Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Builders Vs. Breakers - Head to Head - BSidesCh...

Matt Konda
April 28, 2012
Programming
0
190

Builders Vs. Breakers - Head to Head - BSidesChicago 2012

In this Builders vs. Breakers talk, Jon Claudius and Matt Konda go toe to toe talking about developer and security concerns. The talk was moderated by Dan Schleiffer and given at BSides Chicago in 2012. This was the first talk where the Builder roasted a Breaker by doing some code review.

Matt Konda

April 28, 2012
Tweet

More Decks by Matt Konda

See All by Matt Konda
Glue Intro
mkonda
0
130
Automate All of the Things
mkonda
0
190
Building Rugged Software in a DevOps World
mkonda
0
100
What is Rugged all about?
mkonda
1
82
Real World Security Testing
mkonda
1
100
Security Automation Pipeline
mkonda
1
190
Security Automation Workshop
mkonda
0
56
Rationalizing Security
mkonda
0
60
Application Security Landscape
mkonda
0
91

Other Decks in Programming

See All in Programming
カンファレンスの「アレ」Webでなんとかしませんか? / Conference “thing” Why don't you do something about it on the Web?
dero1to
1
120
Figma Dev Modeで変わる!Flutterの開発体験
watanave
0
160
Quine, Polyglot, 良いコード
qnighy
4
650
Hotwire or React? ~アフタートーク・本編に含めなかった話~ / Hotwire or React? after talk
harunatsujita
1
120
[Do iOS '24] Ship your app on a Friday...and enjoy your weekend!
polpielladev
0
120
ふかぼれ!CSSセレクターモジュール / Fukabore! CSS Selectors Module
petamoriken
0
150
Functional Event Sourcing using Sekiban
tomohisa
0
110
cmp.Or に感動した
otakakot
3
260
ECS Service Connectのこれまでのアップデートと今後のRoadmapを見てみる
tkikuc
2
260
Missing parts when designing and implementing Android UI
ericksli
0
220
シェーダーで魅せるMapLibreの動的ラスタータイル
satoshi7190
1
480
Flutterを言い訳にしない!アプリの使い心地改善テクニック5選🔥
kno3a87
1
210

Featured

See All Featured
A better future with KSS
kneath
238
17k
Agile that works and the tools we love
rasmusluckow
327
21k
10 Git Anti Patterns You Should be Aware of
lemiorhan
655
59k
Making Projects Easy
brettharned
115
5.9k
Into the Great Unknown - MozCon
thekraken
32
1.5k
Building Flexible Design Systems
yeseniaperezcruz
327
38k
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
Visualization
eitanlees
145
15k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
26
1.4k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
47
2.1k
Done Done
chrislema
181
16k

Transcript

  1. Builder vs. Breaker Head to Head

  2. Head to Head •Introduce a topic •2 audience members debate

    •Commentary •Audience Votes •Win Beer!!! •Repeat

  3. Builder Functional Quality Dates Features

  4. Breaker I’m a badass, of course I’ll own it High

    Risk Vulnerabilities Speed and Coverage

  5. Quick Poll: Builder or Breaker?

  6. Let’s get in the mood

  7. Breaker “The PHP developers will never learn, never improve because

    they are repeating the same mistakes over and over again” – Breaker on Twitter

  8. Builder “… only good at ranting. Zero contribs, and almost

    zero constructive feedbacks but bashing” – Developer reply

  9. Well, that was productive So... what got fixed? Where’s the

    patch? Shit’s still broken.

  10. Rails and GitHub

  11. 11

  12. 12 A default in Rails that makes programming faster and

    easier manifests in a concrete security issue for github. So called “Mass Assignment” allows a hash of input to be dynamically set onto a model object unless a restriction is set.

  13. “Hackers love Mass Assignment” RailsCast 26 5/2/2007 Rails Issue 3453

    Rails Issue 4062 Rails Issue 3157 Rails Issue 3952 Github Rails Fun 3/2-3/4 2012 2008 2009 2010 2011 2012

  14. 14 Who’s fault is this? Who should fix it?

  15. 15 Who’s fault is this? Who should fix it?

  16. 16 Who’s fault is this? Who should fix it?

  17. None

  18. OWASP is working

  19. A pen-test validates that my app is secure!

  20. The Cloud makes me more secure

  21. I trust 3rd party libraries libraries to be secure

  22. 22 From Aspect Security Research

  23. 23

  24. Breaches are cheaper than secure code

  25. 25

  26. Builder Rampage

  27. “it was also coded under major time crunch” “just bear

    in mind it’s essentially a POC not real production-caliber tool” “<braces for impact>” “Am I getting pre-emptively defensive?”

  28. Code Review Results • Not standard ruby • Naming conventions

    (case and _ / camel) • File layout • Not abstracted • Input / Options parsing could be shared • Unnecessary imports • Config options externalized / overridden • Rake for gem • Tests • Bundler • Lots of even more nitpicky stuff • Let’s talk about OO

  29. Anything weird here?

  30. How far do I have to go?

  31. So what do you do?

  32. 32 “I’m releasing a new vuln today AND I’m including

    a patch” “Look at you making me more responsible, this sucks!!!” “Funny thing was, I found more vulns fixing (building) than breaking”
  33. None

  34. Breaker Builder

  35. Breaker Builder Increase overlap