OWASP Nederland

Post on 14-Jan-2016

Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation

OWASP

http://www.owasp.org

OWASP Nederland

Implementation of Security by Design
Martin Knobloch
Sogeti Nederland B.V.
martin.knobloch@sogeti.nl
+31-(0)6 52 32 76 79

2007-01-11

Presentation Objectives

What is…? Awareness! Task Force! Join Forces! Education! Get known! Finish line?

What is…?

What is…?
– Security By Design
– A Secure Application

Awareness! Task Force! Join Forces! Education! Get known! Finish line?

What is…

Security by Design
– Secure Software Development Initiative
– Applications designed to be secure
– Design how to develop secure applications

Everything about designing, developing, testing and implementing secure applications!

What is…

A Secure Application?
– How to design and develop a secure application?
– How secure does an application have to be?
– How to prove the application meets the customer's security expectations and needs?

50 current OWASP Projects
– 6 Release Quality Projects
– 15 Beta Status Projects
– 15 Alpha Status Projects

What is…?

Secure Development Life Cycle

What is…

A Secure Application…

An application is secure if the application behaves as expected at all times!

Awareness!

What is…? Awareness!
– Who?
– Why?
– How?

Task Force! Join Forces! Education! Get known! Finish line?

Awareness!

Who?

Colleagues
– Development Staff (Architects / Designers, Developers, Testers)
– Sales / Business Management

Customer
– Architects
– Administrators
– Users

…each and everyone!

Awareness!

Why?

Colleagues
– Development Staff
– Sales / Business Management

Customer
– Architects
– Administrators
– Users

Awareness!

How?

By recognition of their interests, understanding and knowledge of security!
– Communicate on the level of their knowledge
– Communicate in the scope of their understanding
– Communicate in the context of their interests

Awareness!

Task Force!

What is…? Awareness! Task Force!

It’s not a one-man-show

Join Forces! Education! Get known! Finish line?

Task Force!

It’s not a one-man-show

Java, Microsoft, Oracle, SAP, CMS, C++, Uniface, PHP, …, Software Control

Task Force!

Proactive Security Strategy (PaSS)

Join Forces!

What is…? Awareness! Task Force! Join Forces!

Who else is busy with security?

Education! Get known! Finish line?

Join Forces!

Business Process

Networking

System Administration

Application Administration

Join Forces!

Company wide security initiatives

Educate!

What is…? Awareness! Task Force! Join Forces! Educate!

– Education
– Certification

Get known! Finish line?

Educate!

Presentations, Courses, Technical meetings

To create awareness!
– About Security Threats
– About Security Standards
– About Best Practices
– About Standards
– About …

Educate!

Certifications

Get certified
– CISSP
– Symantec – SCSP
– MSCE
– Cisco
– ISS
– RSA

» OWASP Top Ten certification?!

Get known!

What is…? Awareness! Task Force! Join Forces! Education! Get known!

Make yourself heard!

Finish line?

Get known!

Write!
– Papers
– Newsletters
– Blogs

Talk!
– Presentations
– Meetings
– Lunch

Bother!
– Whenever there is a change!

Get known!

Make yourself notorious!

Finish line?

What is…? Awareness! Task Force! Join Forces! Get known! Education! Finish line?

When is the job done?

Finish line?

When is the job done?

…NEVER!