Don’t Be That Guy! Developer Security Awareness

http://blog.eisele.net/ @myfear http://myfear.com/+ [email protected] M.Eisele - @myfear - http://blog.eisele.net 2 © msg Applied Technology Research, December 2013

NOT HOW M.Eisele - @myfear - http://blog.eisele.net 3 © msg Applied Technology Research, December 2013

© msg Applied Technology Research, December 2013 M.Eisele - @myfear - http://blog.eisele.net 4

BUT WHY M.Eisele - @myfear - http://blog.eisele.net 5 © msg Applied Technology Research, December 2013

Programming Motherf****r! http://programming-motherfucker.com/ M.Eisele - @myfear - http://blog.eisele.net 6 © msg Applied Technology Research, December 2013

M.Eisele - @myfear - http://blog.eisele.net 7 © msg Applied Technology Research, December 2013

NOT EVERY PROGRAMMER IS A SECURITY ENGINEER. M.Eisele - @myfear - http://blog.eisele.net 8 © msg Applied Technology Research, December 2013

http://datalossdb.org/statistics # of incidents worldwide >700% M.Eisele - @myfear - http://blog.eisele.net 9 © msg Applied Technology Research, December 2013

AND EVEN WORSE M.Eisele - @myfear - http://blog.eisele.net 10 © msg Applied Technology Research, December 2013

SECURITY IS NOT ONLY ABOUT PROGRAMMING M.Eisele - @myfear - http://blog.eisele.net 11 © msg Applied Technology Research, December 2013

© msg Applied Technology Research, December 2013 M.Eisele - @myfear - http://blog.eisele.net 12 Approach Security attacks 1 2 3 http://www.flickr.com/photos/trois-tetes/417709804/sizes/o/

© msg Applied Technology Research, December 2013 M.Eisele - @myfear - http://blog.eisele.net 13 EXCERPT attacks … …

© msg Applied Technology Research, December 2013 M.Eisele - @myfear - http://blog.eisele.net 14 1 2 3 EXAMPLE

© msg Applied Technology Research, December 2013 M.Eisele - @myfear - http://blog.eisele.net 15 1 2 3 EXAMPLE 3 3

© msg Applied Technology Research, December 2013 M.Eisele - @myfear - http://blog.eisele.net 16 1 2 3 EXAMPLE

ENDLESS COMBINATIONS M.Eisele - @myfear - http://blog.eisele.net 17 © msg Applied Technology Research, December 2013

THE LIMIT IS THE CREATIVITY OF THE BAD GUYS M.Eisele - @myfear - http://blog.eisele.net 18 © msg Applied Technology Research, December 2013

WHERE To Start? M.Eisele - @myfear - http://blog.eisele.net 19 © msg Applied Technology Research, December 2013 www.defendparis.fr

WHAT Do WE HAVE? M.Eisele - @myfear - http://blog.eisele.net 20 © msg Applied Technology Research, December 2013

© msg Applied Technology Research, December 2013 M.Eisele - @myfear - http://blog.eisele.net 21 ARCHITECTURE

© msg Applied Technology Research, December 2013 M.Eisele - @myfear - http://blog.eisele.net 22 ARCHITECTURE 1 2 3 Design Theory Standards Documents Processes Frameworks Examples Software Standards processes

© msg Applied Technology Research, December 2013 M.Eisele - @myfear - http://blog.eisele.net 23 http://www.flickr.com/photos/zokuga/6838590065/sizes/l/

WAIT M.Eisele - @myfear - http://blog.eisele.net 24 © msg Applied Technology Research, December 2013

© msg Applied Technology Research, December 2013 M.Eisele - @myfear - http://blog.eisele.net 25 application 1 2 3 Specification CODE Design Software

© msg Applied Technology Research, December 2013 M.Eisele - @myfear - http://blog.eisele.net 26

WAIT M.Eisele - @myfear - http://blog.eisele.net 27 © msg Applied Technology Research, December 2013

© msg Applied Technology Research, December 2013 M.Eisele - @myfear - http://blog.eisele.net 28

Burns Down TO THREE AREAS M.Eisele - @myfear - http://blog.eisele.net 29 © msg Applied Technology Research, December 2013

PEOPLE PROCESS TECH M.Eisele - @myfear - http://blog.eisele.net 30 © msg Applied Technology Research, December 2013

“If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology. ” — Bruce Schneier M.Eisele - @myfear - http://blog.eisele.net 31 © msg Applied Technology Research, December 2013

A chain is only as strong as its weakest link M.Eisele - @myfear - http://blog.eisele.net 32 © msg Applied Technology Research, December 2013

