Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Making Security Invisible by Becoming the Developer's Best Friends

Making Security Invisible by Becoming the Developer's Best Friends

Here is the presentation I delivered in Oct 2011 at OWASP's AppSec Brazil conference:

I think I was able to capture how security tends to be seen by developers, how it is currently a TAX on the SDL and how we need to move Application Security into the 'application visibility' space so that we add value to the entire SDL (and create a positive model where the developers want to engage with us)

After you read the presentation, check out this video which I recorded also in Brazil: "A developer's rant about security professionals" http://www.youtube.com/watch?v=HYEPYSF32kQ (he was one of the developers that was at the audience which really related to the problem of receiving security guidance from security 'consultants' that don't understand his app).

The demos showed how the O2 Platform (http://o2platform.com) allowed this world to exist :)

diniscruz

April 07, 2012
Tweet

More Decks by diniscruz

Other Decks in Programming

Transcript

  1. The OWASP Foundation
    http://www.owasp.org
    Making Security Invisible by
    Becoming the Developer's
    Best Friends
    OWASP AppSec Latam 2011 (Brazil)
    Dinis Cruz
    [email protected]
    Tuesday, 8 November 2011

    View Slide

  2. Dinis Cruz
    Long-time OWASP contributor
    OWASP O2 Platform (project)
    OWASP Seasons of Code
    OWASP Summits (2008 & 2011)
    OWASP Training Days
    OWASP Books
    Helped multiple chapters and conferences
    Multiple tools & research at OWASP .NET
    Setup Application Security Team at Global Bank
    Performed Security Reviews (White and Black box) on 100s of apps
    Credited for vulnerability on .NET Framework and vulnerability on Spring MVC
    Worked for OunceLabs (now IBM AppScan Source) and made it work
    Didn’t joined IBM (after OunceLabs acquisition) and spent 18 months rewriting the
    OWASP O2 platform (and making my vision a reality)
    Currently at Security Innovation (Boston/Seattle company)
    Tuesday, 8 November 2011

    View Slide

  3. Dinis @ Security Innovation
    Responsible for the TeamMentor product
    i.e. I’m shipping code
    SI is going to Commercially Support the
    OWASP O2 Platform
    with a focus on findings-automation and security-tools-integration
    SI is a strong OWASP Supporter
    Silver sponsor at AppSec USA
    published OWASP TeamMentor Library under CC (Creative Commons)
    published OWASP Top 10 e-learning course under CC
    helping the clarify the commercial relationship with OWASP’s ecosystem
    Sponsored me to come here
    3
    Tuesday, 8 November 2011

    View Slide

  4. OWASP is Amazing
    Tuesday, 8 November 2011

    View Slide

  5. 5
    Tuesday, 8 November 2011

    View Slide

  6. 6
    Tuesday, 8 November 2011

    View Slide

  7. owasp
    band
    7
    Tuesday, 8 November 2011

    View Slide

  8. Don’t stop asking ‘why not?’
    8
    Tuesday, 8 November 2011

    View Slide

  9. Don’t stop asking ‘why not?’
    Try new ideas:
    8
    Tuesday, 8 November 2011

    View Slide

  10. Don’t stop asking ‘why not?’
    Try new ideas:
    8
    Barefoot walking/running
    Tuesday, 8 November 2011

    View Slide

  11. Don’t stop asking ‘why not?’
    Try new ideas:
    8
    Barefoot walking/running
    Tuesday, 8 November 2011

    View Slide

  12. Don’t stop asking ‘why not?’
    Try new ideas:
    8
    Barefoot walking/running
    Tuesday, 8 November 2011

    View Slide

  13. I’m a developer
    Tuesday, 8 November 2011

    View Slide

  14. Yes
    I have shipped code
    10
    Tuesday, 8 November 2011

    View Slide

  15. 11
    O2 PLATFORM
    OWASP
    TeamMentor
    Security Innovation
    Tuesday, 8 November 2011

    View Slide

  16. I’m going to speak as
    the developer of
    12
    and a couple other apps:
    HacmeBank, JPetstore, Altoro Mutual
    Tuesday, 8 November 2011

    View Slide

  17. for which security
    IS NOT a priority
    13
    Tuesday, 8 November 2011

    View Slide

  18. it is important
    14
    Tuesday, 8 November 2011

    View Slide

  19. but not a priority
    15
    Tuesday, 8 November 2011

    View Slide

  20. In fact I want to
    security to be
    INVISIBLE
    (or transparent)
    16
    Tuesday, 8 November 2011

    View Slide

  21. As with every other
    developer,
    I don’t want my app to
    have security
    vulnerabilities
    17
    Tuesday, 8 November 2011

