SlideShare a Scribd company logo

2013 michael coates-javaone

Download as PPTX, PDF
Michael Coates
Michael Coates

This document discusses how to scale web security programs to enable security at large organizations. It argues that relying solely on security professionals is not scalable, and that security must be embedded throughout the entire software development lifecycle (SDLC). It recommends automating as many security tasks as possible, such training developers, conducting static/dynamic analysis, and defending applications post-release. Security experts should focus on strategic tasks like risk management, architecture design, and tackling new problems. The key is gaining incremental security wins at each stage and building everything with scaling in mind.

TechnologyBusiness
1 of 35
Scaling Web Security - Tools, Processes and Techniques to Enable Security At Scale
About Me michael.coates@owasp.org
“The global cost of cybercrime is greater than the combined effect on the global economy of trafficking in marijuana, heroin and cocaine” theregister.co.uk Sept 7, 2011
Reality
Data Loss & Breaches Verizon Data Breach Report 2013datalossdb.org/statistics
Data Loss & Breaches Verizon Data Breach Report 2013datalossdb.org/statistics
The Supposed Security Program • “Security is everyone’s job…” • “Security training is the answer…” • “It’s easy, just use encoding…” • “Companies that care about security wouldn’t have those vulnerabilities…”
Two Facts about Security Programs
1) Fixing a single security bug:
1) Fixing a single security bug: Easy
1) Fixing a single security bug: Easy (generally)
2) Ensuring no critical bugs are introduced to software
2) Ensuring no critical bugs are introduced to software • While moving fast
2) Ensuring no critical bugs are introduced to software • While moving fast • With minimal impact to developers
2) Ensuring no critical bugs are introduced to software • While moving fast • With minimal impact to developers • Within an agile or constant deployment model
2) Ensuring no critical bugs are introduced to software • While moving fast • With minimal impact to developers • Within an agile or constant deployment model • Across thousands of developers, multiple sites and services, and numerous new lines of code
2) Ensuring no critical bugs are introduced to software • While moving fast • With minimal impact to developers • Within an agile or constant deployment model • Across thousands of developers, multiple sites and services, and numerous new lines of code
The Goal • Eliminate all possible security bugs? • Keep company out of the headlines? • Protect data? • Ensure uptime? • The real goal – manage risk
RETHINKING SECURITY PROGRAMS Eliminate the Security Professional
You can’t solve security by throwing bodies at the problem Security Professionals – Expensive – Hard to find – Competition for employment
Humans Don’t Scale Well
Security Throughout SDLC
Development • Developer Training • Coding Guidelines – Cheat Sheets – Concise, Usable owasp.org/index.php/Cheat_Sheets
Development • Security Libraries & Services – Abstract away internals of security code – Standardized security libraries • OWASP ESAPI – an example of what you should build within your organization – Web services for security
Automation • Dynamic security analysis built for developers – Report what can be found >95% accuracy – Skip issues where accuracy is low – Accurate Tool > Tool which requires security team wiki.mozilla.org/Security/Projects/Minion
Automation • Static / Dynamic Analysis – Careful – security resource may be required – Can scale if homogenous environment • Security X as a Service – Yes! The Future!
QA • Security validation within QA • Functional testing of forms + basic sec tests • Follow patterns of current QA – Pass / Fail – Self contained testing – no need for security evaluation “><script>alert(‘problem’)</script>
Organizational Strategy • Embedding security inside dev team – team effort to ship – real time collaboration – eliminates “us” vs “them” – build alliance Dev Team Dev Team Dev Team
Organizational Strategy • Scaling via Security Champions • Primary Role: Developer Secondary: Security • Scales Effectively • Liaison to security team Dev Team Dev Team
Post Release - Bounty Programs! • Engage Security Community https://bugcrowd.com/list-of-bug-bounty-programs/
Post Release – Defend That App • Detect and repel common attacks – Web Application Firewall • Detect and repel custom attacks at business layer – Integrated application defense – OWASP AppSensor owasp.org/index.php/OWASP_AppSensor_Project crosstalkonline.org/storage/issue-archives/2011/201109/201109-Watson.pdf
Post Release – Defend That App • Scale! – Attack blocking? Automated only – No human analysis in critical path.
How to Use Security Expertise • Security strategy, risk programs, architecture & design • Tackle new problems, determine how to automate them • Build scalable security resources & services
Key Points • Security is not just an activity conducted by a single team • A strategic security program gains incremental wins at every step • Build everything for scaling • Automate first, human SMEs only when required
Thanks @_mwc michael.coates@owasp.org security101@lists.owasp.org https://lists.owasp.org/mailman/listinfo/security101

