Slide 1

Top 10 Developer Security Misconceptions
alert('Chris Cornutt @ php|tek 2013');
Wednesday, May 15, 2013

Slide 2

Slide 3

Code Reviews?

Slide 4

Security Code Reviews?

Slide 5

“Make it Work” vs “Make it Secure”

Slide 6

“Make it Work Securely”

Slide 7

I Don’t Know Enough
Plenty of training resources (free/paid)
Conferences
Read, read and read some more...

Slide 8

Slide 9

It’s Too Hard
Start small (bits & pieces)
A scan is worth one thousand words
One exploit at a time

Slide 10

I Can Secure It Later
“Later” never comes
It’s too big later
Secure Development Life Cycle

Slide 11

Secure Development Lifecycle
Gathering requirements
System design
Implementation/development
Verification
Release of tested/verified product

Slide 12

Image copyright Microsoft, Inc

Slide 13

I Can Secure It Later
Plan security in from the start
Security is not bugfixing
“Later” never comes
It’s too big later
Secure Development Life Cycle

Slide 14

But My * Handles That For Me
Misplaced trust in 3rd-party tools
Investigation
Validated and popular
Security policy definition

Slide 15

Management Won’t Support It
Integrated with development
Share statistics on common vulnerabilities
Find your own exploits... with a patch
QA and development are both responsible

Slide 16

Slide 17

Why Would Someone Hack Us?
Too small
Unimportant
Attack platform
Shared passwords and account information
Low-hanging fruit

Slide 18

My Application’s Internal...
Internal threats are larger
No excuse for lax measures
Loose password/access policies
Development data sources with prod data
Trust.

Slide 19

We Use * So We’re Secure
Cryptography
Access control
Firewalls
Web Application Firewalls
Framework of choice

Slide 20

Security People Are Crazy
“Them”
“Developers don’t know about security”
QA vs Security Testing
Rules, rules, rules...
...and reasons
Integration, not segregation

Slide 21

It’s Not My Job
Worst. Excuse. Ever.
Network admin... Security is your job
Sysadmin... Security is your job
Developer... Security is your job
“Defense in Depth”

Slide 22

Architecture
Development
Testing
Environments
Processes & Policies
SECURITY

Slide 23

Questions?
Chris Cornutt
@enygma
@websecquickfix
http://websec.io
http://joind.in/8164
http://bit.ly/top10-devsec-tek13