How I Learned to Stop Worrying & Teach Developers · 2016-09-21

Posted 12-Jun-2020

Page 1: How I Learned to Stop Worrying & Teach Developers · 2016-09-21 · How I Learned to Stop Worrying & Teach Developers 2 Don’t forget to pick up your Certificate of Attendance at

How I Learned to Stop Worrying & Teach Developers

…or “Security Awareness for the Tech-Savvy User”

Perry A. Hemmingsen

Senior Security Analyst, Applications

HealthPartners, Inc.

perry.hemmingsen [at] gmail [dot] com

linkedin.com/in/perryhemmingsen/

Room 12 1:15 pm Wed, May 15 2013

Page 2

Welcome to Secure360 2013

5/17/2013 How I Learned to Stop Worrying &

Teach Developers 2

Don’t forget to pick up your Certificate of Attendance at the end of each day.

Please complete the Session Survey front and back, and leave it on your seat.

Are you tweeting? #Sec360

Page 3

Disclaimer

The views and opinions from this point forward may differ from the views and opinions of the HealthPartners organization. The responsibility of all information, techniques and bad jokes contained within lie solely on the author. The presentation you are about to see is merely the compilation of what has worked for the author and his organization. Your mileage may vary.

Page 4

What I Do

• Senior Security Analyst—HealthPartners, Inc.

• Focus on application security

– Web (Java, .Net, Groovy Grails)

– Mobile (Objective-C, Android/Java, m.)

– SOA (ESB policies)

• Also

– Data encryption

– Internal PKI

– Internal/external vulnerability assessment

– WebApp pen-testing

Page 5

Security’s Iron Hand

Page 6

“The Developer”

• Smart, tech-savvy

• Culture of sharing

• Deadlines, milestones

• Close to their code

• Vested in app’s success

Page 7

“The Developer”

Page 8

Those Crafty Devs…

• “Can you speak like a coder?”

• Need to know exact details

– What needs to be done?

– Where is the code vulnerable?

– Why should it be modified?

– How does it look when it’s not vulnerable?

• Rely on documentation

Page 9

Those Crafty Devs…

• Learn the technical language

– Explain and understand what you need in their terms

– Decide where programmers fit in the solution

– Prove you know what you’re talking about

• Develop standards and procedures

– Provide consistency

– Following a check-list is quick and easy

– Keep the info fresh

Page 10

Example Checklist: Output Encoding

• All encoding is performed on the server.

• All output is contextually encoded (HTML entity encoding).

• All characters must be encoded unless they are known to be safe for the intended interpreter (e.g. standard alpha-numeric characters are safe, but special characters like “<” are not).

– OWASP AntiSamy

– ESAPI

– Prepared Statements (SQL queries)

• All output of untrusted data to queries for SQL, XML, and LDAP is contextually sanitized.

• All output of untrusted data to operating system commands is sanitized.

• Error messages do not disclose sensitive data.
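The checklist's two code-level rules, server-side contextual encoding and prepared statements, as an added example that is not from the slides or from HealthPartners. It is written in Python with the standard library's sqlite3 module standing in for the Java ESAPI/AntiSamy/JDBC stack the checklist names, so it runs stand-alone; the user table and its rows are constructed for the demo. The "before" query is kept beside the prepared one so a class can see why the checklist treats the two as different items.

```python
"""Added example (not from the slides): the checklist's two code-level rules.

Assumptions: the user table and its rows are constructed for the demo, and
Python's built-in sqlite3 stands in for the Java ESAPI / AntiSamy / JDBC
PreparedStatement stack the checklist names.
"""
from __future__ import annotations

import sqlite3

# The checklist's allow-list: standard alphanumerics are known-safe for an
# HTML interpreter; every other character gets entity-encoded.
SAFE_CHARS = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
)


def html_encode(untrusted: str) -> str:
    """Encode untrusted text for an HTML-body context, on the server.

    Characters outside the allow-list become numeric entities, so a value
    such as '<script>' is displayed as text instead of parsed as markup.
    This follows the slide's strict wording; production encoders usually
    allow-list a little more punctuation.
    """
    return "".join(c if c in SAFE_CHARS else f"&#{ord(c)};" for c in untrusted)


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for an app's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")],
    )
    return conn


def find_user_concatenated(conn: sqlite3.Connection, name: str) -> list[str]:
    """The 'before' form: the untrusted value is spliced into the SQL text,
    so a quote in the input changes the statement itself."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_prepared(conn: sqlite3.Connection, name: str) -> list[str]:
    """The checklist form: fixed SQL text, input bound as a parameter and
    therefore only ever compared as data."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(conn: sqlite3.Connection, name: str) -> dict:
    """Run both forms on one input; report the rows, or the error raised."""
    try:
        before = find_user_concatenated(conn, name)
    except sqlite3.Error as exc:
        before = f"error: {exc}"
    return {"concatenated": before, "prepared": find_user_prepared(conn, name)}


if __name__ == "__main__":
    print(html_encode('<b>bold</b> & "quoted"'))
    db = setup_db()
    # A legitimate name with an apostrophe breaks the concatenated query
    # (a functional bug); the tautology input makes it return every row.
    for value in ("alice", "O'Brien", "x' OR 'a'='a"):
        print(repr(value), compare(db, value))
```

The "O'Brien" case is the one to lead with in a class: the concatenated query fails on an ordinary name before it ever meets an attacker, which is the slide's point that a vulnerability is a functional bug. "Contextual" in the checklist also means the HTML encoder above is only correct for HTML body text; a value written into a JavaScript string, a URL or an attribute needs the encoder for that interpreter.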

Page 11

Sharing is (sometimes) Caring

• Engaged actively in the online community

– StackOverflow.com

– CodeProject.com

– Groups.Google.com

– JavaRanch.com

• Want to divulge everything

– Do not intend malice

– Need context to answer code questions

• Reconnaissance: first step of a pen-test

Page 12

Sharing is (sometimes) Caring

• Teach “safe” sharing

– De-couple code from company

– Avoid using company email for contact

– Forbid protected information

  • Real-world data

  • Company-confidential secrets

• Encourage sharing of security

– Hardened common libraries

  • OWASP AntiSamy or ESAPI library

  • Prepared Statements for SQL queries

– Vetted “generic code” to tackle common issues

Page 13

Under Pressure

• Wants the app _______

– Now

– Perfect

– To do everything

• Management are likely not developers

• Become victims of Brooks’ Law

Page 14

Under Pressure

• Need top-down support

– Don’t forget to educate the bosses

– Time spent now is time saved later

• Find a champion

– Gives coders a local contact

– Intimate with their codebase and environment

– Helps disseminate new information

– All-around good ally to have

Page 15

Don’t Touch My Code!

• “My code is my baby”

– Criticize my code, you criticize me

• What you want doesn’t make sense

• Might view security as the intruder

– “Iron hand of standards and policies”

– Seen as a roadblock rather than an ally

Page 16

Don’t Touch My Code!

• No one’s baby is ugly

• Programmers really do want what’s best for their code

• Learn it once, apply it everywhere

• “…as long as it doesn’t make more work”

Page 17

I Only Want What’s Best for the App

• Love simplicity and elegance

• Interested in the future

– What’s new?

– How can I apply it to make my code better?

– How can I solve the problem more simply?

• Wary that policies may stifle creativity

• Would rather focus on bugs first, security last

Page 18

I Only Want What’s Best for the App

• Willing to apply best practices, provided they work

• Most security solutions are so good, they’re almost transparent

• If XSS is too hard to mitigate, you may be asking them to fix it incorrectly

• Treat vulnerabilities like functional bugs

– No one likes buggy code

Page 19

Why Focus on Developer Education?

Page 20

Why Focus on Developer Education?

Page 21

Why Focus on Developer Education?

• Developers:

– Write the code

– Understand the problem better than anyone

– Possess the skill set

– More effective and efficient at solving

• Encryption is nice, but worthless if the front door is open

Page 22

Common Questions

• I thought we had an application firewall…

– Belt + Suspenders

– “All or none” signature rule

– Might not catch the crafty adversary

• What if we don’t have an AppSec lead?

– Find a developer who has an interest

– Set up time to discuss their processes

– Work together to build a program

Page 23

Example Curriculum

• OWASP Top 10

– Good place to start

– One vulnerability per month

– Two classes per month

• Morning

• Afternoon

Page 24

Example Curriculum

• Summary of Vulnerability

– Exploitability

– Prevalence

– Detection

– Impact

• Functionality

– Overview of exploitation

– Threat agents

– Attack vectors

Page 25

Example Curriculum

• Current events

– Google News search

– As current as possible (shouldn’t be hard)

• Examples

– Code-level

– Pick your poison

– OWASP can help

Page 26

Example Curriculum

• Visual example

– Mock-up of attack

– Couple with your code

• Review with questions

– What is the attacker allowed to do?

– What are the restrictions on the attack?

– Where are the points of vulnerability?

– How could we patch the application?

Page 27

Example Curriculum

• Real world examples

• Find vulnerable website

– Make sure it’s “intentionally vulnerable”

– https://hack.me

– Recon beforehand

– Give an assignment

– Walk around and ask questions

Page 28

Example Curriculum

• Wrap it up

– What vulnerabilities were the class able to find/exploit?

– High-level description of fix

– Code-level example of fix

– List of resources and further reading

– Questions

Page 29

Conclusion

• Learn the language

• Find an ally

• Keep up to date on current trends

– Set up or use public “hack-labs”

– Analyze logs for attempted attacks and learn from them

– See “Resources” section for more info
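For the "analyze logs for attempted attacks and learn from them" item, an added example that is not part of the talk: it URL-decodes the request path in each web-server log line and flags the kinds of probes the OWASP Top 10 classes above would cover, grouped by client, so the flagged requests can become the next class's real-world material. The log lines are constructed in Common Log Format, and the indicator patterns and category names are illustrative assumptions, not any product's or firewall's rule set.

```python
"""Added example (not from the talk): triage of web-server log lines for
attempted attacks, as a teaching input for the next class.

Assumptions: the log lines are constructed in Common Log Format, and the
indicator patterns and category names are illustrative, not any WAF's or
product's rule set.
"""
from __future__ import annotations

import re
from urllib.parse import unquote_plus

# Constructed sample; not from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [15/May/2013:13:15:01 -0500] "GET /search?q=books HTTP/1.1" 200 512
10.0.0.9 - - [15/May/2013:13:15:02 -0500] "GET /search?q=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 498
10.0.0.9 - - [15/May/2013:13:15:03 -0500] "GET /item?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 221
10.0.0.7 - - [15/May/2013:13:15:04 -0500] "GET /static/logo.png HTTP/1.1" 304 0
10.0.0.9 - - [15/May/2013:13:15:05 -0500] "GET /../../app.conf HTTP/1.1" 404 162
"""

# host ident user [time] "method path protocol" status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators are matched against the URL-decoded path, since probes are
# almost always percent-encoded on the wire.  Names are illustrative.
INDICATORS = {
    "xss_probe": re.compile(r"<script|onerror\s*=|javascript:", re.I),
    "sqli_probe": re.compile(r"'\s*or\s*'|union\s+select", re.I),
    "path_traversal": re.compile(r"\.\./"),
}


def classify_line(line: str) -> dict | None:
    """Parse one log line; return its fields plus the indicators that fired."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    decoded = unquote_plus(m["path"])
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    return {"ip": m["ip"], "path": decoded, "status": int(m["status"]), "hits": hits}


def summarize(log_text: str) -> dict[str, list[tuple[str, list[str]]]]:
    """Group flagged requests by client IP as (decoded path, indicators)."""
    by_ip: dict[str, list[tuple[str, list[str]]]] = {}
    for line in log_text.splitlines():
        rec = classify_line(line)
        if rec and rec["hits"]:
            by_ip.setdefault(rec["ip"], []).append((rec["path"], rec["hits"]))
    return by_ip


if __name__ == "__main__":
    for ip, requests in summarize(SAMPLE_LOG).items():
        print(ip)
        for path, hits in requests:
            print("   ", hits, path)
```

The status column is worth keeping in view when reading the output: a 500 on the request carrying a stray quote (the third constructed line) is the kind of clue that the application builds SQL by concatenation, which ties straight back to the prepared-statement item on the checklist and gives the class a concrete place to look in their own code.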

Page 30

Resources

• OWASP – http://www.owasp.org

• SecurityTube – http://www.securitytube.net/

• CounterHack – A little old, but has hacking challenges – http://www.counterhack.net

• SecurityThoughts – Playgrounds to try your hand at exploiting common vulnerabilities in a live-feeling environment – https://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applications-for-learning/

• HackMe – https://hack.me

Page 31

www.smbc-comics.com

Page 32

Contact

Perry A. Hemmingsen

perry.hemmingsen [at] gmail [dot] com

linkedin.com/in/perryhemmingsen
