The anarchists guide to application security

Transcript

1. Laura Bell Founder  and  Lead  Consultant  -­‐  SafeStack @lady_nerd  

    [email protected]   h6p:/ /safestack.io   The anarchist’s guide to application security

2. the  world  is  a  terrible  place

3. the  internet  is  a  festering  pool   of  toxic  waste

4. None

5. somebody  probably  wants  to  do   BAD  THINGS  to  your

    applicaHon
6. None

7. the  security  situaHon  is   beyond  hope

8. None

9. we  can  build  amazing  things

10. None
11. None
12. None

13. Doing  this  securely  is… Hard   Expensive   Not  MVP

      Someone  else’s  problem   Boring   Pointless  

14. QQ

15. I  am  a  professional  cat  herder

16. None

17. In  this  talk   The  Rules Lies  we  tell  ourselves

     when  avoiding  security   The  RealiHes The  reality  of  applica7on  security  from  7ny  startups  to  giant  corpora7ons   The  RecommendaHons Moving  from  ra7onal  avoidance  to  ge:ng  stuff  done  

18. THE  RULES   The  operaHng  culture  of  insecure  applicaHons

19.   Follow  industry  best  pracHce.     You  need  to

     have  a  special  <insert  item>  to  do  security.     Excellent  developers  naturally  produce  secure  applicaHons.     If  you  have  never  been  hacked,  it  will  never  happen.     Our  framework  doesn’t  have  these  issues.

20. SCREW  THE  RULES

21. APPLICATION     SECURITY     CULTURE     SMELLS

      RULES  

22. THE  REALITIES   Cultural  findings  from  an  applicaHon  security  wrangler

23. FOLLOW     INDUSTRY  BEST  PRACTICE   APPLICATION  SECURITY  CULTURE

     SMELL

24. Reality Nobody  on  earth  knows  what  ‘industry   best  pracHce’

     means.  Seriously.

25. Reality 93%  organizaHons  use  poor  quality,   shared  passwords  and

     do  not  change  them   when  people  leave

26. Reality 80%  organizaHons  use  producHon  data  in   test  environments

27. Reality A6ackers  will  almost  always  take  the   easiest  route

     to  reach  their  objecHve.

28. Reality We  are  linguisHcally  lazy  when  it   comes  to

     security. e.g.  use  the  abbr.  AUTH  to  mean  both   Authen'ca'on  and  Authoriza'on. These  do  not  mean  the  same  thing.

29. FOLLOW     INDUSTRY  BEST  PRACTICE   APPLICATION  SECURITY  CULTURE

     SMELL ‘Best  pracKces’  is  a  nonsense  term  that  introduces  intenKonal   ambiguity.   Over  80%  of  applicaKon  development  organizaKons  fail  at  basic   security  pracKces  such  as  password  management,  data   protecKon  and  resilience.   THE  REALITY  

30. YOU  NEED  TO  HAVE  A  SPECIAL     <INSERT  ITEM>

     TO  DO  SECURITY   APPLICATION  SECURITY  CULTURE  SMELL

31. Reality Not  all  organizaHons  have  infrastructure   teams  or  security

     specialists

32. code  base  development   IniKal  idea   Product  launch  

    Maturity  IniKaKves   do  security  stuff  

33. Reality Many  security  border  devices  never  make   it  out

     of  ‘learning’  or  ‘monitoring’   configuraHons
34. None

35. Reality Many  security  checks,  jobs  or  tests  can  be  

    scripted  or  completed  with  regex  Kung-­‐Fu

36. Reality Border  devices  and  external  scans  are  the   end

     of  the  process.
37. None

38. Reality Most  security  specialists  do  not  have   special  cerHficates

     or  qualificaHons.

