Don’t Be That Guy! Developer Security Awareness

Transcript

1. Don’t Be That Guy! Developer Security Awareness

2. http://blog.eisele.net/ @myfear http://myfear.com/+ [email protected] M.Eisele - @myfear - http://blog.eisele.net 2

   © msg Applied Technology Research, December 2013

3. NOT HOW M.Eisele - @myfear - http://blog.eisele.net 3 © msg

   Applied Technology Research, December 2013

4. © msg Applied Technology Research, December 2013 M.Eisele - @myfear

   - http://blog.eisele.net 4

5. BUT WHY M.Eisele - @myfear - http://blog.eisele.net 5 © msg

   Applied Technology Research, December 2013

6. Programming Motherf****r! http://programming-motherfucker.com/ M.Eisele - @myfear - http://blog.eisele.net 6 ©

   msg Applied Technology Research, December 2013

7. M.Eisele - @myfear - http://blog.eisele.net 7 © msg Applied Technology

   Research, December 2013

8. NOT EVERY PROGRAMMER IS A SECURITY ENGINEER. M.Eisele - @myfear

   - http://blog.eisele.net 8 © msg Applied Technology Research, December 2013

9. http://datalossdb.org/statistics # of incidents worldwide >700% M.Eisele - @myfear -

   http://blog.eisele.net 9 © msg Applied Technology Research, December 2013

10. AND EVEN WORSE M.Eisele - @myfear - http://blog.eisele.net 10 ©

    msg Applied Technology Research, December 2013

11. SECURITY IS NOT ONLY ABOUT PROGRAMMING M.Eisele - @myfear -

    http://blog.eisele.net 11 © msg Applied Technology Research, December 2013

12. © msg Applied Technology Research, December 2013 M.Eisele - @myfear

    - http://blog.eisele.net 12 Approach Security attacks 1 2 3 http://www.flickr.com/photos/trois-tetes/417709804/sizes/o/

13. © msg Applied Technology Research, December 2013 M.Eisele - @myfear

    - http://blog.eisele.net 13 EXCERPT attacks … …

14. © msg Applied Technology Research, December 2013 M.Eisele - @myfear

    - http://blog.eisele.net 14 1 2 3 EXAMPLE

15. © msg Applied Technology Research, December 2013 M.Eisele - @myfear

    - http://blog.eisele.net 15 1 2 3 EXAMPLE 3 3

16. © msg Applied Technology Research, December 2013 M.Eisele - @myfear

    - http://blog.eisele.net 16 1 2 3 EXAMPLE

17. ENDLESS COMBINATIONS M.Eisele - @myfear - http://blog.eisele.net 17 © msg

    Applied Technology Research, December 2013

18. THE LIMIT IS THE CREATIVITY OF THE BAD GUYS M.Eisele

    - @myfear - http://blog.eisele.net 18 © msg Applied Technology Research, December 2013

19. WHERE To Start? M.Eisele - @myfear - http://blog.eisele.net 19 ©

    msg Applied Technology Research, December 2013 www.defendparis.fr

20. WHAT Do WE HAVE? M.Eisele - @myfear - http://blog.eisele.net 20

    © msg Applied Technology Research, December 2013

21. © msg Applied Technology Research, December 2013 M.Eisele - @myfear

    - http://blog.eisele.net 21 ARCHITECTURE

22. © msg Applied Technology Research, December 2013 M.Eisele - @myfear

    - http://blog.eisele.net 22 ARCHITECTURE 1 2 3 Design Theory Standards Documents Processes Frameworks Examples Software Standards processes

23. © msg Applied Technology Research, December 2013 M.Eisele - @myfear

    - http://blog.eisele.net 23 http://www.flickr.com/photos/zokuga/6838590065/sizes/l/

24. WAIT M.Eisele - @myfear - http://blog.eisele.net 24 © msg Applied

    Technology Research, December 2013

25. © msg Applied Technology Research, December 2013 M.Eisele - @myfear

    - http://blog.eisele.net 25 application 1 2 3 Specification CODE Design Software

26. © msg Applied Technology Research, December 2013 M.Eisele - @myfear

    - http://blog.eisele.net 26

27. WAIT M.Eisele - @myfear - http://blog.eisele.net 27 © msg Applied

    Technology Research, December 2013

28. © msg Applied Technology Research, December 2013 M.Eisele - @myfear

    - http://blog.eisele.net 28

29. Burns Down TO THREE AREAS M.Eisele - @myfear - http://blog.eisele.net

    29 © msg Applied Technology Research, December 2013

30. PEOPLE PROCESS TECH M.Eisele - @myfear - http://blog.eisele.net 30 ©

    msg Applied Technology Research, December 2013

31. “If you think technology can solve your security problems, then

    you don't understand the problems and you don't understand the technology. ” — Bruce Schneier M.Eisele - @myfear - http://blog.eisele.net 31 © msg Applied Technology Research, December 2013

