
Don’t Be That Guy! Developer Security Awareness

Markus Eisele
December 04, 2013


Transcript

  1. Don’t Be That Guy! Developer Security Awareness

  2. http://blog.eisele.net/ @myfear http://myfear.com/+ markus@eisele.net
     M.Eisele - @myfear - http://blog.eisele.net © msg Applied Technology Research, December 2013

  3. NOT HOW

  4. (image slide, no text)

  5. BUT WHY

  6. Programming Motherf****r! http://programming-motherfucker.com/

  7. (image slide, no text)

  8. NOT EVERY PROGRAMMER IS A SECURITY ENGINEER.

  9. http://datalossdb.org/statistics # of incidents worldwide >700%

  10. AND EVEN WORSE

  11. SECURITY IS NOT ONLY ABOUT PROGRAMMING

  12. Approach: Security attacks (1, 2, 3) http://www.flickr.com/photos/trois-tetes/417709804/sizes/o/

  13. EXCERPT: attacks … …

  14. 1 2 3 EXAMPLE

  15. 1 2 3 EXAMPLE 3 3

  16. 1 2 3 EXAMPLE

  17. ENDLESS COMBINATIONS

  18. THE LIMIT IS THE CREATIVITY OF THE BAD GUYS

  19. WHERE To Start? www.defendparis.fr

  20. WHAT Do WE HAVE?

  21. ARCHITECTURE

  22. ARCHITECTURE (1, 2, 3): Design, Theory, Standards, Documents, Processes, Frameworks, Examples, Software, Standards, processes

  23. http://www.flickr.com/photos/zokuga/6838590065/sizes/l/

  24. WAIT

  25. application (1, 2, 3): Specification, CODE, Design, Software

  26. (image slide, no text)

  27. WAIT

  28. (image slide, no text)

  29. Burns Down TO THREE AREAS

  30. PEOPLE PROCESS TECH

  31. “If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.” — Bruce Schneier

  32. A chain is only as strong as its weakest link

  33. PEOPLE PROCESS TECH

  34. How to secure PEOPLE?

  35. Stakeholder

  36. DEVELOPERS build awareness. Might offer trainings.

  37. How to secure Processes?

  38. Methodologies

  39. Standards

  40. DEVELOPERS Need time For security. Processes give it.

  41. Example: www.microsoft.com/security/sdl/

  42. HOW to Secure Software?

  43. Infrastructure, Software, Application Landscape, Enterprise Services, Business, IT-Security-Architecture, Crosscutting … in other words:

  44. Million ways to Do it wrong on any Level.

  45. Infrastructure, Software, Application Landscape, Enterprise Services, Business, IT-Security-Architecture. Right FOCUS for Developers: Requirements, Use Security Features, Secure Implementation

  46. Examples

  47. infrastructure

  48. Software

  49. And there is a lot More!

  50. (image slide, no text)

  51. • Secure Coding Guidelines for the Java Programming Language, Version 4.0 http://www.oracle.com/technetwork/java/seccodeguide-139067.html
      • The CERT Oracle Secure Coding Standard for Java https://www.securecoding.cert.org/confluence/display/java/The+CERT+Oracle+Secure+Coding+Standard+for+Java
      • Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs http://www.informit.com/store/java-coding-guidelines-75-recommendations-for-reliable-9780133439519
      • OWASP Developer Guide 2013 https://www.owasp.org/index.php/Category:OWASP_Guide_Project

  52. • OWASP Appsec Tutorial Series https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series
      • Apache Shiro http://www.infoq.com/articles/apache-shiro
      • Java Cryptography Architecture (JCA) Reference Guide http://docs.oracle.com/javase/7/docs/technotes/guides/security/crypto/CryptoSpec.html
      • Java Authentication and Authorization Service (JAAS) Reference Guide http://docs.oracle.com/javase/7/docs/technotes/guides/security/jaas/JAASRefGuide.html
      • Java EE 6 Security in Practice with GlassFish http://www.slideshare.net/myfear/security-in-practice-with-java-ee-6-and-glassfish

  53. SECURITY IS ABOUT Knowledge.

  54. “It ain’t what you don’t know that gets you into trouble. It’s what you know for sure that just ain’t so.” — Mark Twain http://www.nativeintelligence.com/ni-free/itsec-quips-03.asp

  55. SECURITY Motherf****r!

  56. @myfear blog.eisele.net