Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Don’t Be That Guy! Developer Security Awareness
Search
Markus Eisele
December 04, 2013
Technology
4.4k
2
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Don’t Be That Guy! Developer Security Awareness
Markus Eisele
December 04, 2013
More Decks by Markus Eisele
See All by Markus Eisele
Code Is Cheap. Software Isn’t.
myfear
0
91
JCON Chasing the Main Thread - Adventures in AI Assisted Coding
myfear
0
110
One Microservice Is No Microservice: They Come in Systems [CON6471]
myfear
0
180
Stay Productive While Slicing Up the Monolith [CON6472]
myfear
0
140
NetBeans with WildFly and Openshift
myfear
1
190
50 new features of Java EE 7 @ GeeCon
myfear
4
180
50 Best Features of Java EE 7 @ Jokerconf
myfear
0
760
JavaScript in the Enterprise @Jokerconf
myfear
0
340
50 Best Features of Java EE 7 @ OpenSlava
myfear
0
1.4k
Other Decks in Technology
See All in Technology
美しいコードを書くためにF#を学んでみた話
yud0uhu
1
410
Empower GenAI with Agile - あなたのアジャイルが生成AIのバフになる仕組み
hageyahhoo
1
180
Keeping applications secure by evolving OAuth 2.0 and OpenID Connect
ahus1
PRO
1
160
Oracle Base Database Service 技術詳細
oracle4engineer
PRO
15
110k
Genie Ontologyは銀の弾丸かを考える / Is Genie Ontology a Silver Bullet?
nttcom
0
250
大量データに対しても、生成AIを用いてリーズナブルにデータ加工をしたい!Databricksのai_queryについて調べてみた
kamoshika
1
120
オブザーバビリティ、本当に活用できてる? 〜API連携×生成AIで成熟度を自動評価〜
dmmsre
1
3.1k
クラウド上のデータ復旧で見落としがちな制約: 医療系 SaaS の BCP 設計から得た教訓
kakehashi
PRO
0
3.4k
インフラと開発の垣根を超えていき!〜元AWSインフラエンジニアがAWS開発で奮闘している話〜
hatahata021
2
180
ADDF - ループエンジニアリングするフレームワークを作ったら/I Didn't Set Out to Build Loop Engineering, But ADDF Did
fruitriin
0
120
個人開発で育てる「大規模設計の苗床」 - AI時代の1人開発から始める業務への知識接続 / The Seedbed for Large-Scale Design - From AI-Era Solo Projects to Professional Knowledge
bitkey
PRO
0
170
非定型なドキュメントを効率よくリファクタする 〜えぇ!?仕様書27本の移行が1日で終わったって!?〜
subroh0508
1
370
Featured
See All Featured
Everyday Curiosity
cassininazir
0
250
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
21
1.5k
Sam Torres - BigQuery for SEOs
techseoconnect
PRO
0
300
The Cult of Friendly URLs
andyhume
79
6.9k
Dominate Local Search Results - an insider guide to GBP, reviews, and Local SEO
greggifford
PRO
0
210
30 Presentation Tips
portentint
PRO
1
350
A Soul's Torment
seathinner
6
3.1k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
49
3.5k
Principles of Awesome APIs and How to Build Them.
