Just4Meeting 2012 - How to protect your web applications

July 2012 in Cascais, Portugal.

http://www.just4meeting.com/
1. How to protect your web applications
Magno Logan
magno.logan@owasp.org
OWASP Paraíba Chapter Leader
2. About Me
Who am I?
• Ex-developer
• Security Analyst
• Chapter Leader
• Investments
• Martial Arts
3. Paraíba?! I’m here!
• Caipirinha
• Soccer
• Samba
• Girls
We have it all!
4. I live where you take vacations, sorry! =)
5. Agenda
• They are everywhere!
• Testing, testing, testing…
• Guides, tools and much more
• The insecure software lifecycle
• How to solve these problems (maybe?)
6. They are everywhere!
7. They are everywhere!
And they have bugs everywhere!
• The cost of a data breach averages $5.5 million, or $194 per customer record*
• Companies that take security seriously can reduce the cost per customer by up to 62%
* From a 2011 study by the Ponemon Institute
8. What are we doing wrong?
• Secure application development is a top priority
• But web applications are still the number one source of data breaches*
• We need to change the mindset of software development
* From a 2011 Forrester Research study: Application Security: 2011 & Beyond
9. What are we doing wrong?
• We’re in 2012 and SQL Injection is still the biggest issue!
• The first public report of the issue dates from 1998
• SQL injection can now lead to shell access!
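An added example, not from the slides, of the slide 9 point in Python with the standard-library sqlite3 module: a login check built by string concatenation beside its parameterized form, both run against a constructed in-memory user table with the classic tautology payload. The table layout, the user names and the plaintext password column are assumptions made for the demonstration; a real application stores password hashes, but the injection behaves the same either way.

```python
import sqlite3

# Constructed sample data for this example (not from the slides).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Return an in-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The 1998-era bug, still common in 2012: user input is spliced into
    the SQL text, so the attacker can rewrite the WHERE clause.

    Returns True when at least one row matches, i.e. the application
    would treat the login as successful.
    """
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterized query: the input travels to the engine as bound data,
    never as SQL text, so quotes and comment markers have no effect."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# Classic tautology payload: closes the string literal, adds an always-true
# clause, and comments out the rest of the WHERE clause (the password check).
PAYLOAD = "' OR '1'='1' -- "


def demo():
    """Run both variants with a valid credential and with the payload."""
    conn = make_db()
    return {
        "vuln_valid": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_injected": login_vulnerable(conn, PAYLOAD, "anything"),
        "safe_valid": login_safe(conn, "alice", "s3cret"),
        "safe_injected": login_safe(conn, PAYLOAD, "anything"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'logged in' if result else 'rejected'}")
```

With the payload, the concatenated query becomes `... WHERE username = '' OR '1'='1' -- ' AND password = 'anything'`, which matches every row; the parameterized version looks for a user literally named `' OR '1'='1' -- ` and finds none.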
10. Why do these still happen?
Excuses for the problems:
• Security is not important! Money is!
• There is no time!
• Developers’ fault! They are the scapegoat of security!
11. Back to the basics
CIA Triad
12. Now what?
So, how to protect our apps?!
1. Threat Modeling
2. Security Testing
3. Code Review
4. SDL
13. Threat Modeling
14. Threat Modeling
• Structured approach to identify and measure risks
• It defines the security requirements
• Allows the design to address the security issues
• Guides the security testing and code reviews
15. Threat Modeling Process
1. Identify your assets
2. Create an architectural view
3. Decompose the software
4. Identify, document and classify the threats to your app
16. (Security) Design Patterns
• Use them! There are a lot out there!
• Don’t reinvent the wheel!
• Exception Handling
• Input Validation
• Protected Logging
17. Development Phase
• Use a guide to implement your security, like the OWASP Developer’s Guide
• Use unit test cases focused on security
• Provide security training to developers
• Perform penetration testing and code reviews
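An added example, not from the slides, that ties slide 16’s three patterns to slide 17’s “unit test cases focused on security”: an allow-list input validator, a log sanitizer that neutralizes CR/LF log forging and redacts credentials, and a boundary exception handler that sends the client a generic message while the detail goes to the log. The username policy, the authenticate() stand-in and its “dbdown” failure trigger are constructed for this example and are not part of any OWASP guide.

```python
import logging
import re
from io import StringIO

# Allow-list for usernames (constructed policy for this example): lowercase
# letter first, then 2..31 of [a-z0-9_]. Everything else is rejected.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


class ValidationError(ValueError):
    """Raised when input fails the allow-list."""


def validate_username(value):
    """Input validation pattern: accept only what matches the allow-list.

    fullmatch() is used on purpose: with match() and a '$' anchor, Python
    lets "bob\\n" through because '$' also matches before a trailing newline.
    """
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValidationError("invalid username")
    return value


def sanitize_for_log(value, limit=200):
    """Protected logging pattern: replace CR/LF and other non-printable
    characters so an attacker cannot forge extra log lines, and cap the
    length so one request cannot flood the log."""
    cleaned = "".join(ch if ch.isprintable() else "?" for ch in str(value))
    return cleaned[:limit]


def redact(secret):
    """Credentials never reach the log; a fixed marker keeps the field visible."""
    return "[REDACTED]" if secret else ""


def authenticate(user, password):
    """Constructed stand-in for the real credential check."""
    if user == "dbdown":  # simulates a backend failure with sensitive detail
        raise RuntimeError("connection refused: db=users host=10.0.0.5")
    return (user, password) == ("alice", "s3cret")


def handle_login(username, password, logger):
    """Exception handling pattern at the trust boundary.

    Returns (http_status, message_for_client). The client only ever sees
    generic text; validation failures and backend errors are logged.
    """
    try:
        user = validate_username(username)
    except ValidationError:
        logger.warning("rejected login, username=%r", sanitize_for_log(username))
        return 400, "Invalid request"
    try:
        ok = authenticate(user, password)
    except Exception as exc:  # boundary handler: log detail, hide it from the client
        logger.error("login backend failed for %s: %s", user, sanitize_for_log(exc))
        return 500, "Internal error"
    logger.info("login %s user=%s password=%s",
                "ok" if ok else "failed", user, redact(password))
    return (200, "Welcome") if ok else (401, "Invalid credentials")


def make_logger():
    """Logger writing to an in-memory buffer so tests can inspect the output."""
    buf = StringIO()
    logger = logging.getLogger("appsec-demo")
    logger.handlers.clear()
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.propagate = False
    return logger, buf
```

The security-focused unit tests are the negative cases: an injected username gets a 400, a CR/LF payload never produces a second log line, the password string never appears in the log, and a backend failure returns a 500 without the exception text leaking to the client.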
18. OWASP Top 10 2010
Testing, testing, testing…
19. 2011 CWE/SANS Top 25
And more testing…
20. So what do they do?
• Protect you from common mistakes
• Keep you from getting hacked by automated tools/scanners and script kiddies
By the way, if you work with AppSec and you have never heard of these two docs…
21. You need to find another job!
22. How to apply them?
Many FREE resources!
Not just OWASP stuff…
23. Code reviews
Ok, now what?!
OWASP Code Review Guide
• Code review takes a deeper look into your app
• Finds things that automated scanners won’t find
• You’ll see the common mistakes devs make
24. SDL
We fixed the problems. How do we stop them from coming back?
• Implement an SDL process
• Train your developers in app security
• They don’t need to be experts; they should at least know how it works and how to protect their apps
25. Free Docs
Yay! More free stuff…
• OWASP ASVS – verify your security
• OWASP OpenSAMM – create a security program
• OWASP Developer’s Guide – tips for devs
26. Not yet…
It’s not that simple…
• If we have all that, why aren’t our apps secure?
• Why don’t even the big companies follow the basic rules? Hello LinkedIn!
27. Security Myths
We know, we know…
• Security costs money. Yeah, but so do development, support, operations, etc.
• Security costs money. But it will save you a lot more!
Why do most companies still not see the value of security until they get hacked?
28. If it compiles, ship it!
Like Dinis Cruz said at AppSec Latam 2011:
Unless you’ve been hacked before…
If it compiles, ship it!
That’s the motto in most dev companies
29. ISLC
The real picture (Developer’s view)
• They don’t like the security teams
• They already work on a tight schedule
• Security will increase their programming time
30. The ideal world
How it should be…
• Dev and infosec should work together
• Security practices and implementations should be included in the schedule
• It will increase the apps’ protection and decrease the number of bugs and rework
31. Conclusions
In a nutshell…
• Security is not a plugin, it’s a process.
• Test everything, every time it changes.
• Allocate time for security testing within your project
• Never assume security controls are effective
32. OWASP Floripa Day
Conferences
September 15 and 16
https://www.owasp.org/index.php/OWASP_Floripa_Day_2012
33. AppSec Brazil 2012
Conferences
OWASP AppSec Brazil 2012
In November in João Pessoa!
34. Questions?
@magnologan
@owasppb
35. References
Wagner Elias. “Testar não é suficiente, tem que fazer direito!” (“Testing is not enough, you have to do it right!”). YSTS 2012.
Dinis Cruz. “Making Security Invisible by Becoming the Developer's Best Friends”. OWASP AppSec Latam 2011.
Building Secure Web Applications Infographic - http://www.veracode.com/blog/2012/06/building-secure-web-applications-infographic/
OWASP - www.owasp.org