39. YOU  NEED  TO  HAVE  A  SPECIAL     <INSERT  ITEM>

     TO  DO  SECURITY   APPLICATION  SECURITY  CULTURE  SMELL We  don’t  need  special  devices,  certs  or  tricks  to  do   applicaKon  security.   Trying,  failing  and  learning  will  serve  us  much  beYer.   THE  REALITY

40. EXCELLENT  DEVELOPERS  NATURALLY   PRODUCE  SECURE  APPLICATIONS   APPLICATION  SECURITY

     CULTURE  SMELL

41. Reality Few  developers  or  engineers  already  have   applicaHon  security

     experience

42. Reality Security  risk  changes  between   organizaHons  and  applicaHons

43. Reality Ego  is  a  really  big  problem  in  security

44. EXCELLENT  DEVELOPERS  NATURALLY   PRODUCE  SECURE  APPLICATIONS   APPLICATION  SECURITY

     CULTURE  SMELL Development  prowess  and  security  knowledge  are  not   implicitly  related   AccepKng  we  are  vulnerable  and  that  we  don’t  know  the   answers  is  important.   THE  REALITY

45. IF  YOU  HAVE  NEVER  BEEN  HACKED,     IT  WILL

     NEVER  HAPPEN   APPLICATION  SECURITY  CULTURE  SMELL

46. Reality Average  Hme  before  a  compromise  is   idenHfied  –

     18  months

47. Reality Security  problems  and  a6acks  can  be  seen   in

     non-­‐security  logs

48. Reality The  best  people  to  spot  when  something   is

     strange  in  an  app  are  those  who  built  it

49. Reality SomeHmes  geing  a6acked  isn’t  personal

50. IF  YOU  HAVE  NEVER  BEEN  HACKED,     IT  WILL

     NEVER  HAPPEN   APPLICATION  SECURITY  CULTURE  SMELL Most  organizaKons  wouldn’t  know  if  they  had  been   compromised,  why  they  would  be  aYacked  or  how  to   respond.     THE  REALITY

51. OUR  FRAMEWORK  DOESN’T     HAVE  THESE  ISSUES   APPLICATION

     SECURITY  CULTURE  SMELL

52. Reality We  use  far  more  technologies,  languages   and  frameworks

     than  ever  before
53. None

54. Reality Even  with  the  knowledge  that  security   vulnerability  exists,

     we  will  choose  not  to   patch/update

55. Reality If  you  don’t  have  legacy  code  to  deal  with,

      you  are  creaHng  legacy  code  for  your   replacement

56. OUR  FRAMEWORK  DOESN’T     HAVE  THESE  ISSUES   APPLICATION

     SECURITY  CULTURE  SMELL We  don’t  know  what  our  apps  are  made  of  and  our   ability  to  keep  them  updated  reduces  with  Kme   THE  REALITY

57. THE  RECOMMENDATIONS   No  more  drama,  no  more  excuses,  no

     more  rules

58. SORT  OUT  THE  BASICS. NO  EXCUSES PASSWORD   MANAGEMENT BACKUPS

    ROLES PERMISSIONS LANGUAGE PROTECTING   PRODUCTION   DATA

59. USE  AUTOMATION  EVERYWHERE   REDUCE  COMPLEXITY REDUCE  FRAGILITY   REDUCE

     HUMAN  MISTAKES

60. USE  YOUR  EXISTING  SOFTWARE   DEVELOPMENT  LIFECYCLE (BE  HONEST  IF

     YOU  DON’T  HAVE  ONE  YET)

61. UNDERSTAND  YOUR  RISKS   BUILD  FOR  SURVIVAL INCIDENT   RESPONSE

    RESPONSIBLE   DISCLOSURE BACKUPS  AND   RECOVERY VERSION   CONTROL

62. EVERYBODY EDUCATED EMPOWERED ACCOUNTABLE

63. TL;DR   The  Rules Lies  we  tell  ourselves  when  avoiding

     security   The  RealiHes The  reality  of  applica7on  security  from  7ny  startups  to  giant  corpora7ons   The  RecommendaHons Moving  from  ra7onal  avoidance  to  ge:ng  stuff  done  

64. the  world  is  a  terrible  place

65. QQ

66. go  do  something  about  it

67. Laura Bell Founder  and  Lead  Consultant  -­‐  SafeStack @lady_nerd  

     [email protected]   h6p:/ /safestack.io   Questions?