
Don’t Teach Developers Security Caleb Sima Armorize Technologies.



Presentation transcript:

1 Don’t Teach Developers Security Caleb Sima caleb@armorize.com Armorize Technologies

2 Who am I?
1997-2000: Ex-ISSer from X-Force
2000-2007: Founder and CTO of SPI Dynamics
2007-2010: CTO of Application Security at HP
Current…: CEO of Armorize Technologies
Old Man in Security Now…

3 Yes I Know..

4 Can you fix this Spike?... Can you? Can we do it quick? Can we Spike?

5 Training is Important But..
We focus on the wrong method (Top 10)
We focus on the wrong people (developers)
Security is a PIA. Turnover sucks
Don’t rely on it

6 2010 OWASP Top 10
1. Injection
2. Cross Site Scripting (XSS)
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross Site Request Forgery (CSRF)
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access
9. Insufficient Transport Layer Protection
10. Un-validated Redirects and Forwards

7 Training is Important But..
We focus on the wrong method (Top 10)
We focus on the wrong people (developers)
Security is a PIA. Turnover sucks
Don’t rely on it

8 What is wrong with this code?

9 Training is Important But..
We focus on the wrong method (Top 10)
We focus on the wrong people (developers)
Security is a PIA. Turnover sucks
Don’t rely on it
Note on PCI

10 Step 1 Start with a security assessment

11 Step 2 Assign and train QA on your 2 issues

12 Step 3 Assign 1 developer on each app team to be the security controller

13 Step 4 Automate this process

14 Future: Code Analysis + Remediation Libraries = Code Verification

15 Security, Accuracy and Privacy in Computer Systems - James Martin

16 Reasonableness Test: For example, a charge of $500 might be reasonable on a corporation's electricity bill but not on an individual's bill. Consistency Test: In an airline booking to Chicago the transaction may be checked to ensure that the flight number in it does in fact go to Chicago. Special Tests: Dates may be checked to ensure that the month is between 1 and 12, that the day is between 1 and 28, 29, 30, or 31, depending upon the month. Self Checking Numbers: The extra digit is derived arithmetically from the other digits.

17 Written in 1973!
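The four checks on the James Martin slide, written out as small validation functions. This is an added example, not code from the talk or from Armorize; the bill thresholds, the flight table, the ticket numbers and the record are constructed for illustration, and the self-checking number uses the Luhn mod-10 check digit as one concrete instance of "derived arithmetically from the other digits" (the slide does not name a specific scheme).

```python
"""Added example: Martin's four input checks as validation functions.
All thresholds, flight numbers and sample data below are constructed."""
import calendar

# Reasonableness test: is the value plausible for the kind of account it belongs to?
# Thresholds are assumed for the example, not taken from the slides.
MAX_REASONABLE_BILL = {"corporate": 5000.0, "residential": 300.0}


def reasonable_charge(account_type: str, amount: float) -> bool:
    """$500 passes for a corporate bill but fails for a residential one."""
    limit = MAX_REASONABLE_BILL.get(account_type)
    return limit is not None and 0 <= amount <= limit


# Consistency test: cross-check one field against another via a trusted table.
# Hypothetical flight numbers; the table stands in for the airline's schedule.
FLIGHT_DESTINATIONS = {"AA100": "Chicago", "AA200": "Denver", "UA300": "Chicago"}


def booking_consistent(flight_number: str, destination: str) -> bool:
    """The flight number in the booking must actually go to the stated city."""
    return FLIGHT_DESTINATIONS.get(flight_number) == destination


# Special test: month in 1..12 and day within that month's length (leap years included).
def valid_date(year: int, month: int, day: int) -> bool:
    if not 1 <= month <= 12:
        return False
    days_in_month = calendar.monthrange(year, month)[1]
    return 1 <= day <= days_in_month


# Self-checking number: the last digit is computed from the others.
# Luhn / mod-10 is used here as the concrete derivation.
def luhn_check_digit(body: str) -> int:
    """Return the check digit that makes body + digit pass a Luhn check."""
    total = 0
    # Walk from the rightmost body digit; double every other one, starting with it.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def self_checking(number: str) -> bool:
    """True when the final digit of number matches the digit derived from the rest."""
    if not number.isdigit() or len(number) < 2:
        return False
    return luhn_check_digit(number[:-1]) == int(number[-1])


def validate_booking_record(rec: dict) -> list:
    """Run all four checks over one record; return the names of the checks that failed."""
    failures = []
    if not reasonable_charge(rec["account_type"], rec["amount"]):
        failures.append("reasonableness")
    if not booking_consistent(rec["flight"], rec["destination"]):
        failures.append("consistency")
    if not valid_date(rec["year"], rec["month"], rec["day"]):
        failures.append("date")
    if not self_checking(rec["ticket_number"]):
        failures.append("check_digit")
    return failures


if __name__ == "__main__":
    # Constructed record: one bad field per check so every test fires.
    bad = {"account_type": "residential", "amount": 500.0,
           "flight": "AA200", "destination": "Chicago",
           "year": 2023, "month": 2, "day": 29,
           "ticket_number": "79927398714"}
    print(validate_booking_record(bad))
```

The point of the slide is that each of these checks is the kind of thing a QA function can own and automate: they are plain data rules, not security expertise, and they catch a class of bad input long before it reaches the application logic.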

18 “To me, security is important. But it's no less important than everything *else* that is also important!” - Linus

19 Caleb Sima caleb@armorize.com www.armorize.com Download Trial of CodeSecure at http://www.armorize.com/codesecure4-beta/ Google: “OWASP ESAPI”, “BSIMM”, “Armorize”,”James Martin” REFERENCES

