
Don’t Be That Guy! Developer Security Awareness

Markus Eisele

December 04, 2013


Transcript

  1. NOT HOW (M.Eisele - @myfear - http://blog.eisele.net, © msg Applied Technology Research, December 2013)
  2. BUT WHY
  3. NOT EVERY PROGRAMMER IS A SECURITY ENGINEER.
  4. http://datalossdb.org/statistics: # of incidents worldwide >700%
  5. AND EVEN WORSE
  6. SECURITY IS NOT ONLY ABOUT PROGRAMMING
  7. APPROACH: security attacks (1, 2, 3). Image: http://www.flickr.com/photos/trois-tetes/417709804/sizes/o/
  8. EXCERPT: attacks … …
  9. EXAMPLE (1, 2, 3)
  10. THE LIMIT IS THE CREATIVITY OF THE BAD GUYS
  11. WHERE TO START? www.defendparis.fr
  12. WHAT DO WE HAVE?
  13. ARCHITECTURE (1, 2, 3): Design, Theory, Standards, Documents, Processes, Frameworks, Examples, Software, Standards, processes
  14. Image: http://www.flickr.com/photos/zokuga/6838590065/sizes/l/
  15. APPLICATION (1, 2, 3): Specification, CODE, Design, Software
  16. BOILS DOWN TO THREE AREAS
  17. PEOPLE, PROCESS, TECH
  18. “If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.” — Bruce Schneier
  19. A chain is only as strong as its weakest link.
  20. PEOPLE, PROCESS, TECH
  21. How to secure PEOPLE?
  22. DEVELOPERS: build awareness. Maybe offer training.
  23. How to secure PROCESSES?
  24. DEVELOPERS need time for security. Processes give it.
  25. Example: www.microsoft.com/security/sdl/
  26. HOW to secure SOFTWARE?
  27. Layers: Infrastructure, Software, Application Landscape, Enterprise Services, Business; IT Security Architecture is cross-cutting … in other words:
  28. Million ways to do it wrong on any level.
  29. Same layers (Infrastructure, Software, Application Landscape, Enterprise Services, Business, IT Security Architecture). The right FOCUS for developers: Requirements, Use Security Features, Secure Implementation
  30. And there is a lot more!
  31. • Secure Coding Guidelines for the Java Programming Language, Version 4.0 http://www.oracle.com/technetwork/java/seccodeguide-139067.html
      • The CERT Oracle Secure Coding Standard for Java https://www.securecoding.cert.org/confluence/display/java/The+CERT+Oracle+Secure+Coding+Standard+for+Java
      • Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs http://www.informit.com/store/java-coding-guidelines-75-recommendations-for-reliable-9780133439519
      • OWASP Developer Guide 2013 https://www.owasp.org/index.php/Category:OWASP_Guide_Project
  32. • OWASP Appsec Tutorial Series https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series
      • Apache Shiro http://www.infoq.com/articles/apache-shiro
      • Java Cryptography Architecture (JCA) Reference Guide http://docs.oracle.com/javase/7/docs/technotes/guides/security/crypto/CryptoSpec.html
      • Java Authentication and Authorization Service (JAAS) Reference Guide http://docs.oracle.com/javase/7/docs/technotes/guides/security/jaas/JAASRefGuide.html
      • Java EE 6 Security in Practice with GlassFish http://www.slideshare.net/myfear/security-in-practice-with-java-ee-6-and-glassfish
  33. SECURITY IS ABOUT KNOWLEDGE.
  34. “It ain’t what you don’t know that gets you into trouble. It’s what you know for sure that just ain’t so.” — Mark Twain (http://www.nativeintelligence.com/ni-free/itsec-quips-03.asp)