just4meeting 2012 - how to protect your web applications

How to protect your web applications Magno Logan [email protected] OWASP Paraíba Chapter Leader

Upload: magno-logan

Post on 01-Dec-2014


DESCRIPTION

Just4Meeting 2012 - How to protect your web applications, July 2012 in Cascais, Portugal. http://www.just4meeting.com/

TRANSCRIPT

Page 1: Just4Meeting 2012 -  How to protect your web applications

How to protect your web applications

Magno Logan

[email protected]

OWASP Paraíba Chapter Leader

Page 2

About Me

Who am I?

• Ex-developer

• Security Analyst

• Chapter Leader

• Investments

• Martial Arts

Page 3

Paraíba?!

I’m here!

• Caipirinha • Soccer • Samba • Girls

We have it all!

Page 4

I live where you take vacations, sorry! =)

Page 5

Agenda

• They are everywhere!

• Testing, testing, testing…

• Guides, tools and much more

• The insecure software lifecycle

• How to solve these problems (maybe?)

Page 6

They are everywhere!

Page 7

They are everywhere!

And they have bugs everywhere!

• The cost of a data breach averages $5.5 million or $194 per customer record*

• Companies that take security seriously can reduce the cost per customer by up to 62%

* From a 2011 study by the Ponemon Institute

Page 8

What are we doing wrong?

• Secure application development is a top priority

• But web applications are still the number one source of data breaches

• We need to change the mindset of software development

* From a 2011 Forrester Research study: Application Security: 2011 & Beyond

Page 9

What are we doing wrong?

• We’re in 2012 and SQL Injection is still the biggest issue!

• The first public issue dates from 1998

• SQL Injections can lead to shell access now!

Page 10

Page 11

Why does this still happen?

Excuses for the problems:

• Security is not important! Money is!

• There is no time!

• Developer’s fault! They are the scapegoat of security!

Page 12

Back to the basics

CIA Triad

Page 13

Now what?

So, how to protect our apps?!

1. Threat Modeling

2. Security Testing

3. Code Review

4. SDL

Page 14

Threat Modeling

Page 15

Threat Modeling

• Structured approach to identify and measure risks

• It defines the security requirements

• Allows the design to address the security issues

• Helps the security testing and code reviews

Page 16

Threat Modeling Process

1. Identify your assets

2. Create an architectural view

3. Decompose the software

4. Identify, document and classify the threats to your app

Page 17

(Security) Design Patterns

• Use them! There are a lot out there!

• Don’t reinvent the wheel!

• Exception Handling

• Input Validation

• Protected Logging

Page 18

Development Phase

• Use a guide to implement your security, like the OWASP Developer’s Guide

• Use unit test cases focused on security

• Present security training to developers

• Perform penetration testing and code reviews
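Slide 9 calls SQL injection the biggest issue of 2012 and this slide asks for unit tests focused on security. The following is an added example, not code from the talk: a vulnerable lookup beside its parameterized replacement, plus a security unit test that fails on the vulnerable version. The table, sample users and hostile inputs are constructed for the example.

```python
import sqlite3

# Constructed sample data (not from the talk) used by the tests below.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("o'brien", "user")]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_users_unsafe(conn, name):
    """Vulnerable: the caller's string is spliced into the SQL text, so a quote
    or operator inside `name` becomes part of the statement (SQL injection)."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_users_safe(conn, name):
    """Hardened: a parameterized query passes `name` as data; the driver never
    lets it alter the statement's structure."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def hostile_inputs():
    """Constructed inputs a security-focused unit test should always include:
    a legitimate name containing a quote and a classic tautology string."""
    return ["o'brien", "x' OR '1'='1"]


def is_injection_resistant(lookup):
    """Security unit test: True only if `lookup` returns exactly the rows whose
    name equals the input for every hostile input and never raises a SQL error."""
    conn = make_db()
    for name in hostile_inputs():
        try:
            rows = lookup(conn, name)
        except sqlite3.Error:
            return False  # the quote broke the statement: also a failure
        expected = [u for u in SAMPLE_USERS if u[0] == name]
        if rows != expected:
            return False
    return True
```

Run `is_injection_resistant` against every data-access function in the test suite so that a regression back to string concatenation fails the build instead of reaching production.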

Page 19

OWASP Top 10 2010

Testing, testing, testing…

Page 20

2011 CWE/SANS Top 25

And more testing…

Page 21

So what do they do?

• Protect you from common mistakes

• Keep you from getting hacked by automated tools/scanners and script kiddies

By the way, if you work with AppSec and you never heard of these two docs…

Page 22

You need to find another job!

Page 23

How to apply them?

Many FREE resources!

Not just OWASP stuff…

Page 24

Code reviews

Ok, now what?!

OWASP Code Review Guide

• Code review takes a deeper look into your app

• Things that automated scanners won’t find

• You’ll see the common mistakes devs make

Page 25

SDL

We fixed the problems. How to stop them?

• Implement an SDL process

• Train your developers about app security

• They don’t need to be experts, but they should at least know how it works and how to protect their apps

Page 26

Free Docs

Yay! More free stuff…

• OWASP ASVS – verify your security

• OWASP OpenSAMM – create a security program

• OWASP Developer’s Guide – tips to devs

Page 27

Not yet…

It’s not that simple…

• If we have all that, why aren’t our apps secure?

• Why don’t even the big companies follow the basic rules? Hello LinkedIn!

Page 28

Security Myths

We know, we know…

• Security costs money. Yeah, but so does development, support, operations, etc.

• Security costs money. But it will save you a lot more!

Why do most companies still not see the value of security until they get hacked?

Page 29

If it compiles, ship it!

Like Dinis Cruz said at AppSec Latam 2011:

Unless you’ve been hacked before…

If it compiles,

Ship it!

That’s the motto in most dev companies

Page 30

ISLC

The real picture (Developer’s view)

• They don’t like the security teams

• They already work on a tight schedule

• Security will increase their programming time

Page 31

The ideal world

How it should be…

• Dev and infosec should work together

• Security practices and implementations should be included in the schedule

• It will increase the apps’ protection and decrease the number of bugs and the amount of work

Page 32

Conclusions

In a nutshell…

• Security is not a plugin, it’s a process.

• Test everything, every time it changes.

• Allocate time for security testing within your project

• Never assume security controls are effective

Page 33

OWASP Floripa Day

Conferences

15 and 16 September

https://www.owasp.org/index.php/OWASP_Floripa_Day_2012

Page 34

AppSec Brazil 2012

Conferences

OWASP AppSec Brazil 2012

In November in João Pessoa!

Page 35

Questions?

@magnologan

@owasppb