Leveraging Static Analysis to Secure Software
TRANSCRIPT
Parasoft © 2014
GoToWebinar Housekeeping
Your Participation
• Open and hide your control panel
• Join audio: choose "Mic & Speakers" to use VoIP, or choose "Telephone" and dial using the information provided
• Submit questions and comments via the Questions panel
Note: Today's presentation is being recorded and will be provided within a week.
Agenda
• Street Santas everywhere
• Attack surfaces growing
• Which should I allow
• Can't I just shut the chimney?
• Impractical in today's cloud world
• Security Best Practices
SantaQL Injection
Common
Easy to exploit
Easy to prevent
Data validation
Stored procedures
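An added illustration of the slide's three points, not code from the Parasoft deck: the query built by string concatenation beside its hardened form, run against a constructed in-memory sqlite3 table. Parameter binding stands in for the slide's stored procedures (sqlite3 has none, but the principle is the same: the value is bound as data, never spliced into the statement), and the allow-list check is the slide's data validation.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data standing in for a real user store.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return db


def lookup_vulnerable(db, name):
    # Untrusted input is pasted into the SQL text, so the "data" becomes
    # part of the statement and can change what the statement means.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


def lookup_safe(db, name):
    # The SQL text is fixed; the value is bound as a parameter and stays data.
    # A stored procedure with a typed parameter gives the same separation.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()


# Data validation: an allow-list of the shape a username may take.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def validate_username(name):
    # Reject anything that is not a plausible username before it reaches SQL.
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    return name


def lookup_validated(db, name):
    # Validation plus binding: each control works on its own, together they
    # also limit what a bug elsewhere in the query layer can be made to do.
    return lookup_safe(db, validate_username(name))


if __name__ == "__main__":
    db = make_db()
    print(lookup_safe(db, "alice"))          # [('alice', 'alice@example.test')]
    print(lookup_safe(db, "o'brien"))        # [] (quote is just data here)
    print(lookup_validated(db, "bob"))       # [('bob', 'bob@example.test')]
```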
What are you getting?
• What about all that stuff Santa brings?
• What's in your open source?
Authentication and authorization
• Right password
• Right person (not the same)
• Right privileges
• https
• certificates
Protect Sensitive Information
Sensitive data should be encrypted
Sending
Storing
Enforce reasonable passwords
Malicious Insiders
• Who is working for you
• Controlled access
• Appropriate access
• Monitoring
Training
• Secure Coding
• Testing for security
• Proper Validation
• Anatomy of attacks
• Healthy paranoia
Tools
• Pen test
• Regression test
• Flow analysis
• Pattern-based analysis
• Coding standards
• Virtualization
Educate Yourself
• Know your business
• Know the technology
• What are the risks?
• What are the threats?
• How can I mitigate them?
Security Resources
CWE – Common Weakness Enumeration • http://cwe.mitre.org
Software Assurance Marketplace (SWAMP) • https://continuousassurance.org
OWASP – Open Web Application Security Project • http://www.owasp.org
PCI – Payment Card Industry Security Standards • https://www.pcisecuritystandards.org
Hack.me – Community based security learning project • https://hack.me
SAMATE – Software Assurance Metrics And Tool Evaluation • http://samate.nist.gov
Build Security In – Collaborative security effort • https://buildsecurityin.us-cert.gov
Q&A
• Web: http://www.parasoft.com/jsp/resources
• Blog: http://alm.parasoft.com
• Social
  • Facebook: https://www.facebook.com/parasoftcorporation
  • Twitter: @Parasoft @MustRead4Dev
  • LinkedIn: http://www.linkedin.com/company/parasoft
  • Google+ Community: Static Analysis for Fun and Profit