keavy
128
18k
How to build a perfect <img>
jonoalderson
1
5.8k
Abbi's Birthday
coloredviolet
3
8.6k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
12
1.7k
Transcript
Don’t Be That Guy! Developer Security Awareness
http://blog.eisele.net/ @myfear http://myfear.com/+
[email protected]
M.Eisele - @myfear - http://blog.eisele.net 2
© msg Applied Technology Research, December 2013
NOT HOW M.Eisele - @myfear - http://blog.eisele.net 3 © msg
Applied Technology Research, December 2013
© msg Applied Technology Research, December 2013 M.Eisele - @myfear
- http://blog.eisele.net 4
BUT WHY M.Eisele - @myfear - http://blog.eisele.net 5 © msg
Applied Technology Research, December 2013
Programming Motherf****r! http://programming-motherfucker.com/ M.Eisele - @myfear - http://blog.eisele.net 6 ©
msg Applied Technology Research, December 2013
M.Eisele - @myfear - http://blog.eisele.net 7 © msg Applied Technology
Research, December 2013
NOT EVERY PROGRAMMER IS A SECURITY ENGINEER. M.Eisele - @myfear
- http://blog.eisele.net 8 © msg Applied Technology Research, December 2013
http://datalossdb.org/statistics # of incidents worldwide >700% M.Eisele - @myfear -
http://blog.eisele.net 9 © msg Applied Technology Research, December 2013
AND EVEN WORSE M.Eisele - @myfear - http://blog.eisele.net 10 ©
msg Applied Technology Research, December 2013
SECURITY IS NOT ONLY ABOUT PROGRAMMING M.Eisele - @myfear -
http://blog.eisele.net 11 © msg Applied Technology Research, December 2013
© msg Applied Technology Research, December 2013 M.Eisele - @myfear
- http://blog.eisele.net 12 Approach Security attacks 1 2 3 http://www.flickr.com/photos/trois-tetes/417709804/sizes/o/
© msg Applied Technology Research, December 2013 M.Eisele - @myfear
- http://blog.eisele.net 13 EXCERPT attacks … …
© msg Applied Technology Research, December 2013 M.Eisele - @myfear
- http://blog.eisele.net 14 1 2 3 EXAMPLE
© msg Applied Technology Research, December 2013 M.Eisele - @myfear
- http://blog.eisele.net 15 1 2 3 EXAMPLE 3 3
© msg Applied Technology Research, December 2013 M.Eisele - @myfear
- http://blog.eisele.net 16 1 2 3 EXAMPLE
ENDLESS COMBINATIONS M.Eisele - @myfear - http://blog.eisele.net 17 © msg
Applied Technology Research, December 2013
THE LIMIT IS THE CREATIVITY OF THE BAD GUYS M.Eisele
- @myfear - http://blog.eisele.net 18 © msg Applied Technology Research, December 2013
WHERE To Start? M.Eisele - @myfear - http://blog.eisele.net 19 ©
msg Applied Technology Research, December 2013 www.defendparis.fr
WHAT Do WE HAVE? M.Eisele - @myfear - http://blog.eisele.net 20
© msg Applied Technology Research, December 2013
© msg Applied Technology Research, December 2013 M.Eisele - @myfear
- http://blog.eisele.net 21 ARCHITECTURE
© msg Applied Technology Research, December 2013 M.Eisele - @myfear
- http://blog.eisele.net 22 ARCHITECTURE 1 2 3 Design Theory Standards Documents Processes Frameworks Examples Software Standards processes
© msg Applied Technology Research, December 2013 M.Eisele - @myfear
- http://blog.eisele.net 23 http://www.flickr.com/photos/zokuga/6838590065/sizes/l/
WAIT M.Eisele - @myfear - http://blog.eisele.net 24 © msg Applied
Technology Research, December 2013
© msg Applied Technology Research, December 2013 M.Eisele - @myfear
- http://blog.eisele.net 25 application 1 2 3 Specification CODE Design Software
© msg Applied Technology Research, December 2013 M.Eisele - @myfear
- http://blog.eisele.net 26
WAIT M.Eisele - @myfear - http://blog.eisele.net 27 © msg Applied
Technology Research, December 2013
© msg Applied Technology Research, December 2013 M.Eisele - @myfear
- http://blog.eisele.net 28
Burns Down TO THREE AREAS M.Eisele - @myfear - http://blog.eisele.net
29 © msg Applied Technology Research, December 2013
PEOPLE PROCESS TECH M.Eisele - @myfear - http://blog.eisele.net 30 ©
msg Applied Technology Research, December 2013
“If you think technology can solve your security problems, then
you don't understand the problems and you don't understand the technology. ” — Bruce Schneier M.Eisele - @myfear - http://blog.eisele.net 31 © msg Applied Technology Research, December 2013
A chain is only as strong as its weakest link
M.Eisele - @myfear - http://blog.eisele.net 32 © msg Applied Technology Research, December 2013
PEOPLE PROCESS TECH M.Eisele - @myfear - http://blog.eisele.net 33 ©
