Ever wondered why coding securely is so difficult? In a non-technical session, learn more about the exponential growth of software and coders, why good code isn't necessarily secure code, how developers think and act, what are the most common mistakes developers make, and what you might be able to do about it. If you are up for it, challenge yourself to locate, identify and fix vulnerabilities within sample code snippets using our 'for-not-technical-people' pseudocode language!
8. - INFORMATION IS BEAUTIFUL
Source: https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
9. 90% of security incidents result from defects in the design or code of software
- DEPARTMENT OF HOMELAND SECURITY
Source: https://www.us-cert.gov/sites/default/files/publications/infosheet_SoftwareAssurance.pdf
11. Let's look at some code
GET /transfer-money?from,to,amount
database.query => "UPDATE accounts SET balance increment(amount) WHERE account_number = to"
database.query => "UPDATE accounts SET balance decrement(amount) WHERE account_number = to"
print "Debit: from -amount, Credit: to +amount"
12. Does this code have any vulnerabilities?
YES. SEVERAL ACTUALLY!
13. SQL Injection
WHAT IS IT?
User input used in a database query without validation
WHY IS IT BAD?
Execute additional transactions and actions
Exfiltrate data
Connect to other systems on the network
14. DATA BREACH
77 MILLION RECORDS STOLEN
Sony Hack
"From a single injection, we accessed EVERYTHING". Passwords, home addresses and other personal information were stolen.
Source: https://www.bbc.co.uk/news/business-13636704
16. Good joke, wasn't it?
While you were reading this joke on your favourite pastime website, I processed 5 transactions transferring over 1 billion dollars in the background!
Source: https://www.pinterest.com/pin/777011741929294349/
17. Cross-site Scripting (XSS)
WHAT IS IT?
Attack the users of the application by executing malicious code in their browser
WHY IS IT BAD?
Execute unauthorised transactions and actions without the user realising
Looks like legitimate traffic to the website
18. Samy the worm
SPREAD LIKE WILDFIRE
Fastest spreading virus of all time - 1 million users affected in less than 24 hours
UNPRECEDENTED IMPACT
MySpace had to take the site offline to remove the worm
Source: https://www.vice.com/en_us/article/wnjwb4/the-myspace-worm-that-changed-the-internet-forever
19. But wait, there's more!
BROKEN ACCESS CONTROL
We never checked if the account belonged to the user
BUSINESS LOGIC PROBLEMS
Does your account have enough balance?
SENSITIVE DATA EXPOSED
Data between client and server is sent in plaintext and cached by default
INSUFFICIENT LOGGING & MONITORING
If something were to go wrong, how would we find out more details?
22. SQL Injection
prepared_statements
addMoney => "UPDATE accounts SET balance increment(%1) WHERE account_number = %2"
deductMoney => "UPDATE accounts SET balance decrement(%1) WHERE account_number = %2"
GET /transfer-money?from,to,amount
database.query => prepared_statements.add_money, amount, to
database.query => prepared_statements.deduct_money, amount, from
print "Debit: from -amount, Credit: to +amount"
23. Cross-site request forgery
configuration
protect_against_csrf
prepared_statements
addMoney => "UPDATE accounts SET balance increment(%1) WHERE account_number = %2"
deductMoney => "UPDATE accounts SET balance decrement(%1) WHERE account_number = %2"
GET /transfer-money?from,to,amount
database.query => prepared_statements.add_money, amount, to
database.query => prepared_statements.deduct_money, amount, from
print "Debit: from -amount, Credit: to +amount"
24. Broken access control
configuration
protect_against_csrf
prepared_statements
addMoney => "UPDATE accounts SET balance increment(%1) WHERE account_number = %2"
deductMoney => "UPDATE accounts SET balance decrement(%1) WHERE account_number = %2"
getAccount => "SELECT * from accounts WHERE account_number = %1"
POST /transfer-money?from,to,amount
account = database.query => prepared_statements.getAccount, from
if account.user_id != logged_in_user
    throw error "Access denied!"
database.query => prepared_statements.add_money, amount, to
database.query => prepared_statements.deduct_money, amount, from
print "Debit: from -amount, Credit: to +amount"
25. Finally looks like this
configuration
log_all_requests
protect_against_csrf
hide_technology_info
do_not_cache_requests
prepared_statements
addMoney => "UPDATE accounts SET balance increment(%1) WHERE account_number = %2"
deductMoney => "UPDATE accounts SET balance decrement(%1) WHERE account_number = %2"
getAccount => "SELECT * from accounts WHERE account_number = %1"
configuration
logging
sensitive_info => from, to
POST /transfer-money?from,to,amount
account = database.query => prepared_statements.getAccount, from
if account.user_id != logged_in_user
    throw error "Access denied!"
if account.balance < amount
    throw error "Not enough balance!"
database.query => prepared_statements.add_money, amount, to
database.query => prepared_statements.deduct_money, amount, from
print "Debit: html_escape => from, html_escape => -amount, Credit: html_escape => to, html_escape => +amount"
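The hardened handler of slides 22 to 25 as running Python (an added example, not the deck's own pseudocode): sqlite3 parameter binding stands in for prepared_statements, the ownership and balance checks are the access-control and business-logic fixes, html.escape plays the role of html_escape, and audit_line applies the sensitive_info logging rule. The sample accounts, the destination-exists check and the positive-amount check are constructed additions that the slides do not show.

```python
import html
import sqlite3
# Constructed sample accounts (not from the slides): three users, one account each.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (account_number TEXT PRIMARY KEY, user_id TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [("A-100", "alice", 500), ("B-200", "bob", 100), ("C-300", "carol", 900)])
    conn.commit()
    return conn

# The slides' prepared_statements: '?' placeholders instead of splicing request values into SQL.
GET_ACCOUNT = "SELECT user_id, balance FROM accounts WHERE account_number = ?"
ADD_MONEY = "UPDATE accounts SET balance = balance + ? WHERE account_number = ?"
DEDUCT_MONEY = "UPDATE accounts SET balance = balance - ? WHERE account_number = ?"

def transfer_money(conn, logged_in_user, from_acct, to_acct, amount):
    """POST /transfer-money handler with the slide 25 controls applied."""
    if not isinstance(amount, int) or amount <= 0:  # added check: a negative amount would reverse the transfer
        raise ValueError("Invalid amount!")
    src = conn.execute(GET_ACCOUNT, (from_acct,)).fetchone()  # SQL injection: input is bound as a literal
    # Broken access control: the source account must belong to the logged-in user.
    if src is None or src[0] != logged_in_user:
        raise PermissionError("Access denied!")
    # Business logic: the source account must cover the amount.
    if src[1] < amount:
        raise ValueError("Not enough balance!")
    if conn.execute(GET_ACCOUNT, (to_acct,)).fetchone() is None:  # added check: destination must exist
        raise ValueError("Unknown destination!")
    with conn:  # both legs in one transaction: they commit together or roll back together
        conn.execute(DEDUCT_MONEY, (amount, from_acct))
        conn.execute(ADD_MONEY, (amount, to_acct))
    # Cross-site scripting: echoed values are HTML-escaped, as the slide's html_escape does.
    return f"Debit: {html.escape(from_acct)} -{amount}, Credit: {html.escape(to_acct)} +{amount}"

def balance(conn, acct):
    row = conn.execute(GET_ACCOUNT, (acct,)).fetchone()
    return None if row is None else row[1]

def attempt(conn, *args):
    # Run a transfer and return either its receipt or the rejection reason.
    try:
        return transfer_money(conn, *args)
    except (PermissionError, ValueError) as exc:
        return str(exc)

def audit_line(from_acct, to_acct, amount):
    """Slide 25 logging config: from and to are sensitive_info, so only their last two characters are logged."""
    mask = lambda v: "***" + v[-2:]
    return f"transfer from={mask(from_acct)} to={mask(to_acct)} amount={amount}"
```

A crafted account number passed as `to` reaches the database as a plain string that matches no row, so the transfer is refused instead of the statement being altered.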
26. Side by side comparison
configuration
log_all_requests
protect_against_csrf
hide_technology_info
do_not_cache_requests
prepared_statements
addMoney => "UPDATE accounts SET balance increment(%1) WHERE account_number = %2"
deductMoney => "UPDATE accounts SET balance decrement(%1) WHERE account_number = %2"
getAccount => "SELECT * from accounts WHERE account_number = %1"
configuration
logging
sensitive_info => from, to
POST /transfer-money?from,to,amount
account = database.query => prepared_statements.getAccount, from
if account.user_id != logged_in_user
    throw error "Access denied!"
if account.balance < amount
    throw error "Not enough balance!"
database.query => prepared_statements.add_money, amount, to
database.query => prepared_statements.deduct_money, amount, from
print "Debit: html_escape => from, html_escape => -amount, Credit: html_escape => to, html_escape => +amount"

GET /transfer-money?from,to,amount
database.query => "UPDATE accounts SET balance increment(amount) WHERE account_number = to"
database.query => "UPDATE accounts SET balance decrement(amount) WHERE account_number = to"
print "Debit: from -amount, Credit: to +amount"
31. Stand on the shoulders of giants
DON'T RE-INVENT THE WHEEL
Avoid implementing security features yourself, e.g. encryption
RELY ON BATTLE-TESTED ENTERPRISE LIBRARIES
Vetted by security experts, active developer community, security mindset
32. Stand on the shoulders of giants
USE SECURE DEFAULTS
Most enterprise grade libraries come with a security guide
Read it and create an internal best practices guide or base library. Do it once, reap the benefits over and over again
PATCH AND UPDATE DEPENDENCIES REGULARLY
Hackers can fingerprint the technology stack and exploit known vulnerabilities
33. "I LOVE UPDATE SCREENS" - NO ONE EVER
Source: fakeupdate.net
34. Why is patching important?
60-80% of a commercial codebase is typically open source libraries
60% of those scanned are VULNERABLE
EQUIFAX CREDIT BUREAU: public example of things gone wrong
35. Security automation
CATCH BUGS EARLY
Security bugs are inevitable; provide early feedback loops through automated testing
REDUCE HUMAN EFFORT AND SAVE $$$
Low hanging fruit should be caught by machines, not humans
EMBED SECURITY INTO DEVELOPMENT WORKFLOW
AUTOMATE AND GET OUT OF THE WAY
Security tools can sometimes be slow. Anything embedded into the workflow needs to be fast and pain-free
36. Embed security automation into the workflow
CODE BUILD TEST DEPLOY
IDE Plugins
Security Unit Tests
Static Source Code Analysis (SAST)
Software Composition Analysis (SCA)
Dynamic Application Security Testing (DAST)
Container Scanning
Runtime Application Self-Protection (RASP)
Bug Bounties
39. Architecture and design
INFRASTRUCTURE DESIGN
Design to minimise attack surface and reduce the risk posture of the application
THREAT MODELLING
Understand the risk level of your application, the data it collects and processes, and any regulatory requirements
SECURITY AUTOMATION
Automate from the start; easier than climbing a steep hill all at once
41. Am I rewarded or punished for reporting security issues?
AVOID A TOXIC WORK ENVIRONMENT
42. Developer Training
THREAT LANDSCAPE AND RESPONSIBILITY
Cost to the business of a security incident, impact of vulnerabilities and duty to protect customer and business data
FOCUS ON DEFENSIVE SKILLS
Proactive controls, internal secure coding guidelines
Don't turn developers into hackers - that's not their job
SOFTWARE SECURITY FUNDAMENTALS TRAINING
High level overview for support staff: Business Analysts, Project Managers, Product Managers etc.
43. HOW DO YOU CODE SECURELY?
BUILD ON THE SHOULDERS OF GIANTS
THINK ABOUT SECURITY DURING ARCHITECTURE AND DESIGN PHASE
EMBED AND AUTOMATE SECURITY IN THE DEVELOPMENT WORKFLOW
BUILD A SECURITY CONSCIOUS CULTURE IN YOUR BUSINESS
PATCH, PATCH AND PATCH AGAIN