How I Learned to Stop Worrying & Teach Developers · 2016-09-21 · Transcript
How I Learned to Stop Worrying & Teach Developers
…or “Security Awareness for the Tech-Savvy User”
Perry A. Hemmingsen
Senior Security Analyst, Applications
HealthPartners, Inc.
perry.hemmingsen [at] gmail [dot] com
linkedin.com/in/perryhemmingsen/
Room 12 1:15 pm Wed, May 15 2013
Welcome to Secure360 2013
5/17/2013 How I Learned to Stop Worrying &
Teach Developers 2
Don’t forget to pick up your Certificate of Attendance at the end of each day.
Please complete the Session Survey front and back, and leave it on your seat.
Are you tweeting? #Sec360
Disclaimer
The views and opinions from this point forward may differ from the views and opinions of the HealthPartners organization. The responsibility of all information, techniques and bad jokes contained within lie solely on the author. The presentation you are about to see is merely the compilation of what has worked for the author and his organization. Your mileage may vary.
What I Do
• Senior Security Analyst—HealthPartners, Inc.
• Focus on application security
– Web (Java, .Net, Groovy Grails)
– Mobile (Objective-C, Android/Java, m.)
– SOA (ESB policies)
• Also
– Data encryption
– Internal PKI
– Internal/external vulnerability assessment
– WebApp pen-testing
Security’s Iron Hand
“The Developer”
• Smart, tech-savvy
• Culture of sharing
• Deadlines, milestones
• Close to their code
• Vested in app’s success
Those Crafty Devs…
• “Can you speak like a coder?”
• Need to know exact details
– What needs to be done?
– Where is the code vulnerable?
– Why should it be modified?
– How does it look when it’s not vulnerable?
• Rely on documentation
Those Crafty Devs…
• Learn the technical language
– Explain and understand what you need in their terms
– Decide where programmers fit in the solution
– Prove you know what you’re talking about
• Develop standards and procedures
– Provide consistency
– Following a check-list is quick and easy
– Keep the info fresh
Example Checklist: Output Encoding
• All encoding is performed on the server.
• All output is contextually encoded (e.g. HTML entity encoding).
• All characters must be encoded unless they are known to be safe for the intended interpreter (e.g. standard alphanumeric characters are safe, but special characters like “<” are not).
o OWASP AntiSamy
o ESAPI
o Prepared Statements (SQL queries)
• All output of untrusted data to SQL, XML, and LDAP queries is contextually sanitized.
• All output of untrusted data to operating system commands is sanitized.
• Error messages do not disclose sensitive data.
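Added example, not code from the slides or from the author's organization: a Python sketch of two of the checklist rules, whitelist-based HTML entity encoding that encodes every character except known-safe alphanumerics (the approach ESAPI's encodeForHTML takes), and a prepared statement so untrusted data is bound as a value rather than spliced into the query. The users table, its rows and the in-memory SQLite database are constructed for the example.

```python
import sqlite3

# Characters known to be safe for an HTML text or attribute context: ASCII alphanumerics only.
_SAFE = frozenset("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")


def encode_for_html(untrusted: str) -> str:
    """Checklist rule: encode everything that is not known to be safe for the
    interpreter. Each unsafe character becomes a numeric HTML entity, so '<'
    can never open a tag when the string is written into a page."""
    return "".join(ch if ch in _SAFE else f"&#x{ord(ch):X};" for ch in untrusted)


def lookup_user(conn: sqlite3.Connection, username: str):
    """Checklist rule: prepared statement. The '?' placeholder binds the value,
    so quotes inside the input are data and never part of the SQL text."""
    cur = conn.execute(
        "SELECT id, display_name FROM users WHERE username = ?", (username,)
    )
    return cur.fetchall()


def demo():
    # Constructed sample data for the example (in-memory database, one user).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, display_name TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, display_name) VALUES (?, ?)",
        ("alice", "Alice <script>alert(1)</script>"),
    )
    conn.commit()
    # With binding, a quote-laden input simply matches no username.
    rows_injected = lookup_user(conn, "' OR '1'='1")
    rows_alice = lookup_user(conn, "alice")
    # display_name is untrusted data being output to HTML: encode it at output time.
    rendered = "<td>" + encode_for_html(rows_alice[0][1]) + "</td>"
    return rows_injected, rows_alice, rendered


if __name__ == "__main__":
    print(demo())
```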
Sharing is (sometimes) Caring
• Engaged actively in the online community
– StackOverflow.com
– CodeProject.com
– Groups.Google.com
– JavaRanch.com
• Want to divulge everything
– Do not intend malice
– Need context to answer code questions
• Reconnaissance: first step of a pen-test
Sharing is (sometimes) Caring
• Teach “safe” sharing
– De-couple code from company
– Avoid using company email for contact
– Forbid protected information
• Real-world data
• Company-confidential secrets
• Encourage sharing of security
– Hardened common libraries
• OWASP AntiSamy or ESAPI library
• Prepared Statements for SQL queries
– Vetted “generic code” to tackle common issues
Under Pressure
• Wants the app _______
– Now
– Perfect
– To do everything
• Management are likely not developers
• Become victims of Brooks’ Law
Under Pressure
• Need top-down support
– Don’t forget to educate the bosses
– Time spent now is time saved later
• Find a champion
– Gives coders a local contact
– Intimate with their codebase and environment
– Helps disseminate new information
– All-around good ally to have
Don’t Touch My Code!
• “My code is my baby”
– Criticize my code, you criticize me
• What you want doesn’t make sense
• Might view security as the intruder
– “Iron hand of standards and policies”
– Seen as a roadblock rather than an ally
Don’t Touch My Code!
• No one’s baby is ugly
• Programmers really do want what’s best for their code
• Learn it once, apply it everywhere
• “…as long as it doesn’t make more work”
I Only Want What’s Best for the App
• Love simplicity and elegance
• Interested in the future
– What’s new?
– How can I apply it to make my code better?
– How can I solve the problem more simply?
• Wary that policies may stifle creativity
• Would rather focus on bugs first, security last
I Only Want What’s Best for the App
• Willing to apply best practices, provided they work
• Most security solutions are so good, they’re almost transparent
• If XSS is too hard to mitigate, you may be asking them to fix it incorrectly
• Treat vulnerabilities like functional bugs
– No one likes buggy code
Why Focus on Developer Education?
Why Focus on Developer Education?
• Developers:
– Write the code
– Understand the problem better than anyone
– Possess the skill set
– More effective and efficient at solving
• Encryption is nice, but worthless if the front door is open
Common Questions
• I thought we had an application firewall…
– Belt + Suspenders
– “All or none” signature rule
– Might not catch the crafty adversary
• What if we don’t have an AppSec lead?
– Find a developer who has an interest
– Set up time to discuss their processes
– Work together to build a program
Example Curriculum
• OWASP Top 10
– Good place to start
– One vulnerability per month
– Two classes per month
• Morning
• Afternoon
Example Curriculum
• Summary of Vulnerability
– Exploitability
– Prevalence
– Detection
– Impact
• Functionality
– Overview of exploitation
– Threat agents
– Attack vectors
Example Curriculum
• Current events
– Google News search
– As current as possible (shouldn’t be hard)
• Examples
– Code-level
– Pick your poison
– OWASP can help
Example Curriculum
• Visual example
– Mock-up of attack
– Couple with your code
• Review with questions
– What is the attacker allowed to do?
– What are the restrictions on the attack?
– Where are the points of vulnerability?
– How could we patch the application?
Example Curriculum
• Real world examples
• Find vulnerable website
– Make sure it’s “intentionally vulnerable”
– https://hack.me
– Recon before-hand
– Give an assignment
– Walk around and ask questions
Example Curriculum
• Wrap it up
– What vulnerabilities were the class able to find/exploit?
– High-level description of fix
– Code-level example of fix
– List of resources and further reading
– Questions
Conclusion
• Learn the language
• Find an ally
• Keep up to date on current trends
– Set up or use public “hack-labs”
– Analyze logs for attempted attacks and learn from them
– See “Resources” section for more info
Resources
• OWASP – http://www.owasp.org
• SecurityTube – http://www.securitytube.net/
• CounterHack – A little old, but has hacking challenges – http://www.counterhack.net
• SecurityThoughts – Playgrounds to try your hand at exploiting common vulnerabilities in a live-feeling environment – https://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applications-for-learning/
• HackMe – https://hack.me
www.smbc-comics.com
Contact
Perry A. Hemmingsen
perry.hemmingsen [at] gmail [dot] com
linkedin.com/in/perryhemmingsen