New Era of Software with modern Application Security (v0.6)

New Era of Software with Modern Application Security, version 0.6 (27/Feb/2016), OWASP London Chapter, @DinisCruz

Upload: dinis-cruz

Post on 10-Jan-2017

TRANSCRIPT

Page 1: New Era of Software with modern Application Security (v0.6)

New Era of Software with Modern Application Security

Version 0.6 (27/Feb/2016)

OWASP London Chapter

@DinisCruz

Page 2:

@DinisCruz

• Developer for 25 years

• AppSec for 13 years

• Leader OWASP O2 Platform project

• Head of Application Security at The Hut Group

• Application Security Training for JBI Training

• http://blog.diniscruz.com/

• https://www.linkedin.com/in/diniscruz

Page 3:

Quality

Page 4:

Software Craftsmanship is about

Software Quality

Page 5:

a big problem with the Craftsmanship (and testing) community is:

‘How to define Quality?’

Page 6:

Everybody knows that Quality is key

… but …

‘how to measure Quality?’

Page 7:

My thesis is that

Application Security can be used to define and measure Quality

Page 8:

Application Security is all about the non-functional requirements of software*

* software = apps, websites, web services, apis, tools, build scripts = code

Page 9:

Application Security is all about understanding HOW the software works

* vs how the software behaves

Page 10:

Using Application Security

I can measure the quality of software

Page 11:

Because Application Security

measures the unintended side effects of coding

Page 12:

Writing Secure Code Myth

Page 13:

“If only software developers had security knowledge they would be able write secure code”

Page 14:

This is a myth because secure code has very little to do with developer’s skills and craftsmanship

Page 15:

Software security (or insecurity) is a consequence of the Software development environment

(namely the business and managers focus)

Page 16:

And I know that this is a myth because

I cannot write ‘secure code’

when I’m programming

Page 17:

The Pollution Analogy

Page 18:

Technical Debt Is a Bad Analogy

• The developers are the ones who pay the debt

• Pollution is a much better analogy

• The key is to make the business accept the risk (i.e. the debt)

Page 19:

Let's Hack (a Little Bit): http://manifesto.softwarecraftsmanship.org/

Demo

Page 20:

Current State of Application Insecurity

Page 21:

How secure is your code?

Page 22:

How insecure is your code?

How many risks/vulnerabilities are you aware of?

Page 23:

JIRA Risk Workflow

http://blog.diniscruz.com/2015/12/jira-workflows-for-handing-appsec-risks.html

Page 24:

Key Concepts of This Workflow

• All tests should pass all the time

• Tests that check/confirm vulnerabilities should also pass

• The key to make this work is to: Make business owners understand the risks of their decisions (and click on the ‘accept risk’ button)
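The following is an added example of the "tests that confirm vulnerabilities should also pass" idea, not code from the slides or from the O2 Platform. It assumes a hypothetical risk ticket id (RISK-42), a constructed vulnerable rendering function beside its fixed form, and a test that stays green while the accepted risk still reproduces and goes red the moment a developer fixes it, which is the cue to close the JIRA risk and invert the test into a regression test.

```python
"""Vulnerability-confirming test in the style of the JIRA risk workflow.

Added example, not from the original slides. The risk id, the greeting
functions and the probe payload are constructed for illustration.
"""

import html
from dataclasses import dataclass

# Hypothetical JIRA issue the business owner clicked 'accept risk' on.
ACCEPTED_RISK_ID = "RISK-42"

# Constructed XSS probe; any marker that must not survive unescaped works.
XSS_PROBE = "<script>alert(1)</script>"


def render_greeting_vulnerable(name: str) -> str:
    """Deliberately vulnerable: reflects untrusted input into HTML verbatim."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_fixed(name: str) -> str:
    """Hardened form: HTML-escapes the untrusted value (quotes included)."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def is_reflected_unescaped(render, payload: str = XSS_PROBE) -> bool:
    """True when the payload comes back byte-for-byte, i.e. XSS is possible."""
    return payload in render(payload)


@dataclass
class RiskTestResult:
    risk_id: str
    vulnerability_present: bool
    verdict: str


def run_risk_test(render, risk_id: str = ACCEPTED_RISK_ID) -> RiskTestResult:
    """The 'vulnerability test' of the workflow.

    While the accepted risk still reproduces, the verdict is PASS and the
    build stays green: the JIRA ticket and reality agree. When the code is
    fixed the verdict flips to FAIL, which is the signal to close the risk
    ticket and turn this into an ordinary regression test.
    """
    present = is_reflected_unescaped(render)
    if present:
        return RiskTestResult(
            risk_id, True, f"PASS: {risk_id} still open, vulnerability confirmed"
        )
    return RiskTestResult(
        risk_id,
        False,
        f"FAIL: {risk_id} no longer reproduces; close the risk and invert this test",
    )


# pytest-style wrappers: the first guards the accepted risk, the second is the
# regression test the first becomes once the fix lands.
def test_risk_42_xss_still_present():
    assert run_risk_test(render_greeting_vulnerable).vulnerability_present


def test_regression_xss_fixed():
    assert not run_risk_test(render_greeting_fixed).vulnerability_present


if __name__ == "__main__":
    for fn in (render_greeting_vulnerable, render_greeting_fixed):
        print(f"{fn.__name__}: {run_risk_test(fn).verdict}")
```

Run it with pytest or directly with python; the point is that the risk test fails on the fixed function, so a silent fix cannot leave a stale "accepted" risk in JIRA.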

Page 25:

You have to make sure that it is your boss that gets fired

Page 26:

… he/she should make sure that it is his/her boss that gets fired …

Page 27:

… all the way to the CTO

(i.e. Board level responsibility)

Page 28:

Senior Management Oversight

• ‘Security Memo’ (from God)

• Incident response plans

• Emergency response exercises (can you detect them?)

• Cyber Insurance

• Enterprise Cyber Risk management

• Which C-level executive will get fired?

Page 29:

Does Your Company/Team Have:

• AppSec team/person

• Security Champion

• Secure coding standards

• Threat Models

• OWASP contributors

• Secure code reviews

Page 30:

If your answer was not YES to all of them...

then

Your Application WILL have a high number of Security Vulnerabilities

Page 31:

Why Do Application Security?

Page 32:

Because you care about:

• your users

• good engineering

• your application

• your company

Page 33:

You have been lucky so far due to lack of commercially focused attackers

Page 34:

This has been a Blessing and Curse

Page 35:

You are making a hedged bet

Page 36:

Your hedged bet is that:

the Security of your code vs the Skill and motivation of attackers

will not change in the next 2 years

Page 37:

Most of you are creating the perfect storm ….

Page 38:

User personalisation +

Digital Payments +

APIs

Page 39:

A large % of your app's users will have malware on their box

Page 40:

You are as secure as your most inexperienced developer

Page 41:

Who Is Attacking You

Page 42:

If the Attacker Tells You About the Attack

Page 43:

You Should Thank Them

Page 44:

The dangerous ones are the commercially focused criminals

Page 45:

It's all about the money

Page 46:

… to hack you …

Page 47:

Page 48:

Buy botnet for $110

Page 49:

How much it costs to be an 'internal user'

Page 50:

100% Anti-virus non detection guarantee

Page 51:

But the credit cards were protected

Page 52:

Russian Hackers Moved Ruble Rate with Malware

• http://www.bloomberg.com/news/articles/2016-02-08/russian-hackers-moved-currency-rate-with-malware-group-ib-says

Page 53:

It Is in the Billions

• The real criminals are running highly professional companies, with high quality software Development, Testing, QA, AB testing, etc…

Page 54:

New Generation of Application Security Thinking

Page 55:

• TDD

• Docker

• Test Automation

• Static Analysis

• clever Fuzzing

• JIRA Risk workflows

• Kanban

• micro web services visualization, and

• ELK

Page 56:

We Have Solutions

Page 57:

OWASP!!!!

Page 58:

Tips for Building a Modern Security Engineering Organization

• https://georgianpartners.com/tips-for-building-a-modern-security-engineering-organization

Page 59:

How to Build Secure Web Application

• http://blog.knoldus.com/2016/02/03/how-to-build-secure-web-application/

Page 60:

Real World Mutation Testing

• http://pitest.org/

Page 61:

Security Development Lifecycle

• https://www.microsoft.com/en-us/sdl/process/design.aspx

Page 62:

Spotify Engineering Culture - Part 1

• https://labs.spotify.com/2014/03/27/spotify-engineering-culture-part-1/

• https://spotifylabscom.files.wordpress.com/2014/03/spotify-engineering-culture-part1.jpeg

Page 63:

Spotify Engineering Culture - Part 2

• https://labs.spotify.com/2014/09/20/spotify-engineering-culture-part-2/

• https://spotifylabscom.files.wordpress.com/2014/09/spotify-engineering-culture-part2.jpeg

Page 64:

Final Thoughts

Page 65:

Unwritten Rules of APIs

“Every API is destined to be connected to the internet”

Page 66:

Unwritten Rules of APIs

“All API data wants to be exposed in a Web Page”

Page 67:

“Would you fly in a plane that has the code quality of your APIs”

Page 68:

Thanks, any questions?