
Making security invisible by becoming the developer's best friends (Owasp AppSec Brazil Nov 2011)


Hi, here is the presentation I delivered last week at OWASP's AppSec Brazil conference: OWASP Brazil - Making Security Invisible by Becoming the Developer's Best Friends

I think I was able to capture how security tends to be seen by developers, how it is currently a TAX on the SDL and how we need to move Application Security into the 'application visibility' space so that we add value to the entire SDL (and create a positive model where the developers want to engage with us).

After you read the presentation, check out this video which I recorded also in Brazil: A developer's rant about security professionals (he was one of the developers in the audience who really related to the problem of receiving security guidance from security 'consultants' that don't understand his app).

The demos showed how O2 allowed this world to exist :)

Let me know what you think of it.

(info also at my blog http://diniscruz.blogspot.com/2011/10/my-presentation-at-owasp-appsec-brazil.html)


  1. The OWASP Foundation http://www.owasp.org Making Security Invisible by Becoming the Developers' Best Friends. OWASP AppSec Latam 2011 (Brazil). Dinis Cruz dinis.cruz@owasp.org
  2. Dinis Cruz: Long-time OWASP contributor; OWASP O2 Platform (project); OWASP Seasons of Code; OWASP Summits (2008 & 2011); OWASP Training Days; OWASP Books; helped multiple chapters and conferences; multiple tools & research at OWASP .NET. Set up Application Security Team at Global Bank. Performed Security Reviews (white and black box) on 100s of apps. Credited for vulnerability on .NET Framework and vulnerability on Spring MVC. Worked for OunceLabs (now IBM AppScan Source) and made it work. Didn't join IBM (after OunceLabs acquisition) and spent 18 months rewriting the OWASP O2 Platform (and making my vision a reality). Currently at Security Innovation (Boston/Seattle company)
  3. Dinis @ Security Innovation: Responsible for the TeamMentor product, i.e. I'm shipping code. SI is going to commercially support the OWASP O2 Platform with a focus on findings-automation and security-tools-integration. SI is a strong OWASP supporter: Silver sponsor at AppSec USA; published OWASP TeamMentor Library under CC (Creative Commons); published OWASP Top 10 e-learning course under CC; helping to clarify the commercial relationship with OWASP's ecosystem; sponsored me to come here
  4. OWASP is Amazing
  5. (image)
  6. (image)
  7. owasp band
  8. Don't stop asking 'why not?'
  9. Don't stop asking 'why not?' Try new ideas:
  10. Don't stop asking 'why not?' Try new ideas: Barefoot walking/running
  11. Don't stop asking 'why not?' Try new ideas: Barefoot walking/running
  12. Don't stop asking 'why not?' Try new ideas: Barefoot walking/running
  13. I'm a developer
  14. Yes, I have shipped code
  15. O2 PLATFORM, OWASP TeamMentor, Security Innovation
  16. I'm going to speak as the developer of (image) and a couple other apps: HacmeBank, JPetstore, Altoro Mutual
  17. for which security IS NOT a priority
  18. it is important
  19. but not a priority
  20. In fact I want security to be INVISIBLE (or transparent)
  21. As with every other developer, I don't want my app to have security vulnerabilities
  22. So I'm happy to help the 'security' process...
  23. ... as long as the workflow 'works' for me and my team
  24. and at the moment it doesn't
  25. Dear Security teams / vendors
  26. Understand this:
  27. Features and Functionality Rule!
  28. You (security teams) are quite at the bottom of the food chain
  29. I'm smart. If I wasn't smart I wouldn't be working (& paid) as a developer
  30. If I'm not Smart, don't tell that to my boss (especially NOT in a report format)
  31. If I'm not Smart, Make me Smart!
  32. Since I'm smart, Make me a HERO
  33. Actually, in the real world the issue is usually not 'smart' but 'experience on the APIs/Frameworks used'
  34. Another important topic
  35. I'm not a security expert
  36. that is YOUR job
  37. if you want to talk about: jQuery, Javascript, MVC, Reflection, Hibernate, Struts, AoP, High performance Algorithms, Compression techniques, cache management, Agile, Pointers, Code Patterns, Authorisation Models, QA, User-acceptance-tests, Use-Cases, UML, SCRUM, StackOverflow, GIT, App Hosting/Clustering, etc....
  38. that's me
  39. Security
  40. That's you
  41. (btw) I'm the one creating value
  42. I'm the one making money, grabbing eyeballs, creating value, or whatever the business wants to call it
  43. YOU are a TAX (as positioned today)
  44. which is why I don't really like to talk/deal with you
  45. Quiz Question: When was the last time that developers were REALLY excited to talk with Security Teams?
  46. Yeah, I can see the Queue from here..... (I think some developers would shoot Security teams if that was legal)
  47. Developers' dirty secrets
  48. Here are a couple dirty secrets about 'most' development projects
  49. The devs can't visualise how their app works
  50. The devs (and management) can't visualise how their app works
  51. The devs don't understand how their app works
  52. The devs (and management) don't understand how their app works
  53. The devs (and management) (and buyers) don't understand how their app works
  54. The devs (and management) (and buyers) (and users) don't understand how their app works
  55. In practice what does this mean?
  56. it means that they can't quickly answer questions like:
  57. what are the URLs?
  58. what data do you expect to receive from the web?
  59. what data CAN be submitted from the web?
  60. what is the data-binding behaviour of the Frameworks used (case in point: MVC Frameworks)?
  61. Where is my Data Validation layer?
  62. Who and what connects to the databases/assets?
  63. Where are my assets?
  64. Where is the Credit Card data?
  65. What are the connections between the managed layers (C# & Java) and unmanaged layers (C/C++)?
  66. What happens at the Javascript layer?
  67. (easier question) What is the real CALL FLOW of a request (from the web to the backend and back to the web)?
  68. (harder question) What is the real TAINT FLOW of a request (from the web to the backend and back to the web)?
  69. (much harder question) What is the real TAINT (with CONTROL) FLOW of a request (from the web to the backend and back to the web)?
  70. Bottom line: (*unless we have been attacked before)
  71. If it compiles, Ship it! (I see this behaviour at a lot of dev shops)
  72. Bottom line: (*If we have been attacked before)
  73. If it compiles (and passes the 'security tools'), Send it to the 'Security Team' (who now have funds to hire their own staff)
  74. Dealing with Security
  75. I care about my users
  76. And exploitation of security vulnerabilities affects them
  77. So by-proxy I care about security
  78. But the current workflow between developers and security teams is....
  79. F****d
  80. or more politically correct
  81. Highly inefficient
  82. and that is in companies WITH internal security teams & awareness
  83. It is even worse for the rest
  84. We need a new paradigm
  85. One where 'application security' ADDs value to the Business
  86. One where 'Application Security' practices are deeply embedded into the SDL
  87. One where 'Application Security' practices are invisible/transparent to 99% of the parties involved (the 1% are the ones directly involved in security, such as security teams, devs, architects, CISO, etc...)
  88. but before we get to the solution, let's set the stage....
  89. As a developer, this is What I don't want
  90. I don't want to: receive a PDF (or portal) with security findings
  91. I don't want to: receive a tool result with partial (or zero) context about my app
  92. I don't want to: spend time sorting out the False positives created by tools
  93. I don't want to: have tons of bugs filed into my bug tracking system
  94. I don't want to: receive non-automated findings (that will force me to spend time replicating the issue)
  95. I don't want to: receive no information on the impact of the 'proposed fix', the 'blast ratio' of a fix, i.e. how much s*** will break
  96. I don't want to: be 'lectured' by a 'security expert' that doesn't understand my application
  97. I don't want to: be told to 'go to school', usually framed as "we need to give 'security education' to developers"
  98. Got that?
  99. I don't think that (even if they tried) 'security consultants' could OFFEND the developers more than they do today
  100. What I want
  101. I want to know the implications of the multiple APIs & frameworks used
  102. Ideally I should be able to use those APIs in the most efficient way
  103. I want to know when I use those APIs and Frameworks incorrectly
  104. I want to understand my Application!
  105. Can YOU do that?
  106. Can you help me to understand my Application?
  107. because, as a developer
  108. if you can help me to understand my Application ...
  109. ... you add value to my world....
  110. if you don't help me to understand how my Application works
  111. you are a TAX that I have to Pay, or an INSURANCE that I have to Pay
  112. Did you notice the lack of 'security' in the last slides? :)
  113. let's try this again
  114. What I want from a security point of view (in red)
  115. I want to know the Security implications of the multiple APIs & frameworks used
  116. Ideally I should only be able to use those APIs in a SECURE way
  117. I want to know when I use those APIs and Frameworks insecurely
  118. I want to understand the security risk profile of my Application!
  119. Making Security Invisible by becoming the developer's best friend
  120. So how was I able to do what I wanted (from both a security and developer point of view)?
  121. using the OWASP O2 Platform
  122. DEMO TIME.....
  123. Any questions?
  124. Thanks
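Slides 57 to 69 list the questions a team should be able to answer about its own application from code rather than from memory: what the URLs are, what data can actually be submitted (and how the framework's data binding treats it), where the validation layer is, and what the call flow and taint flow of a request are. The module below is an added example and is not part of the presentation or of the OWASP O2 Platform; it models a constructed two-route application in which each of those questions has a concrete answer: a route table that can be listed, a naive binder that mirrors MVC auto-binding beside an allow-listed one, a `Tainted` string marker that survives `+` concatenation until a validation function removes it, and a dispatcher that records the call flow of each request. Every name (`Account`, `dispatch`, `lookup_query`, `BINDABLE`, and so on) and every sample request is an assumption made for the example.

```python
"""Toy two-route application that answers, from code, the questions on slides
57-69: what the URLs are, what data can be bound from a request, where the
validation layer is, and what the call flow and taint flow of a request are.
Constructed example: the application, names and sample requests are made up."""
import re
from dataclasses import dataclass

# --- "what are the URLs?" (slide 57): a route table that can be listed -------
ROUTES = {}  # (method, path) -> handler function

def route(method, path):
    """Decorator that registers a handler in ROUTES."""
    def register(fn):
        ROUTES[(method, path)] = fn
        return fn
    return register

def list_urls():
    """Enumerate every (method, path) the application exposes."""
    return sorted(ROUTES)

# --- "what is the TAINT FLOW?" (slides 68-69): web input carries a label -----
class Tainted(str):
    """A str that remembers it came from the web. The label survives '+'
    concatenation only; str.format and f-strings return plain str, which is
    why real taint tracking lives in the runtime, not in a helper like this."""
    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        return Tainted(str.__add__(str(other), self))

def from_web(params):
    """Every request parameter enters the application tainted."""
    return {name: Tainted(value) for name, value in params.items()}

def is_tainted(value):
    return isinstance(value, Tainted)

USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")

def validate_username(value):
    """The Data Validation layer (slide 61): the only place the taint label is
    removed, and only after the value has passed an allow-list check."""
    if not USERNAME_RE.match(value):
        raise ValueError("username must match " + USERNAME_RE.pattern)
    return str(value)  # str() of a str subclass instance returns a plain str

# --- "what data CAN be submitted?" (slides 59-60): framework-style binding ---
@dataclass
class Account:
    username: str = ""
    email: str = ""
    is_admin: bool = False  # must never be settable from the web

def _coerce(current, raw):
    """Mimic a framework's type conversion for the one field type used here."""
    if isinstance(current, bool):
        return raw.lower() == "true"
    return raw

def bind_naively(model, params):
    """Auto-binding behaviour of many MVC frameworks: any request field whose
    name matches a model attribute is written, so 'is_admin=true' in the
    request flips the flag (over-posting / mass assignment)."""
    for name, raw in params.items():
        if hasattr(model, name):
            setattr(model, name, _coerce(getattr(model, name), raw))
    return model

BINDABLE = {"username", "email"}  # the explicit answer to 'what CAN be submitted'

def bind_allowlisted(model, params):
    """Hardened binding: only fields named in BINDABLE are ever written."""
    for name in params.keys() & BINDABLE:
        setattr(model, name, _coerce(getattr(model, name), params[name]))
    return model

# --- "what is the real CALL FLOW?" (slide 67): a dispatcher that records it --
def lookup_query(username):
    """A database sink; returns the query text so the caller can inspect taint."""
    return "SELECT * FROM accounts WHERE username = '" + username + "'"

@route("POST", "/account/update")
def update_account(params, trace):
    trace.append("update_account")
    account = bind_allowlisted(Account(), params)
    trace.append("bind_allowlisted")
    return account

@route("GET", "/account/lookup")
def lookup_account(params, trace):
    trace.append("lookup_account")
    username = validate_username(params["username"])  # taint removed here
    trace.append("validate_username")
    query = lookup_query(username)
    trace.append("lookup_query")
    return query

def dispatch(method, path, raw_params):
    """Entry point: taint the input, run the handler, return (result, call flow)."""
    trace = ["dispatch"]
    handler = ROUTES[(method, path)]
    result = handler(from_web(raw_params), trace)
    return result, trace
```

Calling `dispatch("GET", "/account/lookup", {"username": "bob"})` returns the query text together with the recorded call flow, and `is_tainted()` on the result is false only because the handler went through `validate_username`; passing a raw parameter straight into `lookup_query` keeps the label, which is the taint-flow question of slide 68 answered at the sink. The two binders show why slide 60's question matters: `bind_naively` accepts `is_admin` from the request, `bind_allowlisted` does not. The `Tainted` marker is deliberately minimal and loses its label under `str.format`, f-strings or `join`; it illustrates the idea, it is not a substitute for runtime or static taint analysis.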
