confidence 2015: appsec, the untrustable dev - timur khrotko
TRANSCRIPT
AppSec, the untrustable devtimur @ owasp
■ Open Web Application Security Project[s]
o owasp.org, open-source, non-profit o AppSec evangelism
■ OWASP ≠ Top 10 (which is an educational project imo)
■ some projectso ASVS (Application Security Verification Standard)o (T10) Proactive Controlso Testing Guide (TG)o ZAP (Zed Attack Proxy)o dependency-check …
O.W.A.S.P.
untrustable dev
image: deviantart.com, by sefesoft
■ coders will never care about security
○ it can only be a by-product of their gut/tacit practice
■ don’t rely on appsec, detect and handle incidents
■ applications are vulnerable anyway - why?:○ complexity, culture of devs, complicity (yours
also, see culture of audits), mismanagement, immature methodologies and robots
■ for the dev teams who aren't lost:○ secure coding course +dev coaching
+ review of audit findings
abstract / goo.gl/mbrPYO
■ AppSec = QA (security QA, SeQA)
o product + production/dev + support + etc practices
■ don’t buy it w/o threat modeling (risk assessment)
■ AS policy, S-SDLCo design, code, configuration, controls, testingo patch management, support agreement, sec SLA
■ countermeasures: filter, isolate, monitor, respondo waf, sandboxing, dmz, log audit, id(p)s
■ audit/testo va, sast, dast, iast, code review, bl tests, pentest,
ci …
appsec concepts
appsec, the short story
■ application security is created by the developers to meet the set requirements
untrustable quality
image: deviantart.com, by sefesoft
The task of the software development team is to engineer the illusion of
simplicity.
why #1: complexity
image: Bobbi J. Young et al. 2007. Software complexity: how do we bring order to chaos?
why #2: dev culture
image: en.wikipedia, by Klean Denmark
why #3: complicity
image: Thomas van de Weerd
CEO, business, legal
CIO, CISO, CRO, etc.
why #4: appsec mgmt
image: microsoft
why #5: methodologies
image: flickr.com/photos/bagogames/16153704398
trusted devs
image: en.wikipedia
trusted security
image: en.wikipedia, by AlephGamma
tno (trust no one)
image: wikimedia.org, cover art / trust no one / Dave Navarro (c) capitol/emi
threats
image: deviantart.com, by Christopher-Dombres
trust as soc construct
image: (c) playmobil
open sw production culture
■ HB -- a failure of the opensource QA myth
o “OpenSSL is written by monkeys”/ Marco Peereboom, 2009
o “… is a patchwork nightmare”/ Matthew Green, 2013
o “I told you so, la la la, I told you so!”/ Marco Peereboom, 2014 image: XOX
enterprise sw culture
■ “Threats in custom app development: enterprises' lack of security”
o Veracode Inc. blog, 2014 Sep
still untrustable devs
image: en.wikipedia, by Klean Denmark
OWASP Proactive Controls
C1: Parameterize Queries
C2: Encode Data
C3: Validate All Inputs
C4: Implement Appropriate Access Controls
C5: Establish Identity and Authentication Controls
C6: Protect Data and Privacy
C7: Implement Logging, Error Handling and Intrusion Detection
C8: Leverage Security Features of Frameworks and Security Libraries
C9: Include Security-Specific Requirements
C10: Design and Architect Security In
OWASP ASVS
■ AppSec Verification Standard
o “security engineering checklist”o levels (eg. L2): risk --> requirements -->
verification
40-20-40+design
+testing
did you threat-model?!
secure coding course?!
+coaching + re:findings
dev training
audit/va
dev coachin
g
+do incident response!
resource: cut eh bdgt
■ eh (ethical hacking incl webapp assessments) is just another expensive social construct you subscribed too eh culture is just as bad as that of the dev’s
■ relocate and spend more on:
o trainingso S-SDLC, AppSec policy enforcemento threat modeling and IR
■ use appsec specialists with whom your devs can work constructively (eg. coaching)
resource for the smb-s
■ involve a visiting appsec specialist in critical moments
■ have a visiting ciso, at least rarely visiting
■ make one resident member of the dev team security champion (see MS SDL)
■ secure coding courses
appsec synchronized
image: en.wikipedia, by Klean Denmark
next meetup: TBD
meetup.com/owasp-hu
twitter.com/owasp_hu
this prezo: goo.gl/mbrPYO