SDLC

The document outlines key concepts in secure coding and the Software Development Life Cycle (SDLC), including methodologies like Waterfall and Agile, as well as the importance of version control and DevOps practices. It highlights common application security threats, particularly SQL Injection and Cross-Site Scripting (XSS), and emphasizes the need for input validation and the use of Web Application Firewalls (WAF) to protect against these vulnerabilities. The document also includes lab sessions focused on identifying attacks and monitoring alerts in WAF.

Uploaded by

jjones4649

Secure Coding/SDLC

Module – 06
Day - 12

Instructor - Bappe Sarker


Agenda
• SDLC
• SQL Injection
• Session attack, Cookie stealing and manipulation
• XSS & CSRF
• Input validation
• Web Application Firewall

• Lab-4: IoC of various kinds of attacks and vulnerabilities
• Lab-5: Alert monitoring in WAF

Software Development Lifecycle (SDLC)
• SDLC or the Software Development Life Cycle is a process that produces software with the highest
quality and lowest cost in the shortest time possible. SDLC provides a well-structured flow of phases
that help an organization to quickly produce high-quality software which is well-tested and ready for
production use.
SDLC Approaches
• It is important to focus on a development methodology that fits with the project's needs. There are
approaches that focus more on customer engagement throughout the project life cycle. Some
approaches allow the customer to have a clear vision of the finished system at the beginning of the
process and allow the development to be completed within strict budgets, while other approaches
lend themselves to prototyping. Whatever your approach, it must align with the customers'
requirements.

[Figure: Waterfall Model and Agile Model diagrams]

Waterfall Model
• The waterfall model has been a mainstay of systems development for many years. It is a very rigid
approach with little customer involvement after the requirements phase. This model depends upon
comprehensive documentation in the early stages.
Agile Model
• The Agile methodology is based on plenty of customer engagement. The customer is involved not
just in the requirements phase. It is estimated that around 80% of all current development programs
use this methodology. When using the Agile method, the entire project is divided into small
incremental builds.
Version Control
• Version control is of paramount importance. When considering Continuous Integration/Continuous
Delivery (CI/CD), it is important to document build revisions and incorporate this into the change
management plan when considering backout plans.
DevOps
• A DevOps pipeline ensures that the development and operations teams adopt a set of best practices.
A DevOps pipeline will ensure that the building, testing, and deployment of software into the
operations environment is streamlined. There are several components of a DevOps pipeline as you
can see in the following sub-sections.
DevSecOps
• DevSecOps is a tactical trifecta that connects three disciplines: development, security, and
operations. The goal is to seamlessly integrate security into your continuous integration and
continuous delivery (CI/CD) pipeline in both pre-production (dev/test/staging) and production (ops)
environments. Let’s take a look at each discipline and the role it plays in delivering better, more
secure software faster.
Application Attacks & Threats
Application Security Threats
There are numerous security threats that affect software applications. Nonetheless,
the Top 10 list of the Open Web Application Security Project (OWASP) and the SANS
Top 25 aggregate the most common and severe application threats that impact
production applications.
OWASP Top 10
The OWASP Top 10 is a standard awareness document for developers and web
application security.
SQL Injection
Structured Query Language (SQL) Injection is a code injection technique used to
modify or retrieve data from SQL databases. By inserting specialized SQL statements
into an entry field, an attacker is able to execute commands that allow for the
retrieval of data from the database, the destruction of sensitive data, or other
manipulative behaviors.
SQL Injection Prevention

• Filter database inputs: Detect and filter out malicious code from user
inputs.
• Restrict database code: Prevent unintended database queries and
exploration by limiting database procedures and code.
• Restrict database access: Prevent unauthorized data access, exfiltration, or
deletion through access control restrictions.
• Maintain applications and databases: Keep databases fully patched and
updated. Upgrade when possible.
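The four prevention bullets above say what to do; the following added example (not code from the slides) shows the defect and its fix side by side: a query that pastes user input into the SQL text, and the same lookup written with a bound parameter. The users table and the inputs are constructed for this example and run against an in-memory SQLite database.

```python
# Added example (not from the slides): string-concatenated SQL next to the
# parameterized form, run against a constructed in-memory SQLite table.
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny users table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Defect on purpose: user input becomes part of the SQL statement, so a
    quote character in the input changes the query's structure."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Fix: the value travels separately from the statement text, so the
    database treats the whole input as data, never as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def demo() -> dict:
    """Run both lookups with a normal name and with a constructed input that
    closes the quote; only the concatenated query changes behaviour."""
    conn = make_db()
    crafted = "x' OR '1'='1"          # constructed input, not a real username
    return {
        "vuln_normal": lookup_vulnerable(conn, "bob"),
        "vuln_crafted": lookup_vulnerable(conn, crafted),    # returns every row
        "safe_normal": lookup_parameterized(conn, "bob"),
        "safe_crafted": lookup_parameterized(conn, crafted),  # matches nothing
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:13s} -> {rows}")
```

The "filter database inputs" bullet still applies, but the parameterized form is what makes the query safe regardless of what filtering misses.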
Cross Site Scripting (XSS)
Cross site scripting (XSS) is a common attack vector that injects malicious code into
a vulnerable web application. XSS differs from other web attack vectors (e.g., SQL
injections), in that it does not directly target the application itself. Instead, the users
of the web application are the ones at risk.
Input Validation
• Input validation refers to the process of scrutinizing and filtering data entered into a
system, ensuring its adherence to predefined rules and constraints.

• Consider it as an inspector for the information we put into computer programs or
websites. Its main job is to make sure that the things we type or send to these
systems are safe and won’t cause any problems.

Two Types of Validation
• Client Side Validation
• Server Side Validation
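The XSS section above describes what happens when user text reaches other users' browsers unchanged, and this section names server-side validation as the control. The following added example (not code from the slides) puts the two together: an allowlist check that runs on the server, and HTML output encoding for a free-text field that cannot be allowlisted as strictly. The field names, the username rule and the sample inputs are assumptions made for this example.

```python
# Added example (not from the slides): server-side allowlist validation of a
# form field, plus HTML output encoding of a free-text field that is echoed.
import html
import re

# Allowlist: describe what is acceptable rather than trying to list what is bad.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,16}$")   # assumed rule for this example

def validate_username(value) -> tuple:
    """Server-side check. A client-side copy of the same rule is only a
    usability aid: a request can be sent without ever running browser code."""
    if not isinstance(value, str):
        return False, "username must be a string"
    if not USERNAME_RE.fullmatch(value):
        return False, "username must be 3-16 letters, digits or underscores"
    return True, ""

def render_greeting_unsafe(display_name: str) -> str:
    """Defect on purpose: user text is placed into HTML unchanged, which is
    exactly the pattern the XSS section describes."""
    return "<p>Welcome, " + display_name + "</p>"

def render_greeting(display_name: str) -> str:
    """Fix: encode at the point the value enters HTML, so markup in the input
    is shown as text to the next user rather than executed by their browser."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"

if __name__ == "__main__":
    for sample in ("alice_01", "ab", "alice; DROP", 42):
        print(repr(sample), "->", validate_username(sample))
    constructed = "<script>alert('xss')</script>"   # constructed sample input
    print(render_greeting_unsafe(constructed))
    print(render_greeting(constructed))
```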
Web Application Firewall (WAF)
A web application firewall (WAF) protects web applications from a variety of application layer attacks
such as cross-site scripting (XSS), SQL injection, and cookie poisoning, among others. Attacks on
apps are the leading cause of breaches, because apps are the gateway to your valuable data. With the
right WAF in place, you can block the array of attacks that aim to exfiltrate that data by compromising
your systems.
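Lab-5 is about monitoring the alerts a WAF raises for the attacks named above. As an added example (not code from the slides or any vendor), the block below parses a few constructed alert lines, counts blocked requests per source and per rule, and lists the sources that crossed a threshold, which is the first cut an analyst makes before looking at individual events. The key=value line format, the rule names and the addresses are all constructed for this example.

```python
# Added example (not from the slides): first-pass triage of WAF alert lines.
# The line format, rule names and addresses below are constructed, not a real
# vendor's format; documentation-range IPs (RFC 5737) are used on purpose.
import re
from collections import Counter
from typing import Optional

SAMPLE_ALERTS = """\
2024-01-10T10:00:01Z src=203.0.113.5 rule=SQLI-001 path=/login action=BLOCK
2024-01-10T10:00:03Z src=203.0.113.5 rule=SQLI-001 path=/login action=BLOCK
2024-01-10T10:00:04Z src=198.51.100.7 rule=XSS-001 path=/search action=BLOCK
this line is not an alert and must be skipped by the parser
2024-01-10T10:00:09Z src=203.0.113.5 rule=SQLI-002 path=/login action=BLOCK
2024-01-10T10:00:12Z src=192.0.2.9 rule=XSS-001 path=/comment action=LOG
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) rule=(?P<rule>\S+) "
    r"path=(?P<path>\S+) action=(?P<action>\S+)$")

def parse_alert(line: str) -> Optional[dict]:
    """Return the fields of one alert line, or None for lines that do not
    match the expected format (malformed input is skipped, not trusted)."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(text: str, threshold: int = 3) -> dict:
    """Count BLOCK events per source and all events per rule, and name the
    sources whose block count reached the threshold for escalation."""
    alerts = [a for a in (parse_alert(l) for l in text.splitlines()) if a]
    by_src = Counter(a["src"] for a in alerts if a["action"] == "BLOCK")
    by_rule = Counter(a["rule"] for a in alerts)
    escalate = sorted(src for src, n in by_src.items() if n >= threshold)
    return {"parsed": len(alerts), "by_src": by_src,
            "by_rule": by_rule, "escalate": escalate}

if __name__ == "__main__":
    summary = triage(SAMPLE_ALERTS)
    print("parsed alerts:", summary["parsed"])
    print("blocks per source:", dict(summary["by_src"]))
    print("hits per rule:", dict(summary["by_rule"]))
    print("escalate:", summary["escalate"])
```

Events logged with action=LOG are counted per rule but not toward the block threshold, which is the distinction to check when a rule is in detection-only mode.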
Lab-4: IoC of various kinds of attacks and vulnerabilities
Lab-5: Alert monitoring in WAF
Any Questions?
Thank You
