Making security invisible by becoming the developer's best friends (Owasp AppSec Brazil Nov 2011)

The OWASP Foundation http://www.owasp.orgMaking Security Invisible by Becoming the Developers Best Friends OWASP AppSec Latam 2011 (Brazil) Dinis Cruz dinis.cruz@owasp.org

Dinis Cruz Long-time OWASP contributor OWASP O2 Platform (project) OWASP Seasons of Code OWASP Summits (2008 & 2011) OWASP Training Days OWASP Books Helped multiple chapters and conferences Multiple tools & research at OWASP .NETSetup Application Security Team at Global BankPerformed Security Reviews (White and Black box) on 100s of appsCredited for vulnerability on .NET Framework and vulnerability on Spring MVCWorked for OunceLabs (now IBM AppScan Source) and made it workDidn’t joined IBM (after OunceLabs acquisition) and spent 18 months rewriting theOWASP O2 platform (and making my vision a reality)Currently at Security Innovation (Boston/Seattle company)

Dinis @ Security Innovation Responsible for the TeamMentor product i.e. I’m shipping code SI is going to Commercially Support the OWASP O2 Platform with a focus on findings-automation and security-tools-integration SI is a strong OWASP Supporter Silver sponsor at AppSec USA published OWASP TeamMentor Library under CC (Creative Commons) published OWASP Top 10 e-learning course under CC helping the clarify the commercial relationship with OWASP’s ecosystem Sponsored me to come here 3

OWASP is Amazing

owasp band 7

Don’t stop asking ‘why not?’ 8

Don’t stop asking ‘why not?’ Try new ideas: 8

Don’t stop asking ‘why not?’ Try new ideas: Barefoot walking/running 8

I’m a developer

YesI have shipped code 10

O2 PLATFORM OWASP TeamMentor Security Innovation 11

I’m going to speak as the developer of and a couple other apps: HacmeBank, JPetstore, Altoro Mutual 12

for which securityIS NOT a priority 13

it is important 14

but not a priority 15

In fact I want to security to be INVISIBLE (or transparent) 16

As with every other developer,I don’t want my app to have security vulnerabilities 17

So I’m happy to helpthe ‘security’ process... 18

... as long as theworkflow ‘works’ for me and my team 19

and at the moment it doesn’t 20

Dear Securityteams / vendors

Understand this: 22

Features andFunctionality Rule! 23

You (security teams)are quite in the bottom of the food chain 24

I’m smartIf I wasn’t smart I wouldn’t be working (& paid) as a developer 25

If I’m not Smartdon’t tell that to my boss (specially NOT in a report format) 26

If I’m not SmartMake me Smart! 27

Since I’m smartMake me a HERO 28

Actually In the real world the issue is usually not ‘smart’ but ‘experience on theAPIs/Framworks used’ 29

Another important topic 30

I’m not a security expert 31

that is YOUR job 32

if you want to talk about: jQuery, Javascript, MVC, Reflection, Hibernate, Struts, AoP, High performance Algorithms, Compression techniques, cache management, Agile, Pointers, Code Patterns, Authorisation Models, QA, User-acceptance-tests, Use-Cases, UML, SRCUM, StackOverflow, GIT, App Hosting/Clustering, etc.... 33

that’s me 34

Security 35

That’s you 36

(btw) I’m the onecreating value 37

I’m the one making money, grabbing eyeballs, creating valueor whatever the business wants to call it 38

YOU are a TAX As positioned today 39

which is why I don’treally like to talk/deal with you 40

Quiz Question:When was the last timethat developers where REALLY exited to talk with Security Teams? 41

Yeah I can see the Queue from here.....(I think some developers would shoot Security teams if that was legal) 42

Developers dirty secrets

Here are a couple dirty secrets about ‘most’development projects 44

The devs can’t visualise how their app works 45

e nt) ag em m an (andThe devs can’t visualise how their app works 45

The devs don’t understand how their app works 46

e nt) ag em m an (andThe devs don’t understand how their app works 46

nt) s) me yer ge bu na ma (and ( andThe devs don’t understand how their app works 46

nt) s) me yer ge bu se rs) n a u d ma (and (a nd ( anThe devs don’t understand how their app works 46

