
Writing Secure Code

Alex Cespedes
About me
Software is everywhere
many vulnerabilities
Vulnerabilities can be classified
Humans

Network

Applications

Server Software

Operating System

Hardware
Applications
• Planning
• Development
• QA
OWASP Project
• A1:2017 Injection
• A2:2017 Broken Authentication
• A3:2017 Sensitive Data Exposure
• A4:2017 XML External Entity (XXE)
• A5:2017 Broken Access Control
• A6:2017 Security Misconfiguration
• A7:2017 Cross-Site Scripting (XSS)
• A8:2017 Insecure Deserialization
• A9:2017 Using Components with Known Vulnerabilities
• A10:2017 Insufficient Logging & Monitoring
SDLC

[Diagram: SDLC cycle with six numbered phases: Planning, Analysis, Design, Development, Testing & Integration, Maintenance]
SDLC
• Test Early and Test Often
• Understand the Scope of Security
• Develop the Right Mindset
• Understand the Subject
• Use the Right Tools
• Use Source Code When Available
• Develop Metrics
   ◦ If more education and training are required
   ◦ If there is a particular security mechanism that is not clearly understood by the dev team
   ◦ If the total number of security related problems being found each month is going down
Security Techniques

Manual Inspections & Reviews
Advantages
• Requires no supporting technology
• Can be applied to a variety of situations
• Flexible
• Promotes teamwork
• Early in the SDLC
Disadvantages
• Can be time consuming
• Requires significant human thought and skill to be effective

Threat Modeling
Advantages
• Decomposing the application
• Defining and classifying the assets
• Exploring potential vulnerabilities/threats
• Creating mitigation strategies
Disadvantages
• Relatively new technique
• Good threat models don’t mean good software
Security Techniques

Code Review
Advantages
• Completeness and effectiveness
• Accuracy
• Fast
Disadvantages
• Requires highly skilled security dev
• Can miss issues in compiled libraries
• The source code actually deployed might differ from the one being analyzed

Penetration Testing
Advantages
• Can be fast
• Requires a relatively lower skill-set than source code review
• Test the code that is actually being exposed
Disadvantages
• Too late in the SDLC
• Front impact testing only
Prevention
Securing applications

[Diagram: cycle with the stages Prevention, Detection, Response, Recovery, Monitoring]
Development
• Scan your code continuously
   ◦ Application code
   ◦ Packages / Libraries

• Train developers in secure coding


• Make Friday – break the app
• Use secure crypto
• Log errors
• Don’t reinvent
   ◦ Login
   ◦ Password Reset
Database
• Encrypt sensitive data (PI, Addresses, emails, passwords)
• Encrypt database on disk (including backups)
• Minimal privilege for application database user
• Do not store encryption keys in database
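
The database points above, sketched for PostgreSQL as an added example that is not part of the original slides. The role, schema, table and column names are hypothetical, the password and key values are placeholders, and the pgcrypto extension is assumed to be available.

```sql
-- Added example (PostgreSQL). All object names are hypothetical.

-- Too broad: the application connects as a role that can do anything.
--   GRANT ALL PRIVILEGES ON DATABASE shop TO app_user;
--   ALTER ROLE app_user SUPERUSER;

-- Least privilege: a non-login role owns the objects,
-- the application role can only read and write rows.
CREATE ROLE app_owner NOLOGIN;
CREATE ROLE app_user LOGIN PASSWORD '<from-secret-store>'
    NOSUPERUSER NOCREATEDB NOCREATEROLE;

CREATE SCHEMA app AUTHORIZATION app_owner;
REVOKE ALL ON SCHEMA app FROM PUBLIC;
GRANT USAGE ON SCHEMA app TO app_user;

CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE app.customer (
    id          bigserial PRIMARY KEY,
    email_enc   bytea NOT NULL,  -- sensitive fields stored encrypted
    address_enc bytea
);
ALTER TABLE app.customer OWNER TO app_owner;

-- No DELETE, TRUNCATE or DDL rights for the application role.
GRANT SELECT, INSERT, UPDATE ON app.customer TO app_user;
GRANT USAGE ON SEQUENCE app.customer_id_seq TO app_user;

-- The key is a statement parameter supplied by the application
-- (from a secret store or KMS); it is never written to any table.
PREPARE add_customer(text, text) AS
    INSERT INTO app.customer (email_enc)
    VALUES (pgp_sym_encrypt($1, $2));

PREPARE get_email(bigint, text) AS
    SELECT pgp_sym_decrypt(email_enc, $2) AS email
    FROM app.customer WHERE id = $1;

EXECUTE add_customer('alice@example.test', '<key-from-secret-store>');
EXECUTE get_email(1, '<key-from-secret-store>');
```

With pgcrypto the key still travels to the server inside the statement and can end up in server logs when statement logging is enabled; encrypting in the application before the INSERT avoids that.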
Infrastructure
• Secure your development environment
• Block development/staging from the outside world with a username/password
• Turn off unused servers
• Multifactor authentication to all the infrastructure
• Use IDS/IPS
Thanks!!
