Slide 1
Slide 1 text
The OWASP Foundation
http://www.owasp.org
Making Security Invisible by
Becoming the Developer's
Best Friends
OWASP AppSec Latam 2011 (Brazil)
Dinis Cruz
[email protected]
Tuesday, 8 November 2011
Slide 2
Slide 2 text
Dinis Cruz
Long-time OWASP contributor
OWASP O2 Platform (project)
OWASP Seasons of Code
OWASP Summits (2008 & 2011)
OWASP Training Days
OWASP Books
Helped multiple chapters and conferences
Multiple tools & research at OWASP .NET
Setup Application Security Team at Global Bank
Performed Security Reviews (White and Black box) on 100s of apps
Credited for vulnerability on .NET Framework and vulnerability on Spring MVC
Worked for OunceLabs (now IBM AppScan Source) and made it work
Didn’t joined IBM (after OunceLabs acquisition) and spent 18 months rewriting the
OWASP O2 platform (and making my vision a reality)
Currently at Security Innovation (Boston/Seattle company)
Tuesday, 8 November 2011
Slide 3
Slide 3 text
Dinis @ Security Innovation
Responsible for the TeamMentor product
i.e. I’m shipping code
SI is going to Commercially Support the
OWASP O2 Platform
with a focus on findings-automation and security-tools-integration
SI is a strong OWASP Supporter
Silver sponsor at AppSec USA
published OWASP TeamMentor Library under CC (Creative Commons)
published OWASP Top 10 e-learning course under CC
helping the clarify the commercial relationship with OWASP’s ecosystem
Sponsored me to come here
3
Tuesday, 8 November 2011
Slide 4
Slide 4 text
OWASP is Amazing
Tuesday, 8 November 2011
Slide 5
Slide 5 text
5
Tuesday, 8 November 2011
Slide 6
Slide 6 text
6
Tuesday, 8 November 2011
Slide 7
Slide 7 text
owasp
band
7
Tuesday, 8 November 2011
Slide 8
Slide 8 text
Don’t stop asking ‘why not?’
8
Tuesday, 8 November 2011
Slide 9
Slide 9 text
Don’t stop asking ‘why not?’
Try new ideas:
8
Tuesday, 8 November 2011
Slide 10
Slide 10 text
Don’t stop asking ‘why not?’
Try new ideas:
8
Barefoot walking/running
Tuesday, 8 November 2011
Slide 11
Slide 11 text
Don’t stop asking ‘why not?’
Try new ideas:
8
Barefoot walking/running
Tuesday, 8 November 2011
Slide 12
Slide 12 text
Don’t stop asking ‘why not?’
Try new ideas:
8
Barefoot walking/running
Tuesday, 8 November 2011
Slide 13
Slide 13 text
I’m a developer
Tuesday, 8 November 2011
Slide 14
Slide 14 text
Yes
I have shipped code
10
Tuesday, 8 November 2011
Slide 15
Slide 15 text
11
O2 PLATFORM
OWASP
TeamMentor
Security Innovation
Tuesday, 8 November 2011
Slide 16
Slide 16 text
I’m going to speak as
the developer of
12
and a couple other apps:
HacmeBank, JPetstore, Altoro Mutual
Tuesday, 8 November 2011
Slide 17
Slide 17 text
for which security
IS NOT a priority
13
Tuesday, 8 November 2011
Slide 18
Slide 18 text
it is important
14
Tuesday, 8 November 2011
Slide 19
Slide 19 text
but not a priority
15
Tuesday, 8 November 2011
Slide 20
Slide 20 text
In fact I want to
security to be
INVISIBLE
(or transparent)
16
Tuesday, 8 November 2011
Slide 21
Slide 21 text
As with every other
developer,
I don’t want my app to
have security
vulnerabilities
17
Tuesday, 8 November 2011
Slide 22
Slide 22 text
So I’m happy to help
the ‘security’ process...
18
Tuesday, 8 November 2011
Slide 23
Slide 23 text
... as long as the
workflow ‘works’ for me
and my team
19
Tuesday, 8 November 2011
Slide 24
Slide 24 text
and at the moment it
doesn’t
20
Tuesday, 8 November 2011
Slide 25
Slide 25 text
Dear Security
teams / vendors
Tuesday, 8 November 2011
Slide 26
Slide 26 text
Understand this:
22
Tuesday, 8 November 2011
Slide 27
Slide 27 text
Features and
Functionality
Rule!
