How I Learned to Stop Worrying & Teach Developers · 2016-09-21 · How I Learned to Stop Worrying...
How I Learned to Stop Worrying & Teach Developers
…or “Security Awareness for the Tech-Savvy User”
Perry A. Hemmingsen
Senior Security Analyst, Applications
HealthPartners, Inc.
perry.hemmingsen [at] gmail [dot] com
linkedin.com/in/perryhemmingsen/
Room 12 1:15 pm Wed, May 15 2013
Welcome to Secure360 2013
5/17/2013 How I Learned to Stop Worrying & Teach Developers 2
Don’t forget to pick up your Certificate of Attendance at the end of each day.
Please complete the Session Survey front and back, and leave it on your seat.
Are you tweeting? #Sec360
Disclaimer
The views and opinions from this point forward may differ from the views and opinions of the HealthPartners organization. Responsibility for all information, techniques and bad jokes contained within lies solely with the author. The presentation you are about to see is merely a compilation of what has worked for the author and his organization. Your mileage may vary.
What I Do
• Senior Security Analyst—HealthPartners, Inc.
• Focus on application security
– Web (Java, .Net, Groovy/Grails)
– Mobile (Objective-C, Android/Java, m.)
– SOA (ESB policies)
• Also
– Data encryption
– Internal PKI
– Internal/external vulnerability assessment
– WebApp pen-testing
Security’s Iron Hand
“The Developer”
• Smart, tech-savvy
• Culture of sharing
• Deadlines, milestones
• Close to their code
• Vested in app’s success
Those Crafty Devs…
• “Can you speak like a coder?”
• Need to know exact details
– What needs to be done?
– Where is the code vulnerable?
– Why should it be modified?
– How does it look when it’s not vulnerable?
• Rely on documentation
Those Crafty Devs…
• Learn the technical language
– Explain and understand what you need in their terms
– Decide where programmers fit in the solution
– Prove you know what you’re talking about
• Develop standards and procedures
– Provide consistency
– Following a check-list is quick and easy
– Keep the info fresh
Example Checklist: Output Encoding
All encoding is performed on the server.
All output is contextually encoded (HTML entity encoding for HTML body and attribute contexts; JavaScript, CSS and URL contexts each need their own encoder).
All characters are encoded unless they are known to be safe for the intended interpreter (e.g. standard alpha-numeric characters are safe, but special characters like “<” are not).
  o OWASP AntiSamy (where rich HTML input must be allowed through)
  o ESAPI encoders
All untrusted data sent to SQL, XML and LDAP queries is contextually sanitized.
  o Prepared Statements (SQL queries)
All untrusted data passed to operating system commands is sanitized.
Error messages do not disclose sensitive data.
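The checklist above worked as code, as an added example that is not from the talk or from HealthPartners. It is Python rather than the talk's Java/.NET because the checks are language-independent: the standard-library encoders (`html`, `json`, `urllib.parse`), `sqlite3` parameter binding and a `subprocess` argument list stand in for ESAPI, JDBC prepared statements and `ProcessBuilder`. The `users` table, its two rows and the attacker string are constructed for the demo.

```python
# Added example (not from the talk): the output-encoding checklist as code.
# Standard-library Python stands in for ESAPI; the users table, its rows and
# the attacker string are constructed for the demo.
import html
import json
import sqlite3
import subprocess
import sys
import urllib.parse

UNTRUSTED = '"><img src=x onerror=alert(1)>'  # constructed attacker input


def encode_html_body(value: str) -> str:
    """Context: text between tags. Entity-encode & < > \" and '."""
    return html.escape(value, quote=True)


def encode_html_attr(value: str) -> str:
    """Context: an attribute value. Same entity encoding, and the quotes come
    back with it: an unquoted attribute can be broken out of with a single
    space, so quoting is part of the encoding."""
    return '"' + html.escape(value, quote=True) + '"'


def encode_js_string(value: str) -> str:
    """Context: a string literal inside a <script> block. json.dumps gives a
    double-quoted literal with backslash escapes; < and > are additionally
    written as \\u003c / \\u003e so data containing </script> cannot end the block."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def encode_url_param(value: str) -> str:
    """Context: a query-string value. Percent-encode everything outside the
    unreserved set; safe="" means '/' is encoded too."""
    return urllib.parse.quote(value, safe="")


def render_page(name: str) -> str:
    """The same untrusted value emitted into four interpreters, each with its own encoder."""
    return (
        "<p>Hello, " + encode_html_body(name) + "</p>\n"
        "<input value=" + encode_html_attr(name) + ">\n"
        "<script>var who = " + encode_js_string(name) + ";</script>\n"
        '<a href="/profile?u=' + encode_url_param(name) + '">me</a>'
    )


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table for the SQL checks."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)])
    return conn


def lookup_user(conn: sqlite3.Connection, username: str) -> list:
    """Prepared statement: the value travels separately from the SQL text, so
    quotes in `username` can never change the query's structure."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


def unsafe_lookup_user(conn: sqlite3.Connection, username: str) -> list:
    """The 'before' picture, kept only for comparison: string concatenation."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = '" + username + "'"
    ).fetchall()


def echo_arg(value: str) -> str:
    """OS command: pass an argument list and never shell=True, so shell
    metacharacters in `value` are just bytes of one argument. The child is
    the Python interpreter itself so the demo runs anywhere."""
    out = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", value],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.rstrip("\n")


if __name__ == "__main__":
    print(render_page(UNTRUSTED))
    conn = demo_db()
    print("prepared:", lookup_user(conn, "' OR '1'='1"))            # []
    print("concatenated:", unsafe_lookup_user(conn, "' OR '1'='1"))  # both rows
    print("argv:", echo_arg("x; echo pwned"))                         # x; echo pwned
```

Pick the encoder by where the data is going, not by where it came from: the one value lands in four interpreters and gets four different treatments, and the `' OR '1'='1` that returns every row through concatenation matches nothing through the bound parameter.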
Sharing is (sometimes) Caring
• Engaged actively in the online community
– StackOverflow.com
– CodeProject.com
– Groups.Google.com
– JavaRanch.com
• Want to divulge everything
– Do not intend malice
– Need context to answer code questions
• Reconnaissance: first step of a pen-test
Sharing is (sometimes) Caring
• Teach “safe” sharing
– De-couple code from company
– Avoid using company email for contact
– Forbid protected information
  • Real-world data
  • Company-confidential secrets
• Encourage sharing of security
– Hardened common libraries
  • OWASP AntiSamy or ESAPI library
  • Prepared Statements for SQL queries
– Vetted “generic code” to tackle common issues
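One way to teach “safe” sharing is to hand developers a check they can run before a snippet leaves the building. The following is an added example, not from the talk or from HealthPartners: a small lint that flags company e-mail addresses, internal hostnames, private IP addresses, credential assignments and record identifiers, then swaps them for placeholders. `COMPANY_DOMAINS` and `INTERNAL_SUFFIXES` are assumptions to be replaced with your own, the SSN-shaped pattern is a stand-in for whatever your real-record identifiers look like, and the `SAMPLE` snippet is constructed.

```python
# Added example (not from the talk): a pre-share lint for code snippets.
# COMPANY_DOMAINS and INTERNAL_SUFFIXES are assumptions to be replaced with
# your own; the SAMPLE snippet is constructed.
import ipaddress
import re

COMPANY_DOMAINS = ("example-health.com",)             # assumption: your mail/web domains
INTERNAL_SUFFIXES = (".corp", ".internal", ".local")   # assumption: your internal DNS zones

EMAIL_RE = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[a-z]{2,}", re.I)
HOST_RE = re.compile(r"\b[\w-]+(?:\.[\w-]+)+\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SECRET_RE = re.compile(
    r"\b(?:password|passwd|pwd|secret|api[_-]?key|token)\b\s*[=:]\s*['\"]?([^'\"\s,;]+)", re.I
)
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # stand-in for real-record identifiers


def scan_snippet(text: str) -> list:
    """Return (line_number, category, matched_text) for everything that ties
    the snippet to the company or leaks protected data."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in EMAIL_RE.finditer(line):
            if m.group(0).split("@", 1)[1].lower() in COMPANY_DOMAINS:
                findings.append((n, "company-email", m.group(0)))
        # Blank out e-mail addresses before host matching so a flagged address
        # is not reported a second time as a hostname.
        for m in HOST_RE.finditer(EMAIL_RE.sub(" ", line)):
            host = m.group(0).lower()
            if host.endswith(INTERNAL_SUFFIXES) or host in COMPANY_DOMAINS or any(
                host.endswith("." + d) for d in COMPANY_DOMAINS
            ):
                findings.append((n, "internal-host", m.group(0)))
        for m in IPV4_RE.finditer(line):
            try:
                if ipaddress.ip_address(m.group(0)).is_private:
                    findings.append((n, "private-ip", m.group(0)))
            except ValueError:
                pass  # 999.1.1.1 and the like are not addresses
        for m in SECRET_RE.finditer(line):
            findings.append((n, "credential", m.group(1)))
        for m in SSN_RE.finditer(line):
            findings.append((n, "real-data", m.group(0)))
    return findings


def redact(text: str) -> str:
    """Replace every finding with a neutral placeholder so the snippet can be
    posted: the question keeps its context, the company loses its footprint."""
    lines = text.splitlines()
    for n, category, match in scan_snippet(text):
        lines[n - 1] = lines[n - 1].replace(match, "<" + category.upper() + ">")
    return "\n".join(lines)


SAMPLE = """\
// constructed: what a developer was about to paste into a forum question
String url = "jdbc:oracle:thin:@db01.corp:1521/claims";
String password = "Winter2013!";
props.put("db.host", "10.20.30.40");
// try member 123-45-6789; mail appsec-team@example-health.com if it fails
int total = a + b;
"""

if __name__ == "__main__":
    for finding in scan_snippet(SAMPLE):
        print(finding)
    print(redact(SAMPLE))
```

Run it as a pre-commit or paste-time hook and the developer still gets to ask the question; the answerers still get the context they need (a JDBC URL, a property lookup), but the hostname, the service password, the member record and the team mailbox never reach the forum, and an attacker doing reconnaissance on the company name finds nothing to pivot from.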
Under Pressure
• Wants the app _______
– Now
– Perfect
– To do everything
• Management are likely not developers
• Become victims of Brooks’ Law (adding people to a late project makes it later)
Under Pressure
• Need top-down support
– Don’t forget to educate the bosses
– Time spent now is time saved later
• Find a champion
– Gives coders a local contact
– Intimate with their codebase and environment
– Helps disseminate new information
– All-around good ally to have
Don’t Touch My Code!
• “My code is my baby”
– Criticize my code, you criticize me
• What you want doesn’t make sense
• Might view security as the intruder
– “Iron hand of standards and policies”
– Seen as a roadblock rather than an ally
Don’t Touch My Code!
• No one’s baby is ugly
• Programmers really do want what’s best for their code
• Learn it once, apply it everywhere
• “…as long as it doesn’t make more work”
I Only Want What’s Best for the App
• Love simplicity and elegance
• Interested in the future
– What’s new?
– How can I apply it to make my code better?
– How can I solve the problem more simply?
• Wary that policies may stifle creativity
• Would rather focus on bugs first, security last
I Only Want What’s Best for the App
• Willing to apply best practices, provided they work
• Most security solutions are so good, they’re almost transparent
• If XSS is too hard to mitigate, you may be asking them to fix it incorrectly
• Treat vulnerabilities like functional bugs
– No one likes buggy code
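To make the point about asking for the wrong fix concrete, here is an added example that is not from the talk. `bad_filter` stands in for the hand-rolled input blacklist that makes XSS “too hard” (it is not any real product’s rule set); `render_comment_encoded` is the transparent fix the talk has in mind, entity encoding at the point of output. The comment text and the payload are constructed.

```python
# Added example (not from the talk): the fix that is "too hard" next to the
# one that is transparent. bad_filter stands in for a hand-rolled input
# blacklist; it is not any real product's rule set.
import html
import re

BLACKLIST = re.compile(r"<\s*script|javascript:|on\w+\s*=", re.I)


def bad_filter(user_input: str) -> str:
    """The hard fix: strip 'known bad' from input on the way in. It has to
    enumerate every dangerous construct, it runs once even though the data
    will later land in several contexts, and it mangles honest input."""
    return BLACKLIST.sub("", user_input)


def render_comment_filtered(user_input: str) -> str:
    return "<p>" + bad_filter(user_input) + "</p>"


def render_comment_encoded(user_input: str) -> str:
    """The transparent fix: store input untouched, entity-encode at the point
    of output for the HTML body context. One call, nothing to enumerate."""
    return "<p>" + html.escape(user_input, quote=True) + "</p>"


def contains_active_markup(rendered: str) -> bool:
    """Demo oracle: did an element with a src/href/on* attribute reach the page?"""
    return re.search(r"<\s*\w+[^>]*\b(src|href|on\w+)\s*=", rendered, re.I) is not None


LEGIT = "if (condition == null)"                            # constructed: an honest comment
BYPASS = '<a href="java&#x73;cript:alert(1)">click</a>'     # constructed: entity-encoded scheme

if __name__ == "__main__":
    print(render_comment_filtered(LEGIT))   # <p>if (c= null)</p>   (honest text damaged)
    print(render_comment_encoded(LEGIT))    # <p>if (condition == null)</p>
    print(contains_active_markup(render_comment_filtered(BYPASS)))  # True
    print(contains_active_markup(render_comment_encoded(BYPASS)))   # False
```

The filtered version damages an honest comment (`condition ==` comes out as `c=`, because the `on\w+\s*=` rule fires inside the word) and still lets an entity-encoded `javascript:` URL through, since the filter looks for the literal scheme while the browser decodes `&#x73;` before it parses the attribute. The encoded version renders the honest comment verbatim and turns the payload into inert text. The four checks at the bottom are exactly what belongs in the application’s unit suite, so the vulnerability is tracked and regression-tested like any other bug.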
Why Focus on Developer Education?
• Developers:
– Write the code
– Understand the problem better than anyone
– Possess the skill set
– More effective and efficient at solving
• Encryption is nice, but worthless if the front door is open
Common Questions
• I thought we had an application firewall…
– Belt + Suspenders
– “All or none” signature rule
– Might not catch the crafty adversary
• What if we don’t have an AppSec lead?
– Find a developer who has an interest
– Set up time to discuss their processes
– Work together to build a program
Example Curriculum
• OWASP Top 10
– Good place to start
– One vulnerability per month
– Two classes per month
• Morning
• Afternoon
Example Curriculum
• Summary of Vulnerability
– Exploitability
– Prevalence
– Detection
– Impact
• Functionality
– Overview of exploitation
– Threat agents
– Attack vectors
Example Curriculum
• Current events
– Google News search
– As current as possible (shouldn’t be hard)
• Examples
– Code-level
– Pick your poison
– OWASP can help
Example Curriculum
• Visual example
– Mock-up of attack
– Couple with your code
• Review with questions
– What is the attacker allowed to do?
– What are the restrictions on the attack?
– Where are the points of vulnerability?
– How could we patch the application?
Example Curriculum
• Real-world examples
• Find a vulnerable website
– Make sure it’s “intentionally vulnerable”
– https://hack.me
– Recon beforehand
– Give an assignment
– Walk around and ask questions
Example Curriculum
• Wrap it up
– What vulnerabilities were the class able to find/exploit?
– High-level description of fix
– Code-level example of fix
– List of resources and further reading
– Questions
Conclusion
• Learn the language
• Find an ally
• Keep up to date on current trends
– Set up or use public “hack-labs”
– Analyze logs for attempted attacks and learn from them
– See “Resources” section for more info
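For the closing item about learning from your own logs, and for the application-firewall question earlier (a signature rule that is “all or none”), here is an added example that is not from the talk: a few constructed access-log lines in combined format, a small illustrative signature set (not any WAF product’s rules), and a summary of attempts per source address. It also shows why the signatures must run on the decoded request: the same three attacks score zero hits when matched against the raw, percent-encoded path.

```python
# Added example (not from the talk): mine access-log lines for attack attempts.
# The log lines are constructed; SIGNATURES is a small illustrative set, not a
# WAF product's rule set.
import re
import urllib.parse
from collections import defaultdict

# Apache/nginx "combined" format; only the fields this exercise needs are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)

SIGNATURES = {
    "sqli": re.compile(r"'\s*(or|and)\s+\S+\s*=\s*\S+|union\s+select|sleep\(", re.I),
    "xss": re.compile(r"<\s*script|on\w+\s*=|javascript:", re.I),
    "traversal": re.compile(r"(\.\./){2,}|/etc/passwd", re.I),
}

# Constructed sample: one honest search, three probes from one address, one login.
SAMPLE_LOG = """\
10.1.2.3 - - [15/May/2013:13:15:01 -0500] "GET /search?q=flu+shot HTTP/1.1" 200 5120
203.0.113.9 - - [15/May/2013:13:15:07 -0500] "GET /search?q=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 8832
203.0.113.9 - - [15/May/2013:13:15:09 -0500] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5200
203.0.113.9 - - [15/May/2013:13:15:12 -0500] "GET /download?f=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 210
198.51.100.7 - - [15/May/2013:13:16:40 -0500] "GET /login?next=%2Fhome HTTP/1.1" 302 0
"""


def parse_line(line: str):
    """Split one combined-format line into fields and add a decoded copy of the
    request path. Decode twice: double-encoding is the standard way past a
    matcher that decodes once (or not at all)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded_path"] = urllib.parse.unquote(urllib.parse.unquote(rec["path"]))
    return rec


def classify(path: str) -> list:
    """Names of every signature that fires on the given path string."""
    return [name for name, rx in SIGNATURES.items() if rx.search(path)]


def attack_summary(log_text: str) -> dict:
    """{source_ip: {category: count}} over lines where a signature fired on the decoded path."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for category in classify(rec["decoded_path"]):
            summary[rec["ip"]][category] += 1
    return {ip: dict(cats) for ip, cats in summary.items()}


def raw_signature_hits(log_text: str) -> int:
    """What an 'all or none' matcher sees when it runs the same signatures on
    the raw, still percent-encoded path: the number of lines it would flag."""
    hits = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and classify(rec["path"]):
            hits += 1
    return hits


if __name__ == "__main__":
    print(attack_summary(SAMPLE_LOG))      # {'203.0.113.9': {'sqli': 1, 'xss': 1, 'traversal': 1}}
    print(raw_signature_hits(SAMPLE_LOG))  # 0
```

The per-address summary is what you bring to the next class: three distinct probes from one source in five seconds is a scanner, and each category maps straight onto a curriculum topic. The zero from `raw_signature_hits` is the firewall point in miniature; a rule that never sees the decoded request is the “all or none” rule that misses the crafty adversary, which is why the application-level fix still has to be there underneath it.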
Resources
• OWASP – http://www.owasp.org
• SecurityTube – http://www.securitytube.net/
• CounterHack – A little old, but has hacking challenges – http://www.counterhack.net
• SecurityThoughts – Playgrounds to try your hand at exploiting common vulnerabilities in a live-feeling environment – https://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applications-for-learning/
• HackMe – https://hack.me
www.smbc-comics.com
Contact
Perry A. Hemmingsen
perry.hemmingsen [at] gmail [dot] com
linkedin.com/in/perryhemmingsen