Making Security Invisible by Becoming the Developer's Best Friends

Transcript

1. The OWASP Foundation http://www.owasp.org Making Security Invisible by Becoming the

   Developer's Best Friends OWASP AppSec Latam 2011 (Brazil) Dinis Cruz [email protected] Tuesday, 8 November 2011

2. Dinis Cruz Long-time OWASP contributor OWASP O2 Platform (project) OWASP

   Seasons of Code OWASP Summits (2008 & 2011) OWASP Training Days OWASP Books Helped multiple chapters and conferences Multiple tools & research at OWASP .NET Setup Application Security Team at Global Bank Performed Security Reviews (White and Black box) on 100s of apps Credited for vulnerability on .NET Framework and vulnerability on Spring MVC Worked for OunceLabs (now IBM AppScan Source) and made it work Didn’t joined IBM (after OunceLabs acquisition) and spent 18 months rewriting the OWASP O2 platform (and making my vision a reality) Currently at Security Innovation (Boston/Seattle company) Tuesday, 8 November 2011

3. Dinis @ Security Innovation Responsible for the TeamMentor product i.e.

   I’m shipping code SI is going to Commercially Support the OWASP O2 Platform with a focus on findings-automation and security-tools-integration SI is a strong OWASP Supporter Silver sponsor at AppSec USA published OWASP TeamMentor Library under CC (Creative Commons) published OWASP Top 10 e-learning course under CC helping the clarify the commercial relationship with OWASP’s ecosystem Sponsored me to come here 3 Tuesday, 8 November 2011

4. OWASP is Amazing Tuesday, 8 November 2011

5. 5 Tuesday, 8 November 2011

6. 6 Tuesday, 8 November 2011

7. owasp band 7 Tuesday, 8 November 2011

8. Don’t stop asking ‘why not?’ 8 Tuesday, 8 November 2011

9. Don’t stop asking ‘why not?’ Try new ideas: 8 Tuesday,

   8 November 2011

10. Don’t stop asking ‘why not?’ Try new ideas: 8 Barefoot

    walking/running Tuesday, 8 November 2011

11. Don’t stop asking ‘why not?’ Try new ideas: 8 Barefoot

    walking/running Tuesday, 8 November 2011

12. Don’t stop asking ‘why not?’ Try new ideas: 8 Barefoot

    walking/running Tuesday, 8 November 2011

13. I’m a developer Tuesday, 8 November 2011

14. Yes I have shipped code 10 Tuesday, 8 November 2011

15. 11 O2 PLATFORM OWASP TeamMentor Security Innovation Tuesday, 8 November

    2011

16. I’m going to speak as the developer of 12 and

    a couple other apps: HacmeBank, JPetstore, Altoro Mutual Tuesday, 8 November 2011

17. for which security IS NOT a priority 13 Tuesday, 8

    November 2011

18. it is important 14 Tuesday, 8 November 2011

19. but not a priority 15 Tuesday, 8 November 2011

20. In fact I want to security to be INVISIBLE (or

    transparent) 16 Tuesday, 8 November 2011

21. As with every other developer, I don’t want my app

    to have security vulnerabilities 17 Tuesday, 8 November 2011

22. So I’m happy to help the ‘security’ process... 18 Tuesday,

    8 November 2011

23. ... as long as the workflow ‘works’ for me and

    my team 19 Tuesday, 8 November 2011

24. and at the moment it doesn’t 20 Tuesday, 8 November

    2011

25. Dear Security teams / vendors Tuesday, 8 November 2011

26. Understand this: 22 Tuesday, 8 November 2011

27. Features and Functionality Rule! 23 Tuesday, 8 November 2011

28. You (security teams) are quite in the bottom of the

    food chain 24 Tuesday, 8 November 2011

29. I’m smart If I wasn’t smart I wouldn’t be working

    (& paid) as a developer 25 Tuesday, 8 November 2011

30. If I’m not Smart don’t tell that to my boss

    (specially NOT in a report format) 26 Tuesday, 8 November 2011

31. If I’m not Smart Make me Smart! 27 Tuesday, 8

    November 2011

32. Since I’m smart Make me a HERO 28 Tuesday, 8

    November 2011

33. Actually In the real world the issue is usually not

    ‘smart’ but ‘experience on the APIs/Framworks used’ 29 Tuesday, 8 November 2011

34. Another important topic 30 Tuesday, 8 November 2011

35. I’m not a security expert 31 Tuesday, 8 November 2011

36. that is YOUR job 32 Tuesday, 8 November 2011

37. if you want to talk about: jQuery, Javascript, MVC, Reflection,

    Hibernate, Struts, AoP, High performance Algorithms, Compression techniques, cache management, Agile, Pointers, Code Patterns, Authorisation Models, QA, User-acceptance- tests, Use-Cases, UML, SRCUM, StackOverflow, GIT, App Hosting/Clustering, etc.... 33 Tuesday, 8 November 2011

