Explore a comprehensive security test plan for software development in this 45-minute conference talk from BSides Columbus Ohio 2015. Learn about layered security mechanisms, positive security models, and the principle of least privilege. Discover how to implement OAuth, session management, access control, and cryptography. Examine the four levels of security testing, from OS to verification requirements. Gain insights into handling input risks, error logging, data protection, and HTTP security. Understand the importance of malicious controls, business logic, and mobile security considerations. Conclude with a five-step process for immediate implementation of security testing in your software projects.
Overview
Syllabus
Intro
Bill Sempf
Adrian
ASDs
OAuth
Does it provide a standard
The focus of this talk
Layered security mechanisms
Positive security model
Application should fail securely
Least privilege
Separation of duties
Security by obscurity
Input is a risk
How do we bake this in
There are four levels
OS vs Level 0
Opportunistic Level
Standard Level
Verification Requirements
OAuth Requirements
Session Management
Access Control
Cryptography
Error Handling Logging
Data Protection
Communication
HTTP Security
Malicious Controls
Business Logic
File Upload
Mobile
Whats next
Five step process
AB Immediate needs
