Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Holistic InfoSec For Web Developers

Kim Carter
May 27, 2015
Technology
5
430

Holistic InfoSec For Web Developers

Write the wiki URL on the board:
https://github.com/binarymist/HolisticInfoSec-For-WebDevelopers/
http://bit.ly/1BaOPF1

##############################################################
Keep Calm
##############################################################

A security solution can not be automated.
Some small pieces can be once you've understood the specific landscape you're dealing with.

##############################################################
Cat and Mouse
##############################################################

The reason why security can't be automated is because it's a game of cat and mouse.
The attackers vs the protectors.

Smart human minds often working together vs the developer mind
which most of the time isn't even thinking about how their system can be broken.

It's like thinking that software architecture (which is one of the most complex activities known to man) can be automated.
That we can take the human element out of it entirely.

Yes we can try and automate small sections that are repeatable.

Machines can not be trusted to think like humans, because they're not.

##############################################################
Mouse with Red Helmet
##############################################################

Machines are best at performing mundane & repeatable jobs.
This is not where security fits into the picture.

##############################################################
Mouse Dropp...

Kim Carter

May 27, 2015
Tweet

More Decks by Kim Carter

See All by Kim Carter
Application Intrusion Detection
binarymist
0
460
owaspnz-chch-meetup-2021-workshop-planning-and-covid
binarymist
0
510
Security Regression Testing on OWASP Zap Node API
binarymist
1
9.8k
Building purpleteam (a Security Regression Testing SaaS) - From PoC to Alpha
binarymist
0
1.3k
OWASP Quiz Night
binarymist
2
1.2k
The Art of Exploitation
binarymist
2
1.1k
Developing a High Performance Security Focussed Agile Team (2 hr workshop)
binarymist
1
770
OWASP NZ Day 2016
binarymist
0
170
Infectious Media with Rubber Ducky
binarymist
1
550

Other Decks in Technology

See All in Technology
Aspire をカスタマイズしよう & Aspire 9.2
nenonaninu
0
220
2025-04-14 Data & Analytics 井戸端会議 Multi tenant log platform with Iceberg
kamijin_fanta
0
110
バックオフィス向け toB SaaS バクラクにおけるレコメンド技術活用 / recommender-systems-in-layerx-bakuraku
yuya4
5
590
AndroidアプリエンジニアもMCPを触ろう
kgmyshin
1
210
AWS全冠芸人が見た世界 ~資格取得より大切なこと~
masakiokuda
5
6.5k
Cross Data Platforms Meetup LT 20250422
tarotaro0129
1
800
2025-04-24 "Manga AI Understanding & Localization" Furukawa Arata (CyberAgent, Inc)
ornew
2
290
3月のAWSアップデートを5分間でざっくりと!
kubomasataka
0
130
品質文化を支える小さいクロスファンクショナルなチーム / Cross-functional teams fostering quality culture
toma_sm
0
150
ここはMCPの夜明けまえ
nwiizo
32
12k
Web Intelligence and Visual Media Analytics
weblyzard
PRO
1
5.9k
日経電子版 for Android の技術的課題と取り組み(令和最新版)/android-20250423
nikkei_engineer_recruiting
1
500

Featured

See All Featured
Six Lessons from altMBA
skipperchong
28
3.7k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
160
15k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.2k
Building a Scalable Design System with Sketch
lauravandoore
462
33k
Docker and Python
trallard
44
3.3k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
45
7.2k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
5
540
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
357
30k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
34
2.2k
Rails Girls Zürich Keynote
gr2m
94
13k
Bash Introduction
62gerente
611
210k
We Have a Design System, Now What?
morganepeng
52
7.5k

Transcript

  1. Holistic InfoSec IoT Physical People Mobile Cloud VPS Network Web

    App Web App for Web Developers
  2. None

  3. 5: Identify Risks?

  4. 5: Identify Risks?

  5. 5: Identify Risks?

  6. 5: Identify Risks?

  7. 5: Identify Risks? Defence in Depth

  8. 5: Identify Risks? Security Thinking Up-front

  9. 5: Identify Risks?

  10. 5: Identify Risks?

  11. Requirements or design defect found via Product Backlog Item (PBI)

    collaboration Length of Feedback Cycle Cost Requirements or design defect found in Test Conditions Workshop Programming or design defect found via Pair Programming Programming defect found via Continuous Integration Programming or design defect found via Test Driven Development (T(B)DD) Requirements or design defect found via Stakeholder Participation Defect found via pair Developer Testing Defect found via Independent Review Requirements defect found via traditional Acceptance Testing Programming or design defect found via Pair Review Design defect found via traditional System Testing Programming defect found via traditional System Testing Security defect found via traditional external Penetration Testing

  12. Requirements or design defect found via Product Backlog Item (PBI)

    collaboration Length of Feedback Cycle Cost Requirements or design defect found in Test Conditions Workshop Programming or design defect found via Pair Programming Programming defect found via Continuous Integration Programming or design defect found via Test Driven Development (T(B)DD) Requirements or design defect found via Stakeholder Participation Defect found via pair Developer Testing Defect found via Independent Review Requirements defect found via traditional Acceptance Testing Programming or design defect found via Pair Review Design defect found via traditional System Testing Programming defect found via traditional System Testing Security defect found via Security Test Driven Development (STDD)

  13. 5: Identify Risks?

