Bad Version of Builders vs. Breakers

Transcript

1. Builder vs. Breaker AppSec 2012 Edition

2. BIOs of DOOOOOOOOOOOOOM! Builder Jon "Dext" Rose Qualifications: •  Built

   Paypal in 2 hours. •  247 code pushes to open source projects. Breaker Matt "Ana" Konda Qualifications: •  Broke into CIA when 12. •  Deleted the arrest record when 16.

3. BIOs of DOOOOOOOOOOOOOOOM! Moderator Brett "Broken" Hardin Qualifications: •  Board

   Game Junky •  Entrepreneur •  The Original "Fixer" •  Chico Stoplight King

4. History BSidesChicago 2011 BSidesChicago 2012 Defcon SkyTalk 2012 Thanks to:

   @secbarbie, @securitymoey, @elimmartin, @claudij, @dschlieffer, @miscsecurity Also: @curphey, @joshcorman, (others)

5. Quick Poll: Builder or Breaker?

6. Builder Dates Features Functional Quality

7. Breaker High Risk Vulnerabilities Access to Data and Impact I

   can break into anything!

8. Format Debate  a  ques*on  –  a  few  minutes  each  

   1-­‐2  Audience  members  provides  input   Audience  Votes   Loser  Drinks   Repeat  
9. None

10. Breaker “….developers will never learn, never improve because they are

    repeating the same mistakes over and over again” – Breaker on Twitter

11. Builder “…only good at ranting. Zero contribs, and almost zero

    constructive feedbacks but bashing” – Developer reply

12. Breaker “If  you  are  a  developer  and  don’t   know

     who  OWASP  is  at  this  point,  it’s   because  you’ve  chosen  not  to.”   –  Breaker’s   Tweet  

13. Builder “Problem.  Infosec  pros,  pentesters  etc.   are  more  interested

     in  #appsec  than   programmers.  How  to  change  that?  <   will  not  change”   –  Builder’s   Tweet  

14. Breaker “…  the  developer  who  did  this  should   be

     taken  out  into  the  street  and   beaten  …”   –  Breaker  at  Thotcon  

15. Builder “Agile:  Most  security  guys  are  useless”   –  Builder’s

      Tweet  

16. WAF solves the problem.

17. Buyers need to explicitly ask for security.

18. Agile Hurts Security

19. Does Security Need to Be Part of QA?

20. A pen-test validates that my app is secure!

21. Security False positives are a necessary evil.

22. The Cloud makes me more secure

23. Breakers don’t understand development

24. Builders need to understand the vulnerabilities

25. Can  you  teach  security  to  developers?  

26. We don’t really feel this way… • Take a hard stance

    on both sides in an attempt to elicit your participation • Get everyone to come to the same conclusion that the current model is broken •  Generate conversation on how we can make it better

27. Do the current models work? Do you think security issues

    are getting fixed faster or slower than 5 years ago? Do you think there is more/less awareness into security issues? Do you think more/less security issues are being introduced?

28. Thank you. OWASP AppSecUSA - @wickett