
Secure Coding - Are we doing it wrong


Published in: Technology

  1. Teaching Secure Coding [Discussion] - Are we doing it wrong?
  2. Who are you?
     • Bryn Salisbury (@bryns)
     • Welsh born and Hertfordshire based.
     • IT Security Consultant by day.
     • Podcaster, Blogger, Twitter-er (is that even a word?) and adequate photographer.
     • First time at Barcamp London (quite excited).
  3. IT Security
     • Been working in IT for around 12 years.
     • IT Security full time for the last 5.
     • Penetration testing and security scanning.
     • PCI QSA.
  4. PCI Data Security Standard
     • Global security standard for the handling of credit card (and some debit card) data.
     • Breaks down into 12 requirements (everything from firewalls to HR).
     • Rules on application (web and otherwise) development.
     • Requires the development of secure coding guidelines, as well as a teaching programme.
     • Sets minimum standards to keep credit card data safe.
  5. What is Secure Development?
     • A set of methods that, when used, can reduce the ability of hostile parties to exploit your application(s).
     • In web applications, these commonly cover Input Validation (e.g. Cross Site Scripting) and Injection (e.g. SQL Injection).
  6. Is it really that necessary?
     • Absolutely... 85% of the data breaches in 2009-2010 were the result of web application compromises.
     • Defensive devices such as IPS/IDS and WAF are not always effective.
     • Heavy fines for loss of data - €50,000 initial, €75,000/month for failure to remediate the breach. see:
  7. Secure Coding: Are we teaching it wrong?
  8. “If we taught people to drive the same way we teach them secure coding, we’d have a lot more wrecked cars and dead bodies to clean up” - @securityninja
  9. Are we doing it wrong?
     • I’ve always had the tendency to want to demonstrate the worst case scenario.
     • Easier to show off “exploitable” code, and a lot more impressive.
     • Examples of the ‘right way’ are technology dependent.
     • Hadn’t even occurred to me that the training wasn’t what they needed (or wanted).
  10. What would the right way look like?
  11. What would the right way look like?
     • The idea of showing how it should be done is appealing.
     • Gives clear and concise guidance to the coder.
     • Easier to track and audit in the long term.
     • See @securityninja’s RSA talk - http:// simplicity-not-sql-rsa-europe-2010
  12. What would the right way look like?
     • Ultimately, I think that the perfect programme needs to:
        • Educate, but not be patronising to the developers.
        • Give them enough information to work with, but not overload them.
        • Be straightforward enough that the principles can be applied to any language.
     • It should definitely carry the full support of the management.
  13. I know, I’ll blog about it!
  14. Blog Response
     • Wrote it up a few days ago: http:// diogel-secure-development/
     • Opinions appear to be evenly divided - some arguing that coders need to see how bad it gets.
     • Another suggesting the coders only need to know what they should do; the rest is up to the pen-testers.
  15. Let’s throw it to the floor...
  16. Let’s keep the discussion going...
  17. Let’s keep the discussion going!
     • After the talk...
     • At the bar...
     • On the blog: http:// datblygu-diogel-secure-development/
     • On Twitter... I’m @bryns
     • On Google+... I’m Bryn Salisbury
  18. Diolch yn Fawr! @bryns
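Slide 5 names SQL injection as one of the two common web-application problem classes, and slide 12 argues that training should show the right way in a form that carries across languages. The following is an added example, not part of the original slides: the same lookup written the "exploitable" way (user input spliced into the SQL text) and the "right way" (a parameterised query), run against a small constructed SQLite table so the difference in behaviour can be observed directly. The table, column names and sample rows are all assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demonstration (not from the slides).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "4242"), ("bob", "1111")],
    )
    return conn


def lookup_unsafe(conn, name):
    # The "exploitable" way: the input becomes part of the SQL text,
    # so a quote character in it can change the structure of the query.
    sql = "SELECT name, card_last4 FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # The "right way": the SQL text is fixed and the value travels separately
    # as a bound parameter, so it is only ever compared as data. The same
    # principle (placeholder plus bound value) exists in every mainstream
    # database API, which is what makes it teachable across languages.
    sql = "SELECT name, card_last4 FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    # Run both versions on a fresh table and return (unsafe_rows, safe_rows).
    conn = make_db()
    try:
        return lookup_unsafe(conn, name), lookup_safe(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    # For a normal name both versions agree; for input containing a quote
    # the unsafe version's WHERE clause no longer means what the author wrote.
    print(compare("alice"))
    print(compare("x' OR '1'='1"))
```

The second call shows the point a training example should make: the parameterised version returns no rows because no user has that literal name, while the concatenated version returns every row.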