Presentation is loading. Please wait.

Presentation is loading. Please wait.

Don’t Teach Developers Security Caleb Sima Armorize Technologies.

Similar presentations


Presentation on theme: "Don’t Teach Developers Security Caleb Sima Armorize Technologies."— Presentation transcript:

1 Don’t Teach Developers Security Caleb Sima Armorize Technologies

2 Who am I? : Ex-ISSer from X-Force : Founder and CTO of SPI Dynamics : CTO of Application Security at HP Current…: CEO of Armorize Technologies Old Man in Security Now…

3 Yes I Know..

4 Can you fix this Spike?... Can you? Can we do it quick? Can we Spike?

5 Training is Important But.. We focus on the wrong method (Top 10) We focus on the wrong people (developers) Security is a PIA. Turnover sucks Don’t rely on it

6 2010 OWASP Top 10 1.Injection 2.Cross Site Scripting (XSS) 3.Broken Authentication and Session Management 4.Insecure Direct Object References 5.Cross Site Request Forgery (CSRF) 6.Security Misconfiguration 7.Insecure Cryptographic Storage 8.Failure to Restrict URL Access 9.Insufficient Transport Layer Protection 10. Un-validated Redirects and Forwards

7 Training is Important But.. We focus on the wrong method (Top 10) We focus on the wrong people (developers) Security is a PIA. Turnover sucks Don’t rely on it

8 What is wrong with this code?

9 Training is Important But.. We focus on the wrong method (Top 10) We focus on the wrong people (developers) Security is a PIA. Turnover sucks Don’t rely on it Note on PCI

10 Step 1 Start with a security assessment

11 Step 2 Assign and train QA on your 2 issues

12 Step 3 Assign 1 developer on each app team to be the security controller

13 Step 4 Automate this process

14 Future Code Analyses + Remediation Libraries = Code Verification

15 Security, Accuracy and Privacy in Computer Systems - James Martin

16 Reasonableness Test: For example. a charge of $500 might be reasonable on a corporations electricity bill but not on an individuals bill. Consistency Test: In an airline booking to Chicago the trans action may be checked to ensure that the flight number in it does in fact go to Chicago. Special Tests: Dates may be checked to ensure that the month is between I and l2. that the day is between l and 28, 29, 30, or 31. depending upon the month. Self Checking Numbers: The extra digit is derived arithmetically from the other digits.

17 Written in 1973!

18 “To me, security is important. But it's no less important than everything *else* that is also important!” - Linus

19 Caleb Sima Download Trial of CodeSecure at Google: “OWASP ESAPI”, “BSIMM”, “Armorize”,”James Martin” REFERENCES


Download ppt "Don’t Teach Developers Security Caleb Sima Armorize Technologies."

Similar presentations


Ads by Google