Hi, here is the presentation I delivered last week at OWASP's AppSec Brazil conference: OWASP Brazil - Making Security Invisible by Becoming the Developer's Best Friends I think I was able to capture how security tends to be seen by developers, how it is currently a TAX on the SDL and how we need to move Application Security into the 'application visibility' space so that we add value to the entire SDL (and create a positive model where the developers want to engage with us) After you read the presentation, check out this video which I recorded also in Brazil: A developer's rant about security professionals (he was one of the developers that was at the audience which really related to the problem of receiving security guidance from security 'consultants' that don't understand his app). The demos showed how O2 allowed this world to exist :) Let me know what you think of it. (info also at my blog http://diniscruz.blogspot.com/2011/10/my-presentation-at-owasp-appsec-brazil.html)

1. The OWASP Foundation
http://www.owasp.org
Making Security Invisible by
Becoming the Developer's
Best Friends
OWASP AppSec Latam 2011 (Brazil)
Dinis Cruz
dinis.cruz@owasp.org

2. Dinis Cruz
Long-time OWASP contributor
OWASP O2 Platform (project)
OWASP Seasons of Code
OWASP Summits (2008 & 2011)
OWASP Training Days
OWASP Books
Helped multiple chapters and conferences
Multiple tools & research at OWASP .NET
Setup Application Security Team at Global Bank
Performed Security Reviews (White and Black box) on 100s of apps
Credited for vulnerability on .NET Framework and vulnerability on Spring MVC
Worked for OunceLabs (now IBM AppScan Source) and made it work
Didn’t joined IBM (after OunceLabs acquisition) and spent 18 months rewriting the
OWASP O2 platform (and making my vision a reality)
Currently at Security Innovation (Boston/Seattle company)

3. Dinis @ Security Innovation
Responsible for the TeamMentor product
i.e. I’m shipping code
SI is going to Commercially Support the
OWASP O2 Platform
with a focus on findings-automation and security-tools-integration
SI is a strong OWASP Supporter
Silver sponsor at AppSec USA
published OWASP TeamMentor Library under CC (Creative Commons)
published OWASP Top 10 e-learning course under CC
helping the clarify the commercial relationship with OWASP’s ecosystem
Sponsored me to come here
3

4. OWASP is Amazing

5. 5

6. 6

7. owasp
band
7

8. Don’t stop asking ‘why not?’
8

9. Don’t stop asking ‘why not?’
Try new ideas:
8

10. Don’t stop asking ‘why not?’
Try new ideas:
Barefoot walking/running
8

11. Don’t stop asking ‘why not?’
Try new ideas:
Barefoot walking/running
8

12. Don’t stop asking ‘why not?’
Try new ideas:
Barefoot walking/running
8

13. I’m a developer

14. Yes
I have shipped code
10

15. O2 PLATFORM
OWASP
TeamMentor
Security Innovation
11

16. I’m going to speak as
the developer of
and a couple other apps:
HacmeBank, JPetstore, Altoro Mutual
12

17. for which security
IS NOT a priority
13

18. it is important
14

19. but not a priority
15

20. In fact I want to
security to be
INVISIBLE
(or transparent)
16

21. As with every other
developer,
I don’t want my app to
have security
vulnerabilities
17

22. So I’m happy to help
the ‘security’ process...
18

23. ... as long as the
workflow ‘works’ for me
and my team
19

24. and at the moment it
doesn’t
20

25. Dear Security
teams / vendors

26. Understand this:
22

27. Features and
Functionality
Rule!
23

28. You (security teams)
are quite in the bottom
of the food chain
24

29. I’m smart
If I wasn’t smart I wouldn’t be working (& paid) as a developer
25

30. If I’m not Smart
don’t tell that to my boss
(specially NOT in a report format)
26

31. If I’m not Smart
Make me Smart!
27

32. Since I’m smart
Make me a HERO
28

33. Actually
In the real world the
issue is usually not
‘smart’ but
‘experience on the
APIs/Framworks used’
29

34. Another important topic
30

35. I’m not a security
expert
31

36. that is YOUR job
32

37. if you want to talk about:
jQuery, Javascript, MVC, Reflection, Hibernate, Struts,
AoP, High performance Algorithms, Compression
techniques, cache management, Agile, Pointers, Code
Patterns, Authorisation Models, QA, User-acceptance-
tests, Use-Cases, UML, SRCUM, StackOverflow, GIT, App
Hosting/Clustering, etc....
33

38. that’s me
34

39. Security
35

40. That’s you
36

41. (btw)
I’m the one
creating value
37

42. I’m the one
making money,
grabbing eyeballs,
creating value
or whatever the business wants to call it
38

43. YOU are a TAX
As positioned today
39

44. which is why I don’t
really like to talk/deal
with you
40

45. Quiz Question:
When was the last time
that developers where
REALLY exited to talk
with Security Teams?
41

46. Yeah I can see the
Queue from here.....
(I think some developers would shoot Security
teams if that was legal)
42

47. Developers dirty
secrets

48. Here are a couple dirty
secrets about ‘most’
development projects
44

49. The devs can’t visualise
how their app works
45

50. e nt)
ag em
m an
(and
The devs can’t visualise
how their app works
45

51. The devs don’t understand
how their app works
46

52. e nt)
ag em
m an
(and
The devs don’t understand
how their app works
46

53. nt) s)
me yer
ge bu
na
ma (and
( and
The devs don’t understand
how their app works
46

