Transcript of the slides: Rogue Secure Development, Marisa Fagan (Errata Security, VP Marketing & Project Services), SecTor, October 2010
Rogue Secure Development
Marisa Fagan
Errata Security - VP Marketing & Project Services
October 2010
SecTor
Who are you?
What’s the problem?
• Microsoft & Cisco leading by example
• Developers don’t believe SQLi is real
• Managers only care about time to market
• Compliance diverts attention from risks
Is there a solution?
• Before you begin:
  • Know what you can do
  • Know how much you can spend
  • Know who you have
• Do we need another secure coding program?
Rogue Secure Development
Phase 0: The Incident
• A realistic approach
• Begin with a breach
• Initiate Incident Response Plan
• Now, let’s stop that *kind* of bug from happening again
Phase 1: The Template
• Types of software and bugs
• Choose the template
• Is this right for you?
• Build Requirements Document
Requirements: Web Application
Security Requirements: 1. Authentication
Threat Model:
1. Normalization
   1.a SQL Injection
   1.b XSS
2. Authentication
3. Encryption
4. Directory Traversal
Example: Apple iPad registration exposed on web
Phase 2: The Gauntlet
• Bring up QA testers
• Run automated security tools that search code for common bugs
• Use the Common Bugs list
• Pass to the Coders for remediation
Example: Adobe strcat
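The kind of tool Phase 2 describes, as an added example that is not the deck's own code: a minimal scanner that searches source lines for entries on a Common Bugs list, here the unbounded strcat of the Adobe example and string-built SQL from the Phase 1 threat model. The list entries, the bug ids and the sample lines are constructed for illustration.

```python
import re

# Constructed "Common Bugs" list (hypothetical entries, not the deck's own list):
# a bug id, the source pattern to search for, and the remediation the coder
# receives together with the finding.
COMMON_BUGS = [
    ("unbounded-strcat", re.compile(r"\bstrcat\s*\("),
     "use strlcat/strncat with the destination size"),
    ("unbounded-strcpy", re.compile(r"\bstrcpy\s*\("),
     "use strlcpy/strncpy with the destination size"),
    ("sprintf-no-bound", re.compile(r"\bsprintf\s*\("),
     "use snprintf with the destination size"),
    # a SQL keyword followed, on the same line, by a quote glued to a
    # concatenation operator (+ or .) and a variable: string-built SQL
    ("sql-concat", re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b[^;]*[\"']\s*[+.]\s*\S"),
     "use a parameterised query"),
]

def scan_source(text, filename="<input>"):
    """Search source text line by line; return (file, line_no, bug_id, advice, code)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        code = line.split("//", 1)[0]  # ignore trailing C-style line comments
        for bug_id, pattern, advice in COMMON_BUGS:
            if pattern.search(code):
                findings.append((filename, line_no, bug_id, advice, code.strip()))
    return findings

# Constructed sample input: three C lines and one Perl line, as a gauntlet run
# might see them.
SAMPLE = """\
char buf[64];
strcat(buf, user_input);              // appends without a bound
snprintf(buf, sizeof buf, "%s", tag); // bounded: not flagged
$q = "SELECT * FROM users WHERE name='" . $name;
"""

if __name__ == "__main__":
    for f, n, bug_id, advice, code in scan_source(SAMPLE, "sample.c"):
        print(f"{f}:{n}: {bug_id}: {code}\n    remediation: {advice}")
```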
Phase 3: The Code Review
• Coders check the list
• Fix the Highs and the Lows
• Code Managers check the Coders
• Unit tests in isolation
• Remediation
Example: Perl URL directory traversal attack
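An added example, not code from the deck, of the Phase 3 step "unit tests in isolation" applied to the directory traversal item of the Phase 1 threat model: a request-path guard written in Python (the deck's example concerned Perl) with its test cases. The document root /srv/www and the sample paths are constructed assumptions.

```python
import os
from urllib.parse import unquote

class TraversalError(ValueError):
    """Raised when a request path would escape the document root."""

def safe_path(web_root, url_path):
    """Map a URL path onto a file under web_root, or raise TraversalError.

    The checks are layered so that no single one has to be perfect:
    1. percent-decode exactly once, so %2e%2e is seen as ".." (decoding in a
       loop would reopen the hole for double-encoded input);
    2. reject NUL bytes and any ".." segment, with backslashes treated as "/";
    3. resolve with realpath and confirm the result is still under the root,
       which also catches escapes through symlinks the lexical checks miss.
    """
    decoded = unquote(url_path)
    if "\x00" in decoded:
        raise TraversalError("NUL byte in path")
    segments = [s for s in decoded.replace("\\", "/").split("/")
                if s not in ("", ".")]
    if ".." in segments:
        raise TraversalError("'..' segment in path")
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, *segments))
    if os.path.commonpath([root, candidate]) != root:
        raise TraversalError("path resolves outside the web root")
    return candidate

def is_rejected(web_root, url_path):
    """True if the guard refuses url_path (used by the isolated unit tests)."""
    try:
        safe_path(web_root, url_path)
    except TraversalError:
        return True
    return False

# Constructed test cases against a hypothetical document root
ROOT = "/srv/www"
ACCEPT = {"/index.html": "/index.html", "/docs/./guide.html": "/docs/guide.html"}
REJECT = ["/../../etc/passwd", "/%2e%2e/%2e%2e/etc/passwd",
          "/img\\..\\config.pl", "/index.html%00.jpg"]

def run_unit_tests():
    """Phase 3 unit tests in isolation: True only if every case behaves as expected."""
    accepted = all(safe_path(ROOT, p).endswith(tail) for p, tail in ACCEPT.items())
    rejected = all(is_rejected(ROOT, p) for p in REJECT)
    return accepted and rejected

if __name__ == "__main__":
    print("traversal unit tests passed" if run_unit_tests() else "FAILED")
```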
Phase 4: The Sanity Check
• QA - Classic functionality test
• QA - Verify the known bugs have been patched
• Defense in Depth
• SE - Sign off for release OR send back to coder for Phase 3
Example: Windows DLL Preloading Attack
Phase 5: The Release
• PM - Hand off product to Marketing/Distribution
• PM - Edit SDLC to learn from the process
  • Attempt to make fewer "top 20" mistakes next time
Remember: Focus on the incident
Example: Apple QuickTime “_MARSHALED_PUNK” backdoor
But why?
• Maybe this isn’t right for you
• If it is,
  • You save money
  • Better code
  • Customers expect it
  • Stay off the headlines
The future
• Doesn’t look good
• Hackers always one step ahead
• Can’t be secure “once and for all”
• Low Hanging Fruit
• Reduce spending!
Questions/Comments?
• Marisa Fagan can be reached at:
  • Twitter: @errata @dewzi
  • http://erratasec.blogspot.com
  • http://erratasec.com