The Thing That Should Not Be

           A glimpse into the dark future of
               web application security



Bruno Morisson <bm@integrity.pt>               IBWAS’10
About me
•  Consultant & Partner - INTEGRITY, Consulting &
   Advisory
•  ~12 years in Information Security
•  CISSP-ISSMP/CISA/ISO27001 Lead Auditor
•  Background as a Linux/Unix sysadmin
•  Background as a C developer




                                                2
Warning!

This is all rather unscientific!



            Really.



 Consider yourself warned.



                                   3
If wishes were ponies…
…security would be inherent to the applications.

…there would be no (security) bugs.

…we would all get along just fine.




                                                    4
This is how they see us




                           5
This is how we see them




                           6
We’re all skewed!
Security practitioners have a skewed vision of reality.

We’re usually what regular people would call paranoid.

Developers have a skewed vision of reality.

They usually don’t care about (or understand) security
  issues.




                                                           7
We’re all skewed!
We believe everyone should care about security at least as
 much as we do.




   WE’RE WRONG!

                                                             8
We’re all skewed!




                     9
Security Mindset
“Good engineering involves thinking about how things
 can be made to work; the security mindset involves
 thinking about how things can be made to fail.”
                                          Bruce Schneier




                                                       10
“We have a firewall on our internets”




                                        11
“We use usernames and passwords to access our web
application”




                                               12
SSL
       13
Proof




Source: Cenzic Web Application Security Trends Report – Q1-Q2,
  2010, Cenzic Inc.
                                             14
More Proof




Source: Cenzic Web Application Security Trends Report – Q1-Q2,
  2010, Cenzic Inc.
                                             15
Even more proof




Source: Verizon Data Breach Report 2010
                                           16
OWASP Top Ten (2010)
•    Injection
•    XSS
•    Broken Authentication and Session Management
•    Insecure Direct Object Reference
•    CSRF
•    Security Misconfiguration
•    Insecure Cryptographic Storage
•    Failure to Restrict URL Access
•    Insufficient Transport Layer Protection
•    Unvalidated Redirects and Forwards

                                                     17
How are we solving this?
The typical approach is to force developers to
  solve all of these problems.

But the question is: who are the developers? Do
  they understand the problem?

Most of them know nothing about security.

Some of them know little about web development.
                                                   18
19
Render Unto Caesar…
Security practitioners are not web developers.

Why should web developers be security practitioners?




                                                         20
Flashback




             21
Let’s party like it’s 1999
Most security vulnerabilities had to do with services:
•  HTTP (IIS, Apache)
•  FTP (wu-ftpd, IIS)
•  POP3 (Qpopper)
•  SMTP (Sendmail)
•  DNS (BIND)
•  Telnet
•  SSH
•  …

Buffer Overflows, Format Strings, Integer Overflows were the flavor
  of the decade…

                                                            22
What happened?
Security vulnerabilities had global impact.

Few companies/groups produced that software: Microsoft, Apache,
  Sun, Sendmail, Linux community/vendors.

Some built security into the development process (Microsoft's
  Security Development Lifecycle, SDL, most notably).

Tools started having security features (from bounds checking to
  static and dynamic code analysis).

Operating system security improved (there was no ASLR or DEP
  back then).


                                                               23
Back to the future




                      24
And now?
The impact of a vulnerability is limited to that company (or the set
  of companies that use that particular software).

Anyone can develop a web application.

A myriad of development languages.

Point & click frameworks that automagically generate code…




                                                             25
Looking into the future…
Let’s break this down into 4 areas:

•  Compliance

•  Processes

•  People

•  Tools

                                       26
Compliance
Unless there’s a business requirement, don’t
 expect anyone to implement security.

Ex: PCI-DSS, Data Privacy Laws, …




                                           27
Processes
If security is done ad hoc, it will almost surely
   fail.

•  Embed security in the SDL
•  Create internal processes for dealing
   specifically with security (e.g. risk
   assessment, engineering, testing, etc)


                                              28
29
People
Developers won’t build security into the apps,
 unless it’s a requirement…

They need to:
•  understand the security impact.
•  know how to solve the problem.
•  know how to use the tools…

Developers won’t become security gurus.
                                                 30
Tools
People fail. 

Tools/frameworks should become more idiot-proof.

Have security built in by default. Force
 insecurity to be explicit.


                                           31
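What "security built in by default, insecurity explicit" looks like in code, as an added example that is not part of the original deck and not any real framework's API: a toy web layer in which output is HTML-escaped unless the caller wraps it in Raw(), and the ordinary query call only takes parameterised SQL, with a separately named query_raw() as the escape hatch. The same block also shows the two OWASP Top Ten entries the deck lists first, injection and XSS, going through the default path and the explicit path. The names Raw, render, Db, query and query_raw are assumptions for illustration, and the users table with its two rows is constructed sample data.

```python
"""Added example: secure path by default, insecure path only on explicit request.
Not a real framework; Raw, render, Db, query and query_raw are illustrative names,
and the users table and its two rows are constructed sample data."""
import html
import sqlite3
from dataclasses import dataclass
from string import Template


@dataclass(frozen=True)
class Raw:
    """Explicit opt-out: only markup wrapped in Raw() bypasses escaping."""
    markup: str


def render(template: str, **values) -> str:
    """Fill a developer-controlled $name template, escaping every value by default.

    A value reaches the page unescaped only when the caller wrapped it in Raw(),
    so the insecure choice is visible in the code and easy to grep for in review.
    """
    safe = {}
    for name, value in values.items():
        if isinstance(value, Raw):
            safe[name] = value.markup                        # explicit, reviewable opt-out
        else:
            safe[name] = html.escape(str(value), quote=True)  # default path
    return Template(template).substitute(safe)


class Db:
    """Query wrapper whose ordinary entry point only accepts parameterised SQL."""

    def __init__(self) -> None:
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
        self.conn.executemany(
            "INSERT INTO users VALUES (?, ?, ?)",
            [(1, "alice", "admin"), (2, "bob", "user")],  # constructed sample rows
        )

    def query(self, sql: str, params: tuple = ()) -> list:
        # Deliberately strict heuristic: a quote character in the statement text
        # means a value was spliced in by string concatenation. Values belong in
        # params, where the driver binds them and they can never become SQL.
        if "'" in sql or '"' in sql:
            raise ValueError("string literal in SQL text; pass values via params")
        return self.conn.execute(sql, params).fetchall()

    def query_raw(self, sql: str) -> list:
        """Escape hatch for statements the strict path refuses. Named so that it
        stands out in code review and can be audited or forbidden by a linter."""
        return self.conn.execute(sql).fetchall()


def demo() -> dict:
    """Run the same attacker input through the default and the explicit paths."""
    db = Db()
    attacker = "' OR '1'='1"
    # Default path: the payload is bound as data; no user is literally named that.
    rows_safe = db.query("SELECT name FROM users WHERE name = ?", (attacker,))
    # Concatenated statement: rejected before it reaches the database.
    try:
        db.query("SELECT name FROM users WHERE name = '" + attacker + "'")
        rejected = False
    except ValueError:
        rejected = True
    # Same statement through the explicit escape hatch: the classic injection,
    # and the call site says so by name.
    rows_raw = db.query_raw(
        "SELECT name FROM users WHERE name = '" + attacker + "' ORDER BY id"
    )
    # Output side: user input is escaped, trusted markup needs an explicit Raw().
    page = render(
        "<p>Hello $user</p>$footer",
        user="<script>alert(1)</script>",
        footer=Raw("<b>ok</b>"),
    )
    return {"rows_safe": rows_safe, "rejected": rejected, "rows_raw": rows_raw, "page": page}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the design is not that the quote heuristic is clever (it will refuse legitimate literals, and that is intended), but that every place the application takes the unsafe route carries a name, Raw() or query_raw(), that a reviewer or a lint rule can find. A developer who knows nothing about injection or XSS still ends up on the safe path, which is exactly what the deck asks of tools.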
32
Thank You!

                                 Q&A?

Bruno Morisson
CISSP-ISSMP, CISA, ISO27001LA
[email]: bm@integrity.pt
[work]: http://www.integrity.pt/
[fun]: http://genhex.org/~mori/
                                         33