
Top 10 Developer Security Misconceptions


When it comes to security in development, there are a lot of things developers have the wrong idea about - things like "I don't have enough time" or "I don't know enough to be effective." Join me as I run through the "top ten" of the list, help dispel them and make your life as a developer easier.


Chris Cornutt

May 15, 2013

Transcript

  1. Top 10 Developer Security Misconceptions
     <script> alert(‘Chris Cornutt @ php|tek 2013’);</script>
     Wednesday, May 15, 2013

  2. (no text on this slide)

  3. Code Reviews?

  4. Security Code Reviews?

  5. “Make it Work” vs “Make it Secure”

  6. “Make it Work Securely”

  7. I Don’t Know Enough
     Plenty of Training Resources (free/paid)
     Conferences
     Read, read and read some more...

  8. (no text on this slide)

  9. It’s Too Hard
     Start Small (bits & pieces)
     A scan is worth one thousand words
     One exploit at a time

  10. I Can Secure It Later
     “Later” never comes
     It’s too big later
     Secure Development Life Cycle

  11. Secure Development Lifecycle
     Gathering Requirements
     System Design
     Implementation/Development
     Verification
     Release of Tested/Verified Product

  12. Image copyright Microsoft, Inc

  13. I Can Secure It Later
     Plan security in from the start
     Security is not bugfixing
     “Later” never comes
     It’s too big later
     Secure Development Life Cycle

  14. But My * Handles That For Me
     Misplaced trust in 3rd party tools
     Investigation
     Validated and popular
     Security policy definition

  15. Management Won’t Support It
     Integrated with development
     Share statistics on common vulnerabilities
     Find your own exploits...with a patch
     QA and development are both responsible

  16. (no text on this slide)

  17. Why Would Someone Hack Us?
     Too small
     Unimportant
     Attack platform
     Shared passwords and account information
     Low hanging fruit

  18. My Application’s Internal...
     Internal threats are larger
     No excuse for lax measures
     Loose password/access policies
     Development data sources with prod data
     Trust.

  19. We Use * So We’re Secure
     Cryptography
     Access control
     Firewalls
     Web Application Firewalls
     Framework of choice

  20. Security People Are Crazy
     “Them”
     “Developers don’t know about security”
     QA vs Security Testing
     Rules, rules, rules... ...and Reasons
     Integration, not Segregation

  21. It’s Not My Job
     Worst. Excuse. Ever.
     Network Admin... Security is your job
     Sysadmin... Security is your job
     Developer... Security is your job
     “Defense in Depth”

  22. Architecture
     Development
     Testing
     Environments
     Processes & Policies
     SECURITY

  23. Questions?
     Chris Cornutt
     @enygma
     @websecquickfix
     http://websec.io
     http://joind.in/8164
     http://bit.ly/top10-devsec-tek13