Michael Coates, profile picture
Uploaded byMichael Coates
PPTX, PDF10,378 views

2013 michael coates-javaone

This document discusses how to scale web security programs to enable security at large organizations. It argues that relying solely on security professionals is not scalable, and that security must be embedded throughout the entire software development lifecycle (SDLC). It recommends automating as many security tasks as possible, such training developers, conducting static/dynamic analysis, and defending applications post-release. Security experts should focus on strategic tasks like risk management, architecture design, and tackling new problems. The key is gaining incremental security wins at each stage and building everything with scaling in mind.

Embed presentation

Downloaded 18 times
Scaling Web Security - Tools, Processes and Techniques to Enable Security At Scale
About Me michael.coates@owasp.org
“The global cost of cybercrime is greater than the combined effect on the global economy of trafficking in marijuana, heroin and cocaine” theregister.co.uk Sept 7, 2011
Reality
Data Loss & Breaches Verizon Data Breach Report 2013datalossdb.org/statistics
Data Loss & Breaches Verizon Data Breach Report 2013datalossdb.org/statistics
The Supposed Security Program • “Security is everyone’s job…” • “Security training is the answer…” • “It’s easy, just use encoding…” • “Companies that care about security wouldn’t have those vulnerabilities…”
Two Facts about Security Programs
1) Fixing a single security bug:
1) Fixing a single security bug: Easy
1) Fixing a single security bug: Easy (generally)
2) Ensuring no critical bugs are introduced to software
2) Ensuring no critical bugs are introduced to software • While moving fast
2) Ensuring no critical bugs are introduced to software • While moving fast • With minimal impact to developers
2) Ensuring no critical bugs are introduced to software • While moving fast • With minimal impact to developers • Within an agile or constant deployment model
2) Ensuring no critical bugs are introduced to software • While moving fast • With minimal impact to developers • Within an agile or constant deployment model • Across thousands of developers, multiple sites and services, and numerous new lines of code
2) Ensuring no critical bugs are introduced to software • While moving fast • With minimal impact to developers • Within an agile or constant deployment model • Across thousands of developers, multiple sites and services, and numerous new lines of code
The Goal • Eliminate all possible security bugs? • Keep company out of the headlines? • Protect data? • Ensure uptime? • The real goal – manage risk
RETHINKING SECURITY PROGRAMS Eliminate the Security Professional
You can’t solve security by throwing bodies at the problem Security Professionals – Expensive – Hard to find – Competition for employment
Humans Don’t Scale Well
Security Throughout SDLC
Development • Developer Training • Coding Guidelines – Cheat Sheets – Concise, Usable owasp.org/index.php/Cheat_Sheets
Development • Security Libraries & Services – Abstract away internals of security code – Standardized security libraries • OWASP ESAPI – an example of what you should build within your organization – Web services for security
Automation • Dynamic security analysis built for developers – Report what can be found >95% accuracy – Skip issues where accuracy is low – Accurate Tool > Tool which requires security team wiki.mozilla.org/Security/Projects/Minion
Automation • Static / Dynamic Analysis – Careful – security resource may be required – Can scale if homogenous environment • Security X as a Service – Yes! The Future!
QA • Security validation within QA • Functional testing of forms + basic sec tests • Follow patterns of current QA – Pass / Fail – Self contained testing – no need for security evaluation “><script>alert(‘problem’)</script>
Organizational Strategy • Embedding security inside dev team – team effort to ship – real time collaboration – eliminates “us” vs “them” – build alliance Dev Team Dev Team Dev Team
Organizational Strategy • Scaling via Security Champions • Primary Role: Developer Secondary: Security • Scales Effectively • Liaison to security team Dev Team Dev Team
Post Release - Bounty Programs! • Engage Security Community https://bugcrowd.com/list-of-bug-bounty-programs/
Post Release – Defend That App • Detect and repel common attacks – Web Application Firewall • Detect and repel custom attacks at business layer – Integrated application defense – OWASP AppSensor owasp.org/index.php/OWASP_AppSensor_Project crosstalkonline.org/storage/issue-archives/2011/201109/201109-Watson.pdf
Post Release – Defend That App • Scale! – Attack blocking? Automated only – No human analysis in critical path.
How to Use Security Expertise • Security strategy, risk programs, architecture & design • Tackle new problems, determine how to automate them • Build scalable security resources & services
Key Points • Security is not just an activity conducted by a single team • A strategic security program gains incremental wins at every step • Build everything for scaling • Automate first, human SMEs only when required
Thanks @_mwc michael.coates@owasp.org security101@lists.owasp.org https://lists.owasp.org/mailman/listinfo/security101

