Making security invisible by becoming the developer's best friends (Owasp AppSec Brazil Nov 2011)

Hi, here is the presentation I delivered last week at OWASP's AppSec Brazil conference: OWASP Brazil - Making Security Invisible by Becoming the Developer's Best Friends

I think I was able to capture how security tends to be seen by developers, how it is currently a TAX on the SDL and how we need to move Application Security into the 'application visibility' space so that we add value to the entire SDL (and create a positive model where the developers want to engage with us).

After you read the presentation, check out this video which I also recorded in Brazil: A developer's rant about security professionals (he was one of the developers in the audience who really related to the problem of receiving security guidance from security 'consultants' that don't understand his app).

The demos showed how O2 allowed this world to exist :)

Let me know what you think of it.

(info also at my blog http://diniscruz.blogspot.com/2011/10/my-presentation-at-owasp-appsec-brazil.html)

Published in: Technology, News & Politics
    1. The OWASP Foundation http://www.owasp.org. Making Security Invisible by Becoming the Developers' Best Friends. OWASP AppSec Latam 2011 (Brazil). Dinis Cruz, dinis.cruz@owasp.org
    2. Dinis Cruz: long-time OWASP contributor. OWASP O2 Platform (project), OWASP Seasons of Code, OWASP Summits (2008 & 2011), OWASP Training Days, OWASP Books; helped multiple chapters and conferences; multiple tools & research at OWASP .NET. Set up the Application Security Team at a global bank. Performed security reviews (white and black box) on 100s of apps. Credited for a vulnerability in the .NET Framework and a vulnerability in Spring MVC. Worked for OunceLabs (now IBM AppScan Source) and made it work. Didn't join IBM (after the OunceLabs acquisition) and spent 18 months rewriting the OWASP O2 Platform (and making my vision a reality). Currently at Security Innovation (Boston/Seattle company).
    3. Dinis @ Security Innovation: responsible for the TeamMentor product, i.e. I’m shipping code. SI is going to commercially support the OWASP O2 Platform with a focus on findings automation and security-tools integration. SI is a strong OWASP supporter: silver sponsor at AppSec USA; published the OWASP TeamMentor Library under CC (Creative Commons); published the OWASP Top 10 e-learning course under CC; helping to clarify the commercial relationship with OWASP’s ecosystem; sponsored me to come here.
    4. OWASP is Amazing
    5. (no text on slide)
    6. (no text on slide)
    7. owasp band
    8. Don’t stop asking ‘why not?’
    9. Don’t stop asking ‘why not?’ Try new ideas:
    10. Don’t stop asking ‘why not?’ Try new ideas: barefoot walking/running
    11. (slide 10 repeated)
    12. (slide 10 repeated)
    13. I’m a developer
    14. Yes, I have shipped code
    15. O2 Platform, OWASP TeamMentor, Security Innovation
    16. I’m going to speak as the developer of [app logo] and a couple of other apps: HacmeBank, JPetstore, Altoro Mutual
    17. ... for which security IS NOT a priority
    18. It is important
    19. but not a priority
    20. In fact I want security to be INVISIBLE (or transparent)
    21. As with every other developer, I don’t want my app to have security vulnerabilities
    22. So I’m happy to help the ‘security’ process...
    23. ... as long as the workflow ‘works’ for me and my team
    24. and at the moment it doesn’t
    25. Dear Security teams / vendors
    26. Understand this:
    27. Features and Functionality Rule!
    28. You (security teams) are quite at the bottom of the food chain
    29. I’m smart. If I wasn’t smart I wouldn’t be working (& paid) as a developer
    30. If I’m not smart, don’t tell that to my boss (especially NOT in a report format)
    31. If I’m not smart, make me smart!
    32. Since I’m smart, make me a HERO
    33. Actually, in the real world the issue is usually not ‘smart’ but ‘experience on the APIs/Frameworks used’
    34. Another important topic
    35. I’m not a security expert
    36. that is YOUR job
    37. If you want to talk about: jQuery, JavaScript, MVC, Reflection, Hibernate, Struts, AoP, high-performance algorithms, compression techniques, cache management, Agile, pointers, code patterns, authorisation models, QA, user-acceptance tests, use cases, UML, SCRUM, StackOverflow, Git, app hosting/clustering, etc....
    38. that’s me
    39. Security
    40. That’s you
    41. (btw) I’m the one creating value
    42. I’m the one making money, grabbing eyeballs, creating value, or whatever the business wants to call it
    43. YOU are a TAX (as positioned today)
    44. which is why I don’t really like to talk/deal with you
    45. Quiz question: when was the last time that developers were REALLY excited to talk with security teams?
    46. Yeah, I can see the queue from here..... (I think some developers would shoot security teams if that was legal)
    47. Developers’ dirty secrets
    48. Here are a couple of dirty secrets about ‘most’ development projects