    View Slide

  22. So I’m happy to help
    the ‘security’ process...
    18
    Tuesday, 8 November 2011

    View Slide

  23. ... as long as the
    workflow ‘works’ for me
    and my team
    19
    Tuesday, 8 November 2011

    View Slide

  24. and at the moment it
    doesn’t
    20
    Tuesday, 8 November 2011

    View Slide

  25. Dear Security
    teams / vendors
    Tuesday, 8 November 2011

    View Slide

  26. Understand this:
    22
    Tuesday, 8 November 2011

    View Slide

  27. Features and
    Functionality
    Rule!
    23
    Tuesday, 8 November 2011

    View Slide

  28. You (security teams)
    are quite in the bottom
    of the food chain
    24
    Tuesday, 8 November 2011

    View Slide

  29. I’m smart
    If I wasn’t smart I wouldn’t be working (& paid) as a developer
    25
    Tuesday, 8 November 2011

    View Slide

  30. If I’m not Smart
    don’t tell that to my boss
    (specially NOT in a report format)
    26
    Tuesday, 8 November 2011

    View Slide

  31. If I’m not Smart
    Make me Smart!
    27
    Tuesday, 8 November 2011

    View Slide

  32. Since I’m smart
    Make me a HERO
    28
    Tuesday, 8 November 2011

    View Slide

  33. Actually
    In the real world the
    issue is usually not
    ‘smart’ but
    ‘experience on the
    APIs/Framworks used’
    29
    Tuesday, 8 November 2011

    View Slide

  34. Another important topic
    30
    Tuesday, 8 November 2011

    View Slide

  35. I’m not a security
    expert
    31
    Tuesday, 8 November 2011

    View Slide

  36. that is YOUR job
    32
    Tuesday, 8 November 2011

    View Slide

  37. if you want to talk about:
    jQuery, Javascript, MVC, Reflection, Hibernate, Struts,
    AoP, High performance Algorithms, Compression
    techniques, cache management, Agile, Pointers, Code
    Patterns, Authorisation Models, QA, User-acceptance-
    tests, Use-Cases, UML, SRCUM, StackOverflow, GIT, App
    Hosting/Clustering, etc....
    33
    Tuesday, 8 November 2011

    View Slide

  38. that’s me
    34
    Tuesday, 8 November 2011

    View Slide

  39. Security
    35
    Tuesday, 8 November 2011

    View Slide

  40. That’s you
    36
    Tuesday, 8 November 2011

    View Slide

  41. (btw)
    I’m the one
    creating value
    37
    Tuesday, 8 November 2011

    View Slide

  42. I’m the one
    making money,
    grabbing eyeballs,
    creating value
    or whatever the business wants to call it
    38
    Tuesday, 8 November 2011

    View Slide

  43. YOU are a TAX
    As positioned today
    39
    Tuesday, 8 November 2011

    View Slide

  44. which is why I don’t
    really like to talk/deal
    with you
    40
    Tuesday, 8 November 2011

    View Slide

  45. Quiz Question:
    When was the last time
    that developers where
    REALLY exited to talk
    with Security Teams?
    41
    Tuesday, 8 November 2011

    View Slide

  46. Yeah I can see the
    Queue from here.....
    (I think some developers would shoot Security
    teams if that was legal)
    42
    Tuesday, 8 November 2011

    View Slide

  47. Developers dirty
    secrets
    Tuesday, 8 November 2011

    View Slide

  48. Here are a couple dirty
    secrets about ‘most’
    development projects
    44
    Tuesday, 8 November 2011

    View Slide

  49. The devs can’t visualise
    how their app works
    45
    Tuesday, 8 November 2011

    View Slide

  50. The devs can’t visualise
    how their app works
    45
    (and management)
    Tuesday, 8 November 2011

    View Slide

  51. The devs don’t understand
    how their app works
    46
    Tuesday, 8 November 2011

    View Slide

  52. The devs don’t understand
    how their app works
    46
    (and management)
    Tuesday, 8 November 2011

    View Slide

  53. The devs don’t understand
    how their app works
    46
    (and management)
    (and buyers)
    Tuesday, 8 November 2011

    View Slide

  54. The devs don’t understand
    how their app works
    46
    (and management)
    (and buyers)
    (and users)
    Tuesday, 8 November 2011

