![Teaching Secure Coding
[Discussion] - Are we doing it wrong?](https://image.slidesharecdn.com/securitytraining-111029094309-phpapp01/85/Secure-Coding-Are-we-doing-it-wrong-1-320.jpg)
Recomendados
Recomendados
Más contenido relacionado
La actualidad más candente
La actualidad más candente (20)
Destacado
Destacado (18)
Similar a Secure Coding - Are we doing it wrong
Similar a Secure Coding - Are we doing it wrong (20)
Último
Último (20)
Secure Coding - Are we doing it wrong
- 1. Teaching Secure Coding [Discussion] - Are we doing it wrong?
- 2. Who are you? • Bryn Salisbury (@bryns) • Welsh born and Hertfordshire based. • IT Security Consultant by day. • Podcaster, Blogger, Twitter-er (is that even a word?) and adequate photographer • First time at Barcamp London (quite excited).
- 3. IT Security • Been working in IT for around 12 years. • IT Security full time for the last 5 • Penetration testing and security scanning • PCI QSA
- 4. PCI Data Security Standard • Global Security Standard for the handling of credit card (and some debit card) data. • Breaks down into 12 requirements (everything from firewalls to HR). • Rules on applications (web and otherwise) development. • Requires the development of secure coding guidelines, as well as a teaching programme. • Sets minimum standards to keep credit card data safe.
- 5. What is Secure Development? • A set of methods that, when used, can reduce the ability of hostile parties to exploit your application(s). • In web applications, these are commonly Input Validation (e.g. Cross Site Scripting), Injection (e.g. SQL Injection)
- 6. Is it really that necessary? • Absolutely... 85% of the data breaches in 2009-2010 were as a result of web application compromises. • Defensive devices such as IPS/IDS and WAF are not always effective. • Heavy fines for loss of data - €50,000 initial, €75,000/month for failure to remediate the breach. see: http://www.7safe.com/breach_report/Breach_report_2010.pdf
- 7. Secure Coding: Are we teaching it wrong?
- 9. “If we taught people to drive the same way we teach them secure coding, we’d have a lot more wrecked cards and dead bodies to clean up” @securityninja
- 10. Are we doing it wrong? • I’ve always had the tendency to want to demonstrate the worst case scenario. • Easier to show off “exploitable” code and a lot more impressive. • Examples of the ‘right way’ are technology dependant. • Hadn’t even occurred to me that the training wasn’t what they needed (or wanted).
- 11. What would the right way look like?
- 12. What would the right way look like? • The idea of showing how it should be done is appealing • Gives clear and concise guidance to the coder • Easier to track and audit in the long term • See @securityninja’s RSA talk - http:// slideshare.net/securityninja/injecting- simplicity-not-sql-rsa-europe-2010
- 13. What would the right way look like? • Ultimately, I think that the perfect program needs to: • Educate, but not be patronising to the developers. • Give them enough information to work with, but not overload them. • Be straightforward enough that the principles can be applied to any language. • It should definitely carry the full support of the management.
- 14. I know, I’ll blog about it!
- 15. Blog Response • Wrote it up a few days ago: http:// www.randomlyevil.org.uk/2011/10/26/datblygu- diogel-secure-development/ • Opinions appear to be evenly divided - some arguing that coders need to see how bad it gets. • Another suggesting the coders only need to know what they should do, the rest is up to the pen-testers.
- 16. Let’s throw it to the floor...
- 17. Let’s keep the discussion going...
- 18. Let’s keep the discussion going! • After the talk... • At the bar... • On the blog: http:// www.randomlyevil.org.uk/2011/10/26/ datblygu-diogel-secure-development/ • On Twitter... I’m @bryns • On Google+... I’m Bryn Salisbury
- 19. Diolch yn Fawr! @bryns
Notas del editor
- \n
- \n
- \n
- \n
- \n
- \n
- It was during a PCI audit that the guy I was interviewing said the following to me...\n
- He suggested that we put the cart before the horse, and that we’re much more keen to spend time showing how things could go wrong, instead of how to do it right.\n\nIt was a bit of a revelation...\n
- He suggested that we put the cart before the horse, and that we’re much more keen to spend time showing how things could go wrong, instead of how to do it right.\n\nIt was a bit of a revelation...\n
- Let’s face it, who doesn’t enjoy a bit of schadenfreude?\n\nThings happening properly don’t make for interesting demonstrations - “Oh look, it presented a graceful error message... how... Zzzzzz” versus “ZOMG! Look! I found an XSS, so if you log into the website, it emails out the user’s credentials to the attacker! that’s SOOOO COOL!”\n\nFrankly, I’d rather claw out my own eyeballs than try to go through every single web technology finding the right way to do things like handle input validation, connect to stored procedures and alike.\n\nSadly, the feedback all came back as positive, and people kept telling me how entertaining the whole thing was. I suppose a bit like an Angelina Jolie movie... no one really pays attention to the plot.\n
- Honestly? I don’t know...\n\n\n\n
- So @securityninja tells me all about the security training he gives, and I start to think “Isn’t it a lot nicer to be positive?” \n\nShow people how it should be done, rather than saying “cor... look at this loser! he doesn’t even know how to validate his inputs! LOL”.\n\nThere’s no ambiguity when it comes to writing production code, the coder is told “this is the way it ought to be”. Easier for them to integrate into their workflow.\n\nCode reviews for compliance become a lot easier, if you’ve set the rules, the coders know that’s the only way you get your code accepted is if it follows the path you’ve set. Becomes easier to record the developer’s training, and give more specific support.\n
- I thought... how could I get more input on this issue from people in the know?\n
- \n
- After a little bit of lost in translation (you’ll see the comments)...\n\n\n
- The reason I bring it to you guys is this... I don’t want to be *that* kind of security consultant... you know, the one who only wants to sell your boss the latest copy of Symantec’s latest doo-dah. \n\nI take the view that the safer your applications are, the safer my data is likely to be.\n\nSo, what do you lot think? Do you like the sound of @securityninja’s principles? Is it better to show the right way? or scare people with the wrong? Is it better to teach principles? or secure by exception?\n\n\n
- \n
- \n
- \n
- \n