Naked Security

Transcript

1. Mark Curphey or the unclothed state of the “application” security

   industry today

2. • Topic: Intro • Topic: How Applications Get Built in

   the Real World • Topic: How Geeks Communicate • Topic: Sales and Marketing • Topic: Culture • Topic: Complexity and Context • Topic: Standards, Compliance and Security Councils • Topic: Tools • Topic: Closing True Story

3. ぺちゃ く Pecha Kucha Chatter or chit-chat , ?

4. None
5. None
6. None
7. None

8. Gentle Life Reminder If you think technology is the solution

   then you don’t understand the problem!
9. None
10. None
11. None
12. None
13. None
14. None
15. None
16. None
17. None
18. None
19. None
20. None
21. None
22. None
23. None
24. None
25. None
26. None
27. None
28. None

29. How Applications Get Built in the Real World! New Topic

30. None
31. None
32. None

33. How is security built in the real world?

34. None
35. None
36. None

37. How is security built in the real world?

38. How is security built in the real world?

39. None

40. How Geeks Communicate New Topic Communication - Noun a. The

    exchange of thoughts, messages, or information, as by speech, signals, writing, or behavior. b. Interpersonal rapport.
41. None
42. None
43. None
44. None
45. None

46. If communicating functionality is hard, communicating security is harder still!

47. None

48. Sales and Marketing New Topic

49. None
50. None

51. Mozilla vs. Klocwork 611 “defects” 72 “vulnerabilities” 3 verified bugs

    99.5% useless?
52. None
53. None
54. None

55. “You miss 100% of the shots you never take.” —Wayne

    Gretzky
56. None
57. None

58. Culture New Topic Noun 1: a particular civilization at a

    particular stage 2: the tastes in art and manners that are favored by a social group 3: all the knowledge and values shared by a society

59. Corporate Security People as the Thought Police

60. Application security people are from Mars, software developers are from

    Venus

61. Most application security people are not software people Most application

    security people have no idea what enterprise software really is or understand the process of how it is created Most application security people think that if they understand HTTP then they understand web application security and can advise people on how to build secure web sites Most application security people can’t write code

62. NEWS FLASH: The world is not falling down because of

    cross site scripting Security < Performance < Functionality Start caring about the important stuff (before security becomes ignored)

63. “In the future everyone will have their 15 minutes of

    fame” – Andy Warhol

64. Complexity and Context New Topic Noun 1. complicated nature: the

    condition of being difficult to analyze, understand, or solve 2. condition of having many parts: the condition of being made up of many interrelated parts 3. complicated thing: one of the interrelated problems or difficulties involved in a complicated matter
65. None
66. None
67. None
68. None
69. None

70. Standards, compliance and SECURITY Councils New Topic

71. The 3 Types of “Compliance” 1. Government Regulations 2. Industry

    Standards 3. Marketing FUD Remember: You can‟t spell compliance without „liance’

72. The XXX-XX Security Standard

73. 6.6 Ensure that all web-facing applications are protected against known

    attacks by applying either of the following methods: • Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security • Installing an application layer firewall in front of web-facing applications. Note: This method is considered a best practice until June 30, 2008, after which it becomes a requirement. Full document at https://www.pcisecuritystandards.org/tech/download_the_pci_dss.htm

74. ……or go straight to the document here! https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf

75. None

76. Let’s Create a Security Cartel Community Council ?

77. New Topic 1. device for doing work: an object designed

    to do a specific kind of work such as cutting or chopping by directing manually applied force or by means of a motor 2. means to end: something used as a means of achieving something 3. something used for job: something used in the course of somebody's everyday work Tools

78. Introducing the only tool in the world that really works

    effectively today……
79. None

80. A fool with a tool …. is still a fool

    (A tool with a tool …. is definitely a tool)

81. News for people who run tools

82. China!

83. China!

84. China!

85. None
86. None
87. None

88. Closing Topic True Story

89. None

90. That’s all folks!