Making Security Invisible by Becoming the Developer's Best Friends

The OWASP Foundation
http://www.owasp.org
Making Security Invisible by
Becoming the Developer's
Best Friends
OWASP AppSec Latam 2011 (Brazil)
Dinis Cruz
[email protected]
Tuesday, 8 November 2011

View Slide

Dinis Cruz
Long-time OWASP contributor
OWASP O2 Platform (project)
OWASP Seasons of Code
OWASP Summits (2008 & 2011)
OWASP Training Days
OWASP Books
Helped multiple chapters and conferences
Multiple tools & research at OWASP .NET
Setup Application Security Team at Global Bank
Performed Security Reviews (White and Black box) on 100s of apps
Credited for vulnerability on .NET Framework and vulnerability on Spring MVC
Worked for OunceLabs (now IBM AppScan Source) and made it work
Didn’t joined IBM (after OunceLabs acquisition) and spent 18 months rewriting the
OWASP O2 platform (and making my vision a reality)
Currently at Security Innovation (Boston/Seattle company)

View Slide

Dinis @ Security Innovation
Responsible for the TeamMentor product
i.e. I’m shipping code
SI is going to Commercially Support the
OWASP O2 Platform
with a focus on findings-automation and security-tools-integration
SI is a strong OWASP Supporter
Silver sponsor at AppSec USA
published OWASP TeamMentor Library under CC (Creative Commons)
published OWASP Top 10 e-learning course under CC
helping the clarify the commercial relationship with OWASP’s ecosystem
Sponsored me to come here
3

View Slide

OWASP is Amazing

View Slide

5

View Slide

6

View Slide

owasp
band
7

View Slide

Don’t stop asking ‘why not?’
8

View Slide

Try new ideas:
8

View Slide

Try new ideas:
8
Barefoot walking/running

View Slide

I’m a developer

View Slide

Yes
I have shipped code
10

View Slide

11
O2 PLATFORM
OWASP
TeamMentor
Security Innovation

View Slide

I’m going to speak as
the developer of
12
and a couple other apps:
HacmeBank, JPetstore, Altoro Mutual

View Slide

for which security
IS NOT a priority
13

View Slide

it is important
14

View Slide

but not a priority
15

View Slide

In fact I want to
security to be
INVISIBLE
(or transparent)
16

View Slide

As with every other
developer,
I don’t want my app to
have security
vulnerabilities
17

View Slide

So I’m happy to help
the ‘security’ process...
18

View Slide

... as long as the
workflow ‘works’ for me
and my team
19

View Slide

and at the moment it
doesn’t
20

View Slide

Dear Security
teams / vendors

View Slide

Understand this:
22

View Slide

Features and
Functionality
Rule!
23

View Slide

You (security teams)
are quite in the bottom
of the food chain
24

View Slide

I’m smart
If I wasn’t smart I wouldn’t be working (& paid) as a developer
25

View Slide

If I’m not Smart
don’t tell that to my boss
(specially NOT in a report format)
26

View Slide

If I’m not Smart
Make me Smart!
27

View Slide

Since I’m smart
Make me a HERO
28

View Slide

Actually
In the real world the
issue is usually not
‘smart’ but
‘experience on the
APIs/Framworks used’
29

View Slide

Another important topic
30

View Slide

I’m not a security
expert
31

View Slide

that is YOUR job
32

View Slide

if you want to talk about:
jQuery, Javascript, MVC, Reflection, Hibernate, Struts,
AoP, High performance Algorithms, Compression
techniques, cache management, Agile, Pointers, Code
Patterns, Authorisation Models, QA, User-acceptance-
tests, Use-Cases, UML, SRCUM, StackOverflow, GIT, App
Hosting/Clustering, etc....
33

View Slide

that’s me
34

View Slide

Security
35

View Slide

That’s you
36

View Slide

(btw)
I’m the one
creating value
37

View Slide

I’m the one
making money,
grabbing eyeballs,
creating value
or whatever the business wants to call it
38

View Slide

YOU are a TAX
As positioned today
39

View Slide

which is why I don’t
really like to talk/deal
with you
40

View Slide

Quiz Question:
When was the last time
that developers where
REALLY exited to talk
with Security Teams?
41

View Slide

Yeah I can see the
Queue from here.....
(I think some developers would shoot Security
teams if that was legal)
42

View Slide

Developers dirty
secrets

View Slide

Here are a couple dirty
secrets about ‘most’
development projects
44

View Slide

The devs can’t visualise
how their app works
45

View Slide

The devs can’t visualise
how their app works
45
(and management)

View Slide

The devs don’t understand
how their app works
46

View Slide

how their app works
46
(and management)

View Slide

how their app works
46
(and management)
(and buyers)

View Slide

how their app works
46
(and management)
(and buyers)
(and users)

