
Making Security Invisible by Becoming the Developer's Best Friends

Here is the presentation I delivered in Oct 2011 at OWASP's AppSec Brazil conference:

I think I was able to capture how security tends to be seen by developers, how it is currently a TAX on the SDL, and how we need to move Application Security into the 'application visibility' space so that we add value to the entire SDL (and create a positive model where the developers want to engage with us).

After you read the presentation, check out this video, which I also recorded in Brazil: "A developer's rant about security professionals" http://www.youtube.com/watch?v=HYEPYSF32kQ (he was one of the developers in the audience who really related to the problem of receiving security guidance from security 'consultants' who don't understand his app).

The demos showed how the O2 Platform (http://o2platform.com) allowed this world to exist :)

diniscruz

April 07, 2012

Transcript

  1. The OWASP Foundation http://www.owasp.org. Making Security Invisible by Becoming the Developer's Best Friends. OWASP AppSec Latam 2011 (Brazil). Dinis Cruz, dinis.cruz@owasp.org. Tuesday, 8 November 2011

  2. Dinis Cruz: long-time OWASP contributor; OWASP O2 Platform (project); OWASP Seasons of Code; OWASP Summits (2008 & 2011); OWASP Training Days; OWASP Books; helped multiple chapters and conferences; multiple tools & research at OWASP .NET. Set up the Application Security Team at a global bank. Performed security reviews (white and black box) on 100s of apps. Credited for a vulnerability in the .NET Framework and a vulnerability in Spring MVC. Worked for OunceLabs (now IBM AppScan Source) and made it work. Didn't join IBM (after the OunceLabs acquisition) and spent 18 months rewriting the OWASP O2 Platform (and making my vision a reality). Currently at Security Innovation (Boston/Seattle company).

  3. Dinis @ Security Innovation: responsible for the TeamMentor product, i.e. I'm shipping code. SI is going to commercially support the OWASP O2 Platform with a focus on findings-automation and security-tools-integration. SI is a strong OWASP supporter: Silver sponsor at AppSec USA; published the OWASP TeamMentor Library under CC (Creative Commons); published the OWASP Top 10 e-learning course under CC; helping to clarify the commercial relationship with OWASP's ecosystem; sponsored me to come here.

  4. OWASP is Amazing

  5. (no text)

  6. (no text)

  7. owasp band

  8. Don't stop asking 'why not?'

  9. Don't stop asking 'why not?' Try new ideas:

  10. Don't stop asking 'why not?' Try new ideas: Barefoot walking/running

  11. (repeat of slide 10)

  12. (repeat of slide 10)

  13. I'm a developer

  14. Yes, I have shipped code

  15. O2 PLATFORM, OWASP TeamMentor, Security Innovation

  16. I'm going to speak as the developer of ... and a couple of other apps: HacmeBank, JPetstore, Altoro Mutual

  17. for which security IS NOT a priority

  18. it is important

  19. but not a priority

  20. In fact I want security to be INVISIBLE (or transparent)

  21. As with every other developer, I don't want my app to have security vulnerabilities

  22. So I'm happy to help the 'security' process...

  23. ... as long as the workflow 'works' for me and my team

  24. and at the moment it doesn't

  25. Dear Security teams / vendors

  26. Understand this:

  27. Features and Functionality Rule!

  28. You (security teams) are quite at the bottom of the food chain

  29. I'm smart. If I wasn't smart I wouldn't be working (& paid) as a developer

  30. If I'm not Smart, don't tell that to my boss (especially NOT in a report format)

  31. If I'm not Smart, make me Smart!

  32. Since I'm smart, make me a HERO

  33. Actually, in the real world the issue is usually not 'smart' but 'experience on the APIs/Frameworks used'

  34. Another important topic

  35. I'm not a security expert

  36. that is YOUR job

  37. if you want to talk about: jQuery, Javascript, MVC, Reflection, Hibernate, Struts, AoP, high performance algorithms, compression techniques, cache management, Agile, pointers, code patterns, authorisation models, QA, user-acceptance tests, use-cases, UML, SCRUM, StackOverflow, GIT, app hosting/clustering, etc....