    View Slide

  55. In practice what does
    this mean?
    47
    Tuesday, 8 November 2011

    View Slide

  56. it means that they can’t
    quickly answer questions like:
    48
    Tuesday, 8 November 2011

    View Slide

  57. what are the URLs?
    49
    Tuesday, 8 November 2011

    View Slide

  58. what data do you
    expect to receive from
    the web?
    50
    Tuesday, 8 November 2011

    View Slide

  59. what data CAN be
    submitted from the web
    51
    Tuesday, 8 November 2011

    View Slide

  60. what is the data-binding
    behaviour of the
    Frameworks used
    (case point MVC Frameworks)
    52
    Tuesday, 8 November 2011

    View Slide

  61. Where is my Data
    Validation layer
    53
    Tuesday, 8 November 2011

    View Slide

  62. Who and what connects
    to the databases/assets
    54
    Tuesday, 8 November 2011

    View Slide

  63. Where are my assets?
    55
    Tuesday, 8 November 2011

    View Slide

  64. Where is the
    Credit Card data?
    56
    Tuesday, 8 November 2011

    View Slide

  65. What are the connections
    between the managed layers
    (C# & Java) and unmanaged
    layers (C/C++)?
    57
    Tuesday, 8 November 2011

    View Slide

  66. What happens at the
    Javascript layer?
    58
    Tuesday, 8 November 2011

    View Slide

  67. (easier question)
    What is the real
    CALL FLOW
    of a request
    (from the web to the backend and back to the web)
    59
    Tuesday, 8 November 2011

    View Slide

  68. (harder question)
    What is the real
    TAINT FLOW
    of a request
    (from the web to the backend and back to the web)
    60
    Tuesday, 8 November 2011

    View Slide

  69. (much harder question)
    What is the real
    TAINT (with CONTROL) FLOW
    of a request
    (from the web to the backend and back to the web)
    61
    Tuesday, 8 November 2011

    View Slide

  70. Bottom line:
    (*unless we have been attacked before)
    62
    Tuesday, 8 November 2011

    View Slide

  71. If it compiles
    Ship it!
    (I see this behaviour at a lot of dev shops)
    63
    Tuesday, 8 November 2011

    View Slide

  72. Bottom line:
    (*If we have been attacked before)
    64
    Tuesday, 8 November 2011

    View Slide

  73. If it compiles
    (and passes the ‘security tools’)
    Send it to the
    ‘Security Team’
    (who now have funds to hire their own staff)
    65
    Tuesday, 8 November 2011

    View Slide

  74. Dealing with
    Security
    Tuesday, 8 November 2011

    View Slide

  75. I care about my users
    67
    Tuesday, 8 November 2011

    View Slide

  76. And exploitation of
    security vulnerabilities
    affects them
    68
    Tuesday, 8 November 2011

    View Slide

  77. So by-proxy I care
    about security
    69
    Tuesday, 8 November 2011

    View Slide

  78. But the current
    workflow between
    developers and security
    teams is....
    70
    Tuesday, 8 November 2011

    View Slide

  79. F****d
    71
    Tuesday, 8 November 2011

    View Slide

  80. or more politically
    correct
    72
    Tuesday, 8 November 2011

    View Slide

  81. Highly inefficient
    73
    Tuesday, 8 November 2011

    View Slide

  82. and that is on
    companies WITH
    internal security teams
    & awareness
    74
    Tuesday, 8 November 2011

    View Slide

  83. It is even worse for the
    rest
    75
    Tuesday, 8 November 2011

    View Slide

  84. We need a new
    paradigm
    76
    Tuesday, 8 November 2011

    View Slide

  85. One where ‘application
    security’ ADDs value to
    the Business
    77
    Tuesday, 8 November 2011

    View Slide

  86. One where ‘Application
    Security’ practices are
    deeply embedded into
    the SDL
    78
    Tuesday, 8 November 2011

    View Slide

  87. One where ‘Application
    Security’ practices are
    invisible/transparent to
    99% of the parties
    involved
    (the 1% are the ones directly involved in security, such as
    security teams, devs,architects, CISO, etc...)
    79
    Tuesday, 8 November 2011

    View Slide

  88. but before we get to
    the solution, lets set the
    stage....
    80
    Tuesday, 8 November 2011

    View Slide

  89. As a developer , this is
    What I don’t want
    Tuesday, 8 November 2011

    View Slide

  90. receive a PDF (or portal)
    with security findings
    82
    I don't want to:
    Tuesday, 8 November 2011

