OWASP Brazil - Making Security Invisible by Becoming The Developer's Best Friends v2

The OWASP Foundation
http://www.owasp.org
Making Security Invisible by

Becoming the Developer's
Best Friends
OWASP AppSec Latam 2011 (Brazil)
Dinis Cruz
dinis.cruz@owasp.org
Tuesday, 8 November 2011

Dinis Cruz
Long-time OWASP contributor
OWASP O2 Platform (project)
OWASP Seasons of Code
OWASP Summits (2008 & 2011)
OWASP Training Days
OWASP Books
Helped multiple chapters and conferences
Multiple tools & research at OWASP .NET
Setup Application Security Team at Global Bank

Performed Security Reviews (White and Black box) on 100s of apps
Credited for vulnerability on .NET Framework and vulnerability on Spring MVC
Worked for OunceLabs (now IBM AppScan Source) and made it work
Didnt joined IBM (after OunceLabs acquisition) and spent 18 months rewriting the
OWASP O2 platform (and making my vision a reality)
Currently at Security Innovation (Boston/Seattle company)

Dinis @ Security Innovation
Responsible for the TeamMentor product

i.e. Im shipping code
SI is going to Commercially Support the

OWASP O2 Platform
with a focus on findings-automation and security-tools-integration
SI is a strong OWASP Supporter

Silver sponsor at AppSec USA
published OWASP TeamMentor Library under CC (Creative Commons)
published OWASP Top 10 e-learning course under CC
helping the clarify the commercial relationship with OWASPs ecosystem
Sponsored me to come here
3
OWASP is Amazing

5
6
owasp
band
7
Dont stop asking why not?
8
Try new ideas:
8
Try new ideas:
Barefoot walking/running
8
Try new ideas:
8
Try new ideas:
8
Im a developer

Yes
I have shipped code
10
O2 PLATFORM
OWASP
TeamMentor
Security Innovation
11
Im going to speak as
the developer of
and a couple other apps:

HacmeBank, JPetstore, Altoro Mutual
12
for which security
IS NOT a priority
13
it is important
14
but not a priority
15
In fact I want to
security to be
INVISIBLE
(or transparent)
16
As with every other
developer,
I dont want my app to
have security
vulnerabilities
17
So Im happy to help
the security process...
18
... as long as the
workflow works for me
and my team
19
and at the moment it
doesnt
20
Dear Security
teams / vendors

Understand this:
22
Features and
Functionality
Rule!
23
You (security teams)
are quite in the bottom

of the food chain
24
Im smart
If I wasnt smart I wouldnt be working (& paid) as a developer
25
If Im not Smart
dont tell that to my boss
(specially NOT in a report format)
26
If Im not Smart
Make me Smart!
27
Since Im smart
Make me a HERO
28
Actually
In the real world the

issue is usually not
smart but
experience on the
APIs/Framworks used
29
Another important topic
30
Im not a security
expert
31
that is YOUR job
32
if you want to talk about:
jQuery, Javascript, MVC, Reflection, Hibernate, Struts,
AoP, High performance Algorithms, Compression
techniques, cache management, Agile, Pointers, Code
Patterns, Authorisation Models, QA, User-acceptance-
tests, Use-Cases, UML, SRCUM, StackOverflow, GIT, App
Hosting/Clustering, etc....
33
thats me
34
Security
35
Thats you
36
(btw)
Im the one
creating value
37
Im the one
making money,
grabbing eyeballs,
creating value
or whatever the business wants to call it
38
YOU are a TAX
As positioned today
39
which is why I dont
really like to talk/deal
with you
40
Quiz Question:
When was the last time

that developers where
REALLY exited to talk
with Security Teams?
41
Yeah I can see the
Queue from here.....
(I think some developers would shoot Security

teams if that was legal)
42
Developers dirty
secrets

Here are a couple dirty
secrets about most
development projects
44
The devs cant visualise
how their app works
45
nt )
me
age
an
d m
(an
The devs cant visualise
how their app works
45
The devs dont understand
how their app works
46
nt )
me
age
an
d m
(an
how their app works
46
nt )
m e r s )
ag e u ye
an d b
d m (a n
(an
how their app works
46
nt )
m e r s ) r s )
ag e u ye s e
an d b d u
d m (a n (a n
(an
how their app works
46
In practice what does
this mean?
47
it means that they cant
quickly answer questions like:
48
what are the URLs?
49
what data do you
expect to receive from
the web?
50
what data CAN be
submitted from the web
51
what is the data-binding
behaviour of the
Frameworks used
(case point MVC Frameworks)
52
Where is my Data
Validation layer
53
Who and what connects
to the databases/assets
54
Where are my assets?
55
Where is the
Credit Card data?
56
What are the connections
between the managed layers
(C# & Java) and unmanaged
layers (C/C++)?
57
What happens at the
Javascript layer?
58
(easier question)
What is the real

