Top 10 Developer Security Misconceptions

Transcript

1. Top 10 Developer Security Misconceptions <script> alert(‘Chris Cornutt @ php|tek

   2013’);</script> Wednesday, May 15, 2013

2. Wednesday, May 15, 2013

3. Code Reviews? Wednesday, May 15, 2013

4. Security Code Reviews? Wednesday, May 15, 2013

5. “Make it Work” vs “Make it Secure” Wednesday, May 15,

   2013

6. “Make it Work Securely” Wednesday, May 15, 2013

7. I Don’t Know Enough Plenty of Training Resources (free/paid) Conferences

   Read, read and read some more... Wednesday, May 15, 2013

8. Wednesday, May 15, 2013

9. It’s Too Hard Start Small (bits & pieces) A scan

   is worth one thousand words One exploit at a time Wednesday, May 15, 2013

10. I Can Secure It Later “Later” never comes It’s too

    big later Secure Development Life Cycle Wednesday, May 15, 2013

11. Secure Development Lifecycle Gathering Requirements System Design Implementation/Development Verification Release

    of Tested/Verified Product Wednesday, May 15, 2013

12. Image copyright Microsoft, Inc Wednesday, May 15, 2013

13. I Can Secure It Later Plan security in from the

    start Security is not bugfixing “Later” never comes It’s too big later Secure Development Life Cycle Wednesday, May 15, 2013

14. But My * Handles That For Me Misplaced trust in

    3rd party tools Investigation Validated and popular Security policy definition Wednesday, May 15, 2013

15. Management Won’t Support It Integrated with development Share statistics on

    common vulnerabilities Find your own exploits...with a patch QA and development are both responsible Wednesday, May 15, 2013

16. Wednesday, May 15, 2013

17. Why Would Someone Hack Us? Too small Unimportant Attack platform

    Shared passwords and account information Low hanging fruit Wednesday, May 15, 2013

18. My Application’s Internal... Internal threats are larger No excuse for

    lax measures Loose password/access policies Development data sources with prod data Trust. Wednesday, May 15, 2013

19. We Use * So We’re Secure Cryptography Access control Firewalls

    Web Application Firewalls Framework of choice Wednesday, May 15, 2013

20. Security People Are Crazy “Them” “Developers don’t know about security”

    QA vs Security Testing Rules, rules, rules... ...and Reasons Integration, not Segregation Wednesday, May 15, 2013

21. It’s Not My Job Worst. Excuse. Ever. Network Admin... Security

    is your job Sysadmin... Security is your job Developer... Security is your job “Defense in Depth” Wednesday, May 15, 2013

22. Architecture Development Testing Environments Processes & Policies SECURITY Wednesday, May

    15, 2013

23. Questions? Chris Cornutt @enygma @websecquickfix http://websec.io http://joind.in/8164 http://bit.ly/top10-devsec-tek13 Wednesday, May

    15, 2013