23
Tuesday, 8 November 2011
Slide 28
Slide 28 text
You (security teams)
are quite in the bottom
of the food chain
24
Tuesday, 8 November 2011
Slide 29
Slide 29 text
I’m smart
If I wasn’t smart I wouldn’t be working (& paid) as a developer
25
Tuesday, 8 November 2011
Slide 30
Slide 30 text
If I’m not Smart
don’t tell that to my boss
(specially NOT in a report format)
26
Tuesday, 8 November 2011
Slide 31
Slide 31 text
If I’m not Smart
Make me Smart!
27
Tuesday, 8 November 2011
Slide 32
Slide 32 text
Since I’m smart
Make me a HERO
28
Tuesday, 8 November 2011
Slide 33
Slide 33 text
Actually
In the real world the
issue is usually not
‘smart’ but
‘experience on the
APIs/Framworks used’
29
Tuesday, 8 November 2011
Slide 34
Slide 34 text
Another important topic
30
Tuesday, 8 November 2011
Slide 35
Slide 35 text
I’m not a security
expert
31
Tuesday, 8 November 2011
Slide 36
Slide 36 text
that is YOUR job
32
Tuesday, 8 November 2011
Slide 37
Slide 37 text
if you want to talk about:
jQuery, Javascript, MVC, Reflection, Hibernate, Struts,
AoP, High performance Algorithms, Compression
techniques, cache management, Agile, Pointers, Code
Patterns, Authorisation Models, QA, User-acceptance-
tests, Use-Cases, UML, SRCUM, StackOverflow, GIT, App
Hosting/Clustering, etc....
33
Tuesday, 8 November 2011
Slide 38
Slide 38 text
that’s me
34
Tuesday, 8 November 2011
Slide 39
Slide 39 text
Security
35
Tuesday, 8 November 2011
Slide 40
Slide 40 text
That’s you
36
Tuesday, 8 November 2011
Slide 41
Slide 41 text
(btw)
I’m the one
creating value
37
Tuesday, 8 November 2011
Slide 42
Slide 42 text
I’m the one
making money,
grabbing eyeballs,
creating value
or whatever the business wants to call it
38
Tuesday, 8 November 2011
Slide 43
Slide 43 text
YOU are a TAX
As positioned today
39
Tuesday, 8 November 2011
Slide 44
Slide 44 text
which is why I don’t
really like to talk/deal
with you
40
Tuesday, 8 November 2011
Slide 45
Slide 45 text
Quiz Question:
When was the last time
that developers where
REALLY exited to talk
with Security Teams?
41
Tuesday, 8 November 2011
Slide 46
Slide 46 text
Yeah I can see the
Queue from here.....
(I think some developers would shoot Security
teams if that was legal)
42
Tuesday, 8 November 2011
Slide 47
Slide 47 text
Developers dirty
secrets
Tuesday, 8 November 2011
Slide 48
Slide 48 text
Here are a couple dirty
secrets about ‘most’
development projects
44
Tuesday, 8 November 2011
Slide 49
Slide 49 text
The devs can’t visualise
how their app works
45
Tuesday, 8 November 2011
Slide 50
Slide 50 text
The devs can’t visualise
how their app works
45
(and management)
Tuesday, 8 November 2011
Slide 51
Slide 51 text
The devs don’t understand
how their app works
46
Tuesday, 8 November 2011
Slide 52
Slide 52 text
The devs don’t understand
how their app works
46
(and management)
Tuesday, 8 November 2011
Slide 53
Slide 53 text
The devs don’t understand
how their app works
46
(and management)
(and buyers)
Tuesday, 8 November 2011
Slide 54
Slide 54 text
The devs don’t understand
how their app works
46
(and management)
(and buyers)
(and users)
Tuesday, 8 November 2011
Slide 55
Slide 55 text
In practice what does
this mean?
47
Tuesday, 8 November 2011
Slide 56
Slide 56 text
it means that they can’t
quickly answer questions like:
48
Tuesday, 8 November 2011
Slide 57
Slide 57 text
what are the URLs?
49
Tuesday, 8 November 2011
Slide 58
Slide 58 text
what data do you
expect to receive from
the web?
