Joe Kuemerle jkuemerle

@jkuemerle
jkuemerle / kuemerlederbycon.md
Created March 20, 2019 19:18
Kuemerle Derbycon Abstracts

Save vs. DEX - Building An Agile Security Process

Developers have been increasing the number and speed of their releases using Agile processes. In this session you will go on a quest to help integrate solid application security controls into Agile development processes to ensure that the developers are not just shipping more security bugs faster.

You will obtain an overview of multiple Agile development methodologies, learn the inflection points where security can be added into the processes and how to effectively ensure a secure codebase in a fast paced development environment.

Additionally, you will learn how to incorporate Agile principles into security processes to make your own teams more nimble and effective.

### Keybase proof
I hereby claim:
* I am jkuemerle on github.
* I am jkuemerle (https://keybase.io/jkuemerle) on keybase.
* I have a public key whose fingerprint is 7F0D 38B9 919B FA73 916C 32C4 94E6 C4A4 4071 9F3F
To claim this, I am signing this object:
@jkuemerle
jkuemerle / EncryptedTypeTest.cs
Last active December 30, 2015 04:29
EncryptedType Test Implementation
[EncryptedType]
public class EncTest {
    public string ID { get; set; }
    [EncryptedValue]
    public string SSN { get; set; }
    public string IntegrityValue() { return this.ID; }
    public EncTest() {
        this.ID = Guid.NewGuid().ToString();
@jkuemerle
jkuemerle / FillWithEntropy.cs
Created November 18, 2013 19:03
Fills a byte array with random values.
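public static byte[] FillWithEntropy(this byte[] ToFill)
{
    // RNGCryptoServiceProvider is IDisposable, so release it once the buffer is filled.
    using (var rng = new RNGCryptoServiceProvider())
    {
        // Overwrite every byte of the array with cryptographically strong random data.
        rng.GetBytes(ToFill);
    }
    return ToFill;
}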
@jkuemerle
jkuemerle / Encrypt.cs
Last active December 28, 2015 16:59
Method to encrypt data and optionally HMAC it.
public string Encrypt(string Data, string KeyName, Func<string> IntegrityFunction)
{
    if (null != IntegrityFunction)
        Data = AddHMAC(Data, IntegrityFunction);
    var val = System.Text.UnicodeEncoding.Unicode.GetBytes(Data);
    using (var crypter = new System.Security.Cryptography.RijndaelManaged())
    {
        var iv = new byte[crypter.BlockSize / 8].FillWithEntropy();
        KeyInfo key = GetKeyInfo(KeyName, iv, crypter);
        byte[] encrypted;
@jkuemerle
jkuemerle / payment.html
Created October 15, 2012 04:08
Payment Processing Body
echo "<HTML><HEAD><TITLE>Payment Confirmation</TITLE></HEAD><BODY>";
try {
    $response = Stripe_Charge::create(array("amount" => $amount * 100,
        "currency" => "usd",
        "card" => $stripeToken,
        "description" => "Purchase for: $name / $email")
    );
    $details = json_decode($response);
    $card = $details->card;
@jkuemerle
jkuemerle / payment.php
Created October 15, 2012 04:04
Payment Processing Top
<?php
require_once("Stripe.php");
Stripe::setApiKey('<secret key>');
$name = htmlspecialchars($_POST["name"]);
$address1 = htmlspecialchars($_POST["address1"]);
$city = htmlspecialchars($_POST["city"]);
$state = htmlspecialchars($_POST["state"]);
$zip = htmlspecialchars($_POST["zip"]);
$email = htmlspecialchars($_POST["email"]);
@jkuemerle
jkuemerle / payment.html
Created October 15, 2012 03:49
Payment Form
<HTML><HEAD>
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.6.2/jquery.min.js"></script>
<SCRIPT type="text/javascript" src="https://js.stripe.com/v1/"></SCRIPT>
<SCRIPT >
Stripe.setPublishableKey('<Stripe Public Key Here>');
function formSubmit() {
    if(validatePage() == true) {
        $('.submit-button').attr("disabled", "disabled");
        $("#processing").html("Processing credit card...");
@jkuemerle
jkuemerle / CredentialTest.cs
Created August 30, 2012 03:53
Unit test showing automatically encrypted property
using MbUnit.Framework;
namespace DataAccessTests {
    [TestFixture]
    public class CredentialTest
    {
        [Test]
        public void TestPasswordIsEncrypted() {
            var cr = new DataAccess.DTO.Credential();
            cr.Password = "Password1!";
@jkuemerle
jkuemerle / EncryptedAttribute.cs
Created August 30, 2012 03:35
Attribute to decorate automatically encrypted properties
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using PostSharp.Aspects;
using PostSharp.Aspects.Dependencies;
using PostSharp.Aspects.Advices;
namespace DataAccess.Aspects {
    [Serializable]