
BHack 2012 - How to protect your web applications


June 2012, Belo Horizonte, MG

http://bhack.com.br/


  1. How to protect your web applications
     Magno Logan, magno.logan@owasp.org, OWASP Paraíba Chapter Leader
  2. About Me: Who am I?
     • Ex-developer
     • Security Analyst
     • Chapter Leader
     • Martial Arts
     • Investments
  3. Agenda
     • They are everywhere!
     • Testing, testing, testing…
     • Guides, tools and much more
     • The insecure software lifecycle
     • How to solve these problems
  4. They are everywhere!
  5. And they have bugs everywhere!
     • The cost of a data breach averages $5.5 million, or $194 per customer record*
     • Companies that take security seriously can reduce the cost per customer by up to 62%
     * From a 2011 study by the Ponemon Institute
  6. So, how to protect them?!
     1. Security Testing
     2. Code Review
     3. SDL
  7. Testing, testing, testing… OWASP Top 10 2010
  8. And more testing… 2011 CWE/SANS Top 25
  9. So what do they do?
     • Protect you from common mistakes
     • Keep you from getting hacked by automated tools/scanners and script kiddies
     By the way, if you work with AppSec and you have never heard of these two docs…
  10. You need to find another job!
  11. Many more FREE resources! Not just OWASP stuff…
  12. Ok, now what?! OWASP Code Review Guide
     • Code review takes a deeper look into your app
     • It finds things that automated scanners won’t find
     • You’ll see the common mistakes devs make
  13. We fixed the problems. How do we stop them?
     • Implement an SDL process
     • Train your developers in app security
     • They don’t need to be experts, but they should at least know how it works and how to protect their apps
  14. Yay! More free stuff…
     • OWASP ASVS – verify your security
     • OWASP OpenSAMM – create a security program
     • OWASP Developer’s Guide – tips for devs
  15. It’s not that simple…
     • If we have all that, why aren’t our apps secure?
     • Why don’t even the big companies follow the basic rules? Hello LinkedIn!
  16. We know, we know…
     • Security costs money. Yeah, but so do development, support, operations, etc.
     • Security costs money. But it will save you a lot more!
     Why do most companies still not see the value of security until they get hacked?
  17. Like Dinis Cruz said at AppSec Latam 2011: unless you’ve been hacked before, “If it compiles, ship it!” That’s the motto in most dev companies.
  18. The real picture (Developer’s view)
     • They don’t like the security teams
     • They already work on a tight schedule
     • Security will increase their programming time
  19. How it should be…
     • Dev and infosec should work together
     • Security practices and implementations should be included in the scheduled time
     • It will increase the apps’ protection and decrease the number of bugs and the amount of work
  20. In a nutshell…
     • Security is not a plugin, it’s a process.
     • Test everything, every time it changes.
     • Allocate time for security testing within your project.
     • Never assume security controls are effective.
  21. Questions? @magnologan @owasppb
  22. References
     • Wagner Elias. “Testar não é suficiente, tem que fazer direito!” (“Testing is not enough, you have to do it right!”). YSTS 2012
     • Dinis Cruz. “Making Security Invisible by Becoming the Developer's Best Friends”. OWASP AppSec Latam 2011
     • Building Secure Web Applications Infographic: http://www.veracode.com/blog/2012/06/building-secure-web-applications-infographic/
     • OWASP: www.owasp.org