50
Tuesday, 8 November 2011
Slide 59
Slide 59 text
what data CAN be
submitted from the web
51
Tuesday, 8 November 2011
Slide 60
Slide 60 text
what is the data-binding
behaviour of the
Frameworks used
(case point MVC Frameworks)
52
Tuesday, 8 November 2011
Slide 61
Slide 61 text
Where is my Data
Validation layer
53
Tuesday, 8 November 2011
Slide 62
Slide 62 text
Who and what connects
to the databases/assets
54
Tuesday, 8 November 2011
Slide 63
Slide 63 text
Where are my assets?
55
Tuesday, 8 November 2011
Slide 64
Slide 64 text
Where is the
Credit Card data?
56
Tuesday, 8 November 2011
Slide 65
Slide 65 text
What are the connections
between the managed layers
(C# & Java) and unmanaged
layers (C/C++)?
57
Tuesday, 8 November 2011
Slide 66
Slide 66 text
What happens at the
Javascript layer?
58
Tuesday, 8 November 2011
Slide 67
Slide 67 text
(easier question)
What is the real
CALL FLOW
of a request
(from the web to the backend and back to the web)
59
Tuesday, 8 November 2011
Slide 68
Slide 68 text
(harder question)
What is the real
TAINT FLOW
of a request
(from the web to the backend and back to the web)
60
Tuesday, 8 November 2011
Slide 69
Slide 69 text
(much harder question)
What is the real
TAINT (with CONTROL) FLOW
of a request
(from the web to the backend and back to the web)
61
Tuesday, 8 November 2011
Slide 70
Slide 70 text
Bottom line:
(*unless we have been attacked before)
62
Tuesday, 8 November 2011
Slide 71
Slide 71 text
If it compiles
Ship it!
(I see this behaviour at a lot of dev shops)
63
Tuesday, 8 November 2011
Slide 72
Slide 72 text
Bottom line:
(*If we have been attacked before)
64
Tuesday, 8 November 2011
Slide 73
Slide 73 text
If it compiles
(and passes the ‘security tools’)
Send it to the
‘Security Team’
(who now have funds to hire their own staff)
65
Tuesday, 8 November 2011
Slide 74
Slide 74 text
Dealing with
Security
Tuesday, 8 November 2011
Slide 75
Slide 75 text
I care about my users
67
Tuesday, 8 November 2011
Slide 76
Slide 76 text
And exploitation of
security vulnerabilities
affects them
68
Tuesday, 8 November 2011
Slide 77
Slide 77 text
So by-proxy I care
about security
69
Tuesday, 8 November 2011
Slide 78
Slide 78 text
But the current
workflow between
developers and security
teams is....
70
Tuesday, 8 November 2011
Slide 79
Slide 79 text
F****d
71
Tuesday, 8 November 2011
Slide 80
Slide 80 text
or more politically
correct
72
Tuesday, 8 November 2011
Slide 81
Slide 81 text
Highly inefficient
73
Tuesday, 8 November 2011
Slide 82
Slide 82 text
and that is on
companies WITH
internal security teams
& awareness
74
Tuesday, 8 November 2011
Slide 83
Slide 83 text
It is even worse for the
rest
75
Tuesday, 8 November 2011
Slide 84
Slide 84 text
We need a new
paradigm
76
Tuesday, 8 November 2011
Slide 85
Slide 85 text
One where ‘application
security’ ADDs value to
the Business
77
Tuesday, 8 November 2011
Slide 86
Slide 86 text
One where ‘Application
Security’ practices are
deeply embedded into
the SDL
78
Tuesday, 8 November 2011
Slide 87
Slide 87 text
One where ‘Application
Security’ practices are
invisible/transparent to
99% of the parties
involved
(the 1% are the ones directly involved in security, such as
security teams, devs,architects, CISO, etc...)
79
Tuesday, 8 November 2011
Slide 88
Slide 88 text
but before we get to
the solution, lets set the
stage....
