Making security invisible by becoming the developer's best friends (Owasp AppSec Brazil Nov 2011)

Hi, here is the presentation I delivered last week at OWASP's AppSec Brazil conference: OWASP Brazil - Making Security Invisible by Becoming the Developer's Best Friends

I think I was able to capture how security tends to be seen by developers, how it is currently a TAX on the SDL and how we need to move Application Security into the 'application visibility' space so that we add value to the entire SDL (and create a positive model where the developers want to engage with us)

After you read the presentation, check out this video which I also recorded in Brazil: A developer's rant about security professionals (he was one of the developers in the audience who really related to the problem of receiving security guidance from security 'consultants' that don't understand his app).

The demos showed how O2 allowed this world to exist :)

Let me know what you think of it.

(info also at my blog http://diniscruz.blogspot.com/2011/10/my-presentation-at-owasp-appsec-brazil.html)


Transcript

  • 1. The OWASP Foundation http://www.owasp.org Making Security Invisible by Becoming the Developers' Best Friends. OWASP AppSec Latam 2011 (Brazil). Dinis Cruz dinis.cruz@owasp.org
  • 2. Dinis Cruz. Long-time OWASP contributor: OWASP O2 Platform (project), OWASP Seasons of Code, OWASP Summits (2008 & 2011), OWASP Training Days, OWASP Books; helped multiple chapters and conferences; multiple tools & research at OWASP .NET. Set up Application Security Team at Global Bank. Performed Security Reviews (White and Black box) on 100s of apps. Credited for vulnerability on .NET Framework and vulnerability on Spring MVC. Worked for OunceLabs (now IBM AppScan Source) and made it work. Didn't join IBM (after OunceLabs acquisition) and spent 18 months rewriting the OWASP O2 platform (and making my vision a reality). Currently at Security Innovation (Boston/Seattle company)
  • 3. Dinis @ Security Innovation. Responsible for the TeamMentor product, i.e. I'm shipping code. SI is going to Commercially Support the OWASP O2 Platform with a focus on findings-automation and security-tools-integration. SI is a strong OWASP Supporter: Silver sponsor at AppSec USA; published OWASP TeamMentor Library under CC (Creative Commons); published OWASP Top 10 e-learning course under CC; helping to clarify the commercial relationship with OWASP's ecosystem; sponsored me to come here
  • 4. OWASP is Amazing
  • 7. owasp band
  • 8. Don't stop asking 'why not?'
  • 9. Don't stop asking 'why not?' Try new ideas:
  • 10. Don't stop asking 'why not?' Try new ideas: Barefoot walking/running
  • 13. I'm a developer
  • 14. Yes, I have shipped code
  • 15. O2 PLATFORM, OWASP TeamMentor, Security Innovation
  • 16. I'm going to speak as the developer of those and a couple of other apps: HacmeBank, JPetstore, Altoro Mutual
  • 17. for which security IS NOT a priority
  • 18. it is important
  • 19. but not a priority
  • 20. In fact I want security to be INVISIBLE (or transparent)
  • 21. As with every other developer, I don't want my app to have security vulnerabilities
  • 22. So I'm happy to help the 'security' process...
  • 23. ... as long as the workflow 'works' for me and my team
  • 24. and at the moment it doesn't
  • 25. Dear Security teams / vendors
  • 26. Understand this:
  • 27. Features and Functionality Rule!
  • 28. You (security teams) are quite at the bottom of the food chain
  • 29. I'm smart. If I wasn't smart I wouldn't be working (& paid) as a developer
  • 30. If I'm not Smart, don't tell that to my boss (especially NOT in a report format)
  • 31. If I'm not Smart, Make me Smart!
  • 32. Since I'm smart, Make me a HERO
  • 33. Actually, in the real world the issue is usually not 'smart' but 'experience on the APIs/Frameworks used'
  • 34. Another important topic
  • 35. I'm not a security expert
  • 36. that is YOUR job
  • 37. if you want to talk about: jQuery, Javascript, MVC, Reflection, Hibernate, Struts, AoP, High performance Algorithms, Compression techniques, cache management, Agile, Pointers, Code Patterns, Authorisation Models, QA, User-acceptance-tests, Use-Cases, UML, SCRUM, StackOverflow, GIT, App Hosting/Clustering, etc....
  • 38. that's me
  • 39. Security
  • 40. That's you
  • 41. (btw) I'm the one creating value
  • 42. I'm the one making money, grabbing eyeballs, creating value or whatever the business wants to call it
  • 43. YOU are a TAX (as positioned today)
  • 44. which is why I don't really like to talk/deal with you
  • 45. Quiz Question: When was the last time that developers were REALLY excited to talk with Security Teams?
  • 46. Yeah, I can see the Queue from here..... (I think some developers would shoot Security teams if that was legal)
  • 47. Developers' dirty secrets
  • 48. Here are a couple of dirty secrets about 'most' development projects
  • 49. The devs can't visualise how their app works
  • 50. The devs (and management) can't visualise how their app works
  • 51. The devs don't understand how their app works
  • 52. The devs (and management) don't understand how their app works
  • 53. The devs (and management) (and buyers) don't understand how their app works
  • 54. The devs (and management) (and buyers) (and users) don't understand how their app works
  • 55. In practice what does this mean?
  • 56. it means that they can't quickly answer questions like:
  • 57. what are the URLs?
  • 58. what data do you expect to receive from the web?
  • 59. what data CAN be submitted from the web?
  • 60. what is the data-binding behaviour of the Frameworks used (case in point: MVC Frameworks)?
  • 61. Where is my Data Validation layer?
  • 62. Who and what connects to the databases/assets?
  • 63. Where are my assets?
  • 64. Where is the Credit Card data?
  • 65. What are the connections between the managed layers (C# & Java) and unmanaged layers (C/C++)?
  • 66. What happens at the Javascript layer?
  • 67. (easier question) What is the real CALL FLOW of a request (from the web to the backend and back to the web)?
  • 68. (harder question) What is the real TAINT FLOW of a request (from the web to the backend and back to the web)?
  • 69. (much harder question) What is the real TAINT (with CONTROL) FLOW of a request (from the web to the backend and back to the web)?
  • 70. Bottom line: (*unless we have been attacked before)
  • 71. If it compiles, Ship it! (I see this behaviour at a lot of dev shops)
  • 72. Bottom line: (*If we have been attacked before)
  • 73. If it compiles (and passes the 'security tools'), Send it to the 'Security Team' (who now have funds to hire their own staff)
  • 74. Dealing with Security
  • 75. I care about my users
  • 76. And exploitation of security vulnerabilities affects them
  • 77. So by-proxy I care about security
  • 78. But the current workflow between developers and security teams is....
  • 79. F****d
  • 80. or more politically correct
  • 81. Highly inefficient
  • 82. and that is in companies WITH internal security teams & awareness
  • 83. It is even worse for the rest
  • 84. We need a new paradigm
  • 85. One where 'application security' ADDs value to the Business
  • 86. One where 'Application Security' practices are deeply embedded into the SDL
  • 87. One where 'Application Security' practices are invisible/transparent to 99% of the parties involved (the 1% are the ones directly involved in security, such as security teams, devs, architects, CISO, etc...)
  • 88. but before we get to the solution, let's set the stage....
  • 89. As a developer, this is What I don't want
  • 90. I don't want to: receive a PDF (or portal) with security findings
  • 91. I don't want to: receive a tool result with partial (or zero) context about my app
  • 92. I don't want to: spend time sorting out the False positives created by tools
  • 93. I don't want to: have tons of bugs filed into my bug tracking system
  • 94. I don't want to: receive non-automated findings (that will force me to spend time replicating the issue)
  • 95. I don't want to: receive no information on the impact of the 'proposed fix', the 'blast ratio' of a fix, i.e. how much s*** will break
  • 96. I don't want to: be 'lectured' by a 'security expert' that doesn't understand my application
  • 97. I don't want to: be told to 'go to school', usually framed as "we need to give 'security education' to developers"
  • 98. Got that?
  • 99. I don't think that (even if they tried) 'security consultants' could OFFEND the developers more than they do today
  • 100. What I want
  • 101. I want to know the implications of the multiple APIs & frameworks used
  • 102. Ideally I should be able to use those APIs in the most efficient way
  • 103. I want to know when I use those APIs and Frameworks incorrectly
  • 104. I want to understand my Application!
  • 105. Can YOU do that?
  • 106. Can you help me to understand my Application?
  • 107. because, as a developer
  • 108. if you can help me to understand my Application ...
  • 109. ... you add value to my world....
  • 110. if you don't help me to understand how my Application works
  • 111. you are a TAX that I have to Pay or an INSURANCE that I have to Pay
  • 112. Did you notice the lack of 'security' in the last slides? :)
  • 113. let's try this again
  • 114. What I want from a security point of view (in red)
  • 115. I want to know the Security implications of the multiple APIs & frameworks used
  • 116. Ideally I should only be able to use those APIs in a SECURE way
  • 117. I want to know when I use those APIs and Frameworks insecurely
  • 118. I want to understand the security risk profile of my Application!
  • 119. Making Security Invisible by becoming the developer's best friend
  • 120. So how was I able to do what I wanted (from both a security and developer point of view)?
  • 121. using the OWASP O2 Platform
  • 122. DEMO TIME.....
  • 123. Any questions?
  • 124. Thanks
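The three questions on slides 67 to 69 (call flow, taint flow, and taint flow with control) are easier to see on a toy than in prose. The Python below is an added example written for this page; it is not code from the presentation, from the OWASP O2 Platform, or from HacmeBank, JPetstore or Altoro Mutual. The request pipeline (parse_request, bind_model, validate, build_query, execute_sql), the `tx` table and the `account` and `sort` parameters are all constructed for the illustration. Each value carries two taint sets: `data` (parameters whose bytes are copied into the value) and `control` (parameters that only decided which value was produced), so one run answers all three questions for the SQL sink.

```python
from dataclasses import dataclass
from functools import wraps
from urllib.parse import parse_qs

# Call flow of the current request, appended to by every @traced handler.
CALL_FLOW: list = []


@dataclass(frozen=True)
class T:
    """A value tagged with the request parameters it depends on."""
    value: object
    data: frozenset = frozenset()     # params whose bytes end up inside value
    control: frozenset = frozenset()  # params that only decided which value was produced


def traced(fn):
    """Record each handler in CALL_FLOW so the request's call flow is visible."""
    @wraps(fn)
    def wrapper(*args, **kwargs):
        CALL_FLOW.append(fn.__name__)
        return fn(*args, **kwargs)
    return wrapper


def concat(*parts):
    """String building: the result carries every part's data and control taint."""
    return T("".join(str(p.value) for p in parts),
             frozenset().union(*(p.data for p in parts)),
             frozenset().union(*(p.control for p in parts)))


def equals(a, b):
    """Comparison: the boolean is data-tainted by both operands."""
    return T(a.value == b.value, a.data | b.data, a.control | b.control)


def branch(cond, if_true, if_false):
    """A branch on tainted data. No byte of the condition is copied into the
    result, so data taint is unchanged, but the condition chose the result:
    its taint is recorded as control taint."""
    chosen = if_true if cond.value else if_false
    return T(chosen.value, chosen.data, chosen.control | cond.data | cond.control)


@traced
def parse_request(query_string):
    """Source: each query parameter is tainted with its own name."""
    return {name: T(values[0], frozenset({name}))
            for name, values in parse_qs(query_string).items()}


@traced
def bind_model(params):
    """Data binding the way many MVC frameworks do it by default:
    every submitted parameter lands in the model, expected or not."""
    return dict(params)


@traced
def validate(model):
    """Data validation layer (hypothetical): only 'account' is checked; 'sort' is not."""
    if not str(model["account"].value).isdigit():
        raise ValueError("account must be numeric")
    return model


@traced
def build_query(model):
    """'sort' only picks a constant; 'account' is concatenated in as bytes."""
    direction = branch(equals(model.get("sort", T("asc")), T("desc")),
                       T("DESC"), T("ASC"))
    return concat(T("SELECT * FROM tx WHERE account = '"), model["account"],
                  T("' ORDER BY date "), direction)


@traced
def execute_sql(query):
    """Sink: the toy just hands back whatever reached it."""
    return query


@traced
def handle_request(query_string):
    return execute_sql(build_query(validate(bind_model(parse_request(query_string)))))


def analyse(query_string):
    """Run one request and answer the three questions for the SQL sink."""
    CALL_FLOW.clear()
    query = handle_request(query_string)
    return {
        "call_flow": list(CALL_FLOW),
        "taint_flow": sorted(query.data),
        "taint_with_control_flow": sorted(query.data | query.control),
        "query": query.value,
    }


if __name__ == "__main__":
    # Constructed sample requests; the second tries to inject through 'sort'.
    for qs in ("account=42&sort=desc", "account=42&sort=desc' OR 1=1--"):
        print(analyse(qs))
```

For `account=42&sort=desc` the report lists the call flow `handle_request, parse_request, bind_model, validate, build_query, execute_sql`, a taint flow of `account` only, and a taint-with-control flow of `account` and `sort`. For the injection attempt through `sort` the query still ends in a constant `ASC`, so a data-taint-only analysis reports only `account` and would say nothing about `sort`; only the control-taint set shows that an unvalidated parameter is steering the query, which is why slide 69 calls that flow the much harder question.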