Builders Vs. Breakers - Head to Head - Defcon SkyTalks 2012

Transcript

1. Builder vs. Breaker Head to Head

2. First, Thank You! •@bluknight •@banasidhe •…and everyone else who makes

   Skytalks possible!!!

3. Who the hell are we? • @claudijd • @mkonda 3

4. Head to Head •Introduce a topic •2 audience members debate

   •Commentary •Audience Votes •Win Beer!!! •Rinse/Repeat

5. Builder Functional Quality Dates Features

6. Breaker I can break into anything! High Risk Vulnerabilities Access

   to Data and Impact

7. Quick Poll: Builder or Breaker?

8. Let’s get in the mood

9. None

10. Breaker “….developers will never learn, never improve because they are

    repeating the same mistakes over and over again” – Breaker on Twitter

11. Builder “…only good at ranting. Zero contribs, and almost zero

    constructive feedbacks but bashing” – Developer reply

12. Well, that was productive So... what got fixed? Where’s the

    patch? Shit’s still broken.

13. Rails and GitHub

14. 14

15. 15 A default in Rails that makes programming faster and

    easier manifests in a concrete security issue for github. So called “Mass Assignment” allows a hash of input to be dynamically set onto a model object unless a restriction is set.

16. “Hackers love Mass Assignment” RailsCast 26 5/2/2007 Rails Issue 3453

    Rails Issue 4062 Rails Issue 3157 Rails Issue 3952 Github Rails Fun 3/2-3/4 2012 2008 2009 2010 2011 2012

17. 17 Who’s fault is this? Who should fix it?

18. 18 Who’s fault is this? Who should fix it?

19. 19 Who’s fault is this? Who should fix it?

20. 20 Who’s fault is this? Who should fix it?

21. None

22. The Cloud makes me more secure

23. OWASP is working

24. If  you  are  a  developer  and  don’t  know  who  OWASP

    is  at  this  point,  it’s  because  you’ve  chosen  not  to. – Breaker

25. A pen-test validates that my app is secure!

26. Breaches are cheaper than secure code

27. 27

28. Should  buyers  explicitly  ask  for security?

29. I am Rugged

30. 30

31. You can’t teach security to developers

32. None

33. Breakers don’t understand development

34. Builder Rampage

35. “it was also coded under major time crunch” “just bear

    in mind it’s essentially a POC not real production-caliber tool” “<braces for impact>” “Am I getting pre-emptively defensive?”

36. Code Review Results • Not standard ruby • Naming conventions

    (case and _ / camel) • File layout • Not abstracted • Input / Options parsing could be shared • Unnecessary imports • Config options externalized / overridden • Rake for gem • Tests • Bundler • Lots of even more nitpicky stuff • Let’s talk about OO

37. Anything weird here?

38. So what do you do?

39. How far do I have to go?

40. 40 “I’m releasing a new vuln today AND I’m including

    a patch” “Look at you making me more responsible, this sucks!!!” “Funny thing was, I found more vulns fixing (building) than breaking”
41. None

42. We don’t really feel this way… •Take a hard stance

    on both sides in an attempt to elicit your participation •Get everyone to come to the same conclusion that the current model is broken • Generate conversation on how we can make it better

43. Breaker Builder

44. Breaker Builder Increase overlap

45. Insecure Direct Object Reference

46. Security Awareness Training is Useless

47. Agile Hurts Security

48. WhiteHat says we don’t know what appsec best practices are.

49. Again, Thank You! •@bluknight •@banasidhe •…and everyone else who makes

    Skytalks possible!!!