don’t teach developers security

Post on 24-Feb-2016


DESCRIPTION

Don’t Teach Developers Security. Caleb Sima, caleb@armorize.com, Armorize Technologies. Who am I? 1997-2000: Ex-ISSer from X-Force. 2000-2007: Founder and CTO of SPI Dynamics. 2007-2010: CTO of Application Security at HP. Current…: CEO of Armorize Technologies. Old Man in Security Now… - PowerPoint PPT Presentation

TRANSCRIPT

Don’t Teach Developers Security
Caleb Sima
caleb@armorize.com
Armorize Technologies

Who am I?
1997-2000: Ex-ISSer from X-Force
2000-2007: Founder and CTO of SPI Dynamics
2007-2010: CTO of Application Security at HP
Current…: CEO of Armorize Technologies

Old Man in Security Now…

Yes I Know..

Can you fix this Spike?... Can you? Can we do it quick? Can we Spike?

Security / Development

Training is Important But..
We focus on the wrong method (Top 10)
We focus on the wrong people (developers)
Security is a PIA.
Turnover sucks
Don’t rely on it

2010 OWASP Top 10
1. Injection
2. Cross Site Scripting (XSS)
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross Site Request Forgery (CSRF)
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards


What is wrong with this code?


Note on PCI

Step 1: Start with a security assessment

Step 2: Assign and train QA on your 2 issues

Step 3: Assign 1 developer on each app team to be the security controller

Step 4: Automate this process

Future: Code Analyses + Remediation Libraries = Code Verification
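The four steps above plus the "code analysis + remediation library" idea, as one added example written for this page (it is not Armorize CodeSecure or any code from the talk). It assumes the assessment in Step 1 put SQL injection at the top of the two issues and that the application is Python using a DB-API cursor; the check QA would run in Step 4 flags any cursor.execute() whose query text is assembled from runtime values and names the parameterised form as the remediation. The sample module at the bottom is constructed for the demonstration.

```python
"""Added CI gate for the issues an assessment actually found (illustration
code written for this page; not Armorize CodeSecure or any other product).
Assumption: the assessment ranked SQL injection at the top and the code base
is Python talking to a DB-API cursor, so the check flags cursor.execute()
whose query is assembled from runtime values and names the parameterised
form as the fix."""
import ast
from dataclasses import dataclass


@dataclass
class Finding:
    line: int
    snippet: str
    fix: str


PARAM_FIX = "pass values separately: cursor.execute(sql_with_placeholders, params)"


def _is_dynamic_sql(node: ast.AST) -> bool:
    """True if the expression builds the query text from runtime values."""
    if isinstance(node, ast.JoinedStr):                       # f"... {x}"
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                           # "..." + x, "..." % x
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True                                           # "...".format(x)
    return False


def find_sql_injection(source: str) -> list[Finding]:
    """Walk the AST and report every execute()/executemany() whose first
    argument is not a literal query string."""
    lines = source.splitlines()
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany")
                and node.args and _is_dynamic_sql(node.args[0])):
            findings.append(Finding(node.lineno, lines[node.lineno - 1].strip(), PARAM_FIX))
    return sorted(findings, key=lambda f: f.line)


def build_should_fail(source: str) -> bool:
    """The gate QA runs on every change: fail on the assessed issue, nothing else."""
    return bool(find_sql_injection(source))


# Constructed sample module: three queries built from input, two parameterised.
SAMPLE_SOURCE = '''
def lookup(cursor, user_id, name):
    cursor.execute("SELECT * FROM users WHERE id = " + user_id)
    cursor.execute("SELECT * FROM users WHERE name = '%s'" % name)
    cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
    cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))
'''

if __name__ == "__main__":
    for f in find_sql_injection(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.snippet}\n    fix: {f.fix}")
```

The point of keeping the gate this narrow is the talk's argument: QA and the team's security controller learn one check that maps to a real finding, and the remediation (parameters instead of string building) is a library call, not a training course. A second check for the other assessed issue would be added the same way.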

Security, Accuracy and Privacy in Computer Systems - James Martin

Reasonableness Test: For example, a charge of $500 might be reasonable on a corporation’s electricity bill but not on an individual’s bill.

Consistency Test: In an airline booking to Chicago the transaction may be checked to ensure that the flight number in it does in fact go to Chicago.

Special Tests: Dates may be checked to ensure that the month is between 1 and 12, and that the day is between 1 and 28, 29, 30, or 31, depending upon the month.

Self Checking Numbers: The extra digit is derived arithmetically from the other digits.

Written in 1973!
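Martin's four kinds of input check, as an added example written for this page (not code from the slides or from Martin's book). The charge limits, the flight table and the use of the Luhn algorithm for the self-checking digit are assumptions chosen for illustration; Martin's text only says the extra digit is derived arithmetically from the others.

```python
"""Added example of the 1973 input checks: reasonableness, consistency,
special (date) tests and a self-checking number.  Limits, the flight table
and the Luhn algorithm are assumptions for illustration."""
import calendar

# Reasonableness test: the same value can be plausible for one kind of
# account and not another.  Limits are assumed.
REASONABLE_CHARGE_LIMIT = {"individual": 300.0, "corporation": 5000.0}


def charge_is_reasonable(account_type: str, amount: float) -> bool:
    return 0 < amount <= REASONABLE_CHARGE_LIMIT[account_type]


# Consistency test: the flight number on the booking must actually go to the
# destination on the booking.  Constructed schedule.
FLIGHT_DESTINATIONS = {"UA101": "Chicago", "UA202": "Denver"}


def booking_is_consistent(flight_no: str, destination: str) -> bool:
    return FLIGHT_DESTINATIONS.get(flight_no) == destination


# Special test: month in 1..12 and day in 1..(28|29|30|31) for that month.
def date_is_valid(year: int, month: int, day: int) -> bool:
    if not 1 <= month <= 12:
        return False
    return 1 <= day <= calendar.monthrange(year, month)[1]


# Self-checking number: the last digit is computed from the others (Luhn,
# chosen here as one instance), so a mistyped or transposed digit is caught
# before the record is stored.
def luhn_check_digit(body: str) -> str:
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def self_check_ok(number: str) -> bool:
    if not number.isdigit() or len(number) < 2:
        return False
    return luhn_check_digit(number[:-1]) == number[-1]


if __name__ == "__main__":
    print(charge_is_reasonable("individual", 500.0), charge_is_reasonable("corporation", 500.0))
    print(booking_is_consistent("UA101", "Chicago"), booking_is_consistent("UA202", "Chicago"))
    print(date_is_valid(2016, 2, 29), date_is_valid(2015, 2, 29), date_is_valid(2016, 13, 1))
    print(self_check_ok("79927398713"), self_check_ok("79927398731"))
```

Each of these checks belongs in the input path of the application, where Martin put them, and each is the kind of narrow, testable rule QA can own without a security curriculum.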

“To me, security is important. But it's no less important than everything *else* that is also important!”
- Linus

Caleb Sima
caleb@armorize.com
www.armorize.com

Download Trial of CodeSecure at http://www.armorize.com/codesecure4-beta/

REFERENCES
Google: “OWASP ESAPI”, “BSIMM”, “Armorize”, “James Martin”
