
Top 10 Developer Security Misconceptions

When it comes to security in development, there are a lot of things developers have the wrong idea about, things like "I don't have enough time" or "I don't know enough to be effective." Join me as I run through the "top ten" of the list and help dispel them and make your life as a developer easier.

Chris Cornutt

May 15, 2013

Transcript

  1. Top 10 Developer
    Security Misconceptions
    alert('Chris Cornutt @ php|tek 2013');
    Wednesday, May 15, 2013

  2.

  3. Code Reviews?

  4. Security
    Code Reviews?

  5. “Make it Work” vs “Make it Secure”

  6. “Make it Work Securely”

  7. I Don’t Know Enough
    Plenty of Training Resources (free/paid)
    Conferences
    Read, read and read some more...

  8.

  9. It’s Too Hard
    Start Small (bits & pieces)
    A scan is worth one thousand words
    One exploit at a time

  10. I Can Secure It Later
    “Later” never comes
    It’s too big later
    Secure Development Life Cycle

  11. Secure Development Lifecycle
    Gathering Requirements
    System Design
    Implementation/Development
    Verification
    Release of Tested/Verified Product

  12. Image copyright Microsoft, Inc

  13. I Can Secure It Later
    Plan security in from the start
    Security is not bugfixing
    “Later” never comes
    It’s too big later
    Secure Development Life Cycle

  14. But My * Handles That For Me
    Misplaced trust in 3rd party tools
    Investigation
    Validated and popular
    Security policy definition

  15. Management Won’t Support It
    Integrated with development
    Share statistics on common vulnerabilities
    Find your own exploits...with a patch
    QA and development are both responsible

  16.

  17. Why Would Someone Hack Us?
    Too small
    Unimportant
    Attack platform
    Shared passwords and account information
    Low hanging fruit

  18. My Application’s Internal...
    Internal threats are larger
    No excuse for lax measures
    Loose password/access policies
    Development data sources with prod data
    Trust.

  19. We Use * So We’re Secure
    Cryptography
    Access control
    Firewalls
    Web Application Firewalls
    Framework of choice
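    The "but my * handles that for me" item (slide 14) and the "we use a framework so we're secure" item (slide 19) share one failure mode: the framework's safe query path is real, but it protects nothing the moment a developer builds SQL from strings and hands it to the raw escape hatch that almost every framework also exposes. The example below is added here and is not code from the talk; `MiniORM`, its `find_user`/`raw` methods, the sample users and the attacker payload are hypothetical stand-ins for whatever data layer you actually use.

```python
import sqlite3


class MiniORM:
    """Hypothetical data-access layer: one safe, parameterised query method
    and the raw-SQL escape hatch that most real frameworks also expose."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute(
            "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
        )
        # Constructed sample rows for the demonstration.
        self.conn.executemany(
            "INSERT INTO users (username, role) VALUES (?, ?)",
            [("alice", "admin"), ("bob", "user"), ("carol", "user")],
        )

    def find_user(self, username):
        """Safe path: the value is bound as a parameter, so the database only
        ever compares it against the column; it is never parsed as SQL."""
        cur = self.conn.execute(
            "SELECT username, role FROM users WHERE username = ?", (username,)
        )
        return cur.fetchall()

    def raw(self, sql):
        """Escape hatch: executes whatever text it is handed. Nothing in the
        framework inspects it; the caller owns the SQL."""
        return self.conn.execute(sql).fetchall()


def lookup_unsafe(orm, username):
    """What 'the framework handles it' does not cover: untrusted input glued
    into the statement text before it reaches the database."""
    return orm.raw(
        "SELECT username, role FROM users WHERE username = '%s'" % username
    )


def lookup_safe(orm, username):
    """Same query through the framework's parameterised path."""
    return orm.find_user(username)


# Constructed attacker input: closes the string literal, then appends a
# tautology so the WHERE clause matches every row in the table.
PAYLOAD = "nobody' OR '1'='1"


def demo():
    """Run both lookups with the payload; returns (unsafe_rows, safe_rows)."""
    orm = MiniORM()
    return lookup_unsafe(orm, PAYLOAD), lookup_safe(orm, PAYLOAD)


if __name__ == "__main__":
    unsafe_rows, safe_rows = demo()
    print("string-built query returned %d rows: %s" % (len(unsafe_rows), unsafe_rows))
    print("parameterised query returned %d rows: %s" % (len(safe_rows), safe_rows))
```

    The framework's promise holds for `find_user` and for nothing else. That is what the "security policy definition" bullet on slide 14 is for: the policy states whether `raw` may ever be called with user-derived input, and a code review (security or otherwise) treats any string formatting that feeds it as a finding, not as a style nit.
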
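    The same slide's "cryptography" bullet has the same shape: an unsalted MD5 of a password is cryptography, and it still leaves every account one dictionary lookup from compromise. The comparison below is added here and is not from the talk; it uses only the Python standard library, and the accounts, passwords, wordlist and iteration count are constructed for the demonstration (in production you would reach for bcrypt, scrypt or Argon2 through a maintained library rather than hand-rolling this).

```python
import hashlib
import hmac
import os

# Constructed sample accounts; two users picked the same weak password.
USERS = {"alice": "password1", "bob": "letmein", "carol": "password1"}

# Constructed attacker wordlist; a real one holds millions of entries.
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty"]


def md5_record(password):
    """'We use cryptography': an unsalted MD5 digest of the password."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_record(password, iterations, salt=None):
    """Per-user random salt plus an iterated KDF.
    Returns the stored record as (salt_hex, iterations, dk_hex)."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex(), iterations, dk.hex()


def pbkdf2_verify(password, record):
    """Recompute under the stored salt/iterations, compare in constant time."""
    salt_hex, iterations, dk_hex = record
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), iterations
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def build_stores(users, iterations):
    """Return the same accounts stored both ways: (md5_store, pbkdf2_store)."""
    md5_store = {u: md5_record(p) for u, p in users.items()}
    pbkdf2_store = {u: pbkdf2_record(p, iterations) for u, p in users.items()}
    return md5_store, pbkdf2_store


def crack_md5_store(md5_store, wordlist):
    """Unsalted: hash the wordlist once, then every user (on every site that
    stores MD5 this way) is a dict lookup.
    Returns (recovered_passwords, number_of_hash_operations)."""
    table = {md5_record(w): w for w in wordlist}
    recovered = {u: table[h] for u, h in md5_store.items() if h in table}
    return recovered, len(wordlist)


def crack_pbkdf2_store(pbkdf2_store, wordlist):
    """Salted and iterated: no shared table is possible, so every (user,
    candidate) pair costs a full KDF run of `iterations` HMAC calls.
    Returns (recovered_passwords, number_of_hmac_operations)."""
    recovered, work = {}, 0
    for user, record in pbkdf2_store.items():
        for candidate in wordlist:
            work += record[1]  # iterations spent on this single guess
            if pbkdf2_verify(candidate, record):
                recovered[user] = candidate
                break
    return recovered, work


if __name__ == "__main__":
    md5_store, pbkdf2_store = build_stores(USERS, iterations=100_000)
    print("md5    store:", crack_md5_store(md5_store, WORDLIST))
    print("pbkdf2 store:", crack_pbkdf2_store(pbkdf2_store, WORDLIST))
```

    Both stores fall to this five-word list, which is the caveat: the KDF removes the shared precomputed table (alice and carol no longer share a hash) and multiplies the cost of each guess, but it does not rescue a password that is on the attacker's list. "We use cryptography" only means something once the policy names the primitive, the salt, the work factor and the password rules that go with it.
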

  20. Security People Are Crazy
    “Them”
    “Developers don’t know about security”
    QA vs Security Testing
    Rules, rules, rules...
    ...and Reasons
    Integration, not Segregation

  21. It’s Not My Job
    Worst. Excuse. Ever.
    Network Admin... Security is your job
    Sysadmin... Security is your job
    Developer... Security is your job
    “Defense in Depth”

  22. Architecture
    Development
    Testing
    Environments
    Processes & Policies
    SECURITY

  23. Questions?
    Chris Cornutt @enygma
    @websecquickfix
    http://websec.io
    http://joind.in/8164
    http://bit.ly/top10-devsec-tek13