Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Holistic InfoSec For Web Developers

Kim Carter
May 27, 2015
Technology
5
400

Holistic InfoSec For Web Developers

Write the wiki URL on the board:
https://github.com/binarymist/HolisticInfoSec-For-WebDevelopers/
http://bit.ly/1BaOPF1

##############################################################
Keep Calm
##############################################################

A security solution can not be automated.
Some small pieces can be once you've understood the specific landscape you're dealing with.

##############################################################
Cat and Mouse
##############################################################

The reason why security can't be automated is because it's a game of cat and mouse.
The attackers vs the protectors.

Smart human minds often working together vs the developer mind
which most of the time isn't even thinking about how their system can be broken.

It's like thinking that software architecture (which is one of the most complex activities known to man) can be automated.
That we can take the human element out of it entirely.

Yes we can try and automate small sections that are repeatable.

Machines can not be trusted to think like humans, because they're not.

##############################################################
Mouse with Red Helmet
##############################################################

Machines are best at performing mundane & repeatable jobs.
This is not where security fits into the picture.

##############################################################
Mouse Dropp...

Kim Carter

May 27, 2015
Tweet

More Decks by Kim Carter

See All by Kim Carter
Application Intrusion Detection
binarymist
0
420
owaspnz-chch-meetup-2021-workshop-planning-and-covid
binarymist
0
470
Security Regression Testing on OWASP Zap Node API
binarymist
1
9.4k
Building purpleteam (a Security Regression Testing SaaS) - From PoC to Alpha
binarymist
0
1.2k
OWASP Quiz Night
binarymist
2
1.1k
The Art of Exploitation
binarymist
2
1.1k
Developing a High Performance Security Focussed Agile Team (2 hr workshop)
binarymist
1
740
OWASP NZ Day 2016
binarymist
0
150
Infectious Media with Rubber Ducky
binarymist
1
500

Other Decks in Technology

See All in Technology
エンジニアが一生困らない ドキュメント作成の基本
naohiro_nakata
2
150
TinyGoを使ったVSCode拡張機能実装
askua
2
210
ジョブマッチングサービスにおける相互推薦システムの応用事例と課題
hakubishin3
3
640
SREの組織類型に応じた リーダシップの考察
kenta_hi
PRO
1
640
【Pycon mini 東海 2024】Google Colaboratoryで試すVLM
kazuhitotakahashi
2
190
Railsで4GBのデカ動画ファイルのアップロードと配信、どう実現する?
asflash8
2
260
今、始める、第一歩。 / Your first step
yahonda
2
730
開発生産性を上げながらビジネスも30倍成長させてきたチームの姿
kamina_zzz
1
510
Terraform Stacks入門 #HashiTalks
msato
0
310
【令和最新版】AWS Direct Connectと愉快なGWたちのおさらい
minorun365
PRO
5
610
Evangelismo técnico: ¿qué, cómo y por qué?
trishagee
0
300
透過型SMTPプロキシによる送信メールの可観測性向上: Update Edition / Improved observability of outgoing emails with transparent smtp proxy: Update edition
linyows
2
200

Featured

See All Featured
Being A Developer After 40
akosma
86
590k
Code Review Best Practice
trishagee
64
17k
Thoughts on Productivity
jonyablonski
67
4.3k
Statistics for Hackers
jakevdp
796
220k
RailsConf 2023
tenderlove
29
900
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
Making Projects Easy
brettharned
115
5.9k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
109
49k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
16
2.1k
Gamification - CAS2011
davidbonilla
80
5k
Product Roadmaps are Hard
iamctodd
PRO
49
11k
Bootstrapping a Software Product
garrettdimon
PRO
305
110k

Transcript

  1. Holistic InfoSec IoT Physical People Mobile Cloud VPS Network Web

    App Web App for Web Developers
  2. None

  3. 5: Identify Risks?

  4. 5: Identify Risks?

  5. 5: Identify Risks?

  6. 5: Identify Risks?

  7. 5: Identify Risks? Defence in Depth

  8. 5: Identify Risks? Security Thinking Up-front

  9. 5: Identify Risks?

  10. 5: Identify Risks?

  11. Requirements or design defect found via Product Backlog Item (PBI)

    collaboration Length of Feedback Cycle Cost Requirements or design defect found in Test Conditions Workshop Programming or design defect found via Pair Programming Programming defect found via Continuous Integration Programming or design defect found via Test Driven Development (T(B)DD) Requirements or design defect found via Stakeholder Participation Defect found via pair Developer Testing Defect found via Independent Review Requirements defect found via traditional Acceptance Testing Programming or design defect found via Pair Review Design defect found via traditional System Testing Programming defect found via traditional System Testing Security defect found via traditional external Penetration Testing

  12. Requirements or design defect found via Product Backlog Item (PBI)

    collaboration Length of Feedback Cycle Cost Requirements or design defect found in Test Conditions Workshop Programming or design defect found via Pair Programming Programming defect found via Continuous Integration Programming or design defect found via Test Driven Development (T(B)DD) Requirements or design defect found via Stakeholder Participation Defect found via pair Developer Testing Defect found via Independent Review Requirements defect found via traditional Acceptance Testing Programming or design defect found via Pair Review Design defect found via traditional System Testing Programming defect found via traditional System Testing Security defect found via Security Test Driven Development (STDD)

  13. 5: Identify Risks?