38. that’s me 34 Tuesday, 8 November 2011

39. Security 35 Tuesday, 8 November 2011

40. That’s you 36 Tuesday, 8 November 2011

41. (btw) I’m the one creating value 37 Tuesday, 8 November

    2011

42. I’m the one making money, grabbing eyeballs, creating value or

    whatever the business wants to call it 38 Tuesday, 8 November 2011

43. YOU are a TAX As positioned today 39 Tuesday, 8

    November 2011

44. which is why I don’t really like to talk/deal with

    you 40 Tuesday, 8 November 2011

45. Quiz Question: When was the last time that developers where

    REALLY exited to talk with Security Teams? 41 Tuesday, 8 November 2011

46. Yeah I can see the Queue from here..... (I think

    some developers would shoot Security teams if that was legal) 42 Tuesday, 8 November 2011

47. Developers dirty secrets Tuesday, 8 November 2011

48. Here are a couple dirty secrets about ‘most’ development projects

    44 Tuesday, 8 November 2011

49. The devs can’t visualise how their app works 45 Tuesday,

    8 November 2011

50. The devs can’t visualise how their app works 45 (and

    management) Tuesday, 8 November 2011

51. The devs don’t understand how their app works 46 Tuesday,

    8 November 2011

52. The devs don’t understand how their app works 46 (and

    management) Tuesday, 8 November 2011

53. The devs don’t understand how their app works 46 (and

    management) (and buyers) Tuesday, 8 November 2011

54. The devs don’t understand how their app works 46 (and

    management) (and buyers) (and users) Tuesday, 8 November 2011

55. In practice what does this mean? 47 Tuesday, 8 November

    2011

56. it means that they can’t quickly answer questions like: 48

    Tuesday, 8 November 2011

57. what are the URLs? 49 Tuesday, 8 November 2011

58. what data do you expect to receive from the web?

    50 Tuesday, 8 November 2011

59. what data CAN be submitted from the web 51 Tuesday,

    8 November 2011

60. what is the data-binding behaviour of the Frameworks used (case

    point MVC Frameworks) 52 Tuesday, 8 November 2011

61. Where is my Data Validation layer 53 Tuesday, 8 November

    2011

62. Who and what connects to the databases/assets 54 Tuesday, 8

    November 2011

63. Where are my assets? 55 Tuesday, 8 November 2011

64. Where is the Credit Card data? 56 Tuesday, 8 November

    2011

65. What are the connections between the managed layers (C# &

    Java) and unmanaged layers (C/C++)? 57 Tuesday, 8 November 2011

66. What happens at the Javascript layer? 58 Tuesday, 8 November

    2011

67. (easier question) What is the real CALL FLOW of a

    request (from the web to the backend and back to the web) 59 Tuesday, 8 November 2011

68. (harder question) What is the real TAINT FLOW of a

    request (from the web to the backend and back to the web) 60 Tuesday, 8 November 2011

69. (much harder question) What is the real TAINT (with CONTROL)

    FLOW of a request (from the web to the backend and back to the web) 61 Tuesday, 8 November 2011

70. Bottom line: (*unless we have been attacked before) 62 Tuesday,

    8 November 2011

71. If it compiles Ship it! (I see this behaviour at

    a lot of dev shops) 63 Tuesday, 8 November 2011

72. Bottom line: (*If we have been attacked before) 64 Tuesday,

    8 November 2011

73. If it compiles (and passes the ‘security tools’) Send it

    to the ‘Security Team’ (who now have funds to hire their own staff) 65 Tuesday, 8 November 2011

