BHack 2012 - How to protect your web applications

Post on 28-Jun-2015


DESCRIPTION

BHack 2012 - How to protect your web applications. June 2012, Belo Horizonte, MG. http://bhack.com.br/

TRANSCRIPT

How to protect your web applications

Magno Logan magno.logan@owasp.org

OWASP Paraíba Chapter Leader

About Me

Who am I?

• Ex-developer
• Security Analyst
• Chapter Leader
• Martial Arts
• Investments

Agenda

• They are everywhere!
• Testing, testing, testing…
• Guides, tools and much more
• The insecure software lifecycle
• How to solve these problems

They are everywhere!

And they have bugs everywhere!

• The cost of a data breach averages $5.5 million, or $194 per customer record*
• Companies that take security seriously can reduce the cost per customer by up to 62%

* From a 2011 study by the Ponemon Institute

So, how to protect them?

1. Security Testing
2. Code Review
3. SDL

OWASP Top 10 2010

Testing, testing, testing…

And more testing… 2011 CWE/SANS Top 25

So what do they do?

• Protect you from common mistakes
• Help you avoid getting hacked by automated tools/scanners and script kiddies

By the way, if you work with AppSec and you have never heard of these two documents… you need to find another job!
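The "common mistake" at the top of the OWASP Top 10 2010 (A1 Injection) is exactly what automated scanners and script kiddies look for first. As an added example that is not part of the slides, here is the mistake beside its fix, against an in-memory SQLite database; the table, its rows and the attacker input are constructed for the demo.

```python
# Added example (not from the slides): OWASP Top 10 2010 A1 Injection,
# the vulnerable pattern next to the parameterized fix. The schema, the
# rows and the attacker's input are constructed for this demo.
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: user input is concatenated into the SQL text, so the
    input can change the structure of the query, not just its data."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Fixed: the SQL text is constant and the input travels as a bound
    parameter, so the database only ever compares it as a value."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed attacker input: closes the string literal and adds a tautology,
# turning the WHERE clause into  username = '' OR '1'='1'
PAYLOAD = "' OR '1'='1"


def demo() -> dict:
    """Run the same input through both handlers and count the rows returned."""
    conn = make_db()
    return {
        "vulnerable_rows": len(find_user_vulnerable(conn, PAYLOAD)),  # every user leaks
        "safe_rows": len(find_user_safe(conn, PAYLOAD)),              # no such username
        "safe_legit": len(find_user_safe(conn, "alice")),             # normal lookup still works
    }


if __name__ == "__main__":
    print(demo())
```

The point a scanner relies on is visible in the first function: the tautology returns every row, so the tool never needs to know the schema to confirm the bug. The fix is not "filter quotes" but a query whose structure cannot be changed by input.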

Many more FREE resources! Not just OWASP stuff…

Ok, now what? OWASP Code Review Guide

• Code review takes a deeper look into your app
• Things that automated scanners won’t find
• You’ll see the common mistakes devs make
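One thing a black-box scanner usually will not find, but a code reviewer will, is a missing authorization check on an object looked up by an id from the request (A4 Insecure Direct Object References in the OWASP Top 10 2010): the server answers with a perfectly well-formed 200, so nothing looks broken from the outside. The following is an added example, not code from the slides; the invoice store, the two users and the request are all constructed for the demo.

```python
# Added example (not from the slides): a missing object-level authorization
# check, the kind of defect code review finds and a scanner does not, because
# the leaking response is a normal, well-formed one. All data is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount: float


# Constructed data: two customers, each with one invoice.
INVOICES = {
    1001: Invoice(1001, "alice", 120.0),
    1002: Invoice(1002, "bob", 980.0),
}


class Forbidden(Exception):
    """Raised when the current user may not read the requested object."""


def get_invoice_vulnerable(current_user: str, invoice_id: int) -> Invoice:
    """Vulnerable: the id from the URL is used directly. Being logged in is
    the only check, so any user who changes the id reads another customer's
    invoice. The parameter current_user is accepted but never consulted."""
    return INVOICES[invoice_id]


def get_invoice_safe(current_user: str, invoice_id: int) -> Invoice:
    """Fixed: authorization is decided against the object itself. A missing
    id and a foreign id fail identically, so the endpoint does not reveal
    which ids exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner != current_user:
        raise Forbidden(f"user {current_user!r} may not read invoice {invoice_id}")
    return invoice


def demo() -> dict:
    """Bob, logged in, asks for Alice's invoice 1001 through both handlers."""
    leaked_owner = get_invoice_vulnerable("bob", 1001).owner
    try:
        get_invoice_safe("bob", 1001)
        blocked = False
    except Forbidden:
        blocked = True
    return {
        "vulnerable_leaks_owner": leaked_owner,         # 'alice'
        "safe_blocks_foreign_id": blocked,               # True
        "safe_allows_own_id": get_invoice_safe("bob", 1002).invoice_id,
    }


if __name__ == "__main__":
    print(demo())
```

A reviewer spots the defect by asking one question of every lookup: "where is the check that this user may see this object?" The vulnerable handler has no answer, and the unused current_user parameter is the tell.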

We fixed the problems. How do we stop them from coming back?

• Implement an SDL process
• Train your developers in application security
• They don’t need to be experts, but they should at least know how attacks work and how to protect their apps

Yay! More free stuff…

• OWASP ASVS – verify your security
• OWASP OpenSAMM – create a security program
• OWASP Developer’s Guide – tips for devs

It’s not that simple…

• If we have all that, why aren’t our apps secure?
• Why don’t even the big companies follow the basic rules? Hello LinkedIn!

We know, we know…

• Security costs money. Yeah, but so do development, support, operations, etc.
• Security costs money. But it will save you a lot more!

Why do most companies still not see the value of security until they get hacked?

Like Dinis Cruz said at AppSec Latam 2011:

Unless you’ve been hacked before…

“If it compiles, ship it!”

That’s the motto in most dev companies.

The real picture (Developer’s view)

• They don’t like the security teams
• They already work on a tight schedule
• Security will increase their programming time

How it should be…

• Dev and infosec should work together
• Security practices and their implementation should be included in the scheduled time
• It will improve the app’s protection and reduce the number of bugs and the rework they cause

In a nutshell…

• Security is not a plugin, it’s a process.
• Test everything, every time it changes.
• Allocate time for security testing within your project.
• Never assume security controls are effective.
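"Never assume security controls are effective" and "test every time it changes" become concrete when a control ships with a regression test that has an oracle, not just the one payload it was written against. The block below is an added example, not code from the slides: it compares a homegrown "remove script tags" filter with proper HTML output encoding (the A2 Cross-Site Scripting item of the OWASP Top 10 2010), using the standard library's HTML parser as the oracle for "does the browser see markup inside the user data?". Both controls and the bypass corpus are constructed for the demo.

```python
# Added example (not from the slides): a regression test for an output-
# encoding control. The blacklist filter, the escaping control, the oracle
# and the bypass corpus are all constructed for this demo.
import html
from html.parser import HTMLParser


def blacklist_sanitize(value: str) -> str:
    """A homegrown control that 'removes scripts'. It passes the single test
    case it was written for and nothing else."""
    return value.replace("<script>", "").replace("</script>", "")


def escape_for_html_text(value: str) -> str:
    """The real control for an HTML text context: encode every character
    that has meaning to the parser, so user data can never become markup."""
    return html.escape(value, quote=True)


class TagCounter(HTMLParser):
    """Oracle: record every start tag the parser sees in the rendered data.
    In a text context that list must be empty, whatever the input was."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def renders_markup(rendered_user_data: str) -> bool:
    """True if a browser-like parser would see at least one element."""
    p = TagCounter()
    p.feed(rendered_user_data)
    p.close()
    return bool(p.tags)


# Constructed corpus: the first line is the case the blacklist was built for,
# the rest are the well-known ways around a tag-removal filter.
BYPASS_CORPUS = [
    "<script>alert(1)</script>",
    "<SCRIPT>alert(1)</SCRIPT>",                   # case variation
    "<scr<script>ipt>alert(1)</scr</script>ipt>",  # removal reassembles the tag
    "<img src=x onerror=alert(1)>",                # no script element at all
]
BENIGN_INPUT = "Tom & Jerry <3 O'Brien"            # must survive either control


def verify_control(control) -> dict:
    """Run one control over the corpus and report what got through."""
    bypasses = [p for p in BYPASS_CORPUS if renders_markup(control(p))]
    return {
        "bypasses": bypasses,
        "benign_ok": not renders_markup(control(BENIGN_INPUT)),
    }


if __name__ == "__main__":
    for name, control in [("blacklist", blacklist_sanitize),
                          ("escape", escape_for_html_text)]:
        print(name, verify_control(control))
```

The blacklist looks fine on its own test case and on benign text, and only the corpus exposes it; the escaping control lets nothing through. Keeping the corpus next to the control and running it on every change is what "test everything, every time it changes" means in practice.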

Questions?

@magnologan @owasppb

References

Wagner Elias. “Testar não é suficiente, tem que fazer direito!” (“Testing is not enough, you have to do it right!”). YSTS 2012
Dinis Cruz. “Making Security Invisible by Becoming the Developer's Best Friends”. OWASP AppSec Latam 2011
Building Secure Web Applications Infographic - http://www.veracode.com/blog/2012/06/building-secure-web-applications-infographic/
OWASP - www.owasp.org
