
Don’t Teach Developers Security



Presentation Transcript


  1. Don’t Teach Developers Security Caleb Sima caleb@armorize.com Armorize Technologies

  2. Who am I? • 1997-2000: Ex-ISSer from X-Force • 2000-2007: Founder and CTO of SPI Dynamics • 2007-2010: CTO of Application Security at HP • Current…: CEO of Armorize Technologies Old Man in Security Now…

  3. Yes I Know..

  4. Can you fix this Spike?... Can you? Can we do it quick? Can we Spike? Development Security

  5. Training is Important But.. • We focus on the wrong method (Top 10) • We focus on the wrong people (developers) • Security is a PIA. • Turnover sucks • Don’t rely on it

  6. 2010 OWASP Top 10 • Injection • Cross Site Scripting (XSS) • Broken Authentication and Session Management • Insecure Direct Object References • Cross Site Request Forgery (CSRF) • Security Misconfiguration • Insecure Cryptographic Storage • Failure to Restrict URL Access • Insufficient Transport Layer Protection • Unvalidated Redirects and Forwards

  7. Training is Important But.. • We focus on the wrong method (Top 10) • We focus on the wrong people (developers) • Security is a PIA. • Turnover sucks • Don’t rely on it

  8. What is wrong with this code?

  9. Training is Important But.. • We focus on the wrong method (Top 10) • We focus on the wrong people (developers) • Security is a PIA. • Turnover sucks • Don’t rely on it • Note on PCI

  10. Step 1 Start with a security assessment

  11. Step 2 Assign and train QA on your 2 issues

  12. Step 3 Assign 1 developer on each app team to be the security controller

  13. Step 4 Automate this process

  14. Future Code Analyses + Remediation Libraries = Code Verification

  15. Security, Accuracy and Privacy in Computer Systems - James Martin

  16. Reasonableness Test: For example, a charge of $500 might be reasonable on a corporation's electricity bill but not on an individual's bill. Consistency Test: In an airline booking to Chicago the transaction may be checked to ensure that the flight number in it does in fact go to Chicago. Special Tests: Dates may be checked to ensure that the month is between 1 and 12, and that the day is between 1 and 28, 29, 30, or 31, depending upon the month. Self Checking Numbers: The extra digit is derived arithmetically from the other digits.

  17. Written in 1973!
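The four checks from slide 16, as an added example that is not part of the deck: a small Python validation module implementing each of Martin's test classes. The flight table, the billing limits and the choice of the Luhn mod-10 scheme as the "self checking number" method are assumptions made for illustration.

```python
"""Added example: James Martin's four input-validation checks (1973).
Sample data below is constructed for illustration, not taken from the slides."""
import calendar

# Constructed sample data (assumptions, not from the deck).
FLIGHT_DESTINATIONS = {"UA123": "Chicago", "AA456": "Denver"}
REASONABLE_CHARGE = {"individual": 200, "corporation": 5000}


def reasonableness_test(account_type: str, charge: float) -> bool:
    """A $500 charge may be reasonable for a corporation but not an individual."""
    limit = REASONABLE_CHARGE.get(account_type)
    return limit is not None and 0 < charge <= limit


def consistency_test(flight_number: str, claimed_destination: str) -> bool:
    """The flight number in the booking must actually go to the claimed city."""
    return FLIGHT_DESTINATIONS.get(flight_number) == claimed_destination


def special_test_date(year: int, month: int, day: int) -> bool:
    """Month must be 1..12; day must be 1..28/29/30/31 depending on the month."""
    if not 1 <= month <= 12:
        return False
    return 1 <= day <= calendar.monthrange(year, month)[1]


def luhn_check_digit(payload: str) -> int:
    """Derive the extra digit arithmetically from the others (Luhn mod 10,
    assumed here as one concrete self-checking-number scheme)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def self_checking_number_test(number: str) -> bool:
    """Recompute the check digit from the leading digits and compare it."""
    if not number.isdigit() or len(number) < 2:
        return False
    return luhn_check_digit(number[:-1]) == int(number[-1])
```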

  18. “To me, security is important. But it's no less important than everything *else* that is also important!” - Linus

  19. REFERENCES Google: “OWASP ESAPI”, “BSIMM”, “Armorize”, “James Martin” Caleb Sima caleb@armorize.com www.armorize.com Download Trial of CodeSecure at http://www.armorize.com/codesecure4-beta/
