Better Do What They Told Ya
Developers are pressed for producing more secure code, but do not receive support from stakeholders, management and even from the very manufacturers who produce the tools used to write applications.

What can go wrong when even the official documentation for a product is wrong regarding security aspects?

Published in: Technology
Speaker notes:
  • Google Oriented Programming = search on Google, try to do the same thing, and if it works move on to the next problem
  • The most obvious answers to "how do I do it" are also easy sources of information for attackers. The attacker has nothing to lose
  • Add an animation to transition between pros and cons
  • Add an animation to transition between pros and cons
  • According to the WhiteHat Security study, 27% of developers never had secure development training, and 32% had only up to 3 days

Slides: Better Do What They Told Ya

    1. © 2012. Presented by: Software Development: You Better Do What They Told Ya. Ulisses Albuquerque, ualbuquerque@trustwave.com
    2. $ whois urma
       • Ulisses Albuquerque
         – App Security Consultant for Trustwave SpiderLabs
           • Penetration testing
           • Code reviews
           • Secure development training
         – Passionate and opinionated developer
           • Ruby and C FTW
         – Long time F/LOSS advocate
           • It’s all about the community
    3. Who is SpiderLabs?
       SpiderLabs is the elite security team at Trustwave, offering clients the most advanced information security expertise and intelligence available today. The SpiderLabs team has performed more than 1,500 computer incident response and forensic investigations globally, as well as over 15,000 penetration and application security tests for Trustwave’s clients. The global team actively provides threat intelligence to both Trustwave and growing numbers of organizations from Fortune 50 to enterprises and start-ups. Companies and organizations in more than 50 countries rely on the SpiderLabs team’s technical expertise to identify and anticipate cyber security attacks before they happen.
    4. Agenda
       • Motivation
       • Non-Functional Requirements
       • Who You Gonna Call?
       • Official Documentation
       • What Can We Do About It?
       • Conclusion
    5. Motivation
    6. Motivation: Meanwhile, on [full-disclosure]… Really, b*tch? http://seclists.org/fulldisclosure/2013/Apr/173
    7. Motivation (image: http://memegenerator.net/instance/37406597)
    8. Motivation
       • Are developers really at fault?
       • Do we (ahem, them) really suck this much?
       • Do we have an attitude problem between developers and security people in the software industry?
       • Obviously not, developers SUCK, right?
    9. Non-Functional Requirements
    10. Non-Functional Requirements
       • Implicit expectations about the software
         • It should be fast
         • It should not crash
         • It should be user-friendly
         • It should be secure
    11. Non-Functional Requirements (image: http://memegenerator.net/instance/37522060)
    12. Who You Gonna Call?
    13. Who You Gonna Call? (diagram: Software, Concepts, Business Needs, Constraints, Craftsmanship)
    14. Who You Gonna Call?
       • How to fill the concept-to-code knowledge gap?
       • Google can help
       • Stack Overflow can help a lot
       • But… There’s more than one way to do it™ (http://www.spidereyeballs.com/os5/perl/small_os5_r23_1542.html)
    15–17. Who You Gonna Call? (screenshot slides)
    18. Who You Gonna Call?
       • Official documentation should be the most trustworthy source of information
       • We don’t want to know just any “how to do it”
       • We want to know “how to do it in a secure way”
       <3 Stack Overflow! (image: http://www.themahoganyblog.com/2012/04/attention-music-imposter/laptop-thief/)
    19. How are vendors providing information on the security aspects of their tools, APIs and frameworks?
    20. Official Documentation
    21. Official Documentation - Java: http://docs.oracle.com/javase/7/docs/api/java/io/File.html#toURL()
    22. Official Documentation - Java
       • Pros
         • Use of annotations to indicate deprecated APIs
         • Compiler warnings
         • Clear indication of reason for deprecation
         • Security aspects mixed with functional description
       • Cons
         • Deprecation is not a security-oriented feature
    23. Official Documentation - .NET: http://msdn.microsoft.com/en-us/library/system.collections.caseinsensitivehashcodeprovider.aspx
    24. Official Documentation - .NET
       • Pros
         • Use of annotations to indicate deprecated APIs
         • Compiler warnings
       • Cons
         • No indication of reason for deprecation
         • Deprecation is not a security-oriented feature
    25. Official Documentation
       • What about code samples? http://msdn.microsoft.com/en-us/library/system.io.file.aspx
       Race condition in sample code?
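The check-then-create race the slide points at, shown beside its atomic form, as an added illustration (it is not the MSDN sample and not the presenter's code); it assumes the sample follows the common "if the file does not exist, create it" shape.

```csharp
using System;
using System.IO;

// Added illustration, not the MSDN sample. Assumption: the sample under
// discussion checks File.Exists and then creates the file in a second call.
static class CheckThenCreate
{
    // Racy: between File.Exists and File.CreateText another process can
    // create a file (or a link) at 'path'; CreateText then truncates whatever
    // is there. The existence check and the creation are two separate steps.
    public static void RacyCreate(string path, string content)
    {
        if (!File.Exists(path))
        {
            using (StreamWriter sw = File.CreateText(path))
            {
                sw.Write(content);
            }
        }
    }

    // Hardened: FileMode.CreateNew makes the OS create the file or fail in one
    // operation, so there is no window between "check" and "create".
    // Returns false when the file already existed (nothing is overwritten).
    public static bool AtomicCreate(string path, string content)
    {
        try
        {
            using (var fs = new FileStream(path, FileMode.CreateNew,
                                           FileAccess.Write, FileShare.None))
            using (var sw = new StreamWriter(fs))
            {
                sw.Write(content);
            }
            return true;
        }
        catch (IOException)
        {
            return false; // file appeared first: report instead of clobbering it
        }
    }

    static void Main()
    {
        string path = Path.Combine(Path.GetTempPath(), "check-then-create-demo.txt");
        File.Delete(path); // no-op if absent
        Console.WriteLine(AtomicCreate(path, "first"));  // True
        Console.WriteLine(AtomicCreate(path, "second")); // False, "first" kept
        File.Delete(path);
    }
}
```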
    26. Official Documentation
       • It’s not only about documentation in web pages
       • manpages are very inconsistent in their presentation of security-relevant information
       • Shame on us, F/LOSS developers
    27–30. Official Documentation (screenshot slides)
    31. Official Documentation (image: http://memegenerator.net/instance/37529225)
    32. Sometimes it’s not just incompetence or laziness, but intentionally harmful documentation
    33. Official Documentation: http://docs.oracle.com/cd/E13222_01/wls/docs81b/secintro/archtect.html#1033713 Are you f*cking kidding me, Oracle?
    34. What Can We Do About It?
    35. What Can We Do About It?
       • We = security professionals
         – Ignorance != incompetence
         – Assume developers are unaware of their mistakes
         – Avoid confrontation
       • Do proper secure SDLC and be involved in ALL stages of development
         – Help developers make the right choices instead of just vetoing them
         – Easier said than done, unfortunately
    36. What Can We Do About It?
       • We = developers
         – Developers write tools for developers
         – Add consistent and comprehensive security information to documentation
         – Help fellow developers make the right choices
           • Deprecate what needs deprecation
           • Remove what is too dangerous
    37. Conclusion
    38. Conclusion
       • Developers need training
         – Obviously
       • Vendor documentation MUST improve
         – Even trained developers need context to guide their choices
       • Developers are easy targets after a breach
         – Their work takes months or years, breaches happen in the blink of an eye
    39. Conclusion
       • MOAR ACCOUNTABILITY! MOAR RESOURCES!
         – Train your teams
         – Assess your results and ACT on them
       • Security people need to position themselves as facilitators rather than opponents
         – Who enjoys having their work vetoed after months working on it?
    40. Questions?
    41. Trustwave SpiderLabs
       SpiderLabs is an elite team of ethical hackers at Trustwave advancing the security capabilities of leading businesses and organizations throughout the world.
       More Information: Web: https://www.trustwave.com/spiderlabs Blog: http://blog.spiderlabs.com Twitter: @SpiderLabs