Not in the Job Description Ross McDonald Senior Developer, FrogSlayer

Software Developer's Cartel - Not In The Job Description

Page 1: Software Developer's Cartel - Not In The Job Description

Not in the Job Description
Ross McDonald
Senior Developer, FrogSlayer

Page 2

Requirements
• Is a website
• Users can store content
• Users can log in
• Only logged-in users can modify content
• User content is analyzed using client algorithm

Developer knowledge

Assumed Expertise

Client Provided Knowledge

Page 3

Probability / Random Sampling
• Random vs. Pseudorandom
• Correct use of PRNGs
• Converting uniform distributions to non-uniform distributions

Page 4

Pseudorandom Number Generators

Produce a predictable sequence determined by initial seed
• Seed once
• Make sure its properties fit your need

Page 5

PRNG Output Transformation Pitfalls
• Bounding with rand()%max or similar
• Producing byte-streams or floats with random ints incorrectly
• Sampling more complex distributions with a uniform PRNG incorrectly
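
The first pitfall above, bounding with rand()%max, worked through as an added example that is not part of the original slides. It counts exactly how a uniform byte is skewed by `% 100` and shows the rejection-sampling fix; the byte-sized source and the names `sample_source`, `modulo_hits`, `rejection_hits` and `bounded` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a uniform byte source (0..255). It replays a
   fixed sequence so the run is reproducible; real code would draw from
   its PRNG here. */
static const uint8_t SAMPLE[] = {250, 201, 7, 199, 100};
static size_t pos = 0;
static uint8_t sample_source(void) { return SAMPLE[pos++ % sizeof SAMPLE]; }

/* Of the 256 equally likely byte values, how many map to r under v % max. */
unsigned modulo_hits(unsigned max, unsigned r) {
    unsigned hits = 0;
    for (unsigned v = 0; v < 256; v++)
        if (v % max == r) hits++;
    return hits;
}

/* Same count once values at or above the largest multiple of max are
   thrown away (rejection sampling): every r gets the same share. */
unsigned rejection_hits(unsigned max, unsigned r) {
    unsigned limit = 256 - (256 % max), hits = 0;
    for (unsigned v = 0; v < limit; v++)
        if (v % max == r) hits++;
    return hits;
}

/* Unbiased draw in [0, max) from a uniform byte source, 1 <= max <= 256. */
unsigned bounded(uint8_t (*src)(void), unsigned max) {
    unsigned limit = 256 - (256 % max), v;
    do { v = src(); } while (v >= limit);   /* redraw instead of wrapping */
    return v % max;
}

int main(void) {
    printf("v %% 100:   r=0 %u/256, r=99 %u/256\n",
           modulo_hits(100, 0), modulo_hits(100, 99));
    printf("rejection: r=0 %u/200, r=99 %u/200\n",
           rejection_hits(100, 0), rejection_hits(100, 99));
    for (int i = 0; i < 3; i++)
        printf("draw %d: %u\n", i, bounded(sample_source, 100));
    return 0;
}
```

With plain `% 100`, results 0 to 55 are each hit by three byte values and 56 to 99 by only two, so low results are 50% more likely; after rejection every result is hit by exactly two.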

Page 6

Computer Security Pitfalls
• Not understanding Encryption / Authentication / Integrity
• Not trusting the defaults and standards (rolling your own)
• Trusting the defaults and standards

Page 7

Diagram labels: Alice, Bob; Authentication, Integrity, Encryption

Page 8

Trust the Defaults
e.g. .NET provides CryptoServiceProvider classes with reasonable defaults.
• GenerateKey()
• GenerateIV()
• Sane default Mode (CBC)

Image panels: Original, ECB, Non-ECB

Page 9

Don’t Trust the Defaults
• No matter how self-contained the library is, there is potential for misuse (e.g. Padding Oracle Attack)
• PGP does not provide forward secrecy
• GnuPG was slow in adopting Elliptic Curve
• The NSA / RSA BSAFE debacle

Page 10

Takeaways
• Recognize problems are more complicated than you might think.
• Never stop learning.
• Immerse yourself in technical cultures (e.g. blogs, podcasts, Stack Exchange)
• Know enough about everything to know when your client’s concerns warrant an expert