Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Builders Vs. Breakers - Head to Head - BSidesChicago 2012

Matt Konda
April 28, 2012
Programming
0
180

Builders Vs. Breakers - Head to Head - BSidesChicago 2012

In this Builders vs. Breakers talk, Jon Claudius and Matt Konda go toe to toe talking about developer and security concerns. The talk was moderated by Dan Schleiffer and given at BSides Chicago in 2012. This was the first talk where the Builder roasted a Breaker by doing some code review.

Matt Konda

April 28, 2012
Tweet

More Decks by Matt Konda

See All by Matt Konda
Glue Intro
mkonda
0
110
Automate All of the Things
mkonda
0
180
Building Rugged Software in a DevOps World
mkonda
0
97
What is Rugged all about?
mkonda
1
81
Real World Security Testing
mkonda
1
95
Security Automation Pipeline
mkonda
1
190
Security Automation Workshop
mkonda
0
53
Rationalizing Security
mkonda
0
53
Application Security Landscape
mkonda
0
74

Other Decks in Programming

See All in Programming
GitHub Actionsで泣かないためにやっておきたい設定 / Recommended GHA settings to avoid crying
pinkumohikan
3
560
大規模UIKitベースアプリへのTCAの段階的導入/gradual-adoption-of-tca-in-a-large-scale-uikit-based-app
takehilo
2
200
障害対応を起点としたもっといい開発と運用のサイクル作りのためにできること / Hatena Enginner Seminar #29
polamjag
0
370
Anthropic Cookbook のおすすめレシピ
schroneko
7
1.1k
Milestoner
bkuhlmann
1
410
Kotlin Multiplatform at Stable and Beyond (Android Makers 2024)
zsmb
0
450
CA.swift19 恋するAIアプリ開発の裏側
oskmr
0
380
Try creating your own orderedmap
kazamori
1
170
VS Code をプロダクトにどう取り込むか
onomax
1
650
0→1と1→10の狭間で Javaという技術選定を振り返る/Reflecting on the Decision to Choose Java Between Scaling from 0 to 1 and 1 to 10
jaguar_imo
2
400
Next.js App Router
quramy
11
1.7k
Implementing Design Systems in Swift
seyfoyun
1
450

Featured

See All Featured
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
20
1.7k
Atom: Resistance is Futile
akmur
260
25k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
104
6.6k
Statistics for Hackers
jakevdp
790
220k
How to train your dragon (web standard)
notwaldorf
75
5.2k
4 Signs Your Business is Dying
shpigford
176
21k
Learning to Love Humans: Emotional Interface Design
aarron
267
39k
Large-scale JavaScript Application Architecture
addyosmani
504
110k
A Tale of Four Properties
chriscoyier
152
22k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
21
1.9k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
155
14k
A designer walks into a library…
pauljervisheath
201
23k

Transcript

  1. Builder vs. Breaker Head to Head

  2. Head to Head •Introduce a topic •2 audience members debate

    •Commentary •Audience Votes •Win Beer!!! •Repeat

  3. Builder Functional Quality Dates Features

  4. Breaker I’m a badass, of course I’ll own it High

    Risk Vulnerabilities Speed and Coverage

  5. Quick Poll: Builder or Breaker?

  6. Let’s get in the mood

  7. Breaker “The PHP developers will never learn, never improve because

    they are repeating the same mistakes over and over again” – Breaker on Twitter

  8. Builder “… only good at ranting. Zero contribs, and almost

    zero constructive feedbacks but bashing” – Developer reply

  9. Well, that was productive So... what got fixed? Where’s the

    patch? Shit’s still broken.

  10. Rails and GitHub

  11. 11

  12. 12 A default in Rails that makes programming faster and

    easier manifests in a concrete security issue for github. So called “Mass Assignment” allows a hash of input to be dynamically set onto a model object unless a restriction is set.

  13. “Hackers love Mass Assignment” RailsCast 26 5/2/2007 Rails Issue 3453

    Rails Issue 4062 Rails Issue 3157 Rails Issue 3952 Github Rails Fun 3/2-3/4 2012 2008 2009 2010 2011 2012

  14. 14 Who’s fault is this? Who should fix it?

  15. 15 Who’s fault is this? Who should fix it?

  16. 16 Who’s fault is this? Who should fix it?

  17. None

  18. OWASP is working

  19. A pen-test validates that my app is secure!

  20. The Cloud makes me more secure

  21. I trust 3rd party libraries libraries to be secure

  22. 22 From Aspect Security Research

  23. 23

  24. Breaches are cheaper than secure code

  25. 25

  26. Builder Rampage

  27. “it was also coded under major time crunch” “just bear

    in mind it’s essentially a POC not real production-caliber tool” “<braces for impact>” “Am I getting pre-emptively defensive?”

  28. Code Review Results • Not standard ruby • Naming conventions

    (case and _ / camel) • File layout • Not abstracted • Input / Options parsing could be shared • Unnecessary imports • Config options externalized / overridden • Rake for gem • Tests • Bundler • Lots of even more nitpicky stuff • Let’s talk about OO

  29. Anything weird here?

  30. How far do I have to go?

  31. So what do you do?

  32. 32 “I’m releasing a new vuln today AND I’m including

    a patch” “Look at you making me more responsible, this sucks!!!” “Funny thing was, I found more vulns fixing (building) than breaking”
  33. None

  34. Breaker Builder

  35. Breaker Builder Increase overlap