Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Top 10 Developer Security Misconceptions

Top 10 Developer Security Misconceptions

When it comes to security in development, there's a lot of things developers have the wrong idea about - things like "I don't have enough time" or "I don't know enough to be effective." Join me as a I run through the "top ten" of the list and help dispel them and make your life as a developer easier.

Chris Cornutt

May 15, 2013

More Decks by Chris Cornutt

Other Decks in Technology


  1. I Don’t Know Enough Plenty of Training Resources (free/paid) Conferences

    Read, read and read some more... Wednesday, May 15, 2013
  2. It’s Too Hard Start Small (bits & pieces) A scan

    is worth one thousand words One exploit at a time Wednesday, May 15, 2013
  3. I Can Secure It Later “Later” never comes It’s too

    big later Secure Development Life Cycle Wednesday, May 15, 2013
  4. I Can Secure It Later Plan security in from the

    start Security is not bugfixing “Later” never comes It’s too big later Secure Development Life Cycle Wednesday, May 15, 2013
  5. But My * Handles That For Me Misplaced trust in

    3rd party tools Investigation Validated and popular Security policy definition Wednesday, May 15, 2013
  6. Management Won’t Support It Integrated with development Share statistics on

    common vulnerabilities Find your own exploits...with a patch QA and development are both responsible Wednesday, May 15, 2013
  7. Why Would Someone Hack Us? Too small Unimportant Attack platform

    Shared passwords and account information Low hanging fruit Wednesday, May 15, 2013
  8. My Application’s Internal... Internal threats are larger No excuse for

    lax measures Loose password/access policies Development data sources with prod data Trust. Wednesday, May 15, 2013
  9. We Use * So We’re Secure Cryptography Access control Firewalls

    Web Application Firewalls Framework of choice Wednesday, May 15, 2013
  10. Security People Are Crazy “Them” “Developers don’t know about security”

    QA vs Security Testing Rules, rules, rules... ...and Reasons Integration, not Segregation Wednesday, May 15, 2013
  11. It’s Not My Job Worst. Excuse. Ever. Network Admin... Security

    is your job Sysadmin... Security is your job Developer... Security is your job “Defense in Depth” Wednesday, May 15, 2013