Security Ninja (www.securityninja.co.uk)
- Speaker at international security conferences
- Nominated for multiple blog awards
- A mentor in the InfoSecMentors project
- Developed and released Agnitio

Agenda
- Using Jedi mind tricks on your developers
- s/Application Security Alien/Business Language/i;

Using Jedi mind tricks on developers
- Most developers actually want to write secure code
- You need to take ownership of the app sec problems with them
- Developers generally like producing quality code; use this!
- They want security knowledge with good practices and tools
http://securosis.com/blog/good-programming-practices-vs.-rugged-development
Using Jedi mind tricks on developers: how can you help developers?
- Help them understand how to write secure code
- Own application security problems with them
- Don't dictate! Speak, listen, learn and improve things

[Slide figure: risk score example]
Probability: 3
Impact: 5
Score: 15
Appetite: 12
Jedi mind tricks and alien translations
- Apply the KISS principle to everything you do
- Keep everything as simple as possible; complexity doesn't help
- Understand what developers want and need to write secure code
- Work with the business and use their language and formats
QUESTIONS?
www.securityninja.co.uk @securityninja /realexninja /securityninja /realexninja
Padawan?
It was all about attack.
- Early web app testing: Lotus Domino, Cold Fusion
- Windows security: Netcat for Windows, L0phtCrack
- Early disclosure policies: RFPolicy, L0pht Advisories

Time to help the defensive side
- Led @stake research team
- @stake application security consultant
- Published Art of Software Security Testing
- Veracode CTO and Co-Founder

Why do we need executive buy-in?
- Application security programs will require developer training
- Application security programs will require tools/services
- Application security programs will impact delivery schedules
- Application security cannot be voluntary
Authority
How do I grow my top line? How do I lower costs? How do I mitigate risk?
Talk in terms of business risk and use monetary terms when possible. Then we can speak the same language.

- Legal risk: legal costs, settlement costs, fines
- Compliance risk: fines, lost business
- Brand risk: lost business
- Security risk: ????
[Slide figure: "Your Vulnerabilities". Average per-capita notification cost chart, values shown: 159, 203, 237, 248, 294, 149, 310, 266, 133, 256, 192; a "Notification" figure of 500,321; "Attack Type" bar chart with axes 0-60% and 0-40%.]

*If your SQL Injection prevalence is similar to average SQL Injection prevalence, assumes 100,000 records

[Slide figure: attack type percentages, two rows as shown: 25% 14% 9% 7% 7% 2% and 10% 6% 5% 2% 7% <1%]
Assume 100,000 customer records. For SQLi the expected loss is:
62% * $248 * 100,000 * 25% = $3,844,000

1. Veracode 2010 State of Software Security Report, Vol. 2
2. De-identified financial service company data from Veracode industry data
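The expected-loss arithmetic above, and the probability/impact/score/appetite figure earlier in the deck, are the two numbers a security lead actually carries into an executive conversation. The following Python is an added example, not code from the slides or from Veracode or Security Ninja; it generalizes the single SQLi calculation to a ranked list of vulnerability classes and compares a risk score against an appetite threshold. It assumes that the slide's score is probability multiplied by impact (3 x 5 = 15), and every row other than SQL Injection uses constructed prevalence and breach-share values, not figures from the report.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnClass:
    name: str
    prevalence: float    # share of applications in which this flaw class is found
    breach_share: float  # share of breaches attributed to this attack type


def risk_score(probability: int, impact: int) -> int:
    """Assumed scoring model: score = probability x impact (matches the 3/5/15 figure)."""
    return probability * impact


def exceeds_appetite(score: int, appetite: int) -> bool:
    """True when the score is above the risk appetite the business has agreed to."""
    return score > appetite


def expected_loss(prevalence: float, per_capita_cost: float,
                  records: int, breach_share: float) -> int:
    """Expected loss in whole dollars, as on the slide:
    prevalence * per-record notification cost * records * breach share."""
    return round(prevalence * per_capita_cost * records * breach_share)


def rank_by_expected_loss(classes, per_capita_cost: float, records: int):
    """Return (name, expected_loss) pairs, highest loss first, so the
    conversation starts with the class that costs the business the most."""
    rows = [(c.name, expected_loss(c.prevalence, per_capita_cost, records, c.breach_share))
            for c in classes]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample input. Only the SQL Injection row and the $248 per-record
# cost come from the slides; the other two rows are made-up illustrative values.
SAMPLE_CLASSES = [
    VulnClass("SQL Injection", prevalence=0.62, breach_share=0.25),
    VulnClass("Cross-Site Scripting", prevalence=0.70, breach_share=0.10),   # constructed
    VulnClass("Information Leakage", prevalence=0.45, breach_share=0.05),  # constructed
]
PER_CAPITA_COST = 248     # dollars per notified record (financial services figure on the slide)
RECORDS = 100_000         # customer records, as assumed on the slide


if __name__ == "__main__":
    score = risk_score(probability=3, impact=5)
    print(f"risk score {score}, over appetite 12: {exceeds_appetite(score, 12)}")
    for name, loss in rank_by_expected_loss(SAMPLE_CLASSES, PER_CAPITA_COST, RECORDS):
        print(f"{name:<22} expected loss ${loss:,}")
```

The output line for SQL Injection reproduces the slide's $3,844,000, and the sorted list is the "talk in monetary terms" framing: each vulnerability class carries a dollar figure the CFO can weigh against the cost of training, tooling and schedule impact.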
Executives want
- An organization-wide view. Am I lowering overall application risk?
  Internal code, outsourced, vendor supplied, open source
- A program that has achievable objectives. What am I getting for the money I am spending?
- A program that is measurable: metrics and reporting. Am I marching toward the objectives?
  Which dev teams and outsourcers are performing well? How is my organization doing relative to my peers?

Tips to make the program successful
- The right people have to understand what is going to happen before you start
- Do a real-world pen test or assessment of a project. Demonstrate relevant risk.
- Integrate into existing processes: SDLC, procurement/legal, M&A
Q&A
Speaker Contact Information: Chris Wysopal (cwysopal@veracode.com) Twitter: @WeldPond
David Rook
www.securityninja.co.uk @securityninja /realexninja /securityninja /realexninja