don’t teach developers security
DESCRIPTION
Don’t Teach Developers Security. Caleb Sima [email protected] Armorize Technologies. Who am I?. 1997-2000: Ex- ISSer from X-Force 2000-2007: Founder and CTO of SPI Dynamics 2007-2010: CTO of Application Security at HP Current…: CEO of Armorize Technologies. Old Man in Security Now…. - PowerPoint PPT PresentationTRANSCRIPT
Who am I?1997-2000: Ex-ISSer from X-Force2000-2007: Founder and CTO of SPI Dynamics2007-2010: CTO of Application Security at HPCurrent…: CEO of Armorize Technologies
Old Man in Security Now…
Yes I Know..
Can you fix this Spike?... Can you? Can we do it quick? Can we Spike?
SecurityDevelopment
Training is Important But..
We focus on the wrong method (Top 10)We focus on the wrong people (developers)Security is a PIA.Turnover sucksDon’t rely on it
2010 OWASP Top 101. Injection2. Cross Site Scripting (XSS)3. Broken Authentication and Session Management4. Insecure Direct Object References5. Cross Site Request Forgery (CSRF)6. Security Misconfiguration7. Insecure Cryptographic Storage8. Failure to Restrict URL Access9. Insufficient Transport Layer Protection10. Un-validated Redirects and Forwards
Training is Important But..
We focus on the wrong method (Top 10)We focus on the wrong people (developers)
Security is a PIA.
Turnover sucksDon’t rely on it
What is wrong with this code?
Training is Important But..
We focus on the wrong method (Top 10)We focus on the wrong people (developers)Security is a PIA.Turnover sucks
Don’t rely on it
Note on PCI
Step 1Start with a security assessment
Step 2Assign and train QA on your 2 issues
Step 3Assign 1 developer on each app team to
be the security controller
Step 4Automate this process
FutureCode Analyses + Remediation Libraries = Code
Verification
Security, Accuracy and Privacy in Computer Systems - James Martin
Reasonableness Test:For example. a charge of $500 might be reasonableon a corporations electricity bill but not on an individuals bill.
Consistency Test:In an airline booking to Chicago the transaction may be checked to ensure that the flight number in it does in fact go to Chicago.
Special Tests:Dates may be checked to ensure that the month is between I and l2.that the day is between l and 28, 29, 30, or 31. depending upon the month.Self Checking Numbers:
The extra digit is derivedarithmetically from the other digits.
Written in 1973!
“To me, security is important. But it's no less important than
everything *else* that is also important!”
- Linus
Caleb [email protected]
Download Trial of CodeSecure at http://www.armorize.com/codesecure4-beta/
Google: “OWASP ESAPI”, “BSIMM”, “Armorize”,”James Martin”REFERENCES