Recommended

Devbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityDevbeat Conference - Developer First Security
Devbeat Conference - Developer First Security
Michael Coates
 
Web application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresWeb application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresAung Thu Rha Hein
 
Secure Web Services
Secure Web ServicesSecure Web Services
Secure Web ServicesRob Daigneau
 
Web Application Security - DevFest + GDay George Town 2016
Web Application Security - DevFest + GDay George Town 2016Web Application Security - DevFest + GDay George Town 2016
Web Application Security - DevFest + GDay George Town 2016
Gareth Davies
 
The Web Application Hackers Toolchain
The Web Application Hackers ToolchainThe Web Application Hackers Toolchain
The Web Application Hackers Toolchain
jasonhaddix
 
OWASP Top Ten 2017
OWASP Top Ten 2017OWASP Top Ten 2017
OWASP Top Ten 2017
Michael Furman
 
ZeroNights2013 testing of password policy
ZeroNights2013 testing of password policyZeroNights2013 testing of password policy
ZeroNights2013 testing of password policy
Anton Dedov
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
Lewis Ardern
 

Recommended

Devbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityDevbeat Conference - Developer First Security
Devbeat Conference - Developer First Security
Michael Coates
 
Web application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresWeb application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresAung Thu Rha Hein
 
Secure Web Services
Secure Web ServicesSecure Web Services
Secure Web ServicesRob Daigneau
 
Web Application Security - DevFest + GDay George Town 2016
Web Application Security - DevFest + GDay George Town 2016Web Application Security - DevFest + GDay George Town 2016
Web Application Security - DevFest + GDay George Town 2016
Gareth Davies
 
The Web Application Hackers Toolchain
The Web Application Hackers ToolchainThe Web Application Hackers Toolchain
The Web Application Hackers Toolchain
jasonhaddix
 
OWASP Top Ten 2017
OWASP Top Ten 2017OWASP Top Ten 2017
OWASP Top Ten 2017
Michael Furman
 
ZeroNights2013 testing of password policy
ZeroNights2013 testing of password policyZeroNights2013 testing of password policy
ZeroNights2013 testing of password policy
Anton Dedov
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
Lewis Ardern
 
CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014
Greg Foss
 
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - TrivadisTechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
Trivadis
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing Presentation
Chris Gates
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript Developers
Lewis Ardern
 
Email keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malwareEmail keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malware
Michael Gough
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanTop 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajan
Akash Mahajan
 
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Ruby Meditation
 
OWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsOWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript Applications
Lewis Ardern
 
Threat Intelligence Field of Dreams
Threat Intelligence Field of DreamsThreat Intelligence Field of Dreams
Threat Intelligence Field of Dreams
Greg Foss
 
Continuous Integration and Quality Development
Continuous Integration and Quality DevelopmentContinuous Integration and Quality Development
Continuous Integration and Quality Development
Gareth Davies
 
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Madhu Akula
 
Secure Yourself, Practice what we preach - BSides Austin 2015
Secure Yourself, Practice what we preach - BSides Austin 2015Secure Yourself, Practice what we preach - BSides Austin 2015
Secure Yourself, Practice what we preach - BSides Austin 2015
Michael Gough
 
Web hackingtools cf-summit2014
Web hackingtools cf-summit2014Web hackingtools cf-summit2014
Web hackingtools cf-summit2014
ColdFusionConference
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 events
Michael Gough
 
Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0
Michael Gough
 
Owasp methodologies of Security testing part1
Owasp methodologies of Security testing part1Owasp methodologies of Security testing part1
Owasp methodologies of Security testing part1
robin_bene
 
