Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Bad Version of Builders vs. Breakers

Brett Hardin
October 26, 2012
Technology
1
60

Bad Version of Builders vs. Breakers

Here is an example of what a presentation shouldn't look like.

Brett Hardin

October 26, 2012
Tweet

More Decks by Brett Hardin

See All by Brett Hardin
Penetration Testing is Stupid - BsidesSF 2013
bretthardin
2
2.2k
Building Your House on Sand
bretthardin
2
1.4k
Builders vs. Breakers - AppSec 2012
bretthardin
2
1.4k
Security the Wrong Way
bretthardin
2
240
BSidesSanFrancisco2011 - Misdirection: The Rise and Fall and Rise of Regulatory Compliance
bretthardin
1
210
Security? Who Cares! - Privacy is Dead
bretthardin
1
180
OWASP - Top 10
bretthardin
0
1k

Other Decks in Technology

See All in Technology
ガチ勢によるPipeCD運用大全〜滑らかなCI/CDを添えて〜 / ai-pipecd-encyclopedia
cyberagentdevelopers
PRO
3
210
来年もre:Invent2024 に行きたいあなたへ - “集中”と“つながり”で楽しむ -
ny7760
0
480
AWS re:Inventを徹底的に楽しむためのTips / Tips for thoroughly enjoying AWS re:Invent
yuj1osm
1
570
フルカイテン株式会社 採用資料
fullkaiten
0
36k
Shift-from-React-to-Vue
calm1205
3
1.3k
使えそうで使われないCloudHSM
maikamibayashi
0
170
チームを主語にしてみる / Making "Team" the Subject
ar_tama
4
310
APIテスト自動化の勘所
yokawasa
7
4.2k
WINTICKETアプリで実現した高可用性と高速リリースを支えるエコシステム / winticket-eco-system
cyberagentdevelopers
PRO
1
190
プロダクト成長に対応するプラットフォーム戦略:Authleteによる共通認証基盤の移行事例 / Building an authentication platform using Authlete and AWS
kakehashi
1
150
MAMを軸とした動画ハンドリングにおけるAI活用前提の整備と次世代ビジョン / abema-ai-mam
cyberagentdevelopers
PRO
1
120
プロダクトチームへのSystem Risk Records導入・運用事例の紹介/Introduction and Case Studies on Implementing and Operating System Risk Records for Product Teams
taddy_919
1
170

Featured

See All Featured
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
47
5k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
328
21k
Faster Mobile Websites
deanohume
304
30k
Building Adaptive Systems
keathley
38
2.2k
Measuring & Analyzing Core Web Vitals
bluesmoon
1
41
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
How to Ace a Technical Interview
jacobian
275
23k
Adopting Sorbet at Scale
ufuk
73
9k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
How To Stay Up To Date on Web Technology
chriscoyier
788
250k
A designer walks into a library…
pauljervisheath
202
24k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
504
140k

Transcript

  1. Builder vs. Breaker AppSec 2012 Edition

  2. BIOs of DOOOOOOOOOOOOOM! Builder Jon "Dext" Rose Qualifications: •  Built

    Paypal in 2 hours. •  247 code pushes to open source projects. Breaker Matt "Ana" Konda Qualifications: •  Broke into CIA when 12. •  Deleted the arrest record when 16.

  3. BIOs of DOOOOOOOOOOOOOOOM! Moderator Brett "Broken" Hardin Qualifications: •  Board

    Game Junky •  Entrepreneur •  The Original "Fixer" •  Chico Stoplight King

  4. History BSidesChicago 2011 BSidesChicago 2012 Defcon SkyTalk 2012 Thanks to:

    @secbarbie, @securitymoey, @elimmartin, @claudij, @dschlieffer, @miscsecurity Also: @curphey, @joshcorman, (others)

  5. Quick Poll: Builder or Breaker?

  6. Builder Dates Features Functional Quality

  7. Breaker High Risk Vulnerabilities Access to Data and Impact I

    can break into anything!

  8. Format Debate  a  ques*on  –  a  few  minutes  each  

    1-­‐2  Audience  members  provides  input   Audience  Votes   Loser  Drinks   Repeat  
  9. None

  10. Breaker “….developers will never learn, never improve because they are

    repeating the same mistakes over and over again” – Breaker on Twitter

  11. Builder “…only good at ranting. Zero contribs, and almost zero

    constructive feedbacks but bashing” – Developer reply

  12. Breaker “If  you  are  a  developer  and  don’t   know

     who  OWASP  is  at  this  point,  it’s   because  you’ve  chosen  not  to.”   –  Breaker’s   Tweet  

  13. Builder “Problem.  Infosec  pros,  pentesters  etc.   are  more  interested

     in  #appsec  than   programmers.  How  to  change  that?  <   will  not  change”   –  Builder’s   Tweet  

  14. Breaker “…  the  developer  who  did  this  should   be

     taken  out  into  the  street  and   beaten  …”   –  Breaker  at  Thotcon  

  15. Builder “Agile:  Most  security  guys  are  useless”   –  Builder’s

      Tweet  

  16. WAF solves the problem.

  17. Buyers need to explicitly ask for security.

  18. Agile Hurts Security

  19. Does Security Need to Be Part of QA?

  20. A pen-test validates that my app is secure!

  21. Security False positives are a necessary evil.

  22. The Cloud makes me more secure

  23. Breakers don’t understand development

  24. Builders need to understand the vulnerabilities

  25. Can  you  teach  security  to  developers?  

  26. We don’t really feel this way… • Take a hard stance

    on both sides in an attempt to elicit your participation • Get everyone to come to the same conclusion that the current model is broken •  Generate conversation on how we can make it better

  27. Do the current models work? Do you think security issues

    are getting fixed faster or slower than 5 years ago? Do you think there is more/less awareness into security issues? Do you think more/less security issues are being introduced?

  28. Thank you. OWASP AppSecUSA - @wickett