How to spend $3.6M on one coding mistake
and other fun stuff you can do with $3.6M
Matias Madou Ph.D., Secure Code Warrior
• Ph.D. in Computer Engineering from Ghent University
• Over 15 years hands-on software security experience
• Led multiple application security research projects for HPE Fortify which have led to commercial products
• Instructor for advanced application security training courses
• Speaker at global conferences including RSA Conference, Black Hat, DefCon, BSIMM, OWASP AppSec and BruCon
Matias Madou, Ph.D., CTO and Co-Founder
Ariane 5 rocket
• $7 billion
• 10 years of work
Technical:
• Velocity: 64-bit float
• Convert to 16-bit int
• Overflow
• Error handling suppressed (performance)
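As an added illustration (not code from the deck or from the Ariane 5 software), the two conversion behaviours the bullets describe, in Python: a conversion whose range check is suppressed silently wraps into a plausible-looking wrong value, while a checked one fails loudly. The 40,000.0 reading is a constructed sample value.

```python
INT16_MIN, INT16_MAX = -(2 ** 15), 2 ** 15 - 1


def to_int16_unchecked(value: float) -> int:
    """Conversion with the range error suppressed: truncate toward zero, then
    wrap into 16-bit two's complement, which is what a conversion does once
    the language's range check has been switched off."""
    n = int(value) & 0xFFFF                  # keep only the low 16 bits
    return n - 0x10000 if n > INT16_MAX else n


def to_int16_checked(value: float) -> int:
    """Checked conversion: refuse a value that does not fit instead of wrapping."""
    n = int(value)                           # ValueError on NaN, OverflowError on inf
    if not INT16_MIN <= n <= INT16_MAX:
        raise OverflowError(f"{value!r} does not fit in a signed 16-bit integer")
    return n


def demo() -> dict:
    """Constructed sample reading (not an Ariane 5 telemetry value): a 64-bit
    float larger than any signed 16-bit field can hold."""
    reading = 40_000.0
    wrapped = to_int16_unchecked(reading)    # -25536: wrong sign, plausible size
    try:
        to_int16_checked(reading)
        verdict = "accepted"
    except OverflowError as exc:
        verdict = f"rejected: {exc}"
    return {"input": reading, "wrapped": wrapped, "checked": verdict}


if __name__ == "__main__":
    print(demo())
```

The wrapped result is in range and passes any downstream sanity check, which is why a suppressed range error is worse than a crash at the conversion site.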
Coding failure costs money
Why is this not resolved yet?
1) Fix known security issues
2) Do not introduce new issues
700+ categories of problems!
Ton of overhead!
Scale of AppSec team?
Security knows about issues in code
Never ending story…
Flying a plane: simulator vs flying for real
Time spent in training
Time spent doing it for real
(scale: Beginner to Master)
Developers can do something | No idea what’s happening over there
How does a developer look at this?
Developer: Write → Repository → Build → Deploy → Production
SECURITY…
Developer: total control | Security: no control
Developer: no control | Security: can access it…
Developer: Write → Repository → Build → Deploy → Production
SECURITY…
Tools per stage: In IDE help, SAST, Training, DAST, IAST, RASP
How do companies spend their money?
How do we spend the AppSec budget in the most optimal way? Nobody knows.
What type of company is this?
The “All is good” company. Or, the “we are not hacked” company … yet
The “Oh s***, we need to do something” company
Oh s***, we need to do “pen-testing” and hackers and the like
Company maturing over time…
• PCI Compliance sticker, but it’s very reactive and baseless.
• Good sales people, lot of traction
• Gartner says it’s the latest good stuff
What does the BSIMM say?
(T) Training Practice
(CR) Code Review
(PT) Penetration Testing
(ST) Security Testing
(?) CMVM: maybe CMVM1.1: Create interface with incident response (?)
T1.1: Provide awareness training
CR1.4: Use automated tools with manual code review
T2.6: Include security resources in onboarding
T3.4: Require annual refresher
CR2.6: Use automated tools with tailored rules
CR3.5: Enforce coding standards
PT1.3: Use penetration testing tools internally
ST2.5: Include security tests in QA automation
PT2.3: Schedule periodic penetration tests for application coverage
PT3.2: Have the SSG customize penetration testing tools and scripts
End result: all solutions have their pros and cons
Cool… but we cannot call this progress
All this is saying: yes, there is a valid case to spend money
What do we do?
Find the bad stuff: talk about vulnerabilities
• SQL Injection
• OWASP Top 10
• …
Write secure code: coding guidelines
• OWASP Secure coding guidelines
• Android Secure development (JSSA)
• …
AppSec approach today
"SELECT * FROM database WHERE param1 = '" + param1 + "' and
    param2 = '" + param2 + "' and
    param3 = '" + param3 + "' and
    param4 = '" + param4 + "';"

"SELECT * FROM database WHERE param1 = ? and
    param2 = ? and
    param3 = ? and
    param4 = '" + param4 + "';"
Vulnerability (ask QA to find an exploit?):
• SQL injection
• Command injection
• …
Write coding guideline (what’s the difference?):
• Use parameterized queries
• Command line execution is forbidden
• …
Courtesy of Gary McGraw, Cigital
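The two queries above and the guideline beside them, worked through in Python with sqlite3 as an added example that is not from the slides: the "ask QA to find an exploit" step becomes a test that fails both the concatenated and the half-parameterized lookup and passes the parameterized one. The accounts table and its rows are constructed for the demo.

```python
import sqlite3
from typing import Callable, List


def setup_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows (not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, region TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", "eu"), ("bob", "eu"), ("carol", "us")])
    return conn

def lookup_concat(conn, username: str, region: str) -> List[str]:
    """The slide's first snippet: every value glued into the SQL text."""
    sql = ("SELECT username FROM accounts WHERE username = '" + username
           + "' and region = '" + region + "'")
    return [row[0] for row in conn.execute(sql)]

def lookup_half_done(conn, username: str, region: str) -> List[str]:
    """The slide's second snippet: one placeholder, one value still concatenated."""
    sql = ("SELECT username FROM accounts WHERE username = ? and region = '"
           + region + "'")
    return [row[0] for row in conn.execute(sql, (username,))]

def lookup_param(conn, username: str, region: str) -> List[str]:
    """The coding guideline: parameterized query, values never enter the SQL text."""
    sql = "SELECT username FROM accounts WHERE username = ? and region = ?"
    return [row[0] for row in conn.execute(sql, (username, region))]

def qa_check(lookup: Callable) -> bool:
    """QA-style test for the guideline: a region value carrying a quote matches
    no row, because no such region literally exists. True means the lookup passes."""
    conn = setup_db()
    try:
        rows = lookup(conn, "alice", "eu' OR '1'='1")
    except sqlite3.Error:
        return False                    # a SQL error on user input fails as well
    return rows == []

def report() -> dict:
    """Run the QA check against all three variants."""
    return {f.__name__: qa_check(f) for f in (lookup_concat, lookup_half_done, lookup_param)}


if __name__ == "__main__":
    print(report())  # {'lookup_concat': False, 'lookup_half_done': False, 'lookup_param': True}
```

The half-done variant fails for the same reason as the fully concatenated one: parameterizing three of four values buys nothing while the fourth still reaches the SQL text.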
Best ROI and value for money?
Prevention vs Detection
Courtesy of Gary McGraw, Cigital
What type of company is this?
80% NOT introduced | 20% detected and fixed
Let’s throw numbers in there
Actual data from Jim Routh, Aetna
General consensus: the earlier you find it, the less it costs to fix
Should we care?
3.6 million, average cost of a breach
You can fix more than 1 problem! Actual data from Jim Routh, Aetna
What $3,600,000 buys, per phase where the issue is found:
Phase | Cost per issue | Issues fixable
Requirements | $139 | 25,899 issues
Design | $455 | 7,912 issues
Code | $977 | 3,685 issues
Test | $7,136 | 504 issues
Maintain | $14,102 | 255 issues
The numbers (developer cost to fix one issue: 10 D @ $$/day)
Service | Cost | Issues found | Developer cost (fix) | COST | COST/issue
Penetration testing: consulting services | $20,000 | 10 | No time | Waste of money
Xxxx | Yyyy | Zzzz | Pretty big number
Still a big number
The numbers (developer cost to fix one issue: 10 D @ $$/day)
Service | Cost | Issues found | Developer cost (fix) | COST | COST/issue
Penetration testing: consulting services | $20,000 | 10 | $2,000 | $40,000 | $4,000
Xxxx | Yyyy | Zzzz | Pretty big number
Still a big number
Fill in your own numbers! This is an example. Do the exercise internally.
Bear in mind that these are real issues! The likelihood of an adversary exploiting these is high
The numbers: SAST
Service | Cost of SAST solution | Issues found | Developer cost (fix) | COST | COST/issue
SAST solution | Xxxx | Yyyy | Zzzz | Pretty big number
Looks better than pen testing
Bear in mind that these are theoretical problems
The numbers: training
Service | Cost of training | ? | ? | COST | COST/issue
Training
Effect of training on coding: fewer mistakes introduced + issues fixed
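The arithmetic behind these tables as an added Python model (not the deck's own): how many issues one breach's worth of money fixes in each phase, and the pen-test row's COST/issue. The $200/day rate is an assumption chosen so the fix cost matches the slide's $2,000 per issue, and the "no time" row is modelled as zero issues fixed.

```python
from dataclasses import dataclass
from typing import Dict

BREACH_COST = 3_600_000          # slide: average cost of a breach

# Developer cost to fix one issue, by the phase in which it is found
# (slide: actual data from Jim Routh, Aetna)
FIX_COST_BY_PHASE: Dict[str, int] = {
    "Requirements": 139, "Design": 455, "Code": 977, "Test": 7_136, "Maintain": 14_102,
}

def issues_fixable(budget: int = BREACH_COST) -> Dict[str, int]:
    """How many issues one breach's worth of money fixes in each phase."""
    return {phase: round(budget / cost) for phase, cost in FIX_COST_BY_PHASE.items()}

@dataclass
class DetectionSpend:
    """One row of the slide's table: money paid to find issues, plus the developer
    time to fix the ones that actually get fixed (slide: 10 D @ $$/day per issue)."""
    name: str
    service_cost: int            # consulting fee or tool licence
    issues_found: int
    issues_fixed: int
    dev_days_per_fix: int = 10   # slide: 10 D
    dev_day_rate: int = 200      # assumption: $200/day reproduces the slide's $2,000 per fix

    def fix_cost_per_issue(self) -> int:
        return self.dev_days_per_fix * self.dev_day_rate

    def total_cost(self) -> int:
        return self.service_cost + self.issues_fixed * self.fix_cost_per_issue()

    def cost_per_fixed_issue(self) -> float:
        """The slide's COST/issue. Found but never fixed ("no time") is pure waste."""
        if self.issues_fixed == 0:
            raise ValueError(f"{self.name}: {self.issues_found} issues found, none fixed: "
                             "waste of money")
        return self.total_cost() / self.issues_fixed

def pentest_row() -> DetectionSpend:
    """Slide row: $20,000 consulting, 10 issues found and fixed -> $40,000, $4,000/issue."""
    return DetectionSpend("Penetration testing", 20_000, issues_found=10, issues_fixed=10)


if __name__ == "__main__":
    print(issues_fixable())
    row = pentest_row()
    print(row.total_cost(), row.cost_per_fixed_issue())
```

Swap in your own service cost, issue counts and day rate to run the "fill in your own numbers" exercise the slide asks for.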
Conclusion on where to spend money
1. Measure! Security is measurable
2. Calculate ROI
3. Optimize your budget
Developer introduces $45.18/day on security problems in the code
Solution 1: Get rid of all developers
Solution 2: Do the numbers and optimize budget
Bring down this number!
ACCOUNT & TOURNAMENT REGISTRATION
1. Go to: https://portal.securecodewarrior.com/#/register
2. Click ‘REGISTER’, fill in your email and use the following token key: 947273385338
3. Click on the Tournaments tab, and then click BENELUX 2017
THE TOURNAMENT WILL GO LIVE AT 10.30 AM and stop at 4:00 PM
Follow us on Twitter and be in with a chance to win some more cool prizes: @Seccodewarrior #securecodewarrior
Matias Madou, Ph.D.
CTO and Co-Founder, Secure Code Warrior
+32 495 25 49 78
@mmadou
www.linkedin.com/in/matiasmadou/