PEOPLE PROCESS TECH M.Eisele - @myfear - http://blog.eisele.net 33 © msg Applied Technology Research, December 2013

How to secure PEOPLE? M.Eisele - @myfear - http://blog.eisele.net 34 © msg Applied Technology Research, December 2013

© msg Applied Technology Research, December 2013 M.Eisele - @myfear - http://blog.eisele.net 35 Stakeholder

DEVELOPERS build awareness. Might offer trainings. M.Eisele - @myfear - http://blog.eisele.net 36 © msg Applied Technology Research, December 2013

How to secure Processes? M.Eisele - @myfear - http://blog.eisele.net 37 © msg Applied Technology Research, December 2013

M.Eisele - @myfear - http://blog.eisele.net 38 © msg Applied Technology Research, December 2013 Methodologies

© msg Applied Technology Research, December 2013 M.Eisele - @myfear - http://blog.eisele.net 39 Standards

DEVELOPERS Need time For security. Processes give it. M.Eisele - @myfear - http://blog.eisele.net 40 © msg Applied Technology Research, December 2013

© msg Applied Technology Research, December 2013 M.Eisele - @myfear - http://blog.eisele.net 41 Example www.microsoft.com/security/sdl/‎

HOW to Secure Software? M.Eisele - @myfear - http://blog.eisele.net 42 © msg Applied Technology Research, December 2013

© msg Applied Technology Research, December 2013 M.Eisele - @myfear - http://blog.eisele.net 43 Infrastructure Software Application Landscape Enterprise- Services Business IT-Security-Architecture Crosscutting … in other words:

Million ways to Do it wrong on any Level. M.Eisele - @myfear - http://blog.eisele.net 44 © msg Applied Technology Research, December 2013

© msg Applied Technology Research, December 2013 M.Eisele - @myfear - http://blog.eisele.net 45 Infrastructure Software Application Landscape Enterprise- Services Business IT-Security-Architecture Right FOCUS Developers Requirements Use Security Features Secure Implementation

Examples M.Eisele - @myfear - http://blog.eisele.net 46 © msg Applied Technology Research, December 2013

© msg Applied Technology Research, December 2013 M.Eisele - @myfear - http://blog.eisele.net 47 infrastructure

© msg Applied Technology Research, December 2013 M.Eisele - @myfear - http://blog.eisele.net 48 Software

And there is a lot More! M.Eisele - @myfear - http://blog.eisele.net 49 © msg Applied Technology Research, December 2013

© msg Applied Technology Research, December 2013 M.Eisele - @myfear - http://blog.eisele.net 50

• Secure Coding Guidelines for the Java Programming Language, Version 4.0 http://www.oracle.com/technetwork/java/seccodeguide-139067.html • The CERT Oracle Secure Coding Standard for Java https://www.securecoding.cert.org/confluence/display/java/The+CERT+Oracle+Secure+Coding+Standard+for+Ja va • Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs http://www.informit.com/store/java-coding-guidelines-75-recommendations-for-reliable-9780133439519 • OWASP Developer Guide 2013 https://www.owasp.org/index.php/Category:OWASP_Guide_Project M.Eisele - @myfear - http://blog.eisele.net 51 © msg Applied Technology Research, December 2013

© msg Applied Technology Research, December 2013 M.Eisele - @myfear - http://blog.eisele.net 52 • OWASP Appsec Tutorial Series https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series • Apache Shiro http://www.infoq.com/articles/apache-shiro • Java Cryptography Architecture (JCA) Reference Guide http://docs.oracle.com/javase/7/docs/technotes/guides/security/crypto/CryptoSpec.html • Java Authentication and Authorization Service (JAAS) Reference Guide http://docs.oracle.com/javase/7/docs/technotes/guides/security/jaas/JAASRefGuide.html • Java EE 6 Security in Practice with GlassFish http://www.slideshare.net/myfear/security-in-practice-with-java-ee-6-and-glassfish

SECURITY IS ABOUT Knowledge. M.Eisele - @myfear - http://blog.eisele.net 53 © msg Applied Technology Research, December 2013

“it ain’t what you don’t know that gets you into trouble. it’s what you know for sure that just ain’t so.” — Mark Twain http://www.nativeintelligence.com/ni-free/itsec-quips-03.asp M.Eisele - @myfear - http://blog.eisele.net 54 © msg Applied Technology Research, December 2013

SECURITY Motherf****r! M.Eisele - @myfear - http://blog.eisele.net 55 © msg Applied Technology Research, December 2013

M.Eisele - @myfear - http://blog.eisele.net 56 @myfear blog.eisele.net © msg Applied Technology Research, December 2013