Don’t Teach Developers Security Caleb Sima Armorize Technologies.


Who am I?
Ex-ISSer from X-Force
Founder and CTO of SPI Dynamics
CTO of Application Security at HP
Current: CEO of Armorize Technologies
Old man in security now...

Yes I Know..

Can you fix this Spike?... Can you? Can we do it quick? Can we Spike?

Training is important, but...
We focus on the wrong method (Top 10)
We focus on the wrong people (developers)
Security is a PIA. Turnover sucks
Don't rely on it

2010 OWASP Top 10
1. Injection
2. Cross Site Scripting (XSS)
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross Site Request Forgery (CSRF)
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards

What is wrong with this code?

Training is important, but...
We focus on the wrong method (Top 10)
We focus on the wrong people (developers)
Security is a PIA. Turnover sucks
Don't rely on it
Note on PCI

Step 1 Start with a security assessment

Step 2 Assign and train QA on your 2 issues

Step 3 Assign 1 developer on each app team to be the security controller

Step 4 Automate this process

Future Code Analyses + Remediation Libraries = Code Verification

Security, Accuracy and Privacy in Computer Systems - James Martin

Reasonableness Test: For example, a charge of $500 might be reasonable on a corporation's electricity bill but not on an individual's bill.
Consistency Test: In an airline booking to Chicago the transaction may be checked to ensure that the flight number in it does in fact go to Chicago.
Special Tests: Dates may be checked to ensure that the month is between 1 and 12, and that the day is between 1 and 28, 29, 30, or 31, depending upon the month.
Self-Checking Numbers: The extra digit is derived arithmetically from the other digits.

Written in 1973!
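The four input checks Martin describes, carried out in code as an added Python example (not from the presentation or from Martin's book). The charge limits, the flight table and the choice of Luhn mod-10 as the self-checking scheme are assumptions made for the illustration:

```python
import calendar

# Reasonableness test: the acceptable range depends on who the record belongs to.
# Constructed limits: $500 is fine for a corporation, not for an individual.
REASONABLE_CHARGE_LIMIT = {"corporate": 50_000.00, "individual": 300.00}

def is_reasonable_charge(amount: float, account_type: str) -> bool:
    limit = REASONABLE_CHARGE_LIMIT.get(account_type)
    return limit is not None and 0 < amount <= limit

# Consistency test: the flight number in the booking must really serve the destination.
FLIGHT_DESTINATIONS = {"UA123": "Chicago", "DL456": "Atlanta"}  # constructed schedule

def is_consistent_booking(flight_no: str, destination: str) -> bool:
    return FLIGHT_DESTINATIONS.get(flight_no) == destination

# Special test: month in 1..12, day within that month's real length (leap years included).
def is_valid_date(year: int, month: int, day: int) -> bool:
    if not 1 <= month <= 12:
        return False
    return 1 <= day <= calendar.monthrange(year, month)[1]

# Self-checking number: the last digit is derived arithmetically from the others.
# Luhn mod-10 is one common instance (assumption); it catches any single-digit
# error and most adjacent transpositions in a keyed-in account number.
def luhn_check_digit(body: str) -> int:
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # double every other digit, starting at the rightmost
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10

def is_self_checking(number: str) -> bool:
    """True when the trailing check digit matches the digits before it."""
    if not number.isdigit() or len(number) < 2:
        return False
    return luhn_check_digit(number[:-1]) == int(number[-1])
```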

“To me, security is important. But it's no less important than everything *else* that is also important!” - Linus

REFERENCES
Caleb Sima
Download trial of CodeSecure at
Google: "OWASP ESAPI", "BSIMM", "Armorize", "James Martin"