More Related Content

PDF
Devbeat Conference - Developer First Security
byMichael Coates
 
PPTX
Web application security: Threats & Countermeasures
byAung Thu Rha Hein
 
PDF
Secure Web Services
byRob Daigneau
 
PPTX
Web Application Security - DevFest + GDay George Town 2016
byGareth Davies
 
PDF
The Web Application Hackers Toolchain
byjasonhaddix
 
PPTX
OWASP Top Ten 2017
byMichael Furman
 
PPTX
ZeroNights2013 testing of password policy
byAnton Dedov
 
PDF
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
byLewis Ardern
 
Devbeat Conference - Developer First Security
byMichael Coates
 
Web application security: Threats & Countermeasures
byAung Thu Rha Hein
 
Secure Web Services
byRob Daigneau
 
Web Application Security - DevFest + GDay George Town 2016
byGareth Davies
 
The Web Application Hackers Toolchain
byjasonhaddix
 
OWASP Top Ten 2017
byMichael Furman
 
ZeroNights2013 testing of password policy
byAnton Dedov
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
byLewis Ardern
 

What's hot

PDF
CMS Hacking Tricks - DerbyCon 4 - 2014
byGreg Foss
 
PDF
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
byTrivadis
 
PDF
Client-Side Penetration Testing Presentation
byChris Gates
 
PDF
OWASP Portland - OWASP Top 10 For JavaScript Developers
byLewis Ardern
 
PDF
Email keeps getting us pwned - Avoiding Ransomware and malware
byMichael Gough
 
PDF
Top 10 web application security risks akash mahajan
byAkash Mahajan
 
PDF
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
byRuby Meditation
 
PDF
OWASP SF - Reviewing Modern JavaScript Applications
byLewis Ardern
 
PDF
Threat Intelligence Field of Dreams
byGreg Foss
 
PPTX
Continuous Integration and Quality Development
byGareth Davies
 
PDF
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
byMadhu Akula
 
PDF
Secure Yourself, Practice what we preach - BSides Austin 2015
byMichael Gough
 
PDF
Web hackingtools cf-summit2014
byColdFusionConference
 
PDF
Finding attacks with these 6 events
byMichael Gough
 
PDF
Deeplook into apt and how to detect and defend v1.0
byMichael Gough
 
PPTX
Owasp methodologies of Security testing part1
byrobin_bene
 
ODP
BSides Columbus: Active Defense - Helping threat actors hack themselves!
byThreatReel Podcast
 
PDF
BSides Leeds - Performing JavaScript Static Analysis
byLewis Ardern
 
PPTX
Security guidelines
bykarthz
 
PDF
Dangerous Design Patterns In One Line
byLewis Ardern
 
CMS Hacking Tricks - DerbyCon 4 - 2014
byGreg Foss
 
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
byTrivadis
 
Client-Side Penetration Testing Presentation
byChris Gates
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
byLewis Ardern
 
Email keeps getting us pwned - Avoiding Ransomware and malware
byMichael Gough
 
Top 10 web application security risks akash mahajan
byAkash Mahajan
 
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
byRuby Meditation
 
OWASP SF - Reviewing Modern JavaScript Applications
byLewis Ardern
 
Threat Intelligence Field of Dreams
byGreg Foss
 
Continuous Integration and Quality Development
byGareth Davies
 
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
byMadhu Akula
 
Secure Yourself, Practice what we preach - BSides Austin 2015
byMichael Gough
 
Web hackingtools cf-summit2014
byColdFusionConference
 
Finding attacks with these 6 events
byMichael Gough
 
Deeplook into apt and how to detect and defend v1.0
byMichael Gough
 
Owasp methodologies of Security testing part1
byrobin_bene
 
BSides Columbus: Active Defense - Helping threat actors hack themselves!
byThreatReel Podcast
 
BSides Leeds - Performing JavaScript Static Analysis
byLewis Ardern
 
Security guidelines
bykarthz
 
Dangerous Design Patterns In One Line
byLewis Ardern
 

Similar to 2013 michael coates-javaone

PPTX
Security in an Interconnected and Complex World of Software
byMichael Coates
 
PDF
What Every Developer And Tester Should Know About Software Security
byAnne Oikarinen
 
