BSidesLondon 20th April 2011 - Chris John Riley
Chris Sumner, Arron "finux" Finnon and Frank Breedijk
---------------
Why shouting into the security echo chamber does no good! Set to interpretive YMCA dance....
--------------- For more information about the presenters, follow them on Twitter: @ChrisJohnRiley,
@TheSuggmeister, @seccubus, @F1nux
1. Security YMCA
Why shouting into the security echo chamber does no good!
Are we, as security people, reaching the people we need to reach the most… developers?
2. Disclaimers
• Be careful what you say on Twitter
• This started off as a joke
• We do not represent our employers; these are our own opinions
• Our survey has NO scientific basis
• Our survey is NOT free of bias
• The outfits are just so you won’t take us seriously ;)
Image: YMCA a CC NC image from bogdog Dan’s Flicks stream:
http://www.flickr.com/photos/25689440@N06/2866020311/
3. Points of order
• We have about 25 minutes left in this presentation
• In these 25 minutes we will try to start a discussion
• Maybe we may even get people to do some real research
• 10 minutes are reserved for Q&A and the YMCA song
• The next 20 slides will auto-advance every 45 seconds…
• This talk is interactive… so interact!
• Why the f*ck did you guys pick this talk? No, really
4. Who are we?
• Chris John Riley
• Arron “F1nux” Finnon
5. Who are we?
• Frank “Seccubus” Breedijk
• Chris “Suggy” Sumner
6. So what is this about?
Show of hands:
• Who in this room is not working in info security?
• Who in this room has ever presented at a conference?
• Of those, who presented at a non-security conference?
• And yet we wonder why “developers don’t get it?”
7. HTTP Parameter Pollution
• There are multiple ways to send parameters
• Sending parameters with both GET and POST can lead to interesting results
• This problem has been known for 11 years
• Yet 30% of the Alexa top 5000 sites have at least one page with this problem*
• Including Microsoft, Google, VMWare, Facebook, Symantec and Paypal
* Taken from Marco Balduzzi’s talk “HTTP Parameter Pollution Vulnerabilities in Web Applications”,
Black Hat Europe 2011
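The slide only says that mixing GET and POST "can lead to interesting results"; the added example below (not from the talk, and not Balduzzi's code) shows why: a parameter supplied twice, or in both the query string and the body, resolves to a different value depending on whether a stack takes the first occurrence, the last, or joins them, so a defender's safest move is to detect the ambiguity and refuse to guess. The sample request values are constructed for illustration.

```python
"""Duplicate-parameter (HPP) resolution and detection, added example."""
from urllib.parse import parse_qsl


def collect_params(query_string, body=""):
    """Keep every occurrence of every parameter, tagged with its channel
    ("query" or "body"), instead of silently collapsing to one value."""
    seen = {}
    for channel, raw in (("query", query_string), ("body", body)):
        for name, value in parse_qsl(raw, keep_blank_values=True):
            seen.setdefault(name, []).append((channel, value))
    return seen


def polluted_params(query_string, body=""):
    """Names supplied more than once, whether repeated in one channel or split
    across GET and POST; an empty dict means nothing is ambiguous."""
    return {n: occ for n, occ in collect_params(query_string, body).items()
            if len(occ) > 1}


def resolve(query_string, body, strategy):
    """Collapse to one value per name the way different stacks do:
    'first' occurrence wins, 'last' occurrence wins, or 'joined' (comma-join)."""
    out = {}
    for name, occ in collect_params(query_string, body).items():
        values = [v for _, v in occ]
        if strategy == "first":
            out[name] = values[0]
        elif strategy == "last":
            out[name] = values[-1]
        elif strategy == "joined":
            out[name] = ",".join(values)
        else:
            raise ValueError("unknown strategy: %r" % strategy)
    return out


def accept_request(query_string, body=""):
    """Defensive handling: return None (reject) when any parameter is ambiguous,
    otherwise the single value per name. Rejecting beats guessing."""
    params = collect_params(query_string, body)
    if any(len(occ) > 1 for occ in params.values()):
        return None
    return {n: occ[0][1] for n, occ in params.items()}


if __name__ == "__main__":
    # Constructed sample: the query string says "view", the POST body "delete".
    q, b = "action=view&id=1", "id=2&action=delete"
    for s in ("first", "last", "joined"):
        print(s, resolve(q, b, s))
    print("polluted:", sorted(polluted_params(q, b)), "accepted:", accept_request(q, b))
```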
8. So we did a survey
• Not scientific (we’re no scientists)
• Bias introduced (but we are biased ;)
• Intended to generate discussion and actual research
• Writing a survey to prove a point is not good science
• We do not know if the participants were actually developers
9. Demographics - Roles
(Chart of respondent roles: Senior management or Sponsor, Application Security Architect, Application Architect, Developer, Project Manager, Application Support, Business Owner, Other)
Responses from all over the geographic spectrum… lots from UK and USA
10. Demographics - Experience
(Chart of respondent experience: less than 2 years, 2-4 years, 4-10 years, 10-15 years, more than 15 years)
12. What a 12 step program boils down to…
• Recognize/admit there is a problem
• Accept it needs to be fixed
• Get to know the problem
• Fix the problem
• Learn new rules to avoid the problem
• Help others avoid the problem
13. Admitting/recognizing the problem
• Where do you find most problems when it comes to securing applications you develop?
– I'm not able to spot security issues
• Disagree – 25% (disagree total 25%)
• Somewhat agree – 28%
• Agree – 19% (agree total 48%)
• Strongly Agree – 1%
• No Answer – 27%
14. Accept that you need to fix it
• Where do you find most problems when it comes to securing applications you develop?
– Security loses out to features
• Disagree – 11% (disagree total 11%)
• Somewhat agree – 17%
• Agree – 25% (agree total 63%)
• Strongly Agree – 21%
• No Answer – 26%
15. Investigate the problem
• Where do you find most problems when it comes to securing applications you develop?
– Understanding information on how to secure things
• Disagree – 28% (disagree total 28%)
• Somewhat agree – 27%
• Agree – 16% (agree total 46%)
• Strongly Agree – 3%
• No Answer – 26%
16. Fixing the problem
• Where do you find most problems when it comes to securing applications you develop?
– Fitting security into the development timeline
• Disagree – 7% (disagree total 7%)
• Somewhat agree – 22%
• Agree – 21% (agree total 66%)
• Strongly Agree – 23%
• No Answer – 27%
17. Help others avoid the problem
• Where do you find most problems when it comes to securing applications you develop?
– Finding the right tools to assist in secure development
• Disagree – 13% (disagree total 13%)
• Somewhat agree – 24%
• Agree – 29% (agree total 60%)
• Strongly Agree – 7%
• No Answer – 27%
18. Where do you find most problems when it comes to securing applications you develop?
(Chart, Disagree vs "Agree", in %)
Understanding information on how to secure things: Disagree 28, Agree 46
I'm not able to spot security issues: Disagree 25, Agree 48
Finding the correct information: Disagree 12, Agree 60
Fitting security into the development timeline: Disagree 7, Agree 66
Security loses out to features: Disagree 11, Agree 63
Finding the right tools to assist in secure development: Disagree 13, Agree 60
1. Make it easier to find the right information & tools
2. Acknowledge the timeline & features issues
19. Information Sources
How often do you refer to the following information sources to ensure the security of your applications?
(Chart, Rarely / Never vs Regularly / Constantly, for: Blogs, Social Networks, Books, Forums, Training Material, Best Practice Guides, Internal Coding Guidelines)
20. How often do you refer to the following information sources to ensure the security of your applications?
(Same chart as the previous slide, annotated: "We don’t suck" over the sources developers use regularly, "We suck" over the ones they rarely use)
22. Detect / Prevent
When developing applications, do you or your company use any of the following to ensure the security of the applications developed?
(Chart, count of responses from 0 to 35, for: Code-Review (automated or manual), Penetration Testing, Security Review)
Surprised by code review; do they mean a Security Code Review or a Quality Review?
23. About tools
• In our survey our audience said 80.8% wanted more tools; however, my 2 pence worth (as usual in security, you’re being overcharged) is that we have too many tools.
• Dare I say too much fragmentation in choice of tools.
• I wonder about a world with only x1 port scanner: all training material, all methodologies, all good practice would reflect the x1 single tool.
• So my question is, am I officially crazy?
24. And now for the singing and dancing
Image: “Chewbacca wasn't sure they had disco on Kashyyyk but he sure as hell wasn't going to put all that practice at looking like an 'M' go to waste”, a CC NC SA image from harold.loyd’s Flickr stream: http://www.flickr.com/photos/14434912@N07/3503661701/