BSides Columbus: Active Defense - Helping threat actors hack themselves!
BSides Columbus: Active Defense - Helping threat actors hack themselves!BSides Columbus: Active Defense - Helping threat actors hack themselves!
BSides Columbus: Active Defense - Helping threat actors hack themselves!
ThreatReel Podcast
 
BSides Leeds - Performing JavaScript Static Analysis
BSides Leeds - Performing JavaScript Static AnalysisBSides Leeds - Performing JavaScript Static Analysis
BSides Leeds - Performing JavaScript Static Analysis
Lewis Ardern
 
Security guidelines
Security guidelinesSecurity guidelines
Security guidelines
karthz
 
Dangerous Design Patterns In One Line
Dangerous Design Patterns In One LineDangerous Design Patterns In One Line
Dangerous Design Patterns In One Line
Lewis Ardern
 
Security in an Interconnected and Complex World of Software
Security in an Interconnected and Complex World of SoftwareSecurity in an Interconnected and Complex World of Software
Security in an Interconnected and Complex World of Software
Michael Coates
 
Application Security Done Right
Application Security Done RightApplication Security Done Right
Application Security Done Right
pvanwoud
 

More Related Content

What's hot

CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014
Greg Foss
 
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - TrivadisTechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
Trivadis
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing Presentation
Chris Gates
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript Developers
Lewis Ardern
 
Email keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malwareEmail keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malware
Michael Gough
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanTop 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajan
Akash Mahajan
 
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Ruby Meditation
 
OWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsOWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript Applications
Lewis Ardern
 
Threat Intelligence Field of Dreams
Threat Intelligence Field of DreamsThreat Intelligence Field of Dreams
Threat Intelligence Field of Dreams
Greg Foss
 
Continuous Integration and Quality Development
Continuous Integration and Quality DevelopmentContinuous Integration and Quality Development
Continuous Integration and Quality Development
Gareth Davies
 
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Madhu Akula
 
Secure Yourself, Practice what we preach - BSides Austin 2015
Secure Yourself, Practice what we preach - BSides Austin 2015Secure Yourself, Practice what we preach - BSides Austin 2015
Secure Yourself, Practice what we preach - BSides Austin 2015
Michael Gough
 
Web hackingtools cf-summit2014
Web hackingtools cf-summit2014Web hackingtools cf-summit2014
Web hackingtools cf-summit2014
ColdFusionConference
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 events
Michael Gough
 
Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0
Michael Gough
 
Owasp methodologies of Security testing part1
Owasp methodologies of Security testing part1Owasp methodologies of Security testing part1
Owasp methodologies of Security testing part1
robin_bene
 
BSides Columbus: Active Defense - Helping threat actors hack themselves!
BSides Columbus: Active Defense - Helping threat actors hack themselves!BSides Columbus: Active Defense - Helping threat actors hack themselves!
BSides Columbus: Active Defense - Helping threat actors hack themselves!
ThreatReel Podcast
 
BSides Leeds - Performing JavaScript Static Analysis
BSides Leeds - Performing JavaScript Static AnalysisBSides Leeds - Performing JavaScript Static Analysis
BSides Leeds - Performing JavaScript Static Analysis
Lewis Ardern
 
Security guidelines
Security guidelinesSecurity guidelines
Security guidelines
karthz
 
Dangerous Design Patterns In One Line
Dangerous Design Patterns In One LineDangerous Design Patterns In One Line
Dangerous Design Patterns In One Line
Lewis Ardern
 

What's hot (20)

CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014
 
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - TrivadisTechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing Presentation
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript Developers
 
Email keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malwareEmail keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malware
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanTop 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajan
 
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
 
OWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsOWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript Applications
 
Threat Intelligence Field of Dreams
Threat Intelligence Field of DreamsThreat Intelligence Field of Dreams
Threat Intelligence Field of Dreams
 
Continuous Integration and Quality Development
Continuous Integration and Quality DevelopmentContinuous Integration and Quality Development
Continuous Integration and Quality Development
 