    49. The devs can’t visualise how their app works
    50. The devs can’t visualise how their app works (and management)
    51. The devs don’t understand how their app works
    52. The devs don’t understand how their app works (and management)
    53. The devs don’t understand how their app works (and management) (and buyers)
    54. The devs don’t understand how their app works (and management) (and buyers) (and users)
    55. In practice, what does this mean?
    56. It means that they can’t quickly answer questions like:
    57. What are the URLs?
    58. What data do you expect to receive from the web?
    59. What data CAN be submitted from the web?
    60. What is the data-binding behaviour of the frameworks used? (case in point: MVC frameworks)
    61. Where is my data validation layer?
    62. Who and what connects to the databases/assets?
    63. Where are my assets?
    64. Where is the credit card data?
    65. What are the connections between the managed layers (C# & Java) and the unmanaged layers (C/C++)?
    66. What happens at the JavaScript layer?
    67. (easier question) What is the real CALL FLOW of a request (from the web to the backend and back to the web)?
    68. (harder question) What is the real TAINT FLOW of a request (from the web to the backend and back to the web)?
    69. (much harder question) What is the real TAINT (with CONTROL) FLOW of a request (from the web to the backend and back to the web)?
    70. Bottom line (*unless we have been attacked before):
    71. If it compiles, ship it! (I see this behaviour at a lot of dev shops)
    72. Bottom line (*if we have been attacked before):
    73. If it compiles (and passes the ‘security tools’), send it to the ‘Security Team’ (who now have funds to hire their own staff)
    74. Dealing with Security
    75. I care about my users
    76. And exploitation of security vulnerabilities affects them
    77. So by proxy I care about security
    78. But the current workflow between developers and security teams is....
    79. F****d
    80. or, more politically correct,
    81. Highly inefficient
    82. and that is in companies WITH internal security teams & awareness
    83. It is even worse for the rest
    84. We need a new paradigm
    85. One where ‘application security’ ADDS value to the business
    86. One where ‘Application Security’ practices are deeply embedded into the SDL
    87. One where ‘Application Security’ practices are invisible/transparent to 99% of the parties involved (the 1% are the ones directly involved in security, such as security teams, devs, architects, CISO, etc...)
    88. but before we get to the solution, let’s set the stage....
    89. As a developer, this is what I don’t want
    90. I don’t want to receive a PDF (or portal) with security findings
    91. I don’t want to receive a tool result with partial (or zero) context about my app
    92. I don’t want to spend time sorting out the false positives created by tools
    93. I don’t want to have tons of bugs filed into my bug tracking system
    94. I don’t want to receive non-automated findings (that will force me to spend time replicating the issue)
    95. I don’t want to receive no information on the impact of the ‘proposed fix’, the ‘blast ratio’ of a fix, i.e. how much s*** will break
    96. I don’t want to be ‘lectured’ by a ‘security expert’ that doesn’t understand my application
    97. I don’t want to be told to ‘go to school’ (usually framed as “we need to give ‘security education’ to developers”)
    98. Got that?
    99. I don’t think that (even if they tried) ‘security consultants’ could OFFEND developers more than they do today
    100. What I want
    101. I want to know the implications of the multiple APIs & frameworks used
    102. Ideally I should be able to use those APIs in the most efficient way
    103. I want to know when I use those APIs and frameworks incorrectly
    104. I want to understand my Application!
    105. Can YOU do that?
    106. Can you help me to understand my Application?
    107. because, as a developer,
    108. if you can help me to understand my Application ...
    109. ... you add value to my world....
    110. if you don’t help me to understand how my Application works
    111. you are a TAX that I have to pay, or an INSURANCE that I have to pay
    112. Did you notice the lack of ‘security’ in the last slides? :)
    113. let’s try this again
    114. What I want, from a security point of view (in red)
    115. I want to know the Security implications of the multiple APIs & frameworks used
    116. Ideally I should only be able to use those APIs in a SECURE way
    117. I want to know when I use those APIs and frameworks insecurely
    118. I want to understand the security risk profile of my Application!
    119. Making Security Invisible by becoming the developer’s best friend
    120. So how was I able to do what I wanted (from both a security and a developer point of view)?
    121. using the OWASP O2 Platform
    122. DEMO TIME.....
    123. Any questions?
    124. Thanks