PPT
OWASP: Building Secure Web Apps
bymlogvinov
 
PDF
Application Security on a Dime: A Practical Guide to Using Functional Open So...
byPOSSCON
 
PPTX
DevSecCon Tel Aviv 2018 - Security learns to sprint by Tanya Janca
byDevSecCon
 
PDF
Web Security... Level Up
byIzzet Mustafaiev
 
PPT
OWASP - Building Secure Web Applications
byalexbe
 
PDF
Building a Modern Security Engineering Organization. Zane Lackey
byYandex
 
PDF
Treating Security Like a Product
byVMware Tanzu
 
PPTX
Started In Security Now I'm Here
byChristopher Grayson
 
PDF
Building a Modern Security Engineering Organization
byZane Lackey
 
PPT
Software Security Engineering
byMarco Morana
 
PPT
六合彩香港-六合彩
bybaoyin
 
PDF
Even In 2014, Attackers are on steroid on Cloud, since the IT spending on Web...
bySreejesh Madonandy
 
PDF
Beyond the Bug Hunt: Unlocking Your AppSec Superpowers
bySteven Carlson
 
PDF
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
byCodemotion
 
PDF
Just4Meeting 2012 - How to protect your web applications
byMagno Logan
 
PPTX
Web security – everything we know is wrong cloud version
byEoin Keary
 
PDF
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
byMinded Security
 
PDF
Top 6 Web Application Security Best Practices.pdf
bySolviosTechnology
 
Security in an Interconnected and Complex World of Software
byMichael Coates
 
What Every Developer And Tester Should Know About Software Security
byAnne Oikarinen
 
OWASP: Building Secure Web Apps
bymlogvinov
 
Application Security on a Dime: A Practical Guide to Using Functional Open So...
byPOSSCON
 
DevSecCon Tel Aviv 2018 - Security learns to sprint by Tanya Janca
byDevSecCon
 
Web Security... Level Up
byIzzet Mustafaiev
 
OWASP - Building Secure Web Applications
byalexbe
 
Building a Modern Security Engineering Organization. Zane Lackey
byYandex
 
Treating Security Like a Product
byVMware Tanzu
 
Started In Security Now I'm Here
byChristopher Grayson
 
Building a Modern Security Engineering Organization
byZane Lackey
 
Software Security Engineering
byMarco Morana
 
六合彩香港-六合彩
bybaoyin
 
Even In 2014, Attackers are on steroid on Cloud, since the IT spending on Web...
bySreejesh Madonandy
 
Beyond the Bug Hunt: Unlocking Your AppSec Superpowers
bySteven Carlson
 
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018
byCodemotion
 
Just4Meeting 2012 - How to protect your web applications
byMagno Logan
 
Web security – everything we know is wrong cloud version
byEoin Keary
 
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
byMinded Security
 
Top 6 Web Application Security Best Practices.pdf
bySolviosTechnology
 

More from Michael Coates

PPTX
Self Defending Applications
byMichael Coates
 
PDF
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
byMichael Coates
 
PDF
Sf startup-security
byMichael Coates
 
KEY
Bug Bounty Programs For The Web
byMichael Coates
 
KEY
SQL Injection - Mozilla Security Learning Center
byMichael Coates
 
KEY
Cross Site Scripting - Mozilla Security Learning Center
byMichael Coates
 
PDF
Real Time Application Defenses - The Reality of AppSensor & ESAPI
byMichael Coates
 
PDF
SSL Screw Ups
byMichael Coates
 
Self Defending Applications
byMichael Coates
 
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
byMichael Coates
 
Sf startup-security
byMichael Coates
 
Bug Bounty Programs For The Web
byMichael Coates
 
SQL Injection - Mozilla Security Learning Center
byMichael Coates
 
Cross Site Scripting - Mozilla Security Learning Center
byMichael Coates
 
Real Time Application Defenses - The Reality of AppSensor & ESAPI
byMichael Coates
 
SSL Screw Ups
byMichael Coates
 

Recently uploaded

PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PDF
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
PDF
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
PPTX
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PDF
December Patch Tuesday
byIvanti
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PDF
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
PDF
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
PDF
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
PDF
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PDF
Incident Response Planning with a Foundation Model
byKim Hammar
 
PDF
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
PDF
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
PDF
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
PPTX
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
PDF
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
PDF
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
December Patch Tuesday
byIvanti
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
Incident Response Planning with a Foundation Model
byKim Hammar
 