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
 
Secure Yourself, Practice what we preach - BSides Austin 2015
Secure Yourself, Practice what we preach - BSides Austin 2015Secure Yourself, Practice what we preach - BSides Austin 2015
Secure Yourself, Practice what we preach - BSides Austin 2015
 
Web hackingtools cf-summit2014
Web hackingtools cf-summit2014Web hackingtools cf-summit2014
Web hackingtools cf-summit2014
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 events
 
Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0
 
Owasp methodologies of Security testing part1
Owasp methodologies of Security testing part1Owasp methodologies of Security testing part1
Owasp methodologies of Security testing part1
 
BSides Columbus: Active Defense - Helping threat actors hack themselves!
BSides Columbus: Active Defense - Helping threat actors hack themselves!BSides Columbus: Active Defense - Helping threat actors hack themselves!
BSides Columbus: Active Defense - Helping threat actors hack themselves!
 
BSides Leeds - Performing JavaScript Static Analysis
BSides Leeds - Performing JavaScript Static AnalysisBSides Leeds - Performing JavaScript Static Analysis
BSides Leeds - Performing JavaScript Static Analysis
 
Security guidelines
Security guidelinesSecurity guidelines
Security guidelines
 
Dangerous Design Patterns In One Line
Dangerous Design Patterns In One LineDangerous Design Patterns In One Line
Dangerous Design Patterns In One Line
 

Similar to 2013 michael coates-javaone

Security in an Interconnected and Complex World of Software
Security in an Interconnected and Complex World of SoftwareSecurity in an Interconnected and Complex World of Software
Security in an Interconnected and Complex World of Software
Michael Coates
 
Application Security Done Right
Application Security Done RightApplication Security Done Right
Application Security Done Right
pvanwoud
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOps
Stefan Streichsbier
 
State of DevSecOps - DevSecOpsDays 2019
State of DevSecOps - DevSecOpsDays 2019State of DevSecOps - DevSecOpsDays 2019
State of DevSecOps - DevSecOpsDays 2019
Stefan Streichsbier
 
State of DevSecOps - DevOpsDays Jakarta 2019
State of DevSecOps - DevOpsDays Jakarta 2019State of DevSecOps - DevOpsDays Jakarta 2019
State of DevSecOps - DevOpsDays Jakarta 2019
Stefan Streichsbier
 
The State of DevSecOps
The State of DevSecOpsThe State of DevSecOps
The State of DevSecOps
DevOps Indonesia
 
Who owns Software Security
Who owns Software SecurityWho owns Software Security
Who owns Software Security
devObjective
 
Who Owns Software Security?
Who Owns Software Security?Who Owns Software Security?
Who Owns Software Security?
ColdFusionConference
 
Solnet dev secops meetup
Solnet dev secops meetupSolnet dev secops meetup
Solnet dev secops meetup
pbink
 
Integrating DevOps and Security
Integrating DevOps and SecurityIntegrating DevOps and Security
Integrating DevOps and Security
Stijn Muylle
 
State of DevSecOps - GTACS 2019
State of DevSecOps - GTACS 2019State of DevSecOps - GTACS 2019
State of DevSecOps - GTACS 2019
Stefan Streichsbier
 
BSides Vienna 2015
BSides Vienna 2015BSides Vienna 2015
BSides Vienna 2015Daniel Liber
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalrkadayam
 
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
OWASP Russia
 
Applicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit ProgramApplicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit Program
Michael Davis
 
Why security is the kidney not the tail of the dog v3
Why security is the kidney not the tail of the dog v3Why security is the kidney not the tail of the dog v3
Why security is the kidney not the tail of the dog v3
Ernest Staats
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software Security
Anne Oikarinen
 
Product Security
Product SecurityProduct Security
Product Security
Steven Carlson
 
The state of web applications (in)security @ ITDays 2016
The state of web applications (in)security @ ITDays 2016The state of web applications (in)security @ ITDays 2016
The state of web applications (in)security @ ITDays 2016
Tudor Damian
 
Jason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional ToolsJason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional Tools
centralohioissa
 