  38. that's me

  39. Security

  40. That's you

  41. (btw) I'm the one creating value

  42. I'm the one making money, grabbing eyeballs, creating value or whatever the business wants to call it

  43. YOU are a TAX (as positioned today)

  44. which is why I don't really like to talk/deal with you

  45. Quiz question: When was the last time that developers were REALLY excited to talk with Security Teams?

  46. Yeah, I can see the queue from here..... (I think some developers would shoot Security teams if that was legal)

  47. Developers' dirty secrets

  48. Here are a couple of dirty secrets about 'most' development projects

  49. The devs can't visualise how their app works

  50. The devs can't visualise how their app works (and management)

  51. The devs don't understand how their app works

  52. The devs don't understand how their app works (and management)

  53. The devs don't understand how their app works (and management) (and buyers)

  54. The devs don't understand how their app works (and management) (and buyers) (and users)

  55. In practice, what does this mean?

  56. it means that they can't quickly answer questions like:

  57. what are the URLs?

  58. what data do you expect to receive from the web?

  59. what data CAN be submitted from the web?

  60. what is the data-binding behaviour of the frameworks used (case in point: MVC frameworks)?

  61. Where is my data validation layer?

  62. Who and what connects to the databases/assets?

  63. Where are my assets?

  64. Where is the credit card data?

  65. What are the connections between the managed layers (C# & Java) and unmanaged layers (C/C++)?

  66. What happens at the Javascript layer?

  67. (easier question) What is the real CALL FLOW of a request (from the web to the backend and back to the web)?

  68. (harder question) What is the real TAINT FLOW of a request (from the web to the backend and back to the web)?

  69. (much harder question) What is the real TAINT (with CONTROL) FLOW of a request (from the web to the backend and back to the web)?

  70. Bottom line: (*unless we have been attacked before)

  71. If it compiles, ship it! (I see this behaviour at a lot of dev shops)

  72. Bottom line: (*if we have been attacked before)

  73. If it compiles (and passes the 'security tools'), send it to the 'Security Team' (who now have funds to hire their own staff)

  74. Dealing with Security

  75. I care about my users

  76. And exploitation of security vulnerabilities affects them

  77. So, by proxy, I care about security

  78. But the current workflow between developers and security teams is....

  79. F****d

  80. or, more politically correct,

  81. Highly inefficient

  82. and that is in companies WITH internal security teams & awareness

  83. It is even worse for the rest

  84. We need a new paradigm

  85. One where 'application security' ADDs value to the business

  86. One where 'Application Security' practices are deeply embedded into the SDL

  87. One where 'Application Security' practices are invisible/transparent to 99% of the parties involved (the 1% are the ones directly involved in security, such as security teams, devs, architects, CISO, etc...)

  88. but before we get to the solution, let's set the stage....

  89. As a developer, this is what I don't want

  90. I don't want to: receive a PDF (or portal) with security findings

  91. I don't want to: receive a tool result with partial (or zero) context about my app

  92. I don't want to: spend time sorting out the false positives created by tools

  93. I don't want to: have tons of bugs filed into my bug tracking system

  94. I don't want to: receive non-automated findings (that will force me to spend time replicating the issue)

  95. I don't want to: receive no information on the impact of the 'proposed fix', the 'blast ratio' of a fix, i.e. how much s*** will break

  96. I don't want to: be 'lectured' by a 'security expert' that doesn't understand my application

  97. I don't want to: be told to 'go to school', usually framed as "we need to give 'security education' to developers"

  98. Got that?

  99. I don't think that (even if they tried) 'security consultants' could OFFEND developers more than they do today

  100. What I want

  101. I want to know the implications of the multiple APIs & frameworks used

  102. Ideally I should be able to use those APIs in the most efficient way

  103. I want to know when I use those APIs and frameworks incorrectly

  104. I want to understand my Application!

  105. Can YOU do that?

  106. Can you help me to understand my Application?

  107. because, as a developer

  108. if you can help me to understand my Application ...

  109. ... you add value to my world....

  110. if you don't help me to understand how my Application works

  111. you are a TAX that I have to pay, or an INSURANCE that I have to pay

  112. Did you notice the lack of 'security' in the last slides? :)

  113. let's try this again

  114. What I want from a security point of view (in red)

  115. I want to know the Security implications of the multiple APIs & frameworks used

  116. Ideally I should only be able to use those APIs in a SECURE way

  117. I want to know when I use those APIs and frameworks insecurely

  118. I want to understand the security risk profile of my Application!

  119. Making Security Invisible by becoming the developer's best friend

  120. So how was I able to do what I wanted (from both a security and a developer point of view)?

  121. using the OWASP O2 Platform

  122. DEMO TIME.....

  123. Any questions?

  124. Thanks