  14. 5: Identify Risks? But increasing quality has to be expensive

    right?

  15. 5: Identify Risks? Nope!

  16. 5: Identify Risks? Test condition workshop...

  17. 5: Identify Risks? Test condition workshop... Given When Then There

    are no items in the shopping cart Customer clicks “Purchase” button for a book which is in stock 1 x book is added to shopping cart. Book is held - preventing selling it twice. “ Customer clicks “Purchase” button for a book which is not in stock Dialog with “Out of stock” message is displayed and offering customer option of putting book on back order.

  18. 5: Identify Risks? Given When Then There are no items

    in the shopping cart User tries to downgrade TLS and the HSTS header is not sent by the server User should be redirected (response 301 status code) to the HTTPS site from the server “ User tries to downgrade TLS and the HSTS header is sent by the server User should be redirected to the HTTPS site from the browser (no HTTP traffic for sslstrip to tamper with) Test condition workshop...

  19. 5: Identify Risks? Injection TLS Downgrade D-DOS? Easy to execute.

    Tricky to mitigate People in need of education

  20. 5: Identify Risks? Q/A $

  21. 5: Identify Risks?

  22. 5: Identify Risks?

  23. 5: Identify Risks? People App IoT Mobile VPS Network Cloud

    Physical

  24. 5: Identify Risks? Injection TLS Downgrade D-DOS? Easy to execute.

    Tricky to mitigate People in need of education Buffer Overflows

  25. 5: Identify Risks? IoT Physical People Mobile Cloud VPS Network

    Web App

  26. 1: Asset Identification 2: Identify Risks 3: Countermeasures 4: What

    risks does solution cause? 5: Costs and Trade-offs

  27. 5: Identify Risks? https://github.com/binarymist/ HolisticInfoSec-For-WebDevelopers/ wiki

  28. 1: Asset Identification 2: Identify Risks 3: Countermeasures 4: What

    risks does solution cause? 5: Costs and Trade-offs

  29. 5: Identify Risks? 1: Asset Identification

  30. 1: Asset Identification 2: Identify Risks 3: Countermeasures 4: What

    risks does solution cause? 5: Costs and Trade-offs

  31. 5: Identify Risks? 2: Identify Risks

  32. 5: Identify Risks? 2: Identify Risks Dependency

  33. 5: Identify Risks? 2: Identify Risks Likelihood Threat Agent Factors

    • Skill level • Motive • Opportunity • Size

  34. 5: Identify Risks? 2: Identify Risks Likelihood Vulnerability Factors •

    Ease of discovery • Ease of exploit • Awareness • Intrusion detection

  35. 5: Identify Risks? 2: Identify Risks Impact Technical Factors •

    Loss of confidentiality • Loss of integrity • Loss of availability • Loss of accountability

  36. 5: Identify Risks? 2: Identify Risks Impact Business Factors •

    Financial damage • Reputation damage • Non-compliance • Privacy violation

  37. 5: Identify Risks? 2: Identify Risks Risk = Likelihood *

    Impact

  38. 2: Identify Risks

  39. 1: Asset Identification 2: Identify Risks 3: Countermeasures 4: What

    risks does solution cause? 5: Costs and Trade-offs
  40. None

  41. 3: Countermeasures Break Your System

  42. 1: Asset Identification 2: Identify Risks 3: Countermeasures 4: What

    risks does solution cause? 5: Costs and Trade-offs

  43. • Avoid Commercial • Use Public-Domain 4: Risks that solution

    causes

  44. 4: Risks that solution causes New Mitigated

  45. 1: Asset Identification 2: Identify Risks 3: Countermeasures 4: What

    risks does solution cause? 5: Costs and Trade-offs

  46. 5: Costs and Trade-offs Establish Value Loss of Convenience

  47. 5: Costs and Trade-offs

  48. 1: Asset Identification 2: Identify Risks 3: Countermeasures 4: What

    risks does solution cause? 5: Costs and Trade-offs

  49. 5: Identify Risks? IoT Physical People Mobile Cloud VPS Network

    Web App

  50. 5: Identify Risks? IoT Physical People Mobile Cloud VPS Network

    Web App

  51. 5: Identify Risks? IoT Physical People Mobile Cloud VPS Network

    Web App

  52. 5: Identify Risks? IoT Physical People Mobile Cloud VPS Network

    Web App

  53. 5: Identify Risks? IoT Physical People Mobile Cloud VPS Network

    Web App

  54. 5: Identify Risks? IoT Physical People Mobile Cloud VPS Network

    Web App

  55. 5: Identify Risks? IoT Physical People Mobile Cloud VPS Network

    Web App

  56. 5: Identify Risks? IoT Physical People Mobile Cloud VPS Network

    Web App

  57. Staying on Top 5: Costs and Trade-offs

  58. None