
The anarchist's guide to application security


Presented by Laura Bell (SafeStack) at Etsy Code as Craft, New York

Laura Bell

July 20, 2015

Transcript

  1. Laura Bell, Founder and Lead Consultant, SafeStack. @lady_nerd, [email protected], http://safestack.io. The anarchist's guide to application security.
  2. Doing this securely is… Hard. Expensive. Not MVP. Someone else's problem. Boring. Pointless.
  3. QQ
  4. In this talk: The Rules (lies we tell ourselves when avoiding security). The Realities (the reality of application security from tiny startups to giant corporations). The Recommendations (moving from rational avoidance to getting stuff done).
  5. Follow industry best practice. You need to have a special <insert item> to do security. Excellent developers naturally produce secure applications. If you have never been hacked, it will never happen. Our framework doesn't have these issues.
  6. Reality: 93% of organizations use poor quality, shared passwords and do not change them when people leave.
  7. Reality: We are linguistically lazy when it comes to security, e.g. we use the abbreviation AUTH to mean both Authentication and Authorization. These do not mean the same thing.
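Slide 7's point, authentication ("who is this?") versus authorization ("may they do this?"), is easier to keep straight when the two are separate functions with separate failure types. The following is an added illustration, not code from the talk or from SafeStack; the users, passwords, roles and permission table are constructed for the demonstration, and `handle_request` is a hypothetical request handler.

```python
"""
Added example (not from the deck): authentication and authorization kept as two
distinct gates so that "AUTH" can never silently mean only one of them.
All users, credentials, roles and permissions below are constructed fixtures.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """An authenticated identity plus the roles it carries."""
    user: str
    roles: frozenset


class AuthenticationError(Exception):
    """Caller could not prove who they are (HTTP 401 territory)."""


class AuthorizationError(Exception):
    """Caller is known, but may not perform this action (HTTP 403 territory)."""


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept modest for a runnable demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed credential store: username -> (salt, password hash).
_SALT_ALICE = b"salt-alice-constructed"
_SALT_BOB = b"salt-bob-constructed"
USERS = {
    "alice": (_SALT_ALICE, _hash("correct horse battery", _SALT_ALICE)),
    "bob": (_SALT_BOB, _hash("tr0ub4dor&3", _SALT_BOB)),
}
ROLES = {"alice": frozenset({"admin"}), "bob": frozenset({"reader"})}

# Authorization table: role -> set of (action, resource_type) pairs it may perform.
PERMISSIONS = {
    "reader": {("read", "report")},
    "admin": {("read", "report"), ("delete", "report"), ("read", "user")},
}


def authenticate(username: str, password: str) -> Principal:
    """Authentication only: verify the credential, return the identity, or raise."""
    record = USERS.get(username)
    # Hash even for unknown users so a missing account costs the same time as a wrong password.
    salt, stored = record if record else (b"dummy-salt", b"\x00" * 32)
    candidate = _hash(password, salt)
    if record is None or not hmac.compare_digest(candidate, stored):
        raise AuthenticationError("bad username or password")
    return Principal(username, ROLES.get(username, frozenset()))


def authorize(principal: Principal, action: str, resource_type: str) -> bool:
    """Authorization only: decide whether an already-authenticated principal may act."""
    allowed = any((action, resource_type) in PERMISSIONS.get(r, set()) for r in principal.roles)
    if not allowed:
        raise AuthorizationError(f"{principal.user} may not {action} {resource_type}")
    return True


def handle_request(username: str, password: str, action: str, resource_type: str) -> str:
    """Hypothetical handler: both gates in order; returns 'ok', 'unauthenticated' or 'forbidden'."""
    try:
        who = authenticate(username, password)
    except AuthenticationError:
        return "unauthenticated"
    try:
        authorize(who, action, resource_type)
    except AuthorizationError:
        return "forbidden"
    return "ok"


if __name__ == "__main__":
    print(handle_request("bob", "tr0ub4dor&3", "read", "report"))      # ok
    print(handle_request("bob", "tr0ub4dor&3", "delete", "report"))    # forbidden
    print(handle_request("bob", "wrong password", "read", "report"))   # unauthenticated
```

The distinction shows up in the third case: bob's credential is valid (authentication passes) but his role does not permit the delete (authorization fails), and the handler reports those as different outcomes rather than one generic "auth failed".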
  8. FOLLOW INDUSTRY BEST PRACTICE. APPLICATION SECURITY CULTURE SMELL. 'Best practices' is a nonsense term that introduces intentional ambiguity. Over 80% of application development organizations fail at basic security practices such as password management, data protection and resilience. THE REALITY.
  9. YOU NEED TO HAVE A SPECIAL <INSERT ITEM> TO DO SECURITY. APPLICATION SECURITY CULTURE SMELL.
  10. code base development; Initial idea; Product launch; Maturity Initiatives; do security stuff.
  11. Reality: Many security border devices never make it out of 'learning' or 'monitoring' configurations.
  12. Reality: Many security checks, jobs or tests can be scripted or completed with regex Kung-Fu.
  13. YOU NEED TO HAVE A SPECIAL <INSERT ITEM> TO DO SECURITY. APPLICATION SECURITY CULTURE SMELL. We don't need special devices, certs or tricks to do application security. Trying, failing and learning will serve us much better. THE REALITY.
  14. EXCELLENT DEVELOPERS NATURALLY PRODUCE SECURE APPLICATIONS. APPLICATION SECURITY CULTURE SMELL. Development prowess and security knowledge are not implicitly related. Accepting we are vulnerable and that we don't know the answers is important. THE REALITY.
  15. IF YOU HAVE NEVER BEEN HACKED, IT WILL NEVER HAPPEN. APPLICATION SECURITY CULTURE SMELL.
  16. Reality: The best people to spot when something is strange in an app are those who built it.
  17. IF YOU HAVE NEVER BEEN HACKED, IT WILL NEVER HAPPEN. APPLICATION SECURITY CULTURE SMELL. Most organizations wouldn't know if they had been compromised, why they would be attacked or how to respond. THE REALITY.
  18. Reality: If you don't have legacy code to deal with, you are creating legacy code for your replacement.
  19. OUR FRAMEWORK DOESN'T HAVE THESE ISSUES. APPLICATION SECURITY CULTURE SMELL. We don't know what our apps are made of, and our ability to keep them updated reduces with time. THE REALITY.
  20. SORT OUT THE BASICS. NO EXCUSES: PASSWORD MANAGEMENT, BACKUPS, ROLES, PERMISSIONS, LANGUAGE, PROTECTING PRODUCTION DATA.
  21. UNDERSTAND YOUR RISKS. BUILD FOR SURVIVAL: INCIDENT RESPONSE, RESPONSIBLE DISCLOSURE, BACKUPS AND RECOVERY, VERSION CONTROL.
  22. TL;DR. The Rules (lies we tell ourselves when avoiding security). The Realities (the reality of application security from tiny startups to giant corporations). The Recommendations (moving from rational avoidance to getting stuff done).
  23. QQ