BHack 2012 - How to protect your web applications
June 2012, Belo Horizonte, MG
http://bhack.com.br/
About Me
Who am I?
• Ex-developer
• Security Analyst
• Chapter Leader
• Martial Arts
• Investments
Agenda
• They are everywhere!
• Testing, testing, testing…
• Guides, tools and much more
• The insecure software lifecycle
• How to solve these problems
They are everywhere!
And they have bugs everywhere!
• The cost of a data breach averages $5.5 million, or $194 per customer record*
• Companies that take security seriously can reduce the cost per customer by up to 62%
* From a 2011 study by the Ponemon Institute
So, how to protect them?
1. Security Testing
2. Code Review
3. SDL
OWASP Top 10 2010
Testing, testing, testing…
And more testing…
2011 CWE/SANS Top 25
So what do they do?
• Protect you from common mistakes
• Keep you from getting hacked by automated tools/scanners and script kiddies
By the way, if you work with AppSec and you have never heard of these two docs…
You need to find another job!
Many more FREE resources!
Not just OWASP stuff…
Ok, now what?
OWASP Code Review Guide
• Code review takes a deeper look into your app
• It finds the things that automated scanners won't find
• You'll see the common mistakes devs make
We fixed the problems. How do we stop them from coming back?
• Implement an SDL (Security Development Lifecycle) process
• Train your developers in app security
• They don't need to be experts, but they should at least know how attacks work and how to protect their apps
Yay! More free stuff…
• OWASP ASVS (Application Security Verification Standard) – verify your security
• OWASP OpenSAMM (Software Assurance Maturity Model) – build a security program
• OWASP Developer's Guide – tips for devs
It's not that simple…
• If we have all that, why aren't our apps secure?
• Why don't even the big companies follow the basic rules? Hello LinkedIn!
We know, we know…
• Security costs money. Yeah, but so do development, support, operations, etc.
• Security costs money. But it will save you a lot more!
Why do most companies still not see the value of security until they get hacked?
Like Dinis Cruz said at AppSec Latam 2011:
Unless you've been hacked before…
If it compiles, ship it!
That's the motto in most dev companies.
The real picture (developer's view)
• They don't like the security teams
• They already work on a tight schedule
• Security will add to their programming time
How it should be…
• Dev and infosec should work together
• Security practices and their implementation should be included in the schedule
• It will increase the app's protection and decrease the amount of bugs and rework
In a nutshell…
• Security is not a plugin, it's a process.
• Test everything, every time it changes.
• Allocate time for security testing within your project.
• Never assume security controls are effective: test them.
Questions?
@magnologan @owasppb
References
Wagner Elias. "Testar não é suficiente, tem que fazer direito!" ("Testing is not enough, you have to do it right!"). YSTS 2012
Dinis Cruz. "Making Security Invisible by Becoming the Developer's Best Friends". OWASP AppSec Latam 2011
Building Secure Web Applications Infographic - http://www.veracode.com/blog/2012/06/building-secure-web-applications-infographic/
OWASP - www.owasp.org