View Slide

In practice what does
this mean?
47

View Slide

it means that they can’t
quickly answer questions like:
48

View Slide

what are the URLs?
49

View Slide

what data do you
expect to receive from
the web?
50

View Slide

what data CAN be
submitted from the web
51

View Slide

what is the data-binding
behaviour of the
Frameworks used
(case point MVC Frameworks)
52

View Slide

Where is my Data
Validation layer
53

View Slide

Who and what connects
to the databases/assets
54

View Slide

Where are my assets?
55

View Slide

Where is the
Credit Card data?
56

View Slide

What are the connections
between the managed layers
(C# & Java) and unmanaged
layers (C/C++)?
57

View Slide

What happens at the
Javascript layer?
58

View Slide

(easier question)
What is the real
CALL FLOW
of a request
(from the web to the backend and back to the web)
59

View Slide

(harder question)
What is the real
TAINT FLOW
of a request
60

View Slide

(much harder question)
What is the real
TAINT (with CONTROL) FLOW
of a request
61

View Slide

Bottom line:
(*unless we have been attacked before)
62

View Slide

If it compiles
Ship it!
(I see this behaviour at a lot of dev shops)
63

View Slide

Bottom line:
(*If we have been attacked before)
64

View Slide

If it compiles
(and passes the ‘security tools’)
Send it to the
‘Security Team’
(who now have funds to hire their own staff)
65

View Slide

Dealing with
Security

View Slide

I care about my users
67

View Slide

And exploitation of
security vulnerabilities
affects them
68

View Slide

So by-proxy I care
about security
69

View Slide

But the current
workflow between
developers and security
teams is....
70

View Slide

F****d
71

View Slide

or more politically
correct
72

View Slide

Highly inefficient
73

View Slide

and that is on
companies WITH
internal security teams
& awareness
74

View Slide

It is even worse for the
rest
75

View Slide

We need a new
paradigm
76

View Slide

One where ‘application
security’ ADDs value to
the Business
77

View Slide

One where ‘Application
Security’ practices are
deeply embedded into
the SDL
78

View Slide

One where ‘Application
Security’ practices are
invisible/transparent to
99% of the parties
involved
(the 1% are the ones directly involved in security, such as
security teams, devs,architects, CISO, etc...)
79

View Slide

but before we get to
the solution, lets set the
stage....
80

View Slide

As a developer , this is
What I don’t want

View Slide

receive a PDF (or portal)
with security findings
82
I don't want to:

View Slide

receive a tool result
with partial (or zero)
context about my app
83
I don't want to:

View Slide

spent time sorting out
the False positives
created by tools
84
I don't want to:

View Slide

have tons of bugs filled
into my bug tracking
system
85
I don't want to:

View Slide

receive non-automated
findings
(that will force me to spend
time replicating the issue)
86
I don't want to:

View Slide

receive no information
on the impact of the
‘proposed fix’
the ‘blast ratio’ of a fix
i.e. how much s*** will break
87
I don't want to:

View Slide

be ‘lectured’ by a
‘security expert’ that
doesn’t understand my
application
88
I don't want to:

View Slide

I don’t want to be told
to ‘go to school’
usually framed as
“we need to give ‘security education’ to
developers”
89
I don't want to:

View Slide

Got that?
90

View Slide

I don’t think that
(even if they tried)
‘security consultants’
couldn’t OFEND more
the developers than
they do today
91

View Slide

What I want

View Slide

I want to know the
implications of the
multiple APIs &
frameworks used
93

View Slide

Ideally I should be able
to use those APIs is the
most efficient way
94

View Slide

I want to know when I
use those APIs and
Frameworks incorrectly
95

View Slide

I want to understand
my Application!
96

View Slide

Can YOU do that?
97

View Slide

Can you help me to
understand my
Application?
98

View Slide

because,
as a developer
99

View Slide

if you can help me to
understand my
Application ...
100

View Slide

... you add value to my
world....
101

View Slide

if you don’t help me to
understand how my
Application works
102

View Slide

you are a TAX that I
have to Pay
or an INSURANCE that I
have to Pay
103

View Slide

Did you noticed the lack
of ‘security’ in the last
slides?
:)
104

View Slide

let’s try this again
105

View Slide

What I want
from a security point of view (in red)

View Slide

I want to know the
Security implications of
the multiple APIs &
frameworks used
107

View Slide

Ideally i should only be
able to use those APIs
in a SECURE way
108

View Slide

I want to know when I
use those APIs and
Frameworks insecurely
109

View Slide

I want to understand
the security risk profile
of my Application!
110

View Slide

Making Security
Invisible
by becoming the
developer’s best friend

View Slide

So how was I able to do
what I wanted (from
both a security and
developer point of view)
112

View Slide

using the
OWASP O2 Platform
113

View Slide

DEMO TIME.....
114

View Slide

Any questions?

View Slide

Thanks
116

View Slide

Making Security Invisible by Becoming the Developer's Best Friends

Making Security Invisible by Becoming the Developer's Best Friends

diniscruz

More Decks by diniscruz

Other Decks in Programming

Featured

Transcript