Slide 1

Slide 1 text

Don’t Be That Guy! Developer Security Awareness

Slide 2

Slide 2 text

http://blog.eisele.net/ @myfear http://myfear.com/+ [email protected] M.Eisele - @myfear - http://blog.eisele.net 2 © msg Applied Technology Research, December 2013

Slide 3

Slide 3 text

NOT HOW

Slide 4

Slide 4 text


Slide 5

Slide 5 text

BUT WHY

Slide 6

Slide 6 text

Programming Motherf****r! http://programming-motherfucker.com/

Slide 7

Slide 7 text


Slide 8

Slide 8 text

NOT EVERY PROGRAMMER IS A SECURITY ENGINEER.

Slide 9

Slide 9 text

# of incidents worldwide: >700% (source: http://datalossdb.org/statistics)

Slide 10

Slide 10 text

AND EVEN WORSE

Slide 11

Slide 11 text

SECURITY IS NOT ONLY ABOUT PROGRAMMING

Slide 12

Slide 12 text

Approach: Security attacks (diagram labels 1, 2, 3). Image: http://www.flickr.com/photos/trois-tetes/417709804/sizes/o/

Slide 13

Slide 13 text

EXCERPT: attacks … …

Slide 14

Slide 14 text

EXAMPLE (diagram labels 1, 2, 3)

Slide 15

Slide 15 text

EXAMPLE (diagram labels 1, 2, 3)

Slide 16

Slide 16 text

EXAMPLE (diagram labels 1, 2, 3)

Slide 17

Slide 17 text

ENDLESS COMBINATIONS

Slide 18

Slide 18 text

THE LIMIT IS THE CREATIVITY OF THE BAD GUYS

Slide 19

Slide 19 text

WHERE TO START? Image: www.defendparis.fr

Slide 20

Slide 20 text

WHAT DO WE HAVE?

Slide 21

Slide 21 text

ARCHITECTURE

Slide 22

Slide 22 text

ARCHITECTURE (diagram labels 1, 2, 3; boxes: Design, Theory, Standards, Documents, Processes, Frameworks, Examples, Software, Standards, processes)

Slide 23

Slide 23 text

Image: http://www.flickr.com/photos/zokuga/6838590065/sizes/l/

Slide 24

Slide 24 text

WAIT

Slide 25

Slide 25 text

application (diagram labels 1, 2, 3; boxes: Specification, CODE, Design, Software)

Slide 26

Slide 26 text


Slide 27

Slide 27 text

WAIT

Slide 28

Slide 28 text


Slide 29

Slide 29 text

BOILS DOWN TO THREE AREAS

Slide 30

Slide 30 text

PEOPLE, PROCESS, TECH

Slide 31

Slide 31 text

“If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.” — Bruce Schneier

Slide 32

Slide 32 text

A chain is only as strong as its weakest link

Slide 33

Slide 33 text

PEOPLE, PROCESS, TECH

Slide 34

Slide 34 text

How to secure PEOPLE?

Slide 35

Slide 35 text

Stakeholder

Slide 36

Slide 36 text

DEVELOPERS: Build awareness. Consider offering training.

Slide 37

Slide 37 text

How to secure PROCESSES?

Slide 38

Slide 38 text

Methodologies

Slide 39

Slide 39 text

Standards

Slide 40

Slide 40 text

DEVELOPERS need time for security. Processes give it to them.

Slide 41

Slide 41 text

Example: www.microsoft.com/security/sdl/

Slide 42

Slide 42 text

HOW to secure SOFTWARE?

Slide 43

Slide 43 text

IT-Security-Architecture (diagram of layers, bottom to top: Infrastructure, Software, Application Landscape, Enterprise Services, Business; plus Crosscutting concerns) … in other words:

Slide 44

Slide 44 text

A million ways to do it wrong, on any level.

Slide 45

Slide 45 text

IT-Security-Architecture (diagram of layers, bottom to top: Infrastructure, Software, Application Landscape, Enterprise Services, Business). Right FOCUS for Developers: Requirements; Use Security Features; Secure Implementation.

Slide 46

Slide 46 text

Examples

Slide 47

Slide 47 text

infrastructure

Slide 48

Slide 48 text

Software

Slide 49

Slide 49 text

And there is a lot more!

Slide 50

Slide 50 text


Slide 51

Slide 51 text

• Secure Coding Guidelines for the Java Programming Language, Version 4.0 http://www.oracle.com/technetwork/java/seccodeguide-139067.html
• The CERT Oracle Secure Coding Standard for Java https://www.securecoding.cert.org/confluence/display/java/The+CERT+Oracle+Secure+Coding+Standard+for+Java
• Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs http://www.informit.com/store/java-coding-guidelines-75-recommendations-for-reliable-9780133439519
• OWASP Developer Guide 2013 https://www.owasp.org/index.php/Category:OWASP_Guide_Project

Slide 52

Slide 52 text

• OWASP Appsec Tutorial Series https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series
• Apache Shiro http://www.infoq.com/articles/apache-shiro
• Java Cryptography Architecture (JCA) Reference Guide http://docs.oracle.com/javase/7/docs/technotes/guides/security/crypto/CryptoSpec.html
• Java Authentication and Authorization Service (JAAS) Reference Guide http://docs.oracle.com/javase/7/docs/technotes/guides/security/jaas/JAASRefGuide.html
• Java EE 6 Security in Practice with GlassFish http://www.slideshare.net/myfear/security-in-practice-with-java-ee-6-and-glassfish

Slide 53

Slide 53 text

SECURITY IS ABOUT KNOWLEDGE.

Slide 54

Slide 54 text

“It ain’t what you don’t know that gets you into trouble. It’s what you know for sure that just ain’t so.” — Mark Twain (via http://www.nativeintelligence.com/ni-free/itsec-quips-03.asp)

Slide 55

Slide 55 text

SECURITY Motherf****r!

Slide 56

Slide 56 text

@myfear blog.eisele.net