6. Still! Breaches by SQLi into 2015
3rd most common attack type (after DDoS and Malware)
7. Do you scan your apps for cybersecurity vulnerabilities before making them available?
No: 40%
How much do you budget towards securing mobile apps built for customers?
$0
9. “It seems that application security is just not considered to be as important as network security, even though vulnerabilities in applications are consistently being exploited by hackers of all types in order to access network resources and data.” Michael Cobb in SearchSecurity
11. Time to Market
Duh.
Are You Under Pressure to Release New Applications Faster, and Why?
Yes, Customer demand
Yes, Competitive actions
Yes, Revenue shortfalls
No
Sorry, I was just f*&%ing with you, it’s YES
Chart values: 60%, 60%, 19%, 6%, 6%
12. Training? What Training?
No "secure development lifecycle" in the vast majority of universities' degree programs
How many years of software development experience do you have?
>12 years: 34%
4-12 years: 30%
How much previous application security training have you received?
None: 30%
<1 day: 20%
>3 days: 25%
1-3 days: 25%
21. Quality Today
• Patterns, frameworks, and good design
• Do it early, do it often (and automate it)
• High quality people make high quality software
• It’s everyone’s responsibility
Doing it right is actually quicker in the end!
27. Know your stack!
Your Code
Frameworks
Languages
Third Party Services
OSS
“Technical debt”
28. Know your app
• Store a password
• Login a user
• Upload a photo
• Display user contributed content
• Concatenate strings
• What’s secret? Credentials for DB access, machine accounts, etc. – “Principle of Least Privilege”
What data is moving where?
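Three of the items on this slide (store a password, login a user, concatenate strings) meet in one small piece of code, and slide 6 says why it matters: string-built SQL is still producing breaches. The example below is added here and is not code from the deck; it assumes Python's standard-library sqlite3 and hashlib, an in-memory database constructed for the demo, and two made-up users. It stores only a salted PBKDF2 hash, looks users up with a bound parameter, and shows what the concatenated query does with a legitimate name containing an apostrophe and with a tautology probe.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory database standing in for the app's user store.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted derivation (PBKDF2-HMAC-SHA256); the plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def store_password(name: str, password: str) -> None:
    """'Store a password': keep a fresh per-user salt and the derived hash only."""
    salt = os.urandom(16)
    conn.execute(
        "INSERT OR REPLACE INTO users (name, salt, pw_hash) VALUES (?, ?, ?)",
        (name, salt, hash_password(password, salt)),
    )


def lookup_concat(name: str) -> list:
    """'Concatenate strings' into SQL: the input becomes part of the query text."""
    cur = conn.execute("SELECT name, salt, pw_hash FROM users WHERE name = '" + name + "'")
    return cur.fetchall()


def lookup_param(name: str) -> list:
    """Parameterised query: the input is bound as data and cannot alter the SQL."""
    cur = conn.execute("SELECT name, salt, pw_hash FROM users WHERE name = ?", (name,))
    return cur.fetchall()


def login(name: str, password: str) -> bool:
    """'Login a user': safe lookup, then a constant-time hash comparison."""
    rows = lookup_param(name)
    if len(rows) != 1:
        return False
    _, salt, stored = rows[0]
    return hmac.compare_digest(hash_password(password, salt), stored)


def demo() -> dict:
    """Run both lookups against the same constructed data and report what each returns."""
    store_password("alice", "correct horse battery staple")
    store_password("o'brien", "hunter2")  # legitimate name that happens to contain a quote
    results = {}
    # Concatenation breaks on legitimate input: the quote ends the SQL string literal early.
    try:
        lookup_concat("o'brien")
        results["concat_quote"] = "ok"
    except sqlite3.OperationalError:
        results["concat_quote"] = "syntax error"
    results["param_quote"] = len(lookup_param("o'brien"))  # 1: found as expected
    # The same defect lets a tautology widen the WHERE clause to every row.
    probe = "x' OR '1'='1"
    results["concat_probe"] = len(lookup_concat(probe))  # 2: every user is returned
    results["param_probe"] = len(lookup_param(probe))    # 0: no user has that literal name
    results["login_ok"] = login("alice", "correct horse battery staple")
    results["login_bad"] = login("alice", "wrong")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The apostrophe case is the one worth remembering in review: a query that cannot cope with O'Brien is the same query that cannot cope with a probe, so "does it work for ordinary names with quotes?" is a cheap test that catches the defect before anyone thinks about attackers.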
29. Agile Quality == Agile Security
Add security to your “definition of done”
30. Tools (help) scale the process
“Incorporate static analysis into the code review process in order to make code review more efficient and more consistent.”
IDE’s with “checkers”: IntelliJ
“Near-real-time” tools: Klocwork, Codiscope, Coverity
Build tools: Brakeman
31. Culture; the toughest part
1. Even a little security is better than none. Don't wait for a “big initiative”
2. Don’t make security a “special event”
3. Get trained! Train Champions.
4. Have a plan for when something does go wrong