2013 michael coates-javaone
Uploaded by michael-coates
Transcript of 2013 michael coates-javaone
Scaling Web Security - Tools, Processes and Techniques to Enable Security At Scale
About Me
“The global cost of cybercrime is greater than the combined effect on the global economy of trafficking in marijuana, heroin and cocaine”
theregister.co.uk, Sept 7, 2011
Reality
Data Loss & Breaches
Verizon Data Breach Report 2013 datalossdb.org/statistics
The Supposed Security Program
• “Security is everyone’s job…”
• “Security training is the answer…”
• “It’s easy, just use encoding…”
• “Companies that care about security wouldn’t have those vulnerabilities…”
Two Facts about Security Programs
1) Fixing a single security bug: Easy (generally)
2) Ensuring no critical bugs are introduced to software:
• While moving fast
• With minimal impact to developers
• Within an agile or constant deployment model
• Across thousands of developers, multiple sites and services, and numerous new lines of code
Hard
The Goal
• Eliminate all possible security bugs?
• Keep company out of the headlines?
• Protect data?
• Ensure uptime?
• The real goal – manage risk
RETHINKING SECURITY PROGRAMS
Eliminate the Security Professional
You can’t solve security by throwing bodies at the problem
Security Professionals
– Expensive
– Hard to find
– Competition for employment
Humans Don’t Scale Well
Security Throughout SDLC
Development
• Developer Training
• Coding Guidelines
– Cheat Sheets
– Concise, Usable
owasp.org/index.php/Cheat_Sheets
Development
• Security Libraries & Services
– Abstract away internals of security code
– Standardized security libraries
• OWASP ESAPI – an example of what you should build within your organization
– Web services for security
Automation
• Dynamic security analysis built for developers
– Report what can be found (>95% accuracy)
– Skip issues where accuracy is low
– Accurate Tool > Tool which requires security team
wiki.mozilla.org/Security/Projects/Minion
Automation
• Static / Dynamic Analysis
– Careful – security resource may be required
– Can scale if homogenous environment
• Security X as a Service
– Yes! The Future!
QA
• Security validation within QA
• Functional testing of forms + basic sec tests
• Follow patterns of current QA
– Pass / Fail
– Self contained testing – no need for security evaluation
"><script>alert('problem')</script>
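A self-contained pass/fail test of the kind this slide describes, added here as an illustration and not taken from the talk, written in Python since the idea is language-neutral: the probe string above is submitted to each form field in turn and the response is checked for verbatim reflection, so QA gets a verdict without a security review. The `render` callable and both search handlers are constructed stand-ins for a real HTTP call to the application under test.

```python
import html

# The probe string from the slide: it closes an attribute and its tag, then
# injects a script element. If it comes back verbatim, output encoding is missing.
PROBE = "\"><script>alert('problem')</script>"


def reflects_probe_unencoded(page: str) -> bool:
    """Fail condition of the basic test: the raw probe appears in the response.
    Deliberately narrow (verbatim reflection only) so the verdict is reliable
    enough to act as a pass/fail gate that needs no security evaluation."""
    return PROBE in page


def check_form_echo(render, field_names):
    """Submit the probe in each field in turn (other fields get benign input)
    and return a PASS/FAIL verdict per field, like any other QA assertion.
    `render` stands in for the HTTP call to the application under test."""
    verdicts = {}
    for target in field_names:
        form = {name: (PROBE if name == target else "ok") for name in field_names}
        verdicts[target] = "FAIL" if reflects_probe_unencoded(render(form)) else "PASS"
    return verdicts


# Constructed handlers standing in for the application under test.
def vulnerable_search(form):
    # Echoes both fields straight into attribute and text contexts.
    return (f'<input name="q" value="{form["q"]}">'
            f'<a href="?page={form["page"]}">next</a>'
            f'<p>Results for {form["q"]}</p>')


def hardened_search(form):
    # Same page with output encoding applied before each field is echoed.
    q = html.escape(form["q"], quote=True)
    page = html.escape(form["page"], quote=True)
    return (f'<input name="q" value="{q}">'
            f'<a href="?page={page}">next</a>'
            f'<p>Results for {q}</p>')


if __name__ == "__main__":
    for handler in (vulnerable_search, hardened_search):
        print(handler.__name__, check_form_echo(handler, ["q", "page"]))
```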
Organizational Strategy
• Embedding security inside dev team
– team effort to ship
– real time collaboration
– eliminates “us” vs “them”
– build alliance
[Diagram: three Dev Team boxes]
Organizational Strategy
• Scaling via Security Champions
• Primary Role: Developer; Secondary: Security
• Scales Effectively
• Liaison to security team
[Diagram: two Dev Team boxes]
Post Release - Bounty Programs!
• Engage Security Community
https://bugcrowd.com/list-of-bug-bounty-programs/
Post Release – Defend That App
• Detect and repel common attacks
– Web Application Firewall
• Detect and repel custom attacks at business layer
– Integrated application defense
– OWASP AppSensor
owasp.org/index.php/OWASP_AppSensor_Project
crosstalkonline.org/storage/issue-archives/2011/201109/201109-Watson.pdf
Post Release – Defend That App
• Scale!
– Attack blocking? Automated only
– No human analysis in critical path.
How to Use Security Expertise
• Security strategy, risk programs, architecture & design
• Tackle new problems, determine how to automate them
• Build scalable security resources & services
Key Points
• Security is not just an activity conducted by a single team
• A strategic security program gains incremental wins at every step
• Build everything for scaling
• Automate first, human SMEs only when required