Michael Coates, JavaOne 2013: slide transcript

  1. Scaling Web Security - Tools, Processes and Techniques to Enable Security At Scale
  2. About Me: michael.coates@owasp.org
  3. “The global cost of cybercrime is greater than the combined effect on the global economy of trafficking in marijuana, heroin and cocaine” (theregister.co.uk, Sept 7, 2011)
  4. Reality
  5-6. Data Loss & Breaches. Sources: Verizon Data Breach Report 2013; datalossdb.org/statistics
  7. The Supposed Security Program • “Security is everyone’s job…” • “Security training is the answer…” • “It’s easy, just use encoding…” • “Companies that care about security wouldn’t have those vulnerabilities…”
  8. Two Facts about Security Programs
  9-11. 1) Fixing a single security bug: Easy (generally)
  12-17. 2) Ensuring no critical bugs are introduced to software • While moving fast • With minimal impact to developers • Within an agile or constant deployment model • Across thousands of developers, multiple sites and services, and numerous new lines of code
  18. The Goal • Eliminate all possible security bugs? • Keep company out of the headlines? • Protect data? • Ensure uptime? • The real goal: manage risk
  19. RETHINKING SECURITY PROGRAMS: Eliminate the Security Professional
  20. You can’t solve security by throwing bodies at the problem. Security Professionals – Expensive – Hard to find – Competition for employment
  21. Humans Don’t Scale Well
  22. Security Throughout SDLC
  23. Development • Developer Training • Coding Guidelines – Cheat Sheets – Concise, Usable. owasp.org/index.php/Cheat_Sheets
  24. Development • Security Libraries & Services – Abstract away internals of security code – Standardized security libraries • OWASP ESAPI, an example of what you should build within your organization – Web services for security
  25. Automation • Dynamic security analysis built for developers – Report only what can be found with >95% accuracy – Skip issues where accuracy is low – An accurate tool beats a tool whose output requires the security team to triage it. wiki.mozilla.org/Security/Projects/Minion
  26. Automation • Static / Dynamic Analysis – Careful: a security resource may be required to triage results – Can scale if the environment is homogeneous • Security X as a Service – Yes! The Future!
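The filtering rule from slide 25 (report only what the tool can find at >95% accuracy, skip the rest) is easy to show in code. The block below is an added example, not code from the deck and not Mozilla Minion: a response scanner whose deterministic checks (header present or absent, cookie flag present or absent) are reported, while string-match heuristics are set aside for the security team rather than shown to developers. The checks, their confidence values and the sample HTTP response are all assumptions constructed for the example.

```python
"""Added example, not code from the deck or from Mozilla Minion: a response
scanner in the spirit of slide 25 that reports only checks it can make
with near-certainty and sets lower-confidence heuristics aside, so a
developer can act on every reported line without a security reviewer.
The checks, their confidence values and the sample response are assumed."""
from dataclasses import dataclass

REPORT_THRESHOLD = 0.95   # slide 25: report what can be found at >95% accuracy


@dataclass(frozen=True)
class Finding:
    check: str
    detail: str
    confidence: float     # expected true-positive rate of this check (assumed)


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def run_checks(raw: str) -> list:
    """Every candidate finding, deterministic and heuristic alike."""
    _, headers, body = parse_response(raw)
    hdr = dict(headers)   # last value wins; Set-Cookie is walked separately below
    found = []

    # Deterministic checks: the header is either there or it is not.
    csp = hdr.get("content-security-policy", "")
    if "x-frame-options" not in hdr and "frame-ancestors" not in csp:
        found.append(Finding("clickjacking", "no X-Frame-Options or CSP frame-ancestors", 0.99))
    if hdr.get("x-content-type-options", "").lower() != "nosniff":
        found.append(Finding("nosniff", "X-Content-Type-Options: nosniff missing", 0.97))
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie = value.split("=", 1)[0]
        attrs = [a.strip().lower() for a in value.split(";")[1:]]
        if "httponly" not in attrs:
            found.append(Finding("cookie-httponly", "cookie %s lacks HttpOnly" % cookie, 0.98))
        if "secure" not in attrs:
            found.append(Finding("cookie-secure", "cookie %s lacks Secure" % cookie, 0.98))

    # Heuristic checks: string matches that are often wrong on real sites.
    lowered = body.lower()
    if "exception" in lowered or "stack trace" in lowered:
        found.append(Finding("verbose-error", "body mentions an exception or stack trace", 0.60))
    if "sql syntax" in lowered:
        found.append(Finding("sql-error", "body mentions a SQL syntax error", 0.70))
    return found


def report(raw: str) -> list:
    """What the developer sees: only findings above the accuracy bar."""
    return [f for f in run_checks(raw) if f.confidence >= REPORT_THRESHOLD]


def skipped(raw: str) -> list:
    """What is deliberately not shown (kept for the security team's tuning)."""
    return [f for f in run_checks(raw) if f.confidence < REPORT_THRESHOLD]


# Constructed sample response, not captured from any real server.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "Server: Apache/2.2.3\r\n"
    "\r\n"
    "<html><body>Unhandled exception in /search</body></html>"
)

if __name__ == "__main__":
    for f in report(SAMPLE):
        print("REPORT  %-16s %s" % (f.check, f.detail))
    for f in skipped(SAMPLE):
        print("SKIPPED %-16s %s (confidence %.2f)" % (f.check, f.detail, f.confidence))
```

On the sample response the developer sees three findings (clickjacking, nosniff, cookie-secure) and never sees the "exception" string match, which is exactly the trade the slide argues for: fewer findings, each one actionable without a security review.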
  27. QA • Security validation within QA • Functional testing of forms + basic security tests • Follow patterns of current QA – Pass / Fail – Self-contained testing, no need for security evaluation. Example canary payload for a form field: "><script>alert('problem')</script>
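Slides 24 and 27 fit together: a standardized encoding library gives developers one correct call per output context, and a QA test that feeds the slide's canary into every form field and checks for it coming back raw gives a pass/fail result with no security judgement required. The block below is an added example illustrating both; it is not code from the deck, from OWASP ESAPI or from any real application. The two form handlers, the field names and the sample form are assumed stand-ins for an application under test.

```python
"""Added example, not code from the deck, from OWASP ESAPI or from any real app:
a small standardized output-encoding library (slide 24) and a QA-style
pass/fail check that submits the deck's canary payload to a form handler
(slide 27). The form handlers and field names are assumed stand-ins for an
application under test."""
import html
import re

# The canary from slide 27: breaks out of a double-quoted attribute, then
# injects a script. A QA test only needs to know whether it comes back raw.
CANARY = "\"><script>alert('problem')</script>"


# --- standardized security library: one encoder per output context -------
def encode_for_html(value: str) -> str:
    """Encode untrusted data for an HTML text node."""
    return html.escape(value, quote=True)


def encode_for_html_attr(value: str) -> str:
    """Encode untrusted data for a quoted HTML attribute value. Everything
    but [A-Za-z0-9] becomes a numeric entity, so no quoting style leaks."""
    return re.sub(r"[^A-Za-z0-9]", lambda m: "&#x%x;" % ord(m.group(0)), value)


# --- two versions of the same form handler (assumed stand-ins) -----------
def render_search_vulnerable(fields: dict) -> str:
    """Reflects the query straight into an attribute and a text node."""
    q = fields["q"]
    return '<input name="q" value="%s"><p>Results for %s</p>' % (q, q)


def render_search_fixed(fields: dict) -> str:
    """Same page, each reflection encoded for the context it lands in."""
    q = fields["q"]
    return '<input name="q" value="%s"><p>Results for %s</p>' % (
        encode_for_html_attr(q), encode_for_html(q))


# --- the QA check: same shape as any functional test, pass or fail -------
def qa_reflected_xss_check(handler, form_fields: dict) -> dict:
    """Submit the canary in each field in turn; FAIL if it reflects unencoded."""
    failures = []
    for name in form_fields:
        submitted = dict(form_fields)
        submitted[name] = CANARY
        if CANARY in handler(submitted):
            failures.append(name)
    return {"result": "FAIL" if failures else "PASS", "fields": failures}


if __name__ == "__main__":
    form = {"q": "shoes", "page": "1"}   # constructed sample form
    print("vulnerable:", qa_reflected_xss_check(render_search_vulnerable, form))
    print("fixed:     ", qa_reflected_xss_check(render_search_fixed, form))
```

The check is deliberately crude: it looks for the exact canary string, so it only catches the case the slide describes (raw reflection) and never asks QA to judge partial encodings. That is the point of the slide: a test that a QA engineer can mark pass or fail without escalating.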
  28. Organizational Strategy • Embedding security inside dev team – team effort to ship – real time collaboration – eliminates “us” vs “them” – build alliance (diagram: several dev teams, each with security embedded)
  29. Organizational Strategy • Scaling via Security Champions • Primary Role: Developer; Secondary: Security • Scales Effectively • Liaison to security team (diagram: several dev teams)
  30. Post Release - Bounty Programs! • Engage Security Community. https://bugcrowd.com/list-of-bug-bounty-programs/
  31. Post Release – Defend That App • Detect and repel common attacks – Web Application Firewall • Detect and repel custom attacks at business layer – Integrated application defense – OWASP AppSensor. owasp.org/index.php/OWASP_AppSensor_Project; crosstalkonline.org/storage/issue-archives/2011/201109/201109-Watson.pdf
  32. Post Release – Defend That App • Scale! – Attack blocking? Automated only – No human analysis in the critical path.
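Slides 31 and 32 describe an application that recognises business-layer misuse itself and responds without a person in the loop. The block below is an added example of that pattern, not code from the deck or from the OWASP AppSensor project: a checkout handler feeds two detection points (input a client-side-validated form could never send, and tampering with a server-owned price field) into an in-process counter that locks the account once a per-user threshold is crossed inside a time window. The detection-point IDs follow the AppSensor naming pattern, but the thresholds, the catalog and the event stream are assumptions constructed for the example.

```python
"""Added example, not code from the deck or from the OWASP AppSensor project:
an in-application detection-point counter in the AppSensor style of
slide 31, with the fully automated response slide 32 calls for. The
detection-point IDs, thresholds, catalog and event stream are assumed."""
from collections import defaultdict, deque

# Detection point -> (events that trigger a response, window in seconds, response).
# IDs follow the AppSensor naming pattern but the thresholds are assumptions.
POLICY = {
    "IE1": (3, 60, "lock_account"),   # input the client-side validation would never send
    "ACE1": (1, 60, "lock_account"),  # tampering with a field the user can never edit
}

CATALOG_PRICE_CENTS = {"sku-100": "1999"}   # assumed catalog


class AppSensor:
    """Counts detection-point events per user and applies responses itself."""

    def __init__(self):
        self._events = defaultdict(deque)   # (user, point) -> recent timestamps
        self.blocked = {}                   # user -> response already applied

    def is_blocked(self, user):
        return user in self.blocked

    def record(self, user, point, ts):
        """Record one event; return the response applied now, or None.
        No human analysis sits in this path (slide 32)."""
        if user in self.blocked:
            return self.blocked[user]
        threshold, window, response = POLICY[point]
        recent = self._events[(user, point)]
        recent.append(ts)
        while recent and ts - recent[0] > window:   # drop events outside the window
            recent.popleft()
        if len(recent) >= threshold:
            self.blocked[user] = response
            return response
        return None


def checkout(sensor, user, ts, form):
    """Business-layer handler wired to detection points. Server-side
    validation always rejects bad input; the sensor decides whether the
    user also gets an automated response. Returns (outcome, response)."""
    if sensor.is_blocked(user):
        return ("blocked", sensor.blocked[user])
    qty = form.get("quantity", "")
    if not qty.isdigit() or int(qty) < 1:
        return ("rejected", sensor.record(user, "IE1", ts))
    if form.get("price_cents") != CATALOG_PRICE_CENTS[form["sku"]]:
        return ("rejected", sensor.record(user, "ACE1", ts))
    return ("ok", None)


# Constructed event stream: (user, timestamp, submitted form), not real traffic.
EVENTS = [
    ("bob", 0, {"sku": "sku-100", "quantity": "2", "price_cents": "1999"}),
    ("alice", 1, {"sku": "sku-100", "quantity": "-1", "price_cents": "1999"}),
    ("alice", 2, {"sku": "sku-100", "quantity": "abc", "price_cents": "1999"}),
    ("alice", 3, {"sku": "sku-100", "quantity": "0", "price_cents": "1999"}),
    ("alice", 4, {"sku": "sku-100", "quantity": "1", "price_cents": "1999"}),
    ("mallory", 5, {"sku": "sku-100", "quantity": "1", "price_cents": "1"}),
    ("mallory", 6, {"sku": "sku-100", "quantity": "1", "price_cents": "1999"}),
]


def replay(events, sensor=None):
    """Run a stream of checkout attempts through one sensor and collect outcomes."""
    sensor = sensor or AppSensor()
    return [checkout(sensor, user, ts, form) for user, ts, form in events]


if __name__ == "__main__":
    for (user, ts, _), result in zip(EVENTS, replay(EVENTS)):
        print("t=%d %-8s %s" % (ts, user, result))
```

Two design points match the slides. The response is decided and applied in the request path, so blocking scales with the application rather than with an analyst's queue. And the thresholds encode intent, not signatures: three impossible quantities in a minute is a person probing the form, one tampered price is never an accident, so the latter locks on the first event.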
  33. How to Use Security Expertise • Security strategy, risk programs, architecture & design • Tackle new problems, determine how to automate them • Build scalable security resources & services
  34. Key Points • Security is not just an activity conducted by a single team • A strategic security program gains incremental wins at every step • Build everything for scaling • Automate first, human SMEs only when required
  35. Thanks. @_mwc, michael.coates@owasp.org, security101@lists.owasp.org, https://lists.owasp.org/mailman/listinfo/security101