msg Applied Technology Research, December 2013
How to secure PEOPLE? M.Eisele - @myfear - http://blog.eisele.net 34
© msg Applied Technology Research, December 2013
© msg Applied Technology Research, December 2013 M.Eisele - @myfear
- http://blog.eisele.net 35 Stakeholder
DEVELOPERS build awareness. Might offer trainings. M.Eisele - @myfear -
http://blog.eisele.net 36 © msg Applied Technology Research, December 2013
How to secure Processes? M.Eisele - @myfear - http://blog.eisele.net 37
© msg Applied Technology Research, December 2013
M.Eisele - @myfear - http://blog.eisele.net 38 © msg Applied Technology
Research, December 2013 Methodologies
© msg Applied Technology Research, December 2013 M.Eisele - @myfear
- http://blog.eisele.net 39 Standards
DEVELOPERS Need time For security. Processes give it. M.Eisele -
@myfear - http://blog.eisele.net 40 © msg Applied Technology Research, December 2013
© msg Applied Technology Research, December 2013 M.Eisele - @myfear
- http://blog.eisele.net 41 Example www.microsoft.com/security/sdl/
HOW to Secure Software? M.Eisele - @myfear - http://blog.eisele.net 42
© msg Applied Technology Research, December 2013
© msg Applied Technology Research, December 2013 M.Eisele - @myfear
- http://blog.eisele.net 43 Infrastructure Software Application Landscape Enterprise- Services Business IT-Security-Architecture Crosscutting … in other words:
Million ways to Do it wrong on any Level. M.Eisele
- @myfear - http://blog.eisele.net 44 © msg Applied Technology Research, December 2013
© msg Applied Technology Research, December 2013 M.Eisele - @myfear
- http://blog.eisele.net 45 Infrastructure Software Application Landscape Enterprise- Services Business IT-Security-Architecture Right FOCUS Developers Requirements Use Security Features Secure Implementation
Examples M.Eisele - @myfear - http://blog.eisele.net 46 © msg Applied
Technology Research, December 2013
© msg Applied Technology Research, December 2013 M.Eisele - @myfear
- http://blog.eisele.net 47 infrastructure
© msg Applied Technology Research, December 2013 M.Eisele - @myfear
- http://blog.eisele.net 48 Software
And there is a lot More! M.Eisele - @myfear -
http://blog.eisele.net 49 © msg Applied Technology Research, December 2013
© msg Applied Technology Research, December 2013 M.Eisele - @myfear
- http://blog.eisele.net 50
• Secure Coding Guidelines for the Java Programming Language, Version
4.0 http://www.oracle.com/technetwork/java/seccodeguide-139067.html • The CERT Oracle Secure Coding Standard for Java https://www.securecoding.cert.org/confluence/display/java/The+CERT+Oracle+Secure+Coding+Standard+for+Ja va • Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs http://www.informit.com/store/java-coding-guidelines-75-recommendations-for-reliable-9780133439519 • OWASP Developer Guide 2013 https://www.owasp.org/index.php/Category:OWASP_Guide_Project M.Eisele - @myfear - http://blog.eisele.net 51 © msg Applied Technology Research, December 2013
© msg Applied Technology Research, December 2013 M.Eisele - @myfear
- http://blog.eisele.net 52 • OWASP Appsec Tutorial Series https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series • Apache Shiro http://www.infoq.com/articles/apache-shiro • Java Cryptography Architecture (JCA) Reference Guide http://docs.oracle.com/javase/7/docs/technotes/guides/security/crypto/CryptoSpec.html • Java Authentication and Authorization Service (JAAS) Reference Guide http://docs.oracle.com/javase/7/docs/technotes/guides/security/jaas/JAASRefGuide.html • Java EE 6 Security in Practice with GlassFish http://www.slideshare.net/myfear/security-in-practice-with-java-ee-6-and-glassfish
SECURITY IS ABOUT Knowledge. M.Eisele - @myfear - http://blog.eisele.net 53
© msg Applied Technology Research, December 2013
“it ain’t what you don’t know that gets you into
trouble. it’s what you know for sure that just ain’t so.” — Mark Twain http://www.nativeintelligence.com/ni-free/itsec-quips-03.asp M.Eisele - @myfear - http://blog.eisele.net 54 © msg Applied Technology Research, December 2013
SECURITY Motherf****r! M.Eisele - @myfear - http://blog.eisele.net 55 © msg
Applied Technology Research, December 2013
M.Eisele - @myfear - http://blog.eisele.net 56 @myfear blog.eisele.net © msg
Applied Technology Research, December 2013