Overview
Learn how to enhance your Software Development Life Cycle (SDLC) using Common Attack Pattern Enumeration and Classification (CAPEC) and Common Weakness Enumeration (CWE) in this 35-minute conference talk by Ryan Stinson from KCG at LASCON 2012. Explore threat modeling techniques, examine CWE examples, and understand how CAPEC attack patterns relate to CWE weaknesses. Discover how to put SDLC tools into action across the requirements analysis, design, development, and testing stages. Gain insights from an application penetration test walkthrough: the anatomy of an attack and common weaknesses such as improper input validation, error messages that reveal too much information, SQL injection, access control gaps, and local file inclusion. Conclude with lessons learned to improve your overall software security practices.
Syllabus
Introductions
CAPEC
Threat Modeling: Client-specific
CWE Example
Relationships
Putting SDLC Tools into Action
Requirements Analysis
Design Considerations
Development
Testing
Overview: Application Penetration Test
Anatomy of an attack
Input Validation: Proper handling of user input?
KCG Error Handling: Too Much Information
SQL Injection: Can I get to the data?
Full Compromise: There goes my data...
Access Control: How deep do I go?
Local File Inclusion
Lessons Learned
Taught by
LASCON