CALL FLOW
of a request
(from the web to the backend and back to the web)
59
(harder question)
What is the real

TAINT FLOW
of a request
60
(much harder question)
What is the real

TAINT (with CONTROL) FLOW
of a request
61
Bottom line:
(*unless we have been attacked before)
62
If it compiles
Ship it!
(I see this behaviour at a lot of dev shops)
63
Bottom line:
(*If we have been attacked before)
64
If it compiles
(and passes the security tools)
Send it to the
Security Team
(who now have funds to hire their own staff)
65
Dealing with
Security

I care about my users
67
And exploitation of
security vulnerabilities
affects them
68
So by-proxy I care
about security
69
But the current
workflow between
developers and security
teams is....
70
F****d
71
or more politically
correct
72
Highly inefficient
73
and that is on
companies WITH
internal security teams
& awareness
74
It is even worse for the
rest
75
We need a new
paradigm
76
One where application
security ADDs value to
the Business
77
One where Application
Security practices are
deeply embedded into
the SDL
78
One where Application
Security practices are
invisible/transparent to
99% of the parties
involved
(the 1% are the ones directly involved in security, such as
security teams, devs,architects, CISO, etc...)
79
but before we get to
the solution, lets set the
stage....
80
As a developer , this is
What I dont want

I don't want to:
receive a PDF (or portal)

with security findings
82
I don't want to:
receive a tool result

with partial (or zero)
context about my app
83
I don't want to:
spent time sorting out

the False positives
created by tools
84
I don't want to:
have tons of bugs filled

into my bug tracking
system
85
I don't want to:
receive non-automated
findings
(that will force me to spend
time replicating the issue)
86
I don't want to:
receive no information
on the impact of the
proposed fix
the blast ratio of a fix
i.e. how much s*** will break
87
I don't want to:
be lectured by a
security expert that
doesnt understand my
application
88
I don't want to:
I dont want to be told

to go to school
usually framed as
we need to give security education to
developers
89
Got that?
90
I dont think that
(even if they tried)
security consultants
couldnt OFEND more
the developers than
they do today
91
What I want

I want to know the
implications of the
multiple APIs &
frameworks used
93
Ideally I should be able
to use those APIs is the
most efficient way
94
I want to know when I
use those APIs and
Frameworks incorrectly
95
I want to understand
my Application!
96
Can YOU do that?
97
Can you help me to
understand my
Application?
98
because,
as a developer
99
if you can help me to
understand my
Application ...
100
... you add value to my
world....
101
if you dont help me to
understand how my
Application works
102
you are a TAX that I
have to Pay
or an INSURANCE that I
have to Pay
103
Did you noticed the lack
of security in the last
slides?
:)
104
lets try this again
105
What I want
from a security point of view (in red)

I want to know the
Security implications of
the multiple APIs &
frameworks used
107
Ideally i should only be
able to use those APIs
in a SECURE way
108
I want to know when I
use those APIs and
Frameworks insecurely
109
I want to understand
the security risk profile
of my Application!
110
Making Security
Invisible
by becoming the
developers best friend

So how was I able to do
what I wanted (from
both a security and
developer point of view)
112
using the
OWASP O2 Platform
113
DEMO TIME.....
114
Any questions?

Thanks
116

OWASP Brazil - Making Security Invisible by Becoming The Developer's Best Friends v2

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

OWASP Brazil - Making Security Invisible by Becoming The Developer's Best Friends v2

Uploaded by

Copyright:

Available Formats

The OWASP Foundation

Making Security Invisible by

OWASP AppSec Latam 2011 (Brazil)

Tuesday, 8 November 2011

Setup Application Security Team at Global Bank

Tuesday, 8 November 2011

Responsible for the TeamMentor product

SI is going to Commercially Support the

SI is a strong OWASP Supporter

Tuesday, 8 November 2011

Tuesday, 8 November 2011

I have shipped code

and a couple other apps:

Tuesday, 8 November 2011

are quite in the bottom

If I wasnt smart I wouldnt be working (& paid) as a developer

dont tell that to my boss

(specially NOT in a report format)

In the real world the

or whatever the business wants to call it

When was the last time

(I think some developers would shoot Security

Tuesday, 8 November 2011

What is the real

What is the real

(from the web to the backend and back to the web)

What is the real

(from the web to the backend and back to the web)

Tuesday, 8 November 2011

What I dont want

Tuesday, 8 November 2011

receive a PDF (or portal)

receive a tool result

spent time sorting out

have tons of bugs filled

I dont want to be told

Tuesday, 8 November 2011

Tuesday, 8 November 2011

Tuesday, 8 November 2011

Tuesday, 8 November 2011

You might also like