
Security from Inception


From Chicago Coder Conference 2015, a talk about building security controls into an Agile project.

Matt Konda

May 14, 2015



  1. Introduction

     Timeline: 1997, 2006, 2014
     Roles: Consultant, Engineer, Software Architect, Director of Engineering, Rabble Rouser
     Stack: Perl, Java Applet, C++, J2EE, J2EE Spring, Ruby, Rails
     Projects: Analytics, Certificate Authority, Vulnerability Scanner, Penetration Test Manager, Pricing
     Domains: Retail Banking, Manufacturing, Pharma, Healthcare, Research
     Talks: Chicago BSides 2011, 2012; Defcon Skytalk; OWASP Chicago, MSP 2013; AppSec USA 2012, 2013; ChicagoRuby 2013; Secure 360; Lone Star Ruby 2013; WindyCityRails 2013; Chicago JUG 2014; RailsConf 2014; Converge 2014
     MS in CS; Founder; Consultant; Agile; Clojure; Graph Database
     Services: Training, Coaching, Code Review, Plugged in to SDLC, Consulting, Assessments
     "Trying to hack a business model that succeeds while helping developers."
  2. Feature: Person is restricted from accessing a project they do not own

       Scenario: Person accesses a project that is not theirs
         Given a new project created by a user
         When a different person attempts to access the project
         Then the system should prevent access
  3. Step definitions (Ruby; Cucumber steps using the Capybara DSL. register_as_user, new_project and logout are helpers from the deck's own test suite and are not shown):

     require 'securerandom'

     # Given: register a fresh user (unique per run) and create a project,
     # remembering its URL so the second user can browse straight to it.
     Given(/^a new project created by a user$/) do
       uuid = SecureRandom.uuid
       @user1 = "fb_user_1_#{uuid}@jemurai.com"
       register_as_user(@user1, "password")
       new_project("Insecure Direct Object Reference #{uuid}", "Forceful Browsing Desc")
       @url = current_url
     end

     # When: log the owner out and register a second, unrelated user.
     When(/^a different person attempts to access the project$/) do
       logout(@user1)
       uuid = SecureRandom.uuid
       @user2 = "fb_user_2_#{uuid}@jemurai.com"
       register_as_user(@user2, "password")
     end

     # Then: visit the first user's project URL as the second user; the
     # project description must not be rendered.
     Then(/^the system should prevent access$/) do
       visit @url
       expect(page).not_to have_content "Forceful Browsing Desc"
     end
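The Cucumber scenario above only says what must happen; it does not show what in the application decides it. The following is an added example, not code from the deck: an in-memory stand-in for the app (ProjectStore and its method names are assumptions) with the vulnerable unscoped lookup beside the owner-scoped one, and a function that replays the deck's Given/When/Then against each and reports whether access was prevented.

```ruby
require 'securerandom'

# Added example, not code from the deck. An in-memory stand-in for the app the
# scenario drives: project ids are sequential integers, so a second user can
# "forcefully browse" to /projects/1 and the only thing that decides the outcome
# is how the controller looks the record up. ProjectStore and its method names
# are assumptions for this illustration.
Project = Struct.new(:id, :owner, :name, :description)

class ProjectStore
  def initialize
    @projects = {}
    @next_id = 1
  end

  def create(owner, name, description)
    project = Project.new(@next_id, owner, name, description)
    @projects[project.id] = project
    @next_id += 1
    project
  end

  # Vulnerable lookup (the Project.find(params[:id]) pattern): any signed-in
  # user who knows or guesses an id gets the record.
  def find_unscoped(id)
    @projects.fetch(id) { raise KeyError, "no project #{id}" }
  end

  # Hardened lookup (the current_user.projects.find(params[:id]) pattern):
  # a record that exists but belongs to someone else is treated as missing,
  # so the response also does not reveal that the id is valid.
  def find_for(user, id)
    project = @projects[id]
    raise KeyError, "no project #{id}" unless project && project.owner == user
    project
  end
end

# Replays the deck's Given/When/Then against one lookup strategy and returns
# true when the second user is prevented from reading the description.
def scenario_prevents_access?(lookup)
  store = ProjectStore.new
  uuid  = SecureRandom.uuid
  user1 = "fb_user_1_#{uuid}@jemurai.com"
  user2 = "fb_user_2_#{uuid}@jemurai.com"
  project = store.create(user1, "Insecure Direct Object Reference #{uuid}",
                         "Forceful Browsing Desc")
  begin
    leaked = lookup.call(store, user2, project.id)
    # Access was granted: the description leaks, which the Then step would catch.
    !leaked.description.include?("Forceful Browsing Desc")
  rescue KeyError
    true
  end
end

UNSCOPED_LOOKUP = ->(store, _user, id) { store.find_unscoped(id) }
SCOPED_LOOKUP   = ->(store, user, id)  { store.find_for(user, id) }

if __FILE__ == $PROGRAM_NAME
  puts "unscoped lookup prevents access: #{scenario_prevents_access?(UNSCOPED_LOOKUP)}"
  puts "scoped lookup prevents access:   #{scenario_prevents_access?(SCOPED_LOOKUP)}"
end
```

The scoped lookup raises the same error for "does not exist" and "exists but is not yours", which is deliberate: returning a distinct 403 for the second case tells an attacker which ids are live.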
  4. Simplified steps

     • Injection: inject commands into fields and detect functions being called.
     • XSS: inject scripts into fields and detect that alerts are thrown.
     • Mass assignment: set raw form data and send it to see how the server responds.
     • CSRF: alter the CSRF token and send an otherwise valid request.
     • Headers: interact with the system and verify that security headers are being set.
     • Sensitive data: open the session cookie and inspect it.
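Four of the steps above (mass assignment, CSRF, headers, sensitive data in the session cookie) are mechanical enough to script. The following is an added example, not code from the deck: ToyApp is a stand-in for the application under test, built either weak or hardened so each check has something to catch, and the check functions follow the steps as listed. ToyApp, its header set, the permitted-field list and the cookie layout are all assumptions for this illustration.

```ruby
require 'json'
require 'base64'
require 'securerandom'

# Added example, not code from the deck. ToyApp is a stand-in for the
# application under test: a request is a Hash with :params and the app returns
# [status, headers, body] like a Rack app. It can be built weak or hardened so
# each check below has something to catch. All names here are assumptions.
class ToyApp
  SECURITY_HEADERS = {
    "X-Frame-Options"         => "DENY",
    "X-Content-Type-Options"  => "nosniff",
    "Content-Security-Policy" => "default-src 'self'",
  }.freeze
  PERMITTED = %w[name email].freeze

  attr_reader :csrf_token

  def initialize(hardened:)
    @hardened   = hardened
    @csrf_token = SecureRandom.hex(16)
  end

  # POST /users: builds a user record from form params and sets a session cookie.
  def call(req)
    params  = req[:params]
    headers = @hardened ? SECURITY_HEADERS.dup : {}
    if @hardened && params["authenticity_token"] != @csrf_token
      return [403, headers, "invalid authenticity token"]
    end
    # Weak: every posted field lands on the record (mass assignment).
    # Hardened: only the permitted fields are copied over.
    fields = @hardened ? params.slice(*PERMITTED) : params.reject { |k, _| k == "authenticity_token" }
    user   = { "name" => nil, "email" => nil, "admin" => false }.merge(fields)
    headers["Set-Cookie"] = "session=#{session_cookie(user)}"
    [200, headers, user.to_json]
  end

  private

  # Weak: the whole user record, password hash included, base64 in the cookie.
  # Hardened: an opaque session id; the data stays server-side.
  def session_cookie(user)
    payload = if @hardened
                { "sid" => SecureRandom.hex(8) }
              else
                # "constructed-hash-value" is a placeholder, not a real hash.
                { "email" => user["email"], "password_hash" => "constructed-hash-value",
                  "admin" => user["admin"] }
              end
    Base64.strict_encode64(payload.to_json)
  end
end

# Headers: which expected security headers did the response lack?
def missing_security_headers(headers)
  ToyApp::SECURITY_HEADERS.keys - headers.keys
end

# CSRF: shift every hex digit of the real token so it can never match, then
# send an otherwise valid request; a correct app refuses it.
def csrf_rejected?(app)
  bad = app.csrf_token.tr("0-9a-f", "1-9a-f0")
  status, = app.call({ params: { "name" => "eve", "email" => "eve@example.com",
                                 "authenticity_token" => bad } })
  status == 403
end

# Sensitive data: open the session cookie and report any sensitive keys inside.
def sensitive_keys_in_session(headers)
  cookie  = headers.fetch("Set-Cookie").sub(/\Asession=/, "")
  payload = JSON.parse(Base64.strict_decode64(cookie))
  payload.keys & %w[password password_hash email]
end

# Runs the header, CSRF, mass-assignment and session checks against one app.
def run_checks(app)
  # Mass assignment: raw form data carrying an extra admin=true field.
  raw = { "name" => "eve", "email" => "eve@example.com", "admin" => true,
          "authenticity_token" => app.csrf_token }
  _status, headers, body = app.call({ params: raw })
  {
    missing_headers:          missing_security_headers(headers),
    csrf_rejected:            csrf_rejected?(app),
    mass_assignment_elevates: JSON.parse(body)["admin"] == true,
    sensitive_in_session:     sensitive_keys_in_session(headers),
  }
end

if __FILE__ == $PROGRAM_NAME
  puts "weak:     #{run_checks(ToyApp.new(hardened: false))}"
  puts "hardened: #{run_checks(ToyApp.new(hardened: true))}"
end
```

Against a real app the same four functions would be driven through HTTP (the deck's Capybara helpers or a plain client) rather than ToyApp#call, but the assertions stay the same: no missing headers, a 403 for the altered token, admin still false after the raw post, and nothing sensitive inside the cookie.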

  5. Rugged Security: ruggeddev.org, @ruggeddev
  6. Summary

     • Villain persona from inception
     • Baseline security requirements up front
     • Story review for security: acceptance criteria
     • Security requirements included in stories pre-estimation
     • Incremental code review
     • Share tools: planning, collaboration, build
     • Testing
     • Participate in standup
     • Operational and monitoring guide
     • Facilitate: ask questions, stay involved
  7. Resources

     • OWASP Top 10
     • OWASP ZAP
     • OWASP Dependency Check
     • OWASP WebGoat