32. A chain is only as strong as its weakest link

    M.Eisele - @myfear - http://blog.eisele.net 32 © msg Applied Technology Research, December 2013

33. PEOPLE PROCESS TECH M.Eisele - @myfear - http://blog.eisele.net 33 ©

    msg Applied Technology Research, December 2013

34. How to secure PEOPLE? M.Eisele - @myfear - http://blog.eisele.net 34

    © msg Applied Technology Research, December 2013

35. © msg Applied Technology Research, December 2013 M.Eisele - @myfear

    - http://blog.eisele.net 35 Stakeholder

36. DEVELOPERS build awareness. Might offer trainings. M.Eisele - @myfear -

    http://blog.eisele.net 36 © msg Applied Technology Research, December 2013

37. How to secure Processes? M.Eisele - @myfear - http://blog.eisele.net 37

    © msg Applied Technology Research, December 2013

38. M.Eisele - @myfear - http://blog.eisele.net 38 © msg Applied Technology

    Research, December 2013 Methodologies

39. © msg Applied Technology Research, December 2013 M.Eisele - @myfear

    - http://blog.eisele.net 39 Standards

40. DEVELOPERS Need time For security. Processes give it. M.Eisele -

    @myfear - http://blog.eisele.net 40 © msg Applied Technology Research, December 2013

41. © msg Applied Technology Research, December 2013 M.Eisele - @myfear

    - http://blog.eisele.net 41 Example www.microsoft.com/security/sdl/‎

42. HOW to Secure Software? M.Eisele - @myfear - http://blog.eisele.net 42

    © msg Applied Technology Research, December 2013

43. © msg Applied Technology Research, December 2013 M.Eisele - @myfear

    - http://blog.eisele.net 43 Infrastructure Software Application Landscape Enterprise- Services Business IT-Security-Architecture Crosscutting … in other words:

44. Million ways to Do it wrong on any Level. M.Eisele

    - @myfear - http://blog.eisele.net 44 © msg Applied Technology Research, December 2013

45. © msg Applied Technology Research, December 2013 M.Eisele - @myfear

    - http://blog.eisele.net 45 Infrastructure Software Application Landscape Enterprise- Services Business IT-Security-Architecture Right FOCUS Developers Requirements Use Security Features Secure Implementation

46. Examples M.Eisele - @myfear - http://blog.eisele.net 46 © msg Applied

    Technology Research, December 2013

47. © msg Applied Technology Research, December 2013 M.Eisele - @myfear

    - http://blog.eisele.net 47 infrastructure

48. © msg Applied Technology Research, December 2013 M.Eisele - @myfear

    - http://blog.eisele.net 48 Software

49. And there is a lot More! M.Eisele - @myfear -

    http://blog.eisele.net 49 © msg Applied Technology Research, December 2013

50. © msg Applied Technology Research, December 2013 M.Eisele - @myfear

    - http://blog.eisele.net 50

51. • Secure Coding Guidelines for the Java Programming Language, Version

    4.0 http://www.oracle.com/technetwork/java/seccodeguide-139067.html • The CERT Oracle Secure Coding Standard for Java https://www.securecoding.cert.org/confluence/display/java/The+CERT+Oracle+Secure+Coding+Standard+for+Ja va • Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs http://www.informit.com/store/java-coding-guidelines-75-recommendations-for-reliable-9780133439519 • OWASP Developer Guide 2013 https://www.owasp.org/index.php/Category:OWASP_Guide_Project M.Eisele - @myfear - http://blog.eisele.net 51 © msg Applied Technology Research, December 2013

52. © msg Applied Technology Research, December 2013 M.Eisele - @myfear

    - http://blog.eisele.net 52 • OWASP Appsec Tutorial Series https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series • Apache Shiro http://www.infoq.com/articles/apache-shiro • Java Cryptography Architecture (JCA) Reference Guide http://docs.oracle.com/javase/7/docs/technotes/guides/security/crypto/CryptoSpec.html • Java Authentication and Authorization Service (JAAS) Reference Guide http://docs.oracle.com/javase/7/docs/technotes/guides/security/jaas/JAASRefGuide.html • Java EE 6 Security in Practice with GlassFish http://www.slideshare.net/myfear/security-in-practice-with-java-ee-6-and-glassfish

53. SECURITY IS ABOUT Knowledge. M.Eisele - @myfear - http://blog.eisele.net 53

    © msg Applied Technology Research, December 2013

54. “it ain’t what you don’t know that gets you into

    trouble. it’s what you know for sure that just ain’t so.” — Mark Twain http://www.nativeintelligence.com/ni-free/itsec-quips-03.asp M.Eisele - @myfear - http://blog.eisele.net 54 © msg Applied Technology Research, December 2013

55. SECURITY Motherf****r! M.Eisele - @myfear - http://blog.eisele.net 55 © msg

    Applied Technology Research, December 2013

56. M.Eisele - @myfear - http://blog.eisele.net 56 @myfear blog.eisele.net © msg

    Applied Technology Research, December 2013