5. Agenda
• They are everywhere!
• Testing, testing, testing…
• Guides, tools and much more
• The insecure software lifecycle
• How to solve these problems (maybe?)
7. They are everywhere!
And they have bugs everywhere!
• The cost of a data breach averages $5.5 million or $194 per customer record*
• Companies that take security seriously can reduce the cost per customer by up to 62%
* From a 2011 study by the Ponemon Institute
8. What are we doing wrong?
• Secure application development is a top priority
• But web applications are still the number one source of data breaches
• We need to change the mindset of software development
*From a 2011 Forrester Research study: Application Security: 2011 & Beyond
9. What are we doing wrong?
• We’re in 2012 and SQL Injection is still the biggest issue!
• The first public issue dates from 1998
• SQL Injections can lead to shell access now!
11. Why do these still happen?
Excuses for the problems:
• Security is not important! Money is!
• There is no time!
• It’s the developers’ fault! They are the scapegoat of security!
15. Threat Modeling
• Structured approach to identify and measure risks
• It defines the security requirements
• Allows the design to address the security issues
• Helps security testing and code reviews
16. Threat Modeling Process
1. Identify your assets
2. Create an architectural view
3. Decompose the software
4. Identify, document and classify the threats to your app
17. (Security) Design Patterns
• Use them! There are a lot out there!
• Don’t reinvent the wheel!
• Exception Handling
• Input Validation
• Protected Logging
18. Development Phase
• Use a guide to implement your security, like the OWASP Developer’s Guide
• Use unit test cases focused on security
• Present security training to developers
• Perform penetration testing and code reviews
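As an added example (not part of the original slides), here is the kind of security-focused unit test that slide 18 recommends, applied to the SQL injection problem from slide 9: a login query built by string concatenation next to its parameterised form, and a test that fails for the first and passes for the second. The users table, the credentials and the `login_vulnerable`, `login_safe` and `security_test` names are constructed for this illustration only.

```python
import sqlite3

# Constructed sample data: the users table and credentials are not from the slides.
_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def _connect():
    """In-memory SQLite database seeded with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", _USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Builds the query by string concatenation, so attacker-controlled input
    becomes part of the SQL statement: the bug the slides call the biggest issue."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, password):
    """Parameterised query: values travel separately from the statement, so
    quotes in the input can never change the query's structure."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


# The classic tautology payload, used here purely as the test vector.
INJECTION_PASSWORD = "' OR '1'='1"


def security_test(login):
    """Security-focused unit test: returns True only if `login` rejects the
    injection payload AND still accepts the valid credentials."""
    conn = _connect()
    try:
        bypass = login(conn, "alice", INJECTION_PASSWORD)
        valid = login(conn, "alice", "s3cret")
        return bypass == [] and valid == ["alice"]
    except sqlite3.Error:
        return False  # a malformed query is a failure too, not a pass
    finally:
        conn.close()


if __name__ == "__main__":
    print("vulnerable passes:", security_test(login_vulnerable))  # False
    print("safe passes:", security_test(login_safe))              # True
```

Wired into CI, `security_test` turns the slides' "test everything, every time it changes" into an automatic gate: a regression back to string-built SQL fails the build before a scanner or a pentester ever sees it.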
21. So what do they do?
• Protect you from common mistakes
• Keep you from getting hacked by automated tools/scanners and script kiddies
By the way, if you work with AppSec and you have never heard of these two docs…
23. How to apply them?
Many FREE resources!
Not just OWASP stuff…
24. Code reviews
Ok, now what?!
OWASP Code Review Guide
• Code review takes a deeper look into your app
• Things that automated scanners won’t find
• You’ll see the common mistakes devs make
25. SDL
We fixed the problems. How to stop them?
• Implement an SDL process
• Train your developers in app security
• They don’t need to be experts, but they should at least know how it works and how to protect their apps
26. Free Docs
Yay! More free stuff…
• OWASP ASVS – verify your security
• OWASP OpenSAMM – create a security program
• OWASP Developer’s Guide – tips to devs
27. Not yet…
It’s not that simple…
• If we have all that, why aren’t our apps secure?
• Why don’t even the big companies follow the basic rules? Hello LinkedIn!
28. Security Myths
We know, we know…
• Security costs money. Yeah, but so do development, support, operations, etc.
• Security costs money. But it will save you a lot more!
Why do most companies still not see the value of security until they get hacked?
29. If it compiles, ship it!
Like Dinis Cruz said at AppSec Latam 2011:
Unless you’ve been hacked before…
If it compiles,
Ship it!
That’s the motto in most dev companies
30. ISLC
The real picture (Developer’s view)
• They don’t like the security teams
• They already work on a tight schedule
• Security will increase their programming time
31. The ideal world
How it should be…
• Dev and infosec should work together
• Security practices and implementations should be included in the schedule
• It will increase the apps’ protection and decrease the number of bugs and the amount of work
32. Conclusions
In a nutshell…
• Security is not a plugin, it’s a process.
• Test everything, every time it changes.
• Allocate time for security testing within your project
• Never assume security controls are effective
36. References
Wagner Elias. “Testar não é suficiente, tem que fazer direito!” (“Testing is not enough, you have to do it right!”). YSTS 2012
Dinis Cruz. “Making Security Invisible by Becoming the Developer's Best Friends”. OWASP AppSec Latam 2011
Building Secure Web Applications Infographic - http://www.veracode.com/blog/2012/06/building-secure-web-applications-infographic/
OWASP - www.owasp.org