In practice what does this mean? 47

it means that they can’tquickly answer questions like: 48

what are the URLs? 49

what data do youexpect to receive from the web? 50

what data CAN besubmitted from the web 51

what is the data-binding behaviour of the Frameworks used (case point MVC Frameworks) 52

Where is my Data Validation layer 53

Who and what connectsto the databases/assets 54

Where are my assets? 55

Where is theCredit Card data? 56

What are the connectionsbetween the managed layers(C# & Java) and unmanaged layers (C/C++)? 57

What happens at the Javascript layer? 58

(easier question) What is the real CALL FLOW of a request(from the web to the backend and back to the web) 59

(harder question) What is the real TAINT FLOW of a request(from the web to the backend and back to the web) 60

(much harder question) What is the realTAINT (with CONTROL) FLOW of a request(from the web to the backend and back to the web) 61

Bottom line:(*unless we have been attacked before) 62

If it compiles Ship it!(I see this behaviour at a lot of dev shops) 63

Bottom line:(*If we have been attacked before) 64

If it compiles (and passes the ‘security tools’) Send it to the ‘Security Team’(who now have funds to hire their own staff) 65

Dealing with Security

I care about my users 67

And exploitation ofsecurity vulnerabilities affects them 68

So by-proxy I care about security 69

But the current workflow betweendevelopers and security teams is.... 70

F****d 71

or more politically correct 72

Highly inefficient 73

and that is on companies WITHinternal security teams & awareness 74

It is even worse for the rest 75

We need a new paradigm 76

One where ‘applicationsecurity’ ADDs value to the Business 77

One where ‘ApplicationSecurity’ practices aredeeply embedded into the SDL 78

One where ‘Application Security’ practices areinvisible/transparent to 99% of the parties involved(the 1% are the ones directly involved in security, such as security teams, devs,architects, CISO, etc...) 79

but before we get tothe solution, lets set the stage.... 80

As a developer , this isWhat I don’t want

I dont want to:receive a PDF (or portal) with security findings 82

I dont want to: receive a tool result with partial (or zero)context about my app 83

I dont want to:spent time sorting out the False positives created by tools 84

I dont want to:have tons of bugs filled into my bug tracking system 85

I dont want to:receive non-automated findings (that will force me to spend time replicating the issue) 86

I dont want to:receive no information on the impact of the ‘proposed fix’ the ‘blast ratio’ of a fix i.e. how much s*** will break 87

I dont want to: be ‘lectured’ by a ‘security expert’ thatdoesn’t understand my application 88

I dont want to:I don’t want to be told to ‘go to school’ usually framed as “we need to give ‘security education’ to developers” 89

Got that? 90

I don’t think that (even if they tried)‘security consultants’couldn’t OFEND more the developers than they do today 91

What I want

I want to know theimplications of the multiple APIs & frameworks used 93

Ideally I should be ableto use those APIs is the most efficient way 94

I want to know when I use those APIs andFrameworks incorrectly 95

I want to understand my Application! 96

Can YOU do that? 97

Can you help me to understand my Application? 98

because,as a developer 99

if you can help me to understand my Application ... 100

... you add value to my world.... 101

if you don’t help me to understand how my Application works 102

you are a TAX that I have to Payor an INSURANCE that I have to Pay 103

Did you noticed the lack of ‘security’ in the last slides? :) 104

let’s try this again 105

What I wantfrom a security point of view (in red)

I want to know theSecurity implications of the multiple APIs & frameworks used 107

Ideally i should only beable to use those APIs in a SECURE way 108

I want to know when I use those APIs andFrameworks insecurely 109

I want to understandthe security risk profile of my Application! 110

Making Security Invisible by becoming thedeveloper’s best friend

So how was I able to do what I wanted (from both a security anddeveloper point of view) 112

using theOWASP O2 Platform 113

DEMO TIME..... 114

Any questions?

Thanks 116

Making security invisible by becoming the developer's best friends (Owasp AppSec Brazil Nov 2011)

by Dinis Cruz on Oct 19, 2011

Accessibility

Categories

Tags

Upload Details

Usage Rights

1 Embed 8

Statistics

Making security invisible by becoming the developer’s best friends (Owasp AppSec Brazil Nov 2011) — Presentation Transcript