Security YMCA

Security YMCA
Why shouting into the security echo chamber does no good!

Are we, as security people reaching the
people we need to reach the
most…developers?

Disclaimers
• Be careful what you say on twitter
• This started of as a joke
• We do not represent our employers, these are or
own opinions
• Our survey has NO scientific basis
• Our survey is NOT free of bias
• The outfits are just so
you won’t take us
seriously ;)

Image: YMCA a CC NC image from bogdog Dan’s Flicks stream:
http://www.flickr.com/photos/25689440@N06/2866020311/

Points of order
• We have about 25 minutes left in this
presentation
• In this 25 minutes we will try to start a discussion
• Maybe we may even get people to do some real
research
• 10 minutes are reserved for Q&A and YMCA song
• The next 20 slides will auto-advance every 45
seconds…
• This talk is interactive… so interact!

• Why the f*ck did you guys pick this talk? No Really

Who are we?
• Chris John Riley

• Arron “F1nux” Finnon

Who are we?
• Frank “Seccubus” Breedijk

• Chris “Suggy” Sumner

So what is this about?
Raise of hands:
• Who in this room is not working in info security?
• Who in this room has ever presented at a
conference?
• Of those, who presented at a non-security
conference?

• And yet we wonder why “developers don’t get
it?”

HTTP Parameter Pollution
• There are multiple ways to send parameters
• Sending parameters with both GET and
POST can lead to interesting results
• This problem has been known for 11 years
• Yet 30% for the Alexa top 5000 sites has at
least on page with this problem*
• Including Microsoft, Google, VMWare,
Facebook, Symantec and Paypal
* Taken from Marco Balduzzi’s talk “HTTP Parameter Pollution Vulnerabilities in Web Applications”
Black Hat Europe 2011

So we did a survey
• Not scientific (we’re no scientists)
• Bias introduced (but we’re are biased ;)
• Intended to generate discussion and actual
research

• Writing a survey to prove a point is not good
science
• We do not know if the participants were actually
developers

Demographics - Roles
Senior
management or
Sponsor Application
Security Architect Application
Architect Developer
Project Manager

Application
Support

Business Owner

Other
Responses from all over the
geographic spectrum…
Lots from UK and USA

Demographics -Experience
more than 15 less than 2 years
years

2 -4 years

10 - 15 years

4 - 10 years

Demographics -Skillz

50
45
40
35
30
25
20
15
10
5
0

novice
intermediate
advanced
ninja

... as an application developer? .... in application security?

What a 12 step program
boils down to…
• Recognize /admit there is a problem
• Accept it needs to be fixed
• Get to know the problem
• Fix the problem
• Learn new rules to avoid the problem
• Help others avoid the problem

Admitting/recognizing the problem
• Where do you find most problem when it
comes to securing applications you develop?
– I'm not able spot security issues

• Disagree – 25% 25%
• Somewhat agree – 28% 48%
• Agree – 19%
27%
• Strongly Agree – 1%
• No Answer – 27%

Accept that you need to fix it
– Security loses out to features

11
• Disagree – 11% %
63%
• Somewhat agree – 17%
• Agree – 25%
26%
• Strongly Agree – 21%

Investigate the problem
– Understanding information on how to secure
things

• Agree – 16%
• Strongly Agree – 3% 26%


Fixing the problem
– Fitting security into the development timeline

7
• Disagree – 7% %


• Agree – 21%

Help others avoid the problem
– Finding the right tools to assist in secure
development


• Agree – 29%

Where do you find most problems when it comes to
securing applications you develop?
Disagree "Agree"

66
60 63
60

48
46

1. Make it easier to find the right information & tools
2. Acknowledge the timeline & features issues
28
25

12 11 13
7

Understanding I'm not able spot Finding the correct Fitting security Security loses out Finding the right
information on security issues information into the to features tools to assist in
how to secure development secure
things timeline development

Information Sources
How often to you refer to the following information
sources to ensure the security of your applications?

Rarely / Never Regularly / Constantly

31 24
40 45
49 49
60

61 67
51 47
43 43
32

Blogs Social Books Forums Training Best Internal
Networks Material Practice Coding
Guides Guidelines

How often to you refer to the following information
sources to ensure the security of your applications?

Rarely / Never Regularly / Constantly

31 24
40 45
49 49
60

61 67
51 47
43 43
32

Blogs Social Books Forums Training Best Practice Internal
Networks Material Guides Coding
Guidelines

We don’t suck We suck

Internal Coding Guidelines

Constantly
Never
Regularly

Do you even
Rarely
have any?

Detect / Prevent
When developing applications do you or your
company use any of the following to ensure security
of the applications developed?
35

30

25

20 Code-Review (automated
or manual)
15 Penetration Testing
10
Security Review
5

0
Surprised by code review, do
they mean a Security Code
Review or Quality Review?

About tools
• In our survey our audience said: 80.8 % wanted
more tools, however my 2 pence worth (as
usual in security your being over charged), is
that we have too many tools.
• Dare I say too much fragmentation in choice of
tools.
• I wonder about a world with only x1 port
scanner, all training material, all methodologies,
all good practice would reflect the x1 single
tool.
• So my question is, am i officially crazy?

And now for the singing and dancing

Image: “Chewbacca wasn't sure they had disco on Kashyyyk but he sure as hell wasn't going to put all that practice at looking like an 'M' go to
waste” a CC NC SA image from harold.loyd’s Flickr stream: http://www.flickr.com/photos/14434912@N07/3503661701/

Security YMCA

Recommended

Recommended

More Related Content

What's hot

What's hot (6)

Similar to Security YMCA

Similar to Security YMCA (20)

More from Security BSides London

More from Security BSides London (12)

Recently uploaded

Recently uploaded (20)

Security YMCA