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 

2013 michael coates-javaone

  • 1.
    Scaling Web Security- Tools, Processes and Techniques to Enable Security At Scale
  • 2.
  • 3.
    “The global costof cybercrime is greater than the combined effect on the global economy of trafficking in marijuana, heroin and cocaine” theregister.co.uk Sept 7, 2011
  • 4.
  • 5.
    Data Loss &Breaches Verizon Data Breach Report 2013datalossdb.org/statistics
  • 6.
    Data Loss &Breaches Verizon Data Breach Report 2013datalossdb.org/statistics
  • 7.
    The Supposed SecurityProgram • “Security is everyone’s job…” • “Security training is the answer…” • “It’s easy, just use encoding…” • “Companies that care about security wouldn’t have those vulnerabilities…”
  • 8.
    Two Facts aboutSecurity Programs
  • 9.
    1) Fixing asingle security bug:
  • 10.
    1) Fixing asingle security bug: Easy
  • 11.
    1) Fixing asingle security bug: Easy (generally)
  • 12.
    2) Ensuring nocritical bugs are introduced to software
  • 13.
    2) Ensuring nocritical bugs are introduced to software • While moving fast
  • 14.
    2) Ensuring nocritical bugs are introduced to software • While moving fast • With minimal impact to developers
  • 15.
    2) Ensuring nocritical bugs are introduced to software • While moving fast • With minimal impact to developers • Within an agile or constant deployment model
  • 16.
    2) Ensuring nocritical bugs are introduced to software • While moving fast • With minimal impact to developers • Within an agile or constant deployment model • Across thousands of developers, multiple sites and services, and numerous new lines of code
  • 17.
    2) Ensuring nocritical bugs are introduced to software • While moving fast • With minimal impact to developers • Within an agile or constant deployment model • Across thousands of developers, multiple sites and services, and numerous new lines of code
  • 18.
    The Goal • Eliminateall possible security bugs? • Keep company out of the headlines? • Protect data? • Ensure uptime? • The real goal – manage risk
  • 19.
    RETHINKING SECURITY PROGRAMS Eliminatethe Security Professional
  • 20.
    You can’t solvesecurity by throwing bodies at the problem Security Professionals – Expensive – Hard to find – Competition for employment
  • 21.
  • 22.
  • 23.
    Development • Developer Training •Coding Guidelines – Cheat Sheets – Concise, Usable owasp.org/index.php/Cheat_Sheets
  • 24.
    Development • Security Libraries& Services – Abstract away internals of security code – Standardized security libraries • OWASP ESAPI – an example of what you should build within your organization – Web services for security
  • 25.
    Automation • Dynamic security analysisbuilt for developers – Report what can be found >95% accuracy – Skip issues where accuracy is low – Accurate Tool > Tool which requires security team wiki.mozilla.org/Security/Projects/Minion
  • 26.
    Automation • Static /Dynamic Analysis – Careful – security resource may be required – Can scale if homogenous environment • Security X as a Service – Yes! The Future!
  • 27.
    QA • Security validationwithin QA • Functional testing of forms + basic sec tests • Follow patterns of current QA – Pass / Fail – Self contained testing – no need for security evaluation “><script>alert(‘problem’)</script>
  • 28.
    Organizational Strategy • Embeddingsecurity inside dev team – team effort to ship – real time collaboration – eliminates “us” vs “them” – build alliance Dev Team Dev Team Dev Team
  • 29.
    Organizational Strategy • Scalingvia Security Champions • Primary Role: Developer Secondary: Security • Scales Effectively • Liaison to security team Dev Team Dev Team
  • 30.
    Post Release -Bounty Programs! • Engage Security Community https://bugcrowd.com/list-of-bug-bounty-programs/
  • 31.
    Post Release –Defend That App • Detect and repel common attacks – Web Application Firewall • Detect and repel custom attacks at business layer – Integrated application defense – OWASP AppSensor owasp.org/index.php/OWASP_AppSensor_Project crosstalkonline.org/storage/issue-archives/2011/201109/201109-Watson.pdf
  • 32.
    Post Release –Defend That App • Scale! – Attack blocking? Automated only – No human analysis in critical path.
  • 33.
    How to UseSecurity Expertise • Security strategy, risk programs, architecture & design • Tackle new problems, determine how to automate them • Build scalable security resources & services
  • 34.
    Key Points • Securityis not just an activity conducted by a single team • A strategic security program gains incremental wins at every step • Build everything for scaling • Automate first, human SMEs only when required
  • 35.