80
Tuesday, 8 November 2011
Slide 89
Slide 89 text
As a developer , this is
What I don’t want
Tuesday, 8 November 2011
Slide 90
Slide 90 text
receive a PDF (or portal)
with security findings
82
I don't want to:
Tuesday, 8 November 2011
Slide 91
Slide 91 text
receive a tool result
with partial (or zero)
context about my app
83
I don't want to:
Tuesday, 8 November 2011
Slide 92
Slide 92 text
spent time sorting out
the False positives
created by tools
84
I don't want to:
Tuesday, 8 November 2011
Slide 93
Slide 93 text
have tons of bugs filled
into my bug tracking
system
85
I don't want to:
Tuesday, 8 November 2011
Slide 94
Slide 94 text
receive non-automated
findings
(that will force me to spend
time replicating the issue)
86
I don't want to:
Tuesday, 8 November 2011
Slide 95
Slide 95 text
receive no information
on the impact of the
‘proposed fix’
the ‘blast ratio’ of a fix
i.e. how much s*** will break
87
I don't want to:
Tuesday, 8 November 2011
Slide 96
Slide 96 text
be ‘lectured’ by a
‘security expert’ that
doesn’t understand my
application
88
I don't want to:
Tuesday, 8 November 2011
Slide 97
Slide 97 text
I don’t want to be told
to ‘go to school’
usually framed as
“we need to give ‘security education’ to
developers”
89
I don't want to:
Tuesday, 8 November 2011
Slide 98
Slide 98 text
Got that?
90
Tuesday, 8 November 2011
Slide 99
Slide 99 text
I don’t think that
(even if they tried)
‘security consultants’
couldn’t OFEND more
the developers than
they do today
91
Tuesday, 8 November 2011
Slide 100
Slide 100 text
What I want
Tuesday, 8 November 2011
Slide 101
Slide 101 text
I want to know the
implications of the
multiple APIs &
frameworks used
93
Tuesday, 8 November 2011
Slide 102
Slide 102 text
Ideally I should be able
to use those APIs is the
most efficient way
94
Tuesday, 8 November 2011
Slide 103
Slide 103 text
I want to know when I
use those APIs and
Frameworks incorrectly
95
Tuesday, 8 November 2011
Slide 104
Slide 104 text
I want to understand
my Application!
96
Tuesday, 8 November 2011
Slide 105
Slide 105 text
Can YOU do that?
97
Tuesday, 8 November 2011
Slide 106
Slide 106 text
Can you help me to
understand my
Application?
98
Tuesday, 8 November 2011
Slide 107
Slide 107 text
because,
as a developer
99
Tuesday, 8 November 2011
Slide 108
Slide 108 text
if you can help me to
understand my
Application ...
100
Tuesday, 8 November 2011
Slide 109
Slide 109 text
... you add value to my
world....
101
Tuesday, 8 November 2011
Slide 110
Slide 110 text
if you don’t help me to
understand how my
Application works
102
Tuesday, 8 November 2011
Slide 111
Slide 111 text
you are a TAX that I
have to Pay
or an INSURANCE that I
have to Pay
103
Tuesday, 8 November 2011
Slide 112
Slide 112 text
Did you noticed the lack
of ‘security’ in the last
slides?
:)
104
Tuesday, 8 November 2011
Slide 113
Slide 113 text
let’s try this again
105
Tuesday, 8 November 2011
Slide 114
Slide 114 text
What I want
from a security point of view (in red)
Tuesday, 8 November 2011
Slide 115
Slide 115 text
I want to know the
Security implications of
the multiple APIs &
frameworks used
107
Tuesday, 8 November 2011
Slide 116
Slide 116 text
Ideally i should only be
able to use those APIs
in a SECURE way
108
Tuesday, 8 November 2011
Slide 117
Slide 117 text
I want to know when I
use those APIs and
Frameworks insecurely
109
Tuesday, 8 November 2011
Slide 118
Slide 118 text
I want to understand
the security risk profile
of my Application!
110
Tuesday, 8 November 2011
Slide 119
Slide 119 text
Making Security
Invisible
by becoming the
developer’s best friend
Tuesday, 8 November 2011
Slide 120
Slide 120 text
So how was I able to do
what I wanted (from
both a security and
developer point of view)
112
Tuesday, 8 November 2011
Slide 121
Slide 121 text
using the
OWASP O2 Platform
113
Tuesday, 8 November 2011
Slide 122
Slide 122 text
DEMO TIME.....
114
Tuesday, 8 November 2011
Slide 123
Slide 123 text
Any questions?
Tuesday, 8 November 2011
Slide 124
Slide 124 text
Thanks
116
Tuesday, 8 November 2011