    View Slide

  91. receive a tool result
    with partial (or zero)
    context about my app
    83
    I don't want to:
    Tuesday, 8 November 2011

    View Slide

  92. spent time sorting out
    the False positives
    created by tools
    84
    I don't want to:
    Tuesday, 8 November 2011

    View Slide

  93. have tons of bugs filled
    into my bug tracking
    system
    85
    I don't want to:
    Tuesday, 8 November 2011

    View Slide

  94. receive non-automated
    findings
    (that will force me to spend
    time replicating the issue)
    86
    I don't want to:
    Tuesday, 8 November 2011

    View Slide

  95. receive no information
    on the impact of the
    ‘proposed fix’
    the ‘blast ratio’ of a fix
    i.e. how much s*** will break
    87
    I don't want to:
    Tuesday, 8 November 2011

    View Slide

  96. be ‘lectured’ by a
    ‘security expert’ that
    doesn’t understand my
    application
    88
    I don't want to:
    Tuesday, 8 November 2011

    View Slide

  97. I don’t want to be told
    to ‘go to school’
    usually framed as
    “we need to give ‘security education’ to
    developers”
    89
    I don't want to:
    Tuesday, 8 November 2011

    View Slide

  98. Got that?
    90
    Tuesday, 8 November 2011

    View Slide

  99. I don’t think that
    (even if they tried)
    ‘security consultants’
    couldn’t OFEND more
    the developers than
    they do today
    91
    Tuesday, 8 November 2011

    View Slide

  100. What I want
    Tuesday, 8 November 2011

    View Slide

  101. I want to know the
    implications of the
    multiple APIs &
    frameworks used
    93
    Tuesday, 8 November 2011

    View Slide

  102. Ideally I should be able
    to use those APIs is the
    most efficient way
    94
    Tuesday, 8 November 2011

    View Slide

  103. I want to know when I
    use those APIs and
    Frameworks incorrectly
    95
    Tuesday, 8 November 2011

    View Slide

  104. I want to understand
    my Application!
    96
    Tuesday, 8 November 2011

    View Slide

  105. Can YOU do that?
    97
    Tuesday, 8 November 2011

    View Slide

  106. Can you help me to
    understand my
    Application?
    98
    Tuesday, 8 November 2011

    View Slide

  107. because,
    as a developer
    99
    Tuesday, 8 November 2011

    View Slide

  108. if you can help me to
    understand my
    Application ...
    100
    Tuesday, 8 November 2011

    View Slide

  109. ... you add value to my
    world....
    101
    Tuesday, 8 November 2011

    View Slide

  110. if you don’t help me to
    understand how my
    Application works
    102
    Tuesday, 8 November 2011

    View Slide

  111. you are a TAX that I
    have to Pay
    or an INSURANCE that I
    have to Pay
    103
    Tuesday, 8 November 2011

    View Slide

  112. Did you noticed the lack
    of ‘security’ in the last
    slides?
    :)
    104
    Tuesday, 8 November 2011

    View Slide

  113. let’s try this again
    105
    Tuesday, 8 November 2011

    View Slide

  114. What I want
    from a security point of view (in red)
    Tuesday, 8 November 2011

    View Slide

  115. I want to know the
    Security implications of
    the multiple APIs &
    frameworks used
    107
    Tuesday, 8 November 2011

    View Slide

  116. Ideally i should only be
    able to use those APIs
    in a SECURE way
    108
    Tuesday, 8 November 2011

    View Slide

  117. I want to know when I
    use those APIs and
    Frameworks insecurely
    109
    Tuesday, 8 November 2011

    View Slide

  118. I want to understand
    the security risk profile
    of my Application!
    110
    Tuesday, 8 November 2011

    View Slide

  119. Making Security
    Invisible
    by becoming the
    developer’s best friend
    Tuesday, 8 November 2011

    View Slide

  120. So how was I able to do
    what I wanted (from
    both a security and
    developer point of view)
    112
    Tuesday, 8 November 2011

    View Slide

  121. using the
    OWASP O2 Platform
    113
    Tuesday, 8 November 2011

    View Slide

  122. DEMO TIME.....
    114
    Tuesday, 8 November 2011

    View Slide

  123. Any questions?
    Tuesday, 8 November 2011

    View Slide

  124. Thanks
    116
    Tuesday, 8 November 2011

    View Slide