Jaap Karan Singh
Co-Founder & Chief Singh @ Secure Code Warrior
How to code securely:
A crash course for non-coders
Everything is powered by
technology
TECHNOLOGY LETS YOU AVOID NAGGING
PHONE CALLS FROM YOUR PARTNER...
Source: https://www.pinterest.com/pin/678214025109991726/
We are not a bank, we
are a technology
company with a
banking license
- EVERY BANK EVER
What's
behind all this
technology?
111 BN
NEW LINES OF
CODE EVERY YEAR
22 M
DEVELOPERS
Cyber security is
now mainstream
No longer guys with hoodies lurking in the shadows
Consumer trust
is everything
DIGITAL BANKING AND CYBER SECURITY
- INFORMATION IS BEAUTIFUL
Source: https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
90%
security incidents result from
defects in the design or code
of software
- DEPARTMENT OF HOMELAND SECURITY
Source: https://www.us-cert.gov/sites/default/files/publications/infosheet_SoftwareAssurance.pdf
Are developers unaware
or is security really hard?!
IT'S THE LATTER.
Let's look at some code
GET /transfer-money?from,to,amount
database.query => "UPDATE accounts SET balance increment(amount) WHERE account_number = to"
database.query => "UPDATE accounts SET balance decrement(amount) WHERE account_number = from"
print "Debit: from -amount, Credit: to +amount"
Does this code have
any vulnerabilities?
YES. SEVERAL ACTUALLY!
SQL
Injection
WHAT IS IT?
User input used in a
database query without
validation
WHY IS IT BAD?
Execute additional
transactions and actions
Exfiltrate data
Connect to other systems on
the network
DATA BREACH
77 MILLION RECORDS STOLEN
Sony Hack
"From a single injection, we accessed
EVERYTHING". Passwords, home
addresses and other personal
information was stolen.
Source: https://www.bbc.co.uk/news/business-13636704
Cross-site
Request
Forgery
WHAT IS IT?
Replay actions on behalf of a
logged in user
WHY IS IT BAD?
Unauthorised
Attack typically hidden so
user does not realise
Good joke, wasn't it?
While you were reading this joke on
your favourite pastime website, I
processed 5 transactions
transferring over 1 billion dollars in
the background!
Source: https://www.pinterest.com/pin/777011741929294349/
Cross-site
Scripting
(XSS)
WHAT IS IT?
Attack the users of the
application by executing
malicious code on their
browser
WHY IS IT BAD?
Execute unauthorised
transactions and actions
without the user realising
Looks like legitimate traffic
to the website
Samy the
worm
SPREAD LIKE WILDFIRE
Fastest spreading virus of all time - 1
million users affected in less than 24
hours
UNPRECEDENTED IMPACT
MySpace had to take the site offline
to remove the worm
Source: https://www.vice.com/en_us/article/wnjwb4/the-myspace-worm-that-changed-the-internet-forever
But wait,
there's
more!
BROKEN ACCESS CONTROL
We never checked if the account belonged
to the user
BUSINESS LOGIC PROBLEMS
Does your account have enough balance?
SENSITIVE DATA EXPOSED
Data between client and server are sent
over plaintext and cached by default
INSUFFICIENT LOGGING &
MONITORING
If something were to go wrong, how would
we find out more details?
Let's look
at the
numbers
4
LINES OF CODE
7
VULNERABILITIES
We could have kept going, but you get the point
Let's fix the
vulnerabilities and
secure our code
SQL Injection
prepared_statements
addMoney => "UPDATE accounts SET balance increment(%1) WHERE account_number = %2"
deductMoney => "UPDATE accounts SET balance decrement(%1) WHERE account_number = %2"
GET /transfer-money?from,to,amount
database.query => prepared_statements.add_money, amount, to
database.query => prepared_statements.deduct_money, amount, from
print "Debit: from -amount, Credit: to +amount"
Cross-site request forgery
configuration
protect_against_csrf
prepared_statements
addMoney => "UPDATE accounts SET balance increment(%1) WHERE account_number = %2"
deductMoney => "UPDATE accounts SET balance decrement(%1) WHERE account_number = %2"
GET /transfer-money?from,to,amount
database.query => prepared_statements.add_money, amount, to
database.query => prepared_statements.deduct_money, amount, from
print "Debit: from -amount, Credit: to +amount"
Broken access control
configuration
protect_against_csrf
prepared_statements
addMoney => "UPDATE accounts SET balance increment(%1) WHERE account_number = %2"
deductMoney => "UPDATE accounts SET balance decrement(%1) WHERE account_number = %2"
getAccount => "SELECT * from accounts WHERE account_number = %1"
POST /transfer-money?from,to,amount
account = database.query => prepared_statements.getAccount, from
if account.user_id != logged_in_user
throw error "Access denied!"
database.query => prepared_statements.add_money, amount, to
database.query => prepared_statements.deduct_money, amount, from
print "Debit: from -amount, Credit: to +amount"
Finally looks like this
configuration
log_all_requests
protect_against_csrf
hide_technology_info
do_not_cache_requests
prepared_statements
addMoney => "UPDATE accounts SET balance increment(%1) WHERE account_number = %2"
deductMoney => "UPDATE accounts SET balance decrement(%1) WHERE account_number = %2"
getAccount => "SELECT * from accounts WHERE account_number = %1"
configuration
logging
sensitive_info => from, to
POST /transfer-money?from,to,amount
account = database.query => prepared_statements.getAccount, from
if account.user_id != logged_in_user
throw error "Access denied!"
if account.balance < amount
throw error "Not enough balance!"
database.query => prepared_statements.add_money, amount, to
database.query => prepared_statements.deduct_money, amount, from
print "Debit: html_escape => from, html_escape => -amount, Credit: html_escape => to, html_escape => +amount"
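The final version above, worked through as an added Python example (not the deck's own code): sqlite3 parameterised queries stand in for the prepared_statements block, a session-bound token implements protect_against_csrf, the ownership and balance checks are kept, the receipt is passed through html.escape, and account numbers (the deck's sensitive_info) are masked in the log. It goes one step beyond the slide: the debit and credit run in a single transaction, and the balance check is folded into the debit so two concurrent transfers cannot overdraw. The in-memory database, account numbers and user ids are constructed sample data.

```python
import hmac
import html
import logging
import secrets
import sqlite3

log = logging.getLogger("transfer")


class TransferError(Exception):
    """Raised for any refused transfer; the message is safe to show the user."""


def make_db():
    # Constructed in-memory accounts table standing in for the bank's database.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE accounts (account_number TEXT PRIMARY KEY, "
        "user_id TEXT NOT NULL, balance INTEGER NOT NULL)"
    )
    db.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("ACC-1", "alice", 500), ("ACC-2", "bob", 100)],
    )
    db.commit()
    return db


def new_session(user_id):
    # The CSRF token is stored server-side in the session and echoed back by the form.
    return {"user_id": user_id, "csrf_token": secrets.token_hex(16)}


def get_balance(db, account_number):
    row = db.execute(
        "SELECT balance FROM accounts WHERE account_number = ?", (account_number,)
    ).fetchone()
    return None if row is None else row[0]


def mask_account(account_number):
    # Account numbers are "sensitive_info" in the deck's logging config: keep the last 2 chars only.
    return "*" * max(len(account_number) - 2, 0) + account_number[-2:]


def render_receipt(src, dst, amount):
    # Output encoding: values that came from the request are HTML-escaped before reaching the page.
    return "Debit: %s -%d, Credit: %s +%d" % (html.escape(src), amount, html.escape(dst), amount)


def transfer_money(db, session, form):
    """Hardened POST /transfer-money handler; `form` is the parsed request body (a dict)."""
    # 1. CSRF: constant-time comparison of the submitted token against the session's token.
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        log.warning("csrf check failed user=%s", session["user_id"])
        raise TransferError("Invalid request")
    # 2. Input validation: amount must be a positive integer and both accounts must be present.
    try:
        src, dst, amount = form["from"], form["to"], int(form["amount"])
    except (KeyError, ValueError):
        raise TransferError("Invalid request")
    if amount <= 0 or src == dst:
        raise TransferError("Invalid request")
    # 3. Access control through a parameterised query (the deck's getAccount prepared statement).
    row = db.execute(
        "SELECT user_id FROM accounts WHERE account_number = ?", (src,)
    ).fetchone()
    if row is None or row[0] != session["user_id"]:
        log.warning("transfer denied user=%s from=%s", session["user_id"], mask_account(src))
        raise TransferError("Access denied!")
    # 4. Debit and credit in one transaction: `with db` commits on success and rolls back on
    #    exception. The balance check is part of the debit, so it cannot be raced into overdraft.
    with db:
        debit = db.execute(
            "UPDATE accounts SET balance = balance - ? "
            "WHERE account_number = ? AND balance >= ?",
            (amount, src, amount),
        )
        if debit.rowcount != 1:
            raise TransferError("Not enough balance!")
        credit = db.execute(
            "UPDATE accounts SET balance = balance + ? WHERE account_number = ?",
            (amount, dst),
        )
        if credit.rowcount != 1:
            raise TransferError("Unknown destination account")  # rolls the debit back
    log.info("transfer ok user=%s from=%s to=%s amount=%d",
             session["user_id"], mask_account(src), mask_account(dst), amount)
    return render_receipt(src, dst, amount)


def try_transfer(db, session, form):
    # Convenience wrapper returning (ok, receipt-or-refusal-reason) instead of raising.
    try:
        return True, transfer_money(db, session, form)
    except TransferError as err:
        return False, str(err)
```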
Side by side comparison
configuration
log_all_requests
protect_against_csrf
hide_technology_info
do_not_cache_requests
prepared_statements
addMoney => "UPDATE accounts SET balance increment(%1) WHERE account_number = %2"
deductMoney => "UPDATE accounts SET balance decrement(%1) WHERE account_number = %2"
getAccount => "SELECT * from accounts WHERE account_number = %1"
configuration
logging
sensitive_info => from, to
POST /transfer-money?from,to,amount
account = database.query => prepared_statements.getAccount, from
if account.user_id != logged_in_user
throw error "Access denied!"
if account.balance < amount
throw error "Not enough balance!"
database.query => prepared_statements.add_money, amount, to
database.query => prepared_statements.deduct_money, amount, from
print "Debit: html_escape => from, html_escape => -amount, Credit: html_escape => to, html_escape => +amount"
GET /transfer-money?from,to,amount
database.query => "UPDATE accounts SET balance increment(amount) WHERE account_number = to"
database.query => "UPDATE accounts SET balance decrement(amount) WHERE account_number = from"
print "Debit: from -amount, Credit: to +amount"
3.5x
more code needed
to make it secure
To do things right,
you would need
superheroes
Normal coders don't stand a chance!
Developers
don't think
about security
all day
We need to make
security easy and
accessible
FUN FACT
How do we scale
secure coding?
Stand on the
shoulders of
giants
DON'T RE-INVENT THE WHEEL
Avoid implementing security features
yourself, e.g. encryption
RELY ON BATTLE-TESTED
ENTERPRISE LIBRARIES
Vetted by security experts, active
developer community, security mindset
Stand on the
shoulders of
giants
USE SECURE DEFAULTS
Most enterprise grade libraries come with
a security guide
Read it and create an internal best
practices guide or base library.
Do it once, reap the benefits
over and over again
PATCH AND UPDATE
DEPENDENCIES REGULARLY
Hackers can fingerprint technology stack
Exploit based on known vulnerabilities
- NO ONE EVER
"I LOVE UPDATE SCREENS"
Source: fakeupdate.net
60-80%
of a commercial codebase is
typically open source libraries
60% VULNERABLE
of those scanned
EQUIFAX CREDIT
BUREAU
public example of things gone
wrong
Why is
patching
important?
Security
automation
CATCH BUGS EARLY
Security bugs are inevitable, provide early feedback
loops through automated testing
REDUCE HUMAN EFFORT
AND SAVE $$$
Low hanging fruit should be caught by machines,
not humans
EMBED SECURITY INTO
DEVELOPMENT WORKFLOW
AUTOMATE AND GET OUT
OF THE WAY
Security tools can sometimes be slow. Anything
embedded into the workflow needs to be fast and
pain-free
Embed security automation
into the workflow
CODE BUILD TEST DEPLOY
IDE Plugins
Security Unit Tests
Static Source Code
Analysis (SAST)
Software Composition
Analysis (SCA)
Dynamic Application
Security Testing (DAST)
Container Scanning
Runtime Application
Self-Protection (RASP)
Bug Bounties
Architecture and design
SOLID FOUNDATIONS TO SET YOURSELF
UP FOR SECURITY SUCCESS
30x
more costly to fix defects
after release compared to
design phase
30x
Source: ftp://ftp.software.ibm.com/software/rational/info/do-more/RAW14109USEN.pdf
INFRASTRUCTURE DESIGN
Design to minimise attack surface and reduce risk
posture of the application
THREAT MODELLING
Understand the risk level of your application, data
it collects and processes and any regulatory
requirements
SECURITY AUTOMATION
Automate from the start, easier than climbing a
steep hill all at once
Architecture
and design
Security awareness
and culture
Am I rewarded or
punished for
reporting security
issues?
AVOID A TOXIC WORK
ENVIRONMENT
Developer
Training
THREAT LANDSCAPE AND
RESPONSIBILITY
Cost to the business of a security incident, impact
of vulnerabilities and duty to protect customer and
business data
FOCUS ON DEFENSIVE SKILLS
Proactive controls, internal secure coding
guidelines
Don't turn developers into hackers - that's not
their job
SOFTWARE SECURITY
FUNDAMENTALS TRAINING
High level overview for support staff: Business
Analysts, Project Managers, Product Managers etc
BUILD ON THE
SHOULDERS OF
GIANTS
THINK ABOUT SECURITY
DURING ARCHITECTURE AND
DESIGN PHASE
HOW DO YOU
CODE SECURELY?
EMBED AND AUTOMATE
SECURITY IN THE
DEVELOPMENT WORKFLOW
BUILD A SECURITY
CONSCIOUS CULTURE IN
YOUR BUSINESS
PATCH,
PATCH
AND
PATCH
AGAIN
Ransomware_Q4_2023. The report. [EN].pdf
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 

How to code securely: a crash course for non-coders

  • 1. Jaap Karan Singh Co-Founder & Chief Singh @ Secure Code Warrior How to code securely: A crash course for non-coders
  • 2. Everything is powered by technology
  • 3. TECHNOLOGY LETS YOU AVOID NAGGING PHONE CALLS FROM YOUR PARTNER... Source: https://www.pinterest.com/pin/678214025109991726/
  • 4. We are not a bank, we are a technology company with a banking license - EVERY BANK EVER
  • 5. What's behind all this technology? 111 BN NEW LINES OF CODE EVERY YEAR 22 M DEVELOPERS
  • 6. Cyber security is now mainstream No longer guys with hoodies lurking in the shadows
  • 7. Consumer trust is everything DIGITAL BANKING AND CYBER SECURITY
  • 8. - INFORMATION IS BEAUTIFUL Source: https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
  • 9. 90% of security incidents result from defects in the design or code of software - DEPARTMENT OF HOMELAND SECURITY Source: https://www.us-cert.gov/sites/default/files/publications/infosheet_SoftwareAssurance.pdf
  • 10. Are developers unaware or is security really hard?! IT'S THE LATTER.
  • 11. Let's look at some code GET /transfer-money?from,to,amount database.query => "UPDATE accounts SET balance increment(amount) WHERE account_number = to" database.query => "UPDATE accounts SET balance decrement(amount) WHERE account_number = to" print "Debit: from -amount, Credit: to +amount"
  • 12. Does this code have any vulnerabilities? YES. SEVERAL ACTUALLY!
  • 13. SQL Injection WHAT IS IT? User input used in a database query without validation WHY IS IT BAD? Execute additional transactions and actions Exfiltrate data Connect to other systems on the network
  • 14. DATA BREACH 77 MILLION RECORDS STOLEN Sony Hack "From a single injection, we accessed EVERYTHING". Passwords, home addresses and other personal information was stolen. Source: https://www.bbc.co.uk/news/business-13636704
  • 15. Cross-site Request Forgery WHAT IS IT? Replay actions on behalf of a logged in user WHY IS IT BAD? Unauthorised Attack typically hidden so user does not realise
  • 16. Good joke, wasn't it? While you were reading this joke on your favourite pastime website, I processed 5 transactions transferring over 1 billion dollars in the background! Source: https://www.pinterest.com/pin/777011741929294349/
  • 17. Cross-site Scripting (XSS) WHAT IS IT? Attack the users of the application by executing malicious code on their browser WHY IS IT BAD? Execute unauthorised transactions and actions without the user realising Looks like legitimate traffic to the website
  • 18. Samy the worm SPREAD LIKE WILDFIRE Fastest spreading virus of all time - 1 million users affected in less than 24 hours UNPRECEDENTED IMPACT MySpace had to take the site offline to remove the worm Source: https://www.vice.com/en_us/article/wnjwb4/the-myspace-worm-that-changed-the-internet-forever
  • 19. But wait, there's more! BROKEN ACCESS CONTROL We never checked if the account belonged to the user BUSINESS LOGIC PROBLEMS Does your account have enough balance? SENSITIVE DATA EXPOSED Data between client and server are sent over plaintext and cached by default INSUFFICIENT LOGGING & MONITORING If something were to go wrong, how would we find out more details?
  • 20. Let's look at the numbers 4 LINES OF CODE 7 VULNERABILITIES We could have kept going, but you get the point
  • 21. Let's fix the vulnerabilities and secure our code
  • 22. SQL Injection prepared_statements addMoney => "UPDATE accounts SET balance increment(%1) WHERE account_number = %2" deductMoney => "UPDATE accounts SET balance decrement(%1) WHERE account_number = %2" GET /transfer-money?from,to,amount database.query => prepared_statements.add_money, amount, to database.query => prepared_statements.deduct_money, amount, from print "Debit: from -amount, Credit: to +amount"
  • 23. Cross-site request forgery configuration protect_against_csrf prepared_statements addMoney => "UPDATE accounts SET balance increment(%1) WHERE account_number = %2" deductMoney => "UPDATE accounts SET balance decrement(%1) WHERE account_number = %2" GET /transfer-money?from,to,amount database.query => prepared_statements.add_money, amount, to database.query => prepared_statements.deduct_money, amount, from print "Debit: from -amount, Credit: to +amount"
  • 24. Broken access control configuration protect_against_csrf prepared_statements addMoney => "UPDATE accounts SET balance increment(%1) WHERE account_number = %2" deductMoney => "UPDATE accounts SET balance decrement(%1) WHERE account_number = %2" getAccount => "SELECT * from accounts WHERE account_number = %1" POST /transfer-money?from,to,amount account = database.query => prepared_statements.getAccount, from if account.user_id != logged_in_user throw error "Access denied!" database.query => prepared_statements.add_money, amount, to database.query => prepared_statements.deduct_money, amount, from print "Debit: from -amount, Credit: to +amount"
  • 25. Finally looks like this configuration log_all_requests protect_against_csrf hide_technology_info do_not_cache_requests prepared_statements addMoney => "UPDATE accounts SET balance increment(%1) WHERE account_number = %2" deductMoney => "UPDATE accounts SET balance decrement(%1) WHERE account_number = %2" getAccount => "SELECT * from accounts WHERE account_number = %1" configuration logging sensitive_info => from, to POST /transfer-money?from,to,amount account = database.query => prepared_statements.getAccount, from if account.user_id != logged_in_user throw error "Access denied!" if account.balance < amount throw error "Not enough balance!" database.query => prepared_statements.add_money, amount, to database.query => prepared_statements.deduct_money, amount, from print "Debit: html_escape => from, html_escape => -amount, Credit: html_escape => to, html_escape => +amount"
  • 26. Side by side comparison configuration log_all_requests protect_against_csrf hide_technology_info do_not_cache_requests prepared_statements addMoney => "UPDATE accounts SET balance increment(%1) WHERE account_number = %2" deductMoney => "UPDATE accounts SET balance decrement(%1) WHERE account_number = %2" getAccount => "SELECT * from accounts WHERE account_number = %1" configuration logging sensitive_info => from, to POST /transfer-money?from,to,amount account = database.query => prepared_statements.getAccount, from if account.user_id != logged_in_user throw error "Access denied!" if account.balance < amount throw error "Not enough balance!" database.query => prepared_statements.add_money, amount, to database.query => prepared_statements.deduct_money, amount, from print "Debit: html_escape => from, html_escape => -amount, Credit: html_escape => to, html_escape => +amount" GET /transfer-money?from,to,amount database.query => "UPDATE accounts SET balance increment(amount) WHERE account_number = to" database.query => "UPDATE accounts SET balance decrement(amount) WHERE account_number = to" print "Debit: from -amount, Credit: to +amount"
  • 27. 3.5x more code needed to make it secure
  • 28. To do things right, you would need superheroes Normal coders don't stand a chance!
  • 29. Developers don't think about security all day We need to make security easy and accessible FUN FACT
  • 30. How do we scale secure coding?
  • 31. Stand on the shoulders of giants DON'T RE-INVENT THE WHEEL Avoid implementing security features yourself, e.g. encryption RELY ON BATTLE-TESTED ENTERPRISE LIBRARIES Vetted by security experts, active developer community, security mindset
  • 32. Stand on the shoulders of giants USE SECURE DEFAULTS Most enterprise-grade libraries come with a security guide Read it and create an internal best practices guide or base library. Do it once, reap the benefits over and over again PATCH AND UPDATE DEPENDENCIES REGULARLY Hackers can fingerprint technology stack Exploit based on known vulnerabilities
  • 33. - NO ONE EVER "I LOVE UPDATE SCREENS" Source: fakeupdate.net
  • 34. 60-80% of a commercial codebase is typically open source libraries 60% VULNERABLE of those scanned EQUIFAX CREDIT BUREAU public example of things gone wrong Why is patching important?
  • 35. Security automation CATCH BUGS EARLY Security bugs are inevitable, provide early feedback loops through automated testing REDUCE HUMAN EFFORT AND SAVE $$$ Low hanging fruit should be caught by machines, not humans EMBED SECURITY INTO DEVELOPMENT WORKFLOW AUTOMATE AND GET OUT OF THE WAY Security tools can sometimes be slow. Anything embedded into the workflow needs to be fast and pain-free
  • 36. Embed security automation into the workflow CODE BUILD TEST DEPLOY IDE Plugins Security Unit Tests Static Source Code Analysis (SAST) Software Composition Analysis (SCA) Dynamic Application Security Testing (DAST) Container Scanning Runtime Application Self-Protection (RASP) Bug Bounties
  • 37. Architecture and design SOLID FOUNDATIONS TO SET YOURSELF UP FOR SECURITY SUCCESS
  • 38. 30x more costly to fix defects after release compared to design phase 30x Source: ftp://ftp.software.ibm.com/software/rational/info/do-more/RAW14109USEN.pdf
  • 39. INFRASTRUCTURE DESIGN Design to minimise attack surface and reduce risk posture of the application THREAT MODELLING Understand the risk level of your application, data it collects and processes and any regulatory requirements SECURITY AUTOMATION Automate from the start, easier than climbing a steep hill all at once Architecture and design
  • 41. Am I rewarded or punished for reporting security issues? AVOID A TOXIC WORK ENVIRONMENT
  • 42. Developer Training THREAT LANDSCAPE AND RESPONSIBILITY Cost to the business of a security incident, impact of vulnerabilities and duty to protect customer and business data FOCUS ON DEFENSIVE SKILLS Proactive controls, internal secure coding guidelines Don't turn developers into hackers - that's not their job SOFTWARE SECURITY FUNDAMENTALS TRAINING High level overview for support staff: Business Analysts, Project Managers, Product Managers etc
  • 43. BUILD ON THE SHOULDERS OF GIANTS THINK ABOUT SECURITY DURING ARCHITECTURE AND DESIGN PHASE HOW DO YOU CODE SECURELY? EMBED AND AUTOMATE SECURITY IN THE DEVELOPMENT WORKFLOW BUILD A SECURITY CONSCIOUS CULTURE IN YOUR BUSINESS PATCH, PATCH AND PATCH AGAIN
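The hardened transfer-money handler that slides 22 to 26 build up step by step, written out as a runnable Python example against an in-memory SQLite table. This is added illustration, not code from the talk; the function names, the form dictionary, the CSRF session token and the sample accounts are assumptions, and amounts are assumed to be already parsed as integers.

```python
import hmac
import html
import logging
import sqlite3

# Prepared statements: input is bound as parameters, never spliced into SQL.
ADD_MONEY = "UPDATE accounts SET balance = balance + ? WHERE account_number = ?"
DEDUCT_MONEY = "UPDATE accounts SET balance = balance - ? WHERE account_number = ?"
GET_ACCOUNT = "SELECT user_id, balance FROM accounts WHERE account_number = ?"

log = logging.getLogger("transfer")


def mask(account_number):
    # Keep full account numbers (the slides' sensitive_info) out of the logs.
    return "****" + account_number[-4:]


def transfer_money(db, logged_in_user, session_token, form):
    """Hardened POST /transfer-money (assumed shape): form has csrf_token, from, to, amount."""
    # CSRF: the posted form must carry the token tied to this user's session.
    if not hmac.compare_digest(form.get("csrf_token", ""), session_token):
        raise PermissionError("Invalid CSRF token")
    from_acct, to_acct, amount = form["from"], form["to"], form["amount"]
    if not isinstance(amount, int) or amount <= 0:
        raise ValueError("Invalid amount")
    # Broken access control: the source account must belong to the caller.
    row = db.execute(GET_ACCOUNT, (from_acct,)).fetchone()
    if row is None or row[0] != logged_in_user:
        log.warning("denied user=%s from=%s", logged_in_user, mask(from_acct))
        raise PermissionError("Access denied!")
    # Business logic: cannot move more than the account holds.
    if row[1] < amount:
        raise ValueError("Not enough balance!")
    with db:  # one transaction: the debit rolls back if the credit fails
        db.execute(DEDUCT_MONEY, (amount, from_acct))
        if db.execute(ADD_MONEY, (amount, to_acct)).rowcount != 1:
            raise ValueError("Unknown destination account")
    log.info("transfer user=%s from=%s to=%s amount=%d",
             logged_in_user, mask(from_acct), mask(to_acct), amount)
    # XSS: escape user-supplied values before they are rendered to the browser.
    return "Debit: %s -%d, Credit: %s +%d" % (
        html.escape(from_acct), amount, html.escape(to_acct), amount)


def demo_db():
    """Constructed sample data: an in-memory accounts table with two users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (account_number TEXT PRIMARY KEY, user_id TEXT, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                   [("1001", "alice", 500), ("2002", "bob", 100)])
    db.commit()
    return db
```

A `from` value such as `1001' OR '1'='1` simply fails the ownership lookup because the prepared statement treats it as a literal, and a failed credit leaves the debited balance untouched because both updates share one transaction.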