54. nt) s)
me yer
ge bu se rs)
n a u
d ma (and (a nd
( an
The devs don’t understand
how their app works
46

55. In practice what does
this mean?
47

56. it means that they can’t
quickly answer questions like:
48

57. what are the URLs?
49

58. what data do you
expect to receive from
the web?
50

59. what data CAN be
submitted from the web
51

60. what is the data-binding
behaviour of the
Frameworks used
(case point MVC Frameworks)
52

61. Where is my Data
Validation layer
53

62. Who and what connects
to the databases/assets
54

63. Where are my assets?
55

64. Where is the
Credit Card data?
56

65. What are the connections
between the managed layers
(C# & Java) and unmanaged
layers (C/C++)?
57

66. What happens at the
Javascript layer?
58

67. (easier question)
What is the real
CALL FLOW
of a request
(from the web to the backend and back to the web)
59

68. (harder question)
What is the real
TAINT FLOW
of a request
(from the web to the backend and back to the web)
60

69. (much harder question)
What is the real
TAINT (with CONTROL) FLOW
of a request
(from the web to the backend and back to the web)
61

70. Bottom line:
(*unless we have been attacked before)
62

71. If it compiles
Ship it!
(I see this behaviour at a lot of dev shops)
63

72. Bottom line:
(*If we have been attacked before)
64

73. If it compiles
(and passes the ‘security tools’)
Send it to the
‘Security Team’
(who now have funds to hire their own staff)
65

74. Dealing with
Security

75. I care about my users
67

76. And exploitation of
security vulnerabilities
affects them
68

77. So by-proxy I care
about security
69

78. But the current
workflow between
developers and security
teams is....
70

79. F****d
71

80. or more politically
correct
72

81. Highly inefficient
73

82. and that is on
companies WITH
internal security teams
& awareness
74

83. It is even worse for the
rest
75

84. We need a new
paradigm
76

85. One where ‘application
security’ ADDs value to
the Business
77

86. One where ‘Application
Security’ practices are
deeply embedded into
the SDL
78

87. One where ‘Application
Security’ practices are
invisible/transparent to
99% of the parties
involved
(the 1% are the ones directly involved in security, such as
security teams, devs,architects, CISO, etc...)
79

88. but before we get to
the solution, lets set the
stage....
80

89. As a developer , this is
What I don’t want

90. I don't want to:
receive a PDF (or portal)
with security findings
82

91. I don't want to:
receive a tool result
with partial (or zero)
context about my app
83

92. I don't want to:
spent time sorting out
the False positives
created by tools
84

93. I don't want to:
have tons of bugs filled
into my bug tracking
system
85

94. I don't want to:
receive non-automated
findings
(that will force me to spend
time replicating the issue)
86

95. I don't want to:
receive no information
on the impact of the
‘proposed fix’
the ‘blast ratio’ of a fix
i.e. how much s*** will break
87

96. I don't want to:
be ‘lectured’ by a
‘security expert’ that
doesn’t understand my
application
88

97. I don't want to:
I don’t want to be told
to ‘go to school’
usually framed as
“we need to give ‘security education’ to
developers”
89

98. Got that?
90

99. I don’t think that
(even if they tried)
‘security consultants’
couldn’t OFEND more
the developers than
they do today
91

100. What I want

101. I want to know the
implications of the
multiple APIs &
frameworks used
93

102. Ideally I should be able
to use those APIs is the
most efficient way
94

103. I want to know when I
use those APIs and
Frameworks incorrectly
95

104. I want to understand
my Application!
96

105. Can YOU do that?
97

106. Can you help me to
understand my
Application?
98

107. because,
as a developer
99

108. if you can help me to
understand my
Application ...
100

109. ... you add value to my
world....
101

110. if you don’t help me to
understand how my
Application works
102

111. you are a TAX that I
have to Pay
or an INSURANCE that I
have to Pay
103

112. Did you noticed the lack
of ‘security’ in the last
slides?
:)
104

113. let’s try this again
105

114. What I want
from a security point of view (in red)

115. I want to know the
Security implications of
the multiple APIs &
frameworks used
107

116. Ideally i should only be
able to use those APIs
in a SECURE way
108

117. I want to know when I
use those APIs and
Frameworks insecurely
109

118. I want to understand
the security risk profile
of my Application!
110

119. Making Security
Invisible
by becoming the
developer’s best friend

120. So how was I able to do
what I wanted (from
both a security and
developer point of view)
112

121. using the
OWASP O2 Platform
113

122. DEMO TIME.....
114

123. Any questions?

124. Thanks
116