Don’t Teach Developers Security Caleb Sima caleb@armorize.com Armorize Technologies

Don’t Teach Developers SecurityCaleb Sima

caleb@armorize.comArmorize Technologies

Who am I?

1997-2000: Ex-ISSer from X-Force

2000-2007: Founder and CTO of SPI Dynamics

2007-2010: CTO of Application Security at HP

Current…: CEO of Armorize Technologies

Old Man in Security Now…

Yes I Know..

Can you fix this Spike?... Can you? Can we do it quick? Can we Spike?

Securit

yDevelopment

Training is Important But..

We focus on the wrong method (Top 10)

We focus on the wrong people (developers)

Security is a PIA.

Turnover sucks

Don’t rely on it

2010 OWASP Top 10

1. Injection2. Cross Site Scripting (XSS)3. Broken Authentication and Session Management4. Insecure Direct Object References5. Cross Site Request Forgery (CSRF)6. Security Misconfiguration7. Insecure Cryptographic Storage8. Failure to Restrict URL Access9. Insufficient Transport Layer Protection10. Un-validated Redirects and Forwards

Training is Important But..

We focus on the wrong method (Top 10)

We focus on the wrong people (developers)

Security is a PIA.

Turnover sucks

Don’t rely on it

What is wrong with this code?

Training is Important But..

We focus on the wrong method (Top 10)

We focus on the wrong people (developers)

Security is a PIA.

Turnover sucks

Don’t rely on it

Note on PCI

Step 1Start with a security assessment

Step 2Assign and train QA on your 2 issues

Step 3Assign 1 developer on each app team to

be the security controller

Step 4Automate this process

Future

Code Analyses + Remediation Libraries = Code Verification

Security, Accuracy and Privacy in Computer Systems - James Martin

Reasonableness Test:For example. a charge of $500 might be reasonableon a corporations electricity bill but not on an individuals bill.

Consistency Test:In an airline booking to Chicago the transaction may be checked to ensure that the flight number in it does in fact go to Chicago.

Special Tests:Dates may be checked to ensure that the month is between I and l2.that the day is between l and 28, 29, 30, or 31. depending upon the month.Self Checking Numbers:

The extra digit is derivedarithmetically from the other digits.

Written in 1973!

“To me, security is important. But it's no less important than

everything *else* that is also important!”

- Linus

Caleb Simacaleb@armorize.comwww.armorize.com

Download Trial of CodeSecure at

http://www.armorize.com/codesecure4-beta/

Google: “OWASP ESAPI”, “BSIMM”, “Armorize”,”James Martin”

REFERENCES