Don’t Teach Developers Security Caleb Sima [email protected] Armorize Technologies.
19
-
Upload
nathanial-lavers -
Category
Documents
-
view
220 -
download
0
Transcript of Don’t Teach Developers Security Caleb Sima [email protected] Armorize Technologies.
Who am I?
1997-2000: Ex-ISSer from X-Force
2000-2007: Founder and CTO of SPI Dynamics
2007-2010: CTO of Application Security at HP
Current…: CEO of Armorize Technologies
Old Man in Security Now…
Yes I Know..
Can you fix this Spike?... Can you? Can we do it quick? Can we Spike?
Securit
yDevelopment
Training is Important But..
We focus on the wrong method (Top 10)
We focus on the wrong people (developers)
Security is a PIA.
Turnover sucks
Don’t rely on it
2010 OWASP Top 10
1. Injection2. Cross Site Scripting (XSS)3. Broken Authentication and Session Management4. Insecure Direct Object References5. Cross Site Request Forgery (CSRF)6. Security Misconfiguration7. Insecure Cryptographic Storage8. Failure to Restrict URL Access9. Insufficient Transport Layer Protection10. Un-validated Redirects and Forwards
Training is Important But..
We focus on the wrong method (Top 10)
We focus on the wrong people (developers)
Security is a PIA.
Turnover sucks
Don’t rely on it
What is wrong with this code?
Training is Important But..
We focus on the wrong method (Top 10)
We focus on the wrong people (developers)
Security is a PIA.
Turnover sucks
Don’t rely on it
Note on PCI
Step 1Start with a security assessment
Step 2Assign and train QA on your 2 issues
Step 3Assign 1 developer on each app team to
be the security controller
Step 4Automate this process
Future
Code Analyses + Remediation Libraries = Code Verification
Security, Accuracy and Privacy in Computer Systems - James Martin
Reasonableness Test:For example. a charge of $500 might be reasonableon a corporations electricity bill but not on an individuals bill.
Consistency Test:In an airline booking to Chicago the transaction may be checked to ensure that the flight number in it does in fact go to Chicago.
Special Tests:Dates may be checked to ensure that the month is between I and l2.that the day is between l and 28, 29, 30, or 31. depending upon the month.Self Checking Numbers:
The extra digit is derivedarithmetically from the other digits.
Written in 1973!
“To me, security is important. But it's no less important than
everything *else* that is also important!”
- Linus
Caleb [email protected]
Download Trial of CodeSecure at
http://www.armorize.com/codesecure4-beta/
Google: “OWASP ESAPI”, “BSIMM”, “Armorize”,”James Martin”
REFERENCES
