Builders Vs. Breakers - Gameshow Edition - BSidesChicago 2011

Transcript

1. Builder  vs.  Breaker Gameshow  Edi4on

2. GameShow  Edi4on • Debate  a  ques4on  –  a  few  minutes

    each • 1-­‐2  Audience  members  provides  input • Audience  Votes • Loser  Drinks • Repeat • Live  tweet  your  ques4ons  to  @buildvsbreak

3. Builder • Functional Quality Dates Features

4. Breaker • I’m a badass, of course I’ll own it

   High Risk Vulnerabilities Speed and Coverage

5. Quick  Poll:  Builder  or  Breaker?

6. So,  where’s  the  conflict? Builder Breaker Communica4on? Dev Lead VP

    Eng CISO IT  Audit CIO Accountability

7. Builder Breaker Dev Lead VP  Eng CISO IT  Audit CIO

   Cost  Center Profit  Center
8. None

9. Builder “Problem.  Infosec  pros,  pentesters  etc.  are  more interested  in

    #appsec  than  programmers.  How  to change  that?  <  will  not  change” –  Builder’s  Tweet

10. Builder “Agile:  Most  security  guys  are  useless” –  Builder’s  Tweet

11. Breaker “If  you  are  a  developer  and  don’t  know  who

     OWASP  is at  this  point,  it’s  because  you’ve  chosen  not  to.” –  Breaker’s  Tweet

12. Breaker “…  the  developer  who  did  this  should  be  taken

     out  into the  street  and  beaten  …” –  Breaker  at  Thotcon
13. None

14. Is  WAF  good  or  bad?

15. Should  buyers  explicitly  ask  for  security?

16. Can  you  teach  security  to  developers?

17. Hypothe4cal  System • Time  +  Expense  System  in  RoR •

    Bug  exists  where  a  user  can  approve  their  own expenses  exposed  via  res`ul  call  but  not  in  UI • Business  opportunity  to  make  the  system mul4-­‐tenant  and  sell  to  mul4ple  customers

18. Pick  the  best  one: •Scanning •Pen  tes4ng •WAF •Code  Review

    •Training •Sta4c  Analysis

19. Feature or Security Fix?

20. [insert silver bullet image here]

21. The  Fixer

22. Does  “The  Fixer”  solve  the  problem?

23. Security  in  the  SDLC Blah Blah Blah Blah Blah Security

     Guru

24. Does  security  &  agile  work?

25. However, This  isn't  what  we  actually  think…

26. Real  Goals • Take  hard  stance  on  both  sides  in

     an  adempt to  elicit  audience  par4cipa4on • Get  everyone  to  come  to  the  conclusion  that the  current  model  is  broken • Generate  conversa4on  on  how  we  can  make  it beder

27. What  are  we  doing? • Cross  between  The  Fixer  and

     MS  SDL • Talking  with  broader  group  of  developers • Cost  /  Value  models (Results  TBD)

28. Share  your  story (yes,  audience  par4cipa4on)

29. None