Better Do What They Told Ya
DESCRIPTION
Developers are pressed to produce more secure code, but do not receive support from stakeholders, management, or even from the very manufacturers who produce the tools used to write applications. What can go wrong when even the official documentation for a product is wrong regarding security aspects?
TRANSCRIPT
© 2012
$ whois urma
• Ulisses Albuquerque
  – App Security Consultant for Trustwave SpiderLabs
    • Penetration testing
    • Code reviews
    • Secure development training
  – Passionate and opinionated developer
    • Ruby and C FTW
  – Long time F/LOSS advocate
    • It’s all about the community
Who is SpiderLabs?
SpiderLabs is the elite security team at Trustwave, offering clients the most advanced information security expertise and intelligence available today.
The SpiderLabs team has performed more than 1,500 computer incident response and forensic investigations globally, as well as over 15,000 penetration and application security tests for Trustwave’s clients.
The global team actively provides threat intelligence to both Trustwave and growing numbers of organizations from Fortune 50 to enterprises and start-ups.
Companies and organizations in more than 50 countries rely on the SpiderLabs team’s technical expertise to identify and anticipate cyber security attacks before they happen.
Agenda
• Motivation
• Non-Functional Requirements
• Who You Gonna Call?
• Official Documentation
• What Can We Do About It?
• Conclusion
Motivation
Motivation
Really, b*tch?
http://seclists.org/fulldisclosure/2013/Apr/173
Meanwhile, on [full-disclosure]…
Motivation
http://memegenerator.net/instance/37406597
Motivation
• Are developers really at fault?
• Do we (ahem, them) really suck this much?
• Do we have an attitude problem between developers and security people in the software industry?
• Obviously not, developers SUCK, right?
Non-Functional Requirements
Non-Functional Requirements
• Implicit expectations about the software
  • It should be fast
  • It should not crash
  • It should be user-friendly
  • It should be secure
Non-Functional Requirements
…and that’s assuming you know what you should be doing!
http://memegenerator.net/instance/37522060
Who You Gonna Call?
Who You Gonna Call?
(diagram: Software Concepts, Business Needs, Constraints, Craftsmanship)
Who You Gonna Call?
• How to fill the concept-to-code knowledge gap?
  • Google can help
  • Stack Overflow can help a lot
• But… There’s more than one way to do it™
http://www.spidereyeballs.com/os5/perl/small_os5_r23_1542.html
Who You Gonna Call?
• Official documentation should be the most trustworthy source of information
• We don’t want to know just any “how to do it”
  • We want to know “how to do it in a secure way”
http://www.themahoganyblog.com/2012/04/attention-music-imposter/laptop-thief/
<3 Stack Overflow!
How are vendors providing information on the security aspects of their tools, APIs and frameworks?
Official Documentation
Official Documentation - Java
http://docs.oracle.com/javase/7/docs/api/java/io/File.html#toURL()
Official Documentation - Java
• Pros
  • Use of annotations to indicate deprecated APIs
  • Compiler warnings
  • Clear indication of reason for deprecation
  • Security aspects mixed with functional description
• Cons
  • Deprecation is not a security-oriented feature
Official Documentation - .NET
http://msdn.microsoft.com/en-us/library/system.collections.caseinsensitivehashcodeprovider.aspx
Official Documentation - .NET
• Pros
  • Use of annotations to indicate deprecated APIs
  • Compiler warnings
• Cons
  • No indication of reason for deprecation
  • Deprecation is not a security-oriented feature
Official Documentation
• What about code samples?
http://msdn.microsoft.com/en-us/library/system.io.file.aspx
Race condition in sample code?
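The slide only asks the question, so here is an added illustration (not code from the slides or from MSDN) of the kind of race a "check whether the file exists, then create it" sample invites, next to a version that lets the OS do the check and the create in one atomic open. The assumption that the MSDN sample follows that check-then-act shape is mine.

```csharp
using System;
using System.IO;

// Added example, not from the slides or the MSDN page. Assumes the race the
// slide refers to is the common check-then-act pattern: call File.Exists,
// then create the file. Between the two calls another process can create,
// replace or redirect the path, so the check proves nothing about the create.
static class FileCreation
{
    // Racy: time-of-check to time-of-use (TOCTOU) gap between Exists and CreateText.
    // If the path appears in that gap, CreateText silently truncates and
    // overwrites whatever is now there.
    public static void CreateRacy(string path, string content)
    {
        if (!File.Exists(path))
        {
            using (StreamWriter sw = File.CreateText(path))
            {
                sw.WriteLine(content);
            }
        }
    }

    // Hardened: FileMode.CreateNew asks the OS to create the file only if it
    // does not already exist, as a single atomic operation. If it does exist,
    // the open throws IOException instead of reusing whatever is at the path.
    public static bool TryCreateAtomically(string path, string content)
    {
        try
        {
            using (var fs = new FileStream(path, FileMode.CreateNew,
                                           FileAccess.Write, FileShare.None))
            using (var sw = new StreamWriter(fs))
            {
                sw.WriteLine(content);
            }
            return true;
        }
        catch (IOException)
        {
            // Someone else got there first: report failure rather than
            // falling through to writing into the existing file.
            return false;
        }
    }

    static void Main()
    {
        string path = Path.Combine(Path.GetTempPath(), "toctou-demo.txt");
        Console.WriteLine("first create:  " + TryCreateAtomically(path, "first"));
        Console.WriteLine("second create: " + TryCreateAtomically(path, "second"));
        File.Delete(path);
    }
}
```

The second call reports failure because the file already exists; the racy version would have skipped the write only if its Exists check happened to run after the first create, which is exactly the ordering no code can rely on.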
Official Documentation
• It’s not only about documentation in web pages
• manpages are very inconsistent in their presentation of security-relevant information
• Shame on us, F/LOSS developers
Official Documentation
http://memegenerator.net/instance/37529225
Sometimes it’s not just incompetence or laziness, but intentionally harmful documentation
Official Documentation
http://docs.oracle.com/cd/E13222_01/wls/docs81b/secintro/archtect.html#1033713
Are you f*cking kidding me, Oracle?
What Can We Do About It?
What Can We Do About It?
• We = security professionals
  – Ignorance != incompetence
  – Assume developers are unaware of their mistakes
  – Avoid confrontation
• Do proper secure SDLC and be involved in ALL stages of development
  – Help developers make the right choices instead of just vetoing them
  – Easier said than done, unfortunately
What Can We Do About It?
• We = developers
  – Developers write tools for developers
  – Add consistent and comprehensive security information to documentation
  – Help fellow developers make the right choices
    • Deprecate what needs deprecation
    • Remove what is too dangerous
Conclusion
Conclusion
• Developers need training
  – Obviously
• Vendor documentation MUST improve
  – Even trained developers need context to guide their choices
• Developers are easy targets after a breach
  – Their work takes months or years, breaches happen in the blink of an eye
Conclusion
• MOAR ACCOUNTABILITY! MOAR RESOURCES!
  – Train your teams
  – Assess your results and ACT on them
• Security people need to position themselves as facilitators rather than opponents
  – Who enjoys having their work vetoed after months working on it?
Questions?
Trustwave SpiderLabs
SpiderLabs is an elite team of ethical hackers at Trustwave advancing the security capabilities of leading businesses and organizations throughout the world.
More Information:
Web: https://www.trustwave.com/spiderlabs
Blog: http://blog.spiderlabs.com
Twitter: @SpiderLabs