http://www.owasp.org
Dinis Cruz
dinis.cruz@owasp.org
Tuesday, 8 November 2011
OWASP is Amazing
Don't stop asking why not?
Try new ideas:
Barefoot walking/running
I'm a developer
O2 PLATFORM
OWASP
TeamMentor
Security Innovation
I'm going to speak as
the developer of
for which security
IS NOT a priority
it is important
but not a priority
In fact I want
security to be
INVISIBLE
(or transparent)
As with every other
developer,
I don't want my app to
have security
vulnerabilities
So I'm happy to help
the security process...
... as long as the
workflow works for me
and my team
and at the moment it
doesn't
Dear Security
teams / vendors
Features and
Functionality
Rule!
You (security teams)
I'm smart
If I'm not smart
Make me smart!
Since I'm smart
Make me a HERO
Actually
I'm not a security
expert
that is YOUR job
if you want to talk about:
jQuery, JavaScript, MVC, Reflection, Hibernate, Struts,
AoP, High performance Algorithms, Compression
techniques, cache management, Agile, Pointers, Code
Patterns, Authorisation Models, QA, User-acceptance-tests,
Use-Cases, UML, SCRUM, StackOverflow, GIT, App
Hosting/Clustering, etc....
that's me
Security
That's you
(btw)
I'm the one
creating value
I'm the one
making money,
grabbing eyeballs,
creating value
YOU are a TAX
As positioned today
which is why I don't
really like to talk/deal
with you
Quiz Question:
Yeah I can see the
Queue from here.....
Developers' dirty
secrets
The devs can't visualise
how their app works
The devs
(and management, and buyers, and users)
don't understand
how their app works
In practice what does
this mean?
it means that they can't
quickly answer questions like:
what are the URLs?
what data do you
expect to receive from
the web?
what data CAN be
submitted from the web?
what is the data-binding
behaviour of the
Frameworks used?
(case in point: MVC Frameworks)
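An added example (not from the original slides) of why the data-binding question matters: many MVC frameworks bind every request field that matches a model property by default, so "what data CAN be submitted" becomes "what model fields can an attacker set". The Account model, its field names, the binder functions and the two request bodies (assumed to be already-parsed JSON) are all hypothetical and constructed for this illustration.

```python
# Added example (not from the original slides): blind data binding vs an
# allow-list binder. Model, field names and request bodies are hypothetical.
from dataclasses import dataclass, fields


@dataclass
class Account:
    username: str = ""
    email: str = ""
    is_admin: bool = False  # sensitive field never meant to come from the web


def bind_all(model, request_body):
    """Reflection-style binding, as many MVC frameworks do by default:
    every request key that matches a model attribute is copied across."""
    for f in fields(model):
        if f.name in request_body:
            setattr(model, f.name, request_body[f.name])
    return model


def bind_allowed(model, request_body, allowed):
    """Allow-list binding: only the named fields are bound; every other key
    is reported so the developer can see what the request actually carried."""
    unexpected = sorted(set(request_body) - set(allowed))
    for name in allowed:
        if name in request_body:
            setattr(model, name, request_body[name])
    return model, unexpected


# Constructed request bodies: what the form was designed to send...
EXPECTED_BODY = {"username": "alice", "email": "alice@example.com"}
# ...and what an attacker submits (one extra key added to the POST body).
HOSTILE_BODY = {"username": "alice", "email": "alice@example.com", "is_admin": True}


def demo():
    """Returns (is_admin after blind binding, is_admin after allow-list
    binding, keys the allow-list binder flagged as unexpected)."""
    blind = bind_all(Account(), HOSTILE_BODY)
    safe, unexpected = bind_allowed(Account(), HOSTILE_BODY,
                                    allowed=("username", "email"))
    return blind.is_admin, safe.is_admin, unexpected


if __name__ == "__main__":
    print(demo())
```

The blind binder silently promotes the account; the allow-list binder leaves `is_admin` untouched and names the stray key, which is exactly the kind of signal a developer can act on without a security review.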
Where is my Data
Validation layer?
Who and what connects
to the databases/assets?
Where are my assets?
Where is the
Credit Card data?
What are the connections
between the managed layers
(C# & Java) and unmanaged
layers (C/C++)?
What happens at the
Javascript layer?
(easier question)
(harder question)
(much harder question)
Bottom line:
(*unless we have been attacked before)
If it compiles
Ship it!
(I see this behaviour at a lot of dev shops)
Bottom line:
(*If we have been attacked before)
If it compiles
(and passes the security tools)
Send it to the
Security Team
(who now have funds to hire their own staff)
Dealing with
Security
And exploitation of
security vulnerabilities
affects them
So by-proxy I care
about security
But the current
workflow between
developers and security
teams is....
F****d
or, more politically
correct:
Highly inefficient
and that is in
companies WITH
internal security teams
&amp; awareness
It is even worse for the
rest
We need a new
paradigm
One where application
security ADDS value to
the Business
One where Application
Security practices are
deeply embedded into
the SDL
One where Application
Security practices are
invisible/transparent to
99% of the parties
involved
(the 1% are the ones directly involved in security, such as
security teams, devs, architects, CISO, etc...)
but before we get to
the solution, let's set the
stage....
As a developer, this is
receive non-automated
findings
(that will force me to spend
time replicating the issue)
I don't want to:
receive no information
on the impact of the
proposed fix
(the blast radius of a fix,
i.e. how much s*** will break)
I don't want to:
be lectured by a
security expert that
doesn't understand my
application
Got that?
I don't think that
(even if they tried)
security consultants
could OFFEND
developers more than
they do today
What I want
Ideally I should be able
to use those APIs in the
most efficient way
I want to know when I
use those APIs and
Frameworks incorrectly
I want to understand
my Application!
Can YOU do that?
Can you help me to
understand my
Application?
because,
as a developer
if you can help me to
understand my
Application ...
... you add value to my
world....
if you don't help me to
understand how my
Application works
you are a TAX that I
have to Pay
or an INSURANCE that I
have to Pay
Did you notice the lack
of security in the last
slides?
:)
let's try this again
What I want
from a security point of view (in red)
Ideally I should only be
able to use those APIs
in a SECURE way
I want to know when I
use those APIs and
Frameworks insecurely
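An added example (not from the original slides, and not O2 Platform code) of what the two slides above ask for: an API shaped so that the only way to pass data is as a parameter, and which fails loudly when a developer inlines data into the query text instead. The users table, the sample rows, the `find_user_*` helpers and the injection string are all constructed for this illustration; the regex guard is a deliberately crude check on the WHERE clause, not a SQL parser, and stands in for whatever the real framework would do.

```python
# Added example (not from the original slides): a query helper that can only
# be called with placeholders, so insecure use raises instead of shipping.
# Table, rows, helper names and payload are hypothetical.
import re
import sqlite3


def build_db():
    """In-memory SQLite database seeded with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cr3t"), ("bob", "hunter2")])
    return db


def find_user_insecure(db, name):
    """The usual pattern: caller-supplied data concatenated into SQL."""
    return db.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


class InsecureQueryUse(ValueError):
    """Raised when data has leaked into the query text itself."""


# Quote characters and comment starters have no business in a WHERE clause
# that is supposed to consist of column names, operators and '?' only.
_LITERAL = re.compile(r"['\"]|--|/\*")


def find_user_secure(db, clause, *params):
    """Accepts a WHERE clause plus one parameter per '?' placeholder.
    Any literal or comment sequence in the clause, or a placeholder count
    that does not match the parameters, is rejected before it reaches SQLite."""
    if _LITERAL.search(clause):
        raise InsecureQueryUse(f"string literal in query text: {clause!r}")
    if clause.count("?") != len(params):
        raise InsecureQueryUse("placeholder/parameter count mismatch")
    return db.execute(f"SELECT name FROM users WHERE {clause}", params).fetchall()


PAYLOAD = "x' OR '1'='1"  # constructed injection string


def demo():
    """Returns (rows leaked by the insecure helper, rows returned by the
    secure helper for the same payload, whether developer misuse was caught)."""
    db = build_db()
    injected = find_user_insecure(db, PAYLOAD)        # payload rewrites the query
    safe = find_user_secure(db, "name = ?", PAYLOAD)  # payload is just a value
    try:
        find_user_secure(db, f"name = '{PAYLOAD}'")   # developer inlines data
        misuse_caught = False
    except InsecureQueryUse:
        misuse_caught = True
    return len(injected), len(safe), misuse_caught


if __name__ == "__main__":
    print(demo())
```

The point is the third value: the developer who reaches for string formatting out of habit gets an exception at development time, with the offending clause in the message, rather than a finding from a security team months later.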
I want to understand
the security risk profile
of my Application!
Making Security
Invisible
by becoming the
developers best friend
using the
OWASP O2 Platform
DEMO TIME.....
Any questions?