How to protect your web applications
Magno Logan
OWASP Paraíba Chapter Leader
About Me
Who am I?
• Ex-developer
• Security Analyst
• Chapter Leader
• Investments
• Martial Arts
Paraíba?!
I’m here!
• Caipirinha
• Soccer
• Samba
• Girls
We have it all!
I live where you take vacations, sorry! =)
Agenda
• They are everywhere!
• Testing, testing, testing…
• Guides, tools and much more
• The insecure software lifecycle
• How to solve these problems (maybe?)
They are everywhere!
And they have bugs everywhere!
• The cost of a data breach averages $5.5 million or $194 per customer record*
• Companies that take security seriously can reduce the cost per customer by up to 62%
* From a 2011 study by the Ponemon Institute
What are we doing wrong?
• Secure application development is a top priority
• But web applications are still the number one source of data breaches
• We need to change the mindset of software development
*From a 2011 Forrester Research study: Application Security: 2011 & Beyond
What are we doing wrong?
• We’re in 2012 and SQL Injection is still the biggest issue!
• The first public issue dates from 1998
• SQL Injections can lead to shell access now!
Why do these still happen?
Excuses to the problems:
• Security is not important! Money is!
• There is no time!
• Developers’ fault! They are the scapegoat of security!
Back to the basics
CIA Triad
Now what?
So, how to protect our apps?!
1. Threat Modeling
2. Security Testing
3. Code Review
4. SDL
Threat Modeling
• Structured approach to identify and measure risks
• It defines the security requirements
• Allows the design to address the security issues
• Helps the security testing and code reviews
Threat Modeling Process
1. Identify your assets
2. Create an architectural view
3. Decompose the software
4. Identify, document and classify the threats to your app
(Security) Design Patterns
• Use them! There are a lot out there!
• Don’t reinvent the wheel!
• Exception Handling
• Input Validation
• Protected Logging
Development Phase
• Use a guide to implement your security, like the OWASP Developer’s Guide
• Use unit test cases focused on security
• Present security training to developers
• Perform penetration testing and code reviews
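The three design patterns named above (input validation, exception handling, protected logging) and a security-focused unit test, wired around the SQL Injection case from earlier in the talk. This is an added example, not code from the talk or from OWASP; the table, the sample rows, the allowlist regex and every function name are constructed for the illustration.

```python
"""Added example: the security design patterns from the slide around a
parameterized query. Schema, rows and names are constructed for this demo."""
import logging
import re
import sqlite3

log = logging.getLogger("appsec-demo")

# Input validation pattern: an allowlist of what a username may look like.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


class ValidationError(ValueError):
    """Raised when input does not match the allowlist."""


def validate_username(raw):
    """Accept only what the allowlist permits; everything else is rejected."""
    if not isinstance(raw, str) or not USERNAME_RE.fullmatch(raw):
        raise ValidationError("invalid username")
    return raw


def redact(value):
    """Protected logging pattern: never write user-supplied data verbatim."""
    return "<redacted len=%d>" % len(str(value))


def make_db():
    """Constructed in-memory database with two sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_email_vulnerable(conn, raw_username):
    """The 'before': string formatting turns input into SQL code."""
    query = "SELECT email FROM users WHERE username = '%s'" % raw_username
    return [row[0] for row in conn.execute(query)]


def lookup_email(conn, raw_username):
    """The hardened form: validated input plus a parameterized query.
    Exception-handling pattern: the caller gets a generic empty result,
    the details go only to the (redacted) log."""
    try:
        username = validate_username(raw_username)
        rows = conn.execute(
            "SELECT email FROM users WHERE username = ?", (username,)
        ).fetchall()
        return [row[0] for row in rows]
    except ValidationError:
        log.warning("rejected username %s", redact(raw_username))
        return []
    except sqlite3.Error as exc:
        log.error("db failure for %s: %s", redact(raw_username), type(exc).__name__)
        return []


# Classic tautology payload, used here only as a unit-test input.
INJECTION = "x' OR '1'='1"


def security_unit_test():
    """Security-focused unit test: the same malicious input goes through
    both implementations; returns True only if the hardened one holds."""
    conn = make_db()
    leaked = lookup_email_vulnerable(conn, INJECTION)  # tautology returns every row
    safe = lookup_email(conn, INJECTION)               # rejected by validation
    assert len(leaked) == 2 and safe == []
    assert lookup_email(conn, "alice") == ["alice@example.test"]
    return True


if __name__ == "__main__":
    print("security unit test passed:", security_unit_test())
```

The point of `security_unit_test` is the one the slide makes: the test encodes the attack, so it fails the build the day someone replaces the parameterized query with string formatting again.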
OWASP Top 10 2010
Testing, testing, testing…
2011 CWE/SANS Top 25
And more testing…
So what do they do?
• Protect you from common mistakes
• Keep you from getting hacked by automated tools/scanners and script kiddies
By the way, if you work with AppSec and you never heard of these two docs…
You need to find another job!
How to apply them?
Many FREE resources!
Not just OWASP stuff…
Code reviews
Ok, now what?!
OWASP Code Review Guide
• Code review takes a deeper look into your app
• Things that automated scanners won’t find
• You’ll see the common mistakes devs make
SDL
We fixed the problems. How to stop them?
• Implement an SDL process
• Train your developers in app security
• They don’t need to be experts, but they should at least know how it works and how to protect their apps
Free Docs
Yay! More free stuff…
• OWASP ASVS – verify your security
• OWASP OpenSAMM – create a security program
• OWASP Developer’s Guide – tips to devs
Not yet…
It’s not that simple…
• If we have all that, why aren’t our apps secure?
• Why don’t even the big companies follow the basic rules? Hello LinkedIn!
Security Myths
We know, we know…
• Security costs money. Yeah, but so does development, support, operations, etc.
• Security costs money. But it will save you a lot more!
Why do most companies still not see the value of security until they get hacked?
If it compiles, ship it!
Like Dinis Cruz said at AppSec Latam 2011:
Unless you’ve been hacked before…
If it compiles,
Ship it!
That’s the motto in most dev companies
ISLC
The real picture (Developer’s view)
• They don’t like the security teams
• They already work on a tight schedule
• Security will increase their programming time
The ideal world
How it should be…
• Dev and infosec should work together
• Security practices and implementations should be included in the schedule time
• It will increase the apps’ protection and decrease the amount of bugs and rework
Conclusions
In a nutshell…
• Security is not a plugin, it’s a process.
• Test everything, every time it changes.
• Allocate time for security testing within your project
• Never assume security controls are effective
OWASP Floripa Day
Conferences
15 and 16 September
https://www.owasp.org/index.php/OWASP_Floripa_Day_2012
AppSec Brazil 2012
Conferences
OWASP AppSec Brazil 2012
In November in João Pessoa!
Questions?
@magnologan
@owasppb
References
Wagner Elias. “Testar não é suficiente, tem que fazer direito!”. YSTS 2012
Dinis Cruz. “Making Security Invisible by Becoming the Developer's Best Friends”. OWASP AppSec Latam 2011
Building Secure Web Applications Infographic - http://www.veracode.com/blog/2012/06/building-secure-web-applications-infographic/
OWASP - www.owasp.org