74. Dealing with Security Tuesday, 8 November 2011

75. I care about my users 67 Tuesday, 8 November 2011

76. And exploitation of security vulnerabilities affects them 68 Tuesday, 8

    November 2011

77. So by-proxy I care about security 69 Tuesday, 8 November

    2011

78. But the current workflow between developers and security teams is....

    70 Tuesday, 8 November 2011

79. F****d 71 Tuesday, 8 November 2011

80. or more politically correct 72 Tuesday, 8 November 2011

81. Highly inefficient 73 Tuesday, 8 November 2011

82. and that is on companies WITH internal security teams &

    awareness 74 Tuesday, 8 November 2011

83. It is even worse for the rest 75 Tuesday, 8

    November 2011

84. We need a new paradigm 76 Tuesday, 8 November 2011

85. One where ‘application security’ ADDs value to the Business 77

    Tuesday, 8 November 2011

86. One where ‘Application Security’ practices are deeply embedded into the

    SDL 78 Tuesday, 8 November 2011

87. One where ‘Application Security’ practices are invisible/transparent to 99% of

    the parties involved (the 1% are the ones directly involved in security, such as security teams, devs,architects, CISO, etc...) 79 Tuesday, 8 November 2011

88. but before we get to the solution, lets set the

    stage.... 80 Tuesday, 8 November 2011

89. As a developer , this is What I don’t want

    Tuesday, 8 November 2011

90. receive a PDF (or portal) with security findings 82 I

    don't want to: Tuesday, 8 November 2011

91. receive a tool result with partial (or zero) context about

    my app 83 I don't want to: Tuesday, 8 November 2011

92. spent time sorting out the False positives created by tools

    84 I don't want to: Tuesday, 8 November 2011

93. have tons of bugs filled into my bug tracking system

    85 I don't want to: Tuesday, 8 November 2011

94. receive non-automated findings (that will force me to spend time

    replicating the issue) 86 I don't want to: Tuesday, 8 November 2011

95. receive no information on the impact of the ‘proposed fix’

    the ‘blast ratio’ of a fix i.e. how much s*** will break 87 I don't want to: Tuesday, 8 November 2011

96. be ‘lectured’ by a ‘security expert’ that doesn’t understand my

    application 88 I don't want to: Tuesday, 8 November 2011

97. I don’t want to be told to ‘go to school’

    usually framed as “we need to give ‘security education’ to developers” 89 I don't want to: Tuesday, 8 November 2011

98. Got that? 90 Tuesday, 8 November 2011

99. I don’t think that (even if they tried) ‘security consultants’

    couldn’t OFEND more the developers than they do today 91 Tuesday, 8 November 2011

100. What I want Tuesday, 8 November 2011

101. I want to know the implications of the multiple APIs

     & frameworks used 93 Tuesday, 8 November 2011

102. Ideally I should be able to use those APIs is

     the most efficient way 94 Tuesday, 8 November 2011

103. I want to know when I use those APIs and

     Frameworks incorrectly 95 Tuesday, 8 November 2011

104. I want to understand my Application! 96 Tuesday, 8 November

     2011

105. Can YOU do that? 97 Tuesday, 8 November 2011

106. Can you help me to understand my Application? 98 Tuesday,

     8 November 2011

107. because, as a developer 99 Tuesday, 8 November 2011

108. if you can help me to understand my Application ...

     100 Tuesday, 8 November 2011

109. ... you add value to my world.... 101 Tuesday, 8

     November 2011

110. if you don’t help me to understand how my Application

     works 102 Tuesday, 8 November 2011

111. you are a TAX that I have to Pay or

     an INSURANCE that I have to Pay 103 Tuesday, 8 November 2011

112. Did you noticed the lack of ‘security’ in the last

     slides? :) 104 Tuesday, 8 November 2011

113. let’s try this again 105 Tuesday, 8 November 2011

114. What I want from a security point of view (in

     red) Tuesday, 8 November 2011

115. I want to know the Security implications of the multiple

     APIs & frameworks used 107 Tuesday, 8 November 2011

116. Ideally i should only be able to use those APIs

     in a SECURE way 108 Tuesday, 8 November 2011

117. I want to know when I use those APIs and

     Frameworks insecurely 109 Tuesday, 8 November 2011

118. I want to understand the security risk profile of my

     Application! 110 Tuesday, 8 November 2011

119. Making Security Invisible by becoming the developer’s best friend Tuesday,

     8 November 2011

120. So how was I able to do what I wanted

     (from both a security and developer point of view) 112 Tuesday, 8 November 2011

121. using the OWASP O2 Platform 113 Tuesday, 8 November 2011

122. DEMO TIME..... 114 Tuesday, 8 November 2011

123. Any questions? Tuesday, 8 November 2011

124. Thanks 116 Tuesday, 8 November 2011