Similar to 2013 michael coates-javaone (20)

Security in an Interconnected and Complex World of Software
Security in an Interconnected and Complex World of SoftwareSecurity in an Interconnected and Complex World of Software
Security in an Interconnected and Complex World of Software
 
Application Security Done Right
Application Security Done RightApplication Security Done Right
Application Security Done Right
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOps
 
State of DevSecOps - DevSecOpsDays 2019
State of DevSecOps - DevSecOpsDays 2019State of DevSecOps - DevSecOpsDays 2019
State of DevSecOps - DevSecOpsDays 2019
 
State of DevSecOps - DevOpsDays Jakarta 2019
State of DevSecOps - DevOpsDays Jakarta 2019State of DevSecOps - DevOpsDays Jakarta 2019
State of DevSecOps - DevOpsDays Jakarta 2019
 
The State of DevSecOps
The State of DevSecOpsThe State of DevSecOps
The State of DevSecOps
 
Who owns Software Security
Who owns Software SecurityWho owns Software Security
Who owns Software Security
 
Who Owns Software Security?
Who Owns Software Security?Who Owns Software Security?
Who Owns Software Security?
 
Solnet dev secops meetup
Solnet dev secops meetupSolnet dev secops meetup
Solnet dev secops meetup
 
Integrating DevOps and Security
Integrating DevOps and SecurityIntegrating DevOps and Security
Integrating DevOps and Security
 
State of DevSecOps - GTACS 2019
State of DevSecOps - GTACS 2019State of DevSecOps - GTACS 2019
State of DevSecOps - GTACS 2019
 
BSides Vienna 2015
BSides Vienna 2015BSides Vienna 2015
BSides Vienna 2015
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps final
 
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
 
Applicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit ProgramApplicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit Program
 
Why security is the kidney not the tail of the dog v3
Why security is the kidney not the tail of the dog v3Why security is the kidney not the tail of the dog v3
Why security is the kidney not the tail of the dog v3
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software Security
 
Product Security
Product SecurityProduct Security
Product Security
 
The state of web applications (in)security @ ITDays 2016
The state of web applications (in)security @ ITDays 2016The state of web applications (in)security @ ITDays 2016
The state of web applications (in)security @ ITDays 2016
 
Jason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional ToolsJason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional Tools
 

More from Michael Coates

Self Defending Applications
Self Defending ApplicationsSelf Defending Applications
Self Defending Applications
Michael Coates
 
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAPVirtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Michael Coates
 
Bug Bounty Programs For The Web
Bug Bounty Programs For The WebBug Bounty Programs For The Web
Bug Bounty Programs For The Web
Michael Coates
 
SQL Injection - Mozilla Security Learning Center
SQL Injection - Mozilla Security Learning CenterSQL Injection - Mozilla Security Learning Center
SQL Injection - Mozilla Security Learning CenterMichael Coates
 
Cross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterCross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning Center
Michael Coates
 
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPIReal Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Michael Coates
 
SSL Screw Ups
SSL Screw UpsSSL Screw Ups
SSL Screw Ups
Michael Coates
 

More from Michael Coates (8)

Self Defending Applications
Self Defending ApplicationsSelf Defending Applications
Self Defending Applications
 
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAPVirtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
 
Sf startup-security
Sf startup-securitySf startup-security
Sf startup-security
 
Bug Bounty Programs For The Web
Bug Bounty Programs For The WebBug Bounty Programs For The Web
Bug Bounty Programs For The Web
 
SQL Injection - Mozilla Security Learning Center
SQL Injection - Mozilla Security Learning CenterSQL Injection - Mozilla Security Learning Center
SQL Injection - Mozilla Security Learning Center
 
Cross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterCross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning Center
 
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPIReal Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
 
SSL Screw Ups
SSL Screw UpsSSL Screw Ups
SSL Screw Ups
 

Recently uploaded

Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
g2nightmarescribd
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 

Recently uploaded (20)

Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 

2013 michael coates-javaone

  • 1. Scaling Web Security - Tools, Processes and Techniques to Enable Security At Scale
  • 3. “The global cost of cybercrime is greater than the combined effect on the global economy of trafficking in marijuana, heroin and cocaine” theregister.co.uk Sept 7, 2011
  • 5. Data Loss & Breaches Verizon Data Breach Report 2013datalossdb.org/statistics
  • 6. Data Loss & Breaches Verizon Data Breach Report 2013datalossdb.org/statistics
  • 7. The Supposed Security Program • “Security is everyone’s job…” • “Security training is the answer…” • “It’s easy, just use encoding…” • “Companies that care about security wouldn’t have those vulnerabilities…”
  • 8. Two Facts about Security Programs
  • 9. 1) Fixing a single security bug:
  • 10. 1) Fixing a single security bug: Easy
  • 11. 1) Fixing a single security bug: Easy (generally)
  • 12. 2) Ensuring no critical bugs are introduced to software
  • 13. 2) Ensuring no critical bugs are introduced to software • While moving fast
  • 14. 2) Ensuring no critical bugs are introduced to software • While moving fast • With minimal impact to developers
  • 15. 2) Ensuring no critical bugs are introduced to software • While moving fast • With minimal impact to developers • Within an agile or constant deployment model
  • 16. 2) Ensuring no critical bugs are introduced to software • While moving fast • With minimal impact to developers • Within an agile or constant deployment model • Across thousands of developers, multiple sites and services, and numerous new lines of code
  • 17. 2) Ensuring no critical bugs are introduced to software • While moving fast • With minimal impact to developers • Within an agile or constant deployment model • Across thousands of developers, multiple sites and services, and numerous new lines of code
  • 18. The Goal • Eliminate all possible security bugs? • Keep company out of the headlines? • Protect data? • Ensure uptime? • The real goal – manage risk
  • 19. RETHINKING SECURITY PROGRAMS Eliminate the Security Professional
  • 20. You can’t solve security by throwing bodies at the problem Security Professionals – Expensive – Hard to find – Competition for employment
  • 23. Development • Developer Training • Coding Guidelines – Cheat Sheets – Concise, Usable owasp.org/index.php/Cheat_Sheets
  • 24. Development • Security Libraries & Services – Abstract away internals of security code – Standardized security libraries • OWASP ESAPI – an example of what you should build within your organization – Web services for security
  • 25. Automation • Dynamic security analysis built for developers – Report what can be found >95% accuracy – Skip issues where accuracy is low – Accurate Tool > Tool which requires security team wiki.mozilla.org/Security/Projects/Minion
  • 26. Automation • Static / Dynamic Analysis – Careful – security resource may be required – Can scale if homogenous environment • Security X as a Service – Yes! The Future!
  • 27. QA • Security validation within QA • Functional testing of forms + basic sec tests • Follow patterns of current QA – Pass / Fail – Self contained testing – no need for security evaluation “><script>alert(‘problem’)</script>
  • 28. Organizational Strategy • Embedding security inside dev team – team effort to ship – real time collaboration – eliminates “us” vs “them” – build alliance Dev Team Dev Team Dev Team
  • 29. Organizational Strategy • Scaling via Security Champions • Primary Role: Developer Secondary: Security • Scales Effectively • Liaison to security team Dev Team Dev Team
  • 30. Post Release - Bounty Programs! • Engage Security Community https://bugcrowd.com/list-of-bug-bounty-programs/
  • 31. Post Release – Defend That App • Detect and repel common attacks – Web Application Firewall • Detect and repel custom attacks at business layer – Integrated application defense – OWASP AppSensor owasp.org/index.php/OWASP_AppSensor_Project crosstalkonline.org/storage/issue-archives/2011/201109/201109-Watson.pdf
  • 32. Post Release – Defend That App • Scale! – Attack blocking? Automated only – No human analysis in critical path.
  • 33. How to Use Security Expertise • Security strategy, risk programs, architecture & design • Tackle new problems, determine how to automate them • Build scalable security resources & services
  • 34. Key Points • Security is not just an activity conducted by a single team • A strategic security program gains incremental wins at every step • Build everything for scaling • Automate first, human SMEs only when required