They are everywhere!
And they have bugs everywhere!
• The cost of a data breach averages $5.5
million or $194 per customer record*
• Companies that take security seriously can
reduce the cost per customer by up to 62%
* From a 2011 study by the Ponemon Institute
What are we doing wrong?
• Secure application development is a top priority
• But web applications are still the number one
source of data breaches
• We need to change the mindset of software
*From a 2011 Forrester Research study: Application Security: 2011 & Beyond
What are we doing wrong?
• We’re in 2012 and SQL Injection is still the
• The first public issue dates from 1998
• SQL Injections can lead to shell access now!
Why do these still happen?
Excuses for the problems:
• Security is not important! Money is!
• There is no time!
• Developer’s fault! They are the scapegoat of
• Structured approach to identify and measure
• It defines the security requirements
• Allows the design to address the security issues
• Helps the security testing and code reviews
Threat Modeling Process
1. Identify your assets
2. Create an architectural view
3. Decompose the software
4. Identify, document and classify the threats to
(Security) Design Patterns
• Use them! There are a lot out there!
• Don’t reinvent the wheel!
• Exception Handling
• Input Validation
• Protected Logging
• Use a guide to implement your security, like
the OWASP Developer’s Guide
• Use unit test cases focused on security
• Present security training to developers
• Perform penetration testing and code reviews
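The three patterns listed above (exception handling, input validation, protected logging) and the "unit test cases focused on security" bullet are easiest to see side by side in code. The following is an added example written for this page; it is not code from the deck or from OWASP. Python and sqlite3 are my choice, the `users` table, the sample rows and the probe string are constructed for the demo, and `find_user_unsafe` exists only to show the common mistake that the safe functions avoid.

```python
import logging
import re
import sqlite3

log = logging.getLogger("appsec-demo")

# Constructed sample data for the demo (not from the original deck).
SAMPLE_USERS = [
    ("alice", "alice@example.com", "user"),
    ("bob", "bob@example.com", "user"),
    ("carol", "carol@example.com", "admin"),
]

# Constructed probe used by the security unit test below.
INJECTION_PROBE = "x' OR '1'='1"

# Allow-list for usernames: lowercase letter, then 2..31 of [a-z0-9_].
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


def build_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def validate_username(name: str) -> bool:
    """Input Validation pattern: accept only what the allow-list permits."""
    return bool(USERNAME_RE.fullmatch(name))


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The common mistake: the query is assembled by string formatting,
    so untrusted input becomes part of the SQL text."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Validate first, then bind the value as a parameter so the driver
    never treats it as SQL."""
    if not validate_username(name):
        raise ValueError("invalid username")
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def lookup_user(conn: sqlite3.Connection, name: str) -> dict:
    """Exception Handling + Protected Logging: the caller gets a generic
    answer, the log records what happened without echoing the raw
    untrusted input or the failing SQL statement."""
    try:
        return {"ok": True, "rows": find_user_safe(conn, name)}
    except ValueError:
        log.warning("rejected username (length=%d)", len(name))
        return {"ok": False, "error": "invalid input"}
    except sqlite3.Error as exc:
        log.error("database error: %s", type(exc).__name__)
        return {"ok": False, "error": "lookup failed"}


def security_checks() -> dict:
    """Security-focused unit test cases. Each entry is True when the
    control behaves as intended, so a test runner can assert on them."""
    conn = build_db()
    unsafe_rows = find_user_unsafe(conn, INJECTION_PROBE)
    probe_result = lookup_user(conn, INJECTION_PROBE)
    normal_result = lookup_user(conn, "alice")
    return {
        # The unsafe query's WHERE clause becomes always-true: every row leaks.
        "unsafe_returns_all_rows": len(unsafe_rows) == len(SAMPLE_USERS),
        # The validated, parameterized path refuses the probe outright.
        "safe_rejects_probe": probe_result["ok"] is False,
        # And still answers correctly for a legitimate username.
        "safe_finds_real_user": normal_result == {"ok": True, "rows": [("alice", "user")]},
        "validation_rejects_probe": validate_username(INJECTION_PROBE) is False,
    }


if __name__ == "__main__":
    for check, passed in security_checks().items():
        print(f"{check}: {'PASS' if passed else 'FAIL'}")
```

The point of `security_checks` is the "test everything, every time" idea from later in the deck: the probe string is a fixed regression test, so a future change that goes back to string concatenation fails the build instead of failing in production.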
So what do they do?
• Protect you from common mistakes
• Keep you from getting hacked by automated
tools/scanners and script kiddies
By the way, if you work with AppSec and you have never
heard of these two docs…
How to apply them?
Many FREE resources!
Not just OWASP stuff…
Ok, now what?!
OWASP Code Review Guide
• Code review takes a deeper look into your app
• Things that automated scanners won’t find
• You’ll see the common mistakes devs make
We fixed the problems. How do we stop them?
• Implement an SDL process
• Train your developers about app security
• They don’t need to be experts, but they should at least know
how it works and how to protect their apps
Yay! More free stuff…
• OWASP ASVS – verify your security
• OWASP OpenSAMM – create a security
• OWASP Developer’s Guide – tips to devs
It’s not that simple…
• If we have all that, why aren’t our apps
• Why don’t even the big companies follow the
basic rules? Hello LinkedIn!
We know, we know…
• Security costs money. Yeah, but so does
development, support, operations, etc.
• Security costs money. But it will save you a lot
Why do most companies still not see the value of
security until they get hacked?
If it compiles, ship it!
Like Dinis Cruz said at AppSec Latam 2011:
Unless you’ve been hacked before…
If it compiles,
That’s the motto in most dev companies
The real picture (Developer’s view)
• They don’t like the security teams
• They already work on a tight schedule
• Security will increase their programming time
The ideal world
How it should be…
• Dev and infosec should work together
• Security practices and implementations should be
included in the schedule
• It will increase the apps’ protection and decrease
the number of bugs and rework
In a nutshell…
• Security is not a plugin, it’s a process.
• Test everything, every time it changes.
• Allocate time for security testing within your
• Never assume security controls are effective
OWASP Floripa Day
September 15 and 16
AppSec Brazil 2012
OWASP AppSec Brazil 2012
In November in João Pessoa!
Wagner Elias. “Testar não é suficiente, tem que fazer direito!” (“Testing is not enough, you have to do it right!”).
Dinis Cruz. “Making Security Invisible by Becoming the Developer's Best Friends”. OWASP AppSec Latam 2011.
OWASP. “Building Secure Web Applications” infographic. www.owasp.org