  14. 5: Identify Risks? But increasing quality has to be expensive

    right?

  15. 5: Identify Risks? Nope!

  16. 5: Identify Risks? Test condition workshop...

  17. 5: Identify Risks? Test condition workshop... Given When Then There

    are no items in the shopping cart Customer clicks “Purchase” button for a book which is in stock 1 x book is added to shopping cart. Book is held - preventing selling it twice. “ Customer clicks “Purchase” button for a book which is not in stock Dialog with “Out of stock” message is displayed and offering customer option of putting book on back order.

  18. 5: Identify Risks? Given When Then There are no items

    in the shopping cart User tries to downgrade TLS and the HSTS header is not sent by the server User should be redirected (response 301 status code) to the HTTPS site from the server “ User tries to downgrade TLS and the HSTS header is sent by the server User should be redirected to the HTTPS site from the browser (no HTTP traffic for sslstrip to tamper with) Test condition workshop...

  19. 5: Identify Risks? Injection TLS Downgrade D-DOS? Easy to execute.

    Tricky to mitigate People in need of education

  20. 5: Identify Risks? Q/A $

  21. 5: Identify Risks?

  22. 5: Identify Risks?

  23. 5: Identify Risks? People App IoT Mobile VPS Network Cloud

    Physical

  24. 5: Identify Risks? Injection TLS Downgrade D-DOS? Easy to execute.

    Tricky to mitigate People in need of education Buffer Overflows

  25. 5: Identify Risks? IoT Physical People Mobile Cloud VPS Network

    Web App

  26. 1: Asset Identification 2: Identify Risks 3: Countermeasures 4: What

    risks does solution cause? 5: Costs and Trade-offs

  27. 5: Identify Risks? https://github.com/binarymist/ HolisticInfoSec-For-WebDevelopers/ wiki

  28. 1: Asset Identification 2: Identify Risks 3: Countermeasures 4: What

    risks does solution cause? 5: Costs and Trade-offs

  29. 5: Identify Risks? 1: Asset Identification

  30. 1: Asset Identification 2: Identify Risks 3: Countermeasures 4: What

    risks does solution cause? 5: Costs and Trade-offs

  31. 5: Identify Risks? 2: Identify Risks

  32. 5: Identify Risks? 2: Identify Risks Dependency

  33. 5: Identify Risks? 2: Identify Risks Likelihood Threat Agent Factors

    • Skill level • Motive • Opportunity • Size

  34. 5: Identify Risks? 2: Identify Risks Likelihood Vulnerability Factors •

    Ease of discovery • Ease of exploit • Awareness • Intrusion detection

  35. 5: Identify Risks? 2: Identify Risks Impact Technical Factors •

    Loss of confidentiality • Loss of integrity • Loss of availability • Loss of accountability

  36. 5: Identify Risks? 2: Identify Risks Impact Business Factors •

    Financial damage • Reputation damage • Non-compliance • Privacy violation

  37. 5: Identify Risks? 2: Identify Risks Risk = Likelihood *

    Impact

  38. 2: Identify Risks

  39. 1: Asset Identification 2: Identify Risks 3: Countermeasures 4: What

    risks does solution cause? 5: Costs and Trade-offs
  40. None

  41. 3: Countermeasures Break Your System

  42. 1: Asset Identification 2: Identify Risks 3: Countermeasures 4: What

    risks does solution cause? 5: Costs and Trade-offs

  43. • Avoid Commercial • Use Public-Domain 4: Risks that solution

    causes

  44. 4: Risks that solution causes New Mitigated

  45. 1: Asset Identification 2: Identify Risks 3: Countermeasures 4: What

    risks does solution cause? 5: Costs and Trade-offs

  46. 5: Costs and Trade-offs Establish Value Loss of Convenience

  47. 5: Costs and Trade-offs

  48. 1: Asset Identification 2: Identify Risks 3: Countermeasures 4: What

    risks does solution cause? 5: Costs and Trade-offs

  49. 5: Identify Risks? IoT Physical People Mobile Cloud VPS Network

    Web App

  50. 5: Identify Risks? IoT Physical People Mobile Cloud VPS Network

    Web App

  51. 5: Identify Risks? IoT Physical People Mobile Cloud VPS Network

    Web App

  52. 5: Identify Risks? IoT Physical People Mobile Cloud VPS Network

    Web App

  53. 5: Identify Risks? IoT Physical People Mobile Cloud VPS Network

    Web App

  54. 5: Identify Risks? IoT Physical People Mobile Cloud VPS Network

    Web App

  55. 5: Identify Risks? IoT Physical People Mobile Cloud VPS Network

    Web App

  56. 5: Identify Risks? IoT Physical People Mobile Cloud VPS Network

    Web App

  57. Staying on Top 5: Costs and Trade-offs

  58. None