98% of the attacks against applications are opportunistic. This means the vast majority of these attacks could be prevented by simply following the "Defense Driven Development" methodology. A variant of Test Driven Development, this methodology puts emphasis on early detection, automation, and defensive coding styles.
This presentation talks about what it is like to adopt Defense Driven Development.
Software Development in the Age of Breaches
4. Opportunistic Indeed!
TalkTalk: 150K+ PII records compromised (SQL Injection)
Ashley Madison: 37MM records compromised (Weak VPN Authentication)
HomeDepot: 56MM PII records compromised (Weak Access Control)
Patreon: 2.3MM PII records compromised (Debugger in Prod)
000WebHost: 13.5MM PII records compromised (Using old PHP version)
7. Test Driven Development
• Bugs increase security risk
• Allows you to release faster
• Fixing issues while in development is cheaper
• Only way to prove that “My code works”
8. Take it to the next level
select version();
select current_database();
select current_user;
select session_user;
'));waitfor delay '0:0:3'--
"));waitfor delay '0:0:3'--
benchmark(10000000,MD5(1))#
1 or benchmark(10000000,MD5(1))#
" or benchmark(10000000,MD5(1))#
' or benchmark(10000000,MD5(1))#
getUserByName(first_name,last_name)
{
…
}
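The slide lists database-fingerprinting queries and time-based injection probes, and the stub `getUserByName` is where a security test in the TDD spirit would exercise them. The following is an added example, not code from the presentation or from SecureDB: it keeps the slide's probe strings as test inputs, runs them against a deliberately concatenated "before" lookup and against the parameterized fix, and classifies the outcome. It uses an in-memory SQLite database with constructed sample rows; `waitfor delay` and `benchmark()` are MSSQL and MySQL constructs, so in SQLite a probe that reaches the parser shows up as a syntax error rather than a delay, which the classifier still reports as a failed test.

```python
import sqlite3
import time

# Constructed sample rows for this example (not from the presentation).
SAMPLE_USERS = [("alice", "smith"), ("bob", "jones")]

# The injection probes listed on the slide, used here purely as test inputs.
SQLI_PROBES = [
    "'));waitfor delay '0:0:3'--",
    '"));waitfor delay \'0:0:3\'--',
    "benchmark(10000000,MD5(1))#",
    "1 or benchmark(10000000,MD5(1))#",
    '" or benchmark(10000000,MD5(1))#',
    "' or benchmark(10000000,MD5(1))#",
]


def make_db():
    """Fresh in-memory SQLite database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def get_user_by_name_unsafe(conn, first_name, last_name):
    """The 'before' version: string concatenation lets input reach the SQL parser as code."""
    sql = ("SELECT first_name, last_name FROM users "
           f"WHERE first_name = '{first_name}' AND last_name = '{last_name}'")
    return conn.execute(sql).fetchall()


def get_user_by_name(conn, first_name, last_name):
    """The fixed version: bound parameters are always treated as data, never as SQL."""
    sql = ("SELECT first_name, last_name FROM users "
           "WHERE first_name = ? AND last_name = ?")
    return conn.execute(sql, (first_name, last_name)).fetchall()


def lookup_sample(lookup, first_name, last_name):
    """Run one lookup against a fresh sample database."""
    conn = make_db()
    try:
        return lookup(conn, first_name, last_name)
    finally:
        conn.close()


def probe_outcome(lookup, probe):
    """Classify what one probe did: 'literal' (treated as plain text, no match),
    'error' (it altered the SQL and broke the parse), 'extra_rows' (it changed the
    WHERE logic) or 'slow' (a time-based payload actually executed)."""
    start = time.monotonic()
    try:
        rows = lookup_sample(lookup, probe, "smith")
    except sqlite3.Error:
        return "error"
    if time.monotonic() - start > 1.0:
        return "slow"
    return "extra_rows" if rows else "literal"


def run_defense_tests(lookup):
    """Map each probe to its outcome; anything other than 'literal' is a failing test."""
    return {probe: probe_outcome(lookup, probe) for probe in SQLI_PROBES}


def passes(lookup):
    """True only when every probe was handled as an ordinary string."""
    return all(outcome == "literal" for outcome in run_defense_tests(lookup).values())


if __name__ == "__main__":
    for name, fn in (("unsafe", get_user_by_name_unsafe), ("parameterized", get_user_by_name)):
        print(name, "PASS" if passes(fn) else "FAIL", run_defense_tests(fn))
```

The point of the harness is the classification, not the probes: a lookup only passes when every probe produces the same result as any other unmatched name. On a MySQL or MSSQL backend the same test would surface the time-based probes as `slow` instead of `error`, so the threshold should sit well below the delay the probe requests.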
10. New Responsibility Model
• At SecureDB, we have no testers. Only “Buddies”
• “Buddies” are fellow developers that:
– Test your code
– Review your code
– Give you feedback
• Switch “Buddies” every sprint
13. Where would I even start?
STEP 1: Find a comparable company in your space
STEP 2: COPY IDEAS SHAMELESSLY
Examples:
You’re a social media co that has too many locked accounts.
A: How many login attempts does Twitter Allow?
You’re an e-commerce site worried about fake accounts.
A: How does Amazon do it?
Don’t re-invent the wheel
15. Two Factor Everything
• Evaluate every service you use for TFA support
– Hosting
– Code Repos
– Email
– SSH Access
– DNS
– File sharing systems
• If a vendor does not support TFA
– Are they really worth your time and money?
17. Firewall Effectively
• Dev environment is only for Developers
– Block access from internet
– IP Based restrictions
• Restrict SSH access
– IP Based restrictions
– Easy to set up
• Ingress and Egress
• Install WAF (It’s FREE)
19. Continuous Security (DevSecOps)
• Provisioning a new VM
– Install latest patches
– Apply right firewall policies
– Stop unwanted services
– Start appropriate services
• Run as part of the build:
– Fuzzing Tests
– Run vulnerability scans
– Static Analysis
– Dynamic Analysis
21. Input Validation
• Trust nothing that comes from client
• Every layer to do its own validation
• Whitelist vs Blacklist?
– Whitelist is better
• Use well tested libraries
– Or OWASP RegEx
• Specifically Test for SQLi and XSS
• Example
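Slide 19 asks for fuzzing tests to run as part of the build and slide 21 asks for whitelist validation of everything that comes from the client. The following added example (not code from the presentation or from SecureDB) covers both: a fail-closed whitelist validator with constructed patterns (the deck points at the OWASP regex collection but does not reproduce it, so these rules are assumptions for the example), plus a seeded fuzz loop of the kind a build step can run, which feeds random printable strings to the validator and uses a set of SQLi/XSS metacharacters as the oracle for "something slipped through".

```python
import random
import re
import string

# Whitelist rules: each describes exactly what is allowed for a field. These
# patterns are constructed for this example.
RULES = {
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),
    "us_zip": re.compile(r"[0-9]{5}(-[0-9]{4})?"),
    "order_id": re.compile(r"[0-9]{1,12}"),
}

# Characters none of these fields should ever contain; the fuzzer uses them as an oracle.
SQLI_XSS_METACHARS = set("'\";<>()=/\\#%&|")


class ValidationError(ValueError):
    """Raised for any input that is not on the whitelist."""


def validate(field, value):
    """Return `value` unchanged if it matches the field's whitelist, else raise.
    Unknown fields fail closed: no rule means no input is accepted."""
    if not isinstance(value, str):
        raise ValidationError(f"{field}: expected a string")
    rule = RULES.get(field)
    if rule is None:
        raise ValidationError(f"{field}: no validation rule, rejecting")
    if rule.fullmatch(value) is None:  # fullmatch: the whole string must match, no partial hits
        raise ValidationError(f"{field}: value not on whitelist")
    return value


def is_valid(field, value):
    """Boolean wrapper; only ValidationError counts as a clean rejection."""
    try:
        validate(field, value)
        return True
    except ValidationError:
        return False


def fuzz_validator(field, iterations=5000, seed=7):
    """Build-step fuzz test: random printable strings must either be rejected or,
    if accepted, contain none of the metacharacters. Any other outcome (an
    exception other than ValidationError, or an accepted string carrying a
    metacharacter, counted as 'leaked') is a bug in the validator."""
    rng = random.Random(seed)  # fixed seed so a failure is reproducible in CI
    stats = {"accepted": 0, "rejected": 0, "leaked": 0}
    for _ in range(iterations):
        candidate = "".join(rng.choice(string.printable) for _ in range(rng.randint(0, 24)))
        if is_valid(field, candidate):
            stats["accepted"] += 1
            if set(candidate) & SQLI_XSS_METACHARS:
                stats["leaked"] += 1
        else:
            stats["rejected"] += 1
    return stats


if __name__ == "__main__":
    for field in RULES:
        print(field, fuzz_validator(field))
```

Because the rules describe what is allowed rather than what is forbidden, the fuzzer's `leaked` counter stays at zero by construction; the loop's real value is catching a rule that was later loosened (say, a `.` or `-` added to the username class) and any input that makes the validator raise something other than `ValidationError`.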
22. Output Escaping
• Escape all content to be rendered
• Use UI Frameworks that escape by default
• Scan the code to check the usage of unescaped methods
• Example
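As an added example of the two practices on this slide (not code from the presentation or from SecureDB): a renderer that escapes every untrusted value with the standard library's `html.escape`, and a small scanner that flags source lines where escaping has been switched off. The marker list is an assumption for this example (Jinja2's `|safe` filter, Django's `mark_safe()` and MarkupSafe's `Markup()`); the sample template text it runs over is constructed, not a real project file.

```python
import html
import re


def render_comment(author, body):
    """Build an HTML fragment from untrusted strings; everything user-controlled is escaped."""
    return f'<p class="comment"><b>{html.escape(author)}</b>: {html.escape(body)}</p>'


# Constructs that turn auto-escaping off in common Python web stacks (assumed
# list for this example: Jinja2 `|safe`, Django `mark_safe(`, MarkupSafe `Markup(`).
UNESCAPED_MARKERS = re.compile(r"\|\s*safe\b|\bmark_safe\s*\(|\bMarkup\s*\(")


def scan_for_unescaped(source_text):
    """Return (line_number, stripped_line) for every line that disables escaping,
    so each occurrence can be reviewed, or the build failed, in CI."""
    return [(n, line.strip())
            for n, line in enumerate(source_text.splitlines(), start=1)
            if UNESCAPED_MARKERS.search(line)]


# Constructed sample template/view source for the scanner (not real project code).
SAMPLE_SOURCE = """\
<h1>{{ page.title }}</h1>
<div class="body">{{ comment.body|safe }}</div>
<span>{{ comment.author }}</span>
return render(request, "page.html", {"banner": mark_safe(user_banner)})
"""


def unescaped_line_numbers(source_text):
    """Just the line numbers, handy for a CI gate that expects an empty list."""
    return [n for n, _ in scan_for_unescaped(source_text)]


if __name__ == "__main__":
    print(render_comment("mallory", "<script>alert(1)</script>"))
    for n, line in scan_for_unescaped(SAMPLE_SOURCE):
        print(f"line {n}: {line}")
```

`html.escape` encodes `<`, `>`, `&` and, by default, both quote characters, so a value is safe inside element content and inside a double- or single-quoted attribute; it is not sufficient for values dropped into a `<script>` block or a URL, which need context-specific encoding. The scanner does not decide whether a hit is wrong, only that someone must look at it.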
23. Authentication
• Web
– Form Based Authentication
– Two Factor Authentication (TOTP, Text Message)
– Social Logins (Facebook, Twitter, Google)
• APIs
– Basic Authentication
– Digest Authentication
– OAuth
– Certificate Based Auth.
– JWT (with JWS/JWE)
24. Authorization
• Privilege Escalation attacks are common
• Authz mechanisms
– Role Based Access Control (RBAC)
– Attribute Based Access (ABAC)
• Do Authz checks at every layer
– Cookies
– JWT (Mobile Friendly)
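An added example (not code from the presentation or from SecureDB) of the combination this slide describes: RBAC decides whether a role may perform an action at all, ABAC then compares attributes of the caller with attributes of the object, and the service layer repeats the check rather than trusting that the API layer did it. The roles, permissions, principals and invoices are all constructed for the example. The tests cover the three escalation cases a privilege-escalation test suite should fail on: a viewer writing (vertical), an editor writing someone else's record (horizontal, the classic IDOR) and an admin of one tenant reading another tenant's data.

```python
from dataclasses import dataclass

# RBAC: which permissions each role carries. Constructed for this example.
ROLE_PERMISSIONS = {
    "viewer": {"invoice:read"},
    "editor": {"invoice:read", "invoice:update"},
    "admin": {"invoice:read", "invoice:update", "invoice:delete"},
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant: str
    roles: frozenset


@dataclass
class Invoice:
    invoice_id: str
    tenant: str
    owner_id: str
    amount: int


class Forbidden(PermissionError):
    """Raised for any denied access; callers map it to a 403/404 without detail."""


def authorize(principal, action, invoice):
    """RBAC for the action, then ABAC on tenant and ownership. Raises Forbidden."""
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in principal.roles))
    if action not in granted:
        raise Forbidden("role lacks permission")        # vertical escalation
    if invoice.tenant != principal.tenant:
        raise Forbidden("wrong tenant")                 # cross-tenant access
    is_write = action != "invoice:read"
    if is_write and invoice.owner_id != principal.user_id and "admin" not in principal.roles:
        raise Forbidden("not the owner")                # horizontal escalation (IDOR)
    return True


def allowed(principal, action, invoice):
    """Boolean form of authorize(), for tests and UI hints only; enforcement uses authorize()."""
    try:
        return authorize(principal, action, invoice)
    except Forbidden:
        return False


class InvoiceService:
    """Service layer: re-checks authorization even though an API layer above it
    should already have done so, so a missed check in one layer is not enough."""

    def __init__(self, invoices):
        self._invoices = {i.invoice_id: i for i in invoices}

    def update_amount(self, principal, invoice_id, amount):
        invoice = self._invoices.get(invoice_id)
        if invoice is None:
            raise Forbidden("no such invoice")  # same outcome as a denial: no id enumeration hints
        authorize(principal, "invoice:update", invoice)
        invoice.amount = amount
        return invoice.amount


# Constructed principals and data (not from the presentation).
ALICE = Principal("alice", "acme", frozenset({"editor"}))
BOB = Principal("bob", "acme", frozenset({"editor"}))
CAROL = Principal("carol", "acme", frozenset({"viewer"}))
OTHER_ADMIN = Principal("root", "globex", frozenset({"admin"}))
INVOICES = [Invoice("inv-1", "acme", "alice", 100), Invoice("inv-2", "acme", "bob", 250)]


def escalation_matrix():
    """Who may update inv-1 (alice's invoice): the answers a privilege-escalation test expects."""
    return {p.user_id: allowed(p, "invoice:update", INVOICES[0]) for p in (ALICE, BOB, CAROL, OTHER_ADMIN)}


if __name__ == "__main__":
    print(escalation_matrix())
```

The same `authorize()` would also run in the API layer with the session's principal; keeping it in one function means the cookie-based web path and the JWT-based mobile path the slide mentions enforce identical rules, and a new attribute check (say, a frozen invoice) is added in exactly one place.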
26. White Hat Program
• Allow white hat hackers to find security issues and report
them to you
• Explicit contract laying out what kind of attacks they could
execute
• Implicit contract that they won’t go public with it
– And give you reasonable time to fix it
• Make payments per bug and severity
• Example
27. You are the best CISO … of your application