoruinrdquo us when we start using it in the cloud
42
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
VULNERABILITY SCANNING
33
Vulnerability Scanning
Is the ready-to-deploy application still vulnerable
34
Vulnerability Scanning
This phase is comparable to an automated Penetration test
35
36
Vulnerability Scanning
Pre-deployment
Again checking for OWASP Top 10 and
Even the flaws we have not been able to test for during phase 2
37
Possible candidates
WhiteHat Security Sentinel
Quotium Seeker
HP WebInspect
Defensecode Web Security Scanner
Cenzic Hailstorm
Burp Suite Pro
Acunetix
38
WebSockets
Burp Suite Pro (v1521)
39
Pitfalls
Training needed
False Positives amp Negatives
ldquoAutomatedrdquo deployment of applications needed (Sandbox)
Fixing times
40
STRESS amp LOAD TESTING
41
S amp L Testing
How does it scale
Will the software ldquoruinrdquo us when we start using it in the cloud
42
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
Vulnerability Scanning
Is the ready-to-deploy application still vulnerable
34
Vulnerability Scanning
This phase is comparable to an automated Penetration test
35
36
Vulnerability Scanning
Pre-deployment
Again checking for OWASP Top 10 and
Even the flaws we have not been able to test for during phase 2
37
Possible candidates
WhiteHat Security Sentinel
Quotium Seeker
HP WebInspect
Defensecode Web Security Scanner
Cenzic Hailstorm
Burp Suite Pro
Acunetix
38
WebSockets
Burp Suite Pro (v1521)
39
Pitfalls
Training needed
False Positives amp Negatives
ldquoAutomatedrdquo deployment of applications needed (Sandbox)
Fixing times
40
STRESS amp LOAD TESTING
41
S amp L Testing
How does it scale
Will the software ldquoruinrdquo us when we start using it in the cloud
42
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
Vulnerability Scanning
This phase is comparable to an automated Penetration test
35
36
Vulnerability Scanning
Pre-deployment
Again checking for OWASP Top 10 and
Even the flaws we have not been able to test for during phase 2
37
Possible candidates
WhiteHat Security Sentinel
Quotium Seeker
HP WebInspect
Defensecode Web Security Scanner
Cenzic Hailstorm
Burp Suite Pro
Acunetix
38
WebSockets
Burp Suite Pro (v1521)
39
Pitfalls
Training needed
False Positives amp Negatives
ldquoAutomatedrdquo deployment of applications needed (Sandbox)
Fixing times
40
STRESS amp LOAD TESTING
41
S amp L Testing
How does it scale
Will the software ldquoruinrdquo us when we start using it in the cloud
42
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
36
Vulnerability Scanning
Pre-deployment
Again checking for OWASP Top 10 and
Even the flaws we have not been able to test for during phase 2
37
Possible candidates
WhiteHat Security Sentinel
Quotium Seeker
HP WebInspect
Defensecode Web Security Scanner
Cenzic Hailstorm
Burp Suite Pro
Acunetix
38
WebSockets
Burp Suite Pro (v1521)
39
Pitfalls
Training needed
False Positives amp Negatives
ldquoAutomatedrdquo deployment of applications needed (Sandbox)
Fixing times
40
STRESS amp LOAD TESTING
41
S amp L Testing
How does it scale
Will the software ldquoruinrdquo us when we start using it in the cloud
42
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
Vulnerability Scanning
Pre-deployment
Again checking for OWASP Top 10 and
Even the flaws we have not been able to test for during phase 2
37
Possible candidates
WhiteHat Security Sentinel
Quotium Seeker
HP WebInspect
Defensecode Web Security Scanner
Cenzic Hailstorm
Burp Suite Pro
Acunetix
38
WebSockets
Burp Suite Pro (v1521)
39
Pitfalls
Training needed
False Positives amp Negatives
ldquoAutomatedrdquo deployment of applications needed (Sandbox)
Fixing times
40
STRESS amp LOAD TESTING
41
S amp L Testing
How does it scale
Will the software ldquoruinrdquo us when we start using it in the cloud
42
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
Possible candidates
WhiteHat Security Sentinel
Quotium Seeker
HP WebInspect
Defensecode Web Security Scanner
Cenzic Hailstorm
Burp Suite Pro
Acunetix
38
WebSockets
Burp Suite Pro (v1521)
39
Pitfalls
Training needed
False Positives amp Negatives
ldquoAutomatedrdquo deployment of applications needed (Sandbox)
Fixing times
40
STRESS amp LOAD TESTING
41
S amp L Testing
How does it scale
Will the software ldquoruinrdquo us when we start using it in the cloud
42
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
WebSockets
Burp Suite Pro (v1521)
39
Pitfalls
Training needed
False Positives amp Negatives
ldquoAutomatedrdquo deployment of applications needed (Sandbox)
Fixing times
40
STRESS amp LOAD TESTING
41
S amp L Testing
How does it scale
Will the software ldquoruinrdquo us when we start using it in the cloud
42
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
Pitfalls
Training needed
False Positives amp Negatives
ldquoAutomatedrdquo deployment of applications needed (Sandbox)
Fixing times
40
STRESS amp LOAD TESTING
41
S amp L Testing
How does it scale
Will the software ldquoruinrdquo us when we start using it in the cloud
42
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
STRESS amp LOAD TESTING
41
S amp L Testing
How does it scale
Will the software ldquoruinrdquo us when we start using it in the cloud
42
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
S amp L Testing
How does it scale
Will the software ldquoruinrdquo us when we start using it in the cloud
42
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
Possible candidates
Proxy Sniffer
OpenSTA
Loadrunner
JMeter
43
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
Pitfalls
Automation probably impossible due to the need of user scripts
You may miss an important use case and therefore get an inaccurate feedback
Testing environment
Testing data
44
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
WRAP UP
45
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
Wrap up
To be ready for clouds you do not need something completely new according to the S-SDLC
However you have to be aware that your software may not get accepted on every cloud as easy as you might think
46
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
Wrap up
In a first step try to find the one phase that improves your S-SDLC the most
1 Intellectual Property Scan
2 Code Review
3 Vulnerability Scanning
4 Stress amp Load Testing
47
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
Wrap up
Intellectual Property Scan Benefits
Know what OSS you are using and
Know their Licenses
48
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
Wrap up
Code Review Benefits
Detect software flaws as early as possible
Even some bad coding practices
49
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
Wrap up
Vulnerability Scanning Benefits
Know if the ready-to-deploy application is still vulnerable
50
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
Wrap up
Stress amp Load Testing Benefits
Know how the application scales
51
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
Recommendation
Dev amp Sec Code Review
Legal IP Scan
Security Vulnerability Scanning
Operation Stress amp Load Testing
52
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
Wrap up
Try to help and not to annoy by adapting the S-SDLC
You need feedback for improvements
53
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
QUESTIONS amp OPEN DISCUSSION
54
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
55
Keep up to date
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus
56
Want to support OWASP
Become member annual donation of
$50 Individual
$5000 Corporate
enables the support of OWASP projects mailing lists conferences podcasts grants and global strategic focus