SlideShare a Scribd company logo

The Thing That Should Not Be

M
morisson

Presentation delivered @ OWASP's IBWAS 2010

Technology
1 of 33
Download to read offline
The Thing That Should Not Be A glimpse into the dark future of web application security Bruno Morisson <bm@integrity.pt> IBWAS’10
About me •  Consultant & Partner - INTEGRITY, Consulting & Advisory •  ~12 years in Information Security •  CISSP-ISSMP/CISA/ISO27001 Lead Auditor •  Background as a Linux/Unix sysadmin •  Background as a C developer 2
Warning! This is all rather unscientific! Really. Consider yourself warned. 3
If wishes were ponies… …security would be inherent to the applications. …there would be no (security) bugs. …we would all get along just fine. 4
This is how they see us 5
This is how we see them 6
We’re all skewed! Security practitioners have a skewed vision of reality. We’re usually what regular people would call paranoid. Developers have a skewed vision of reality. They usually don’t care about (or understand) security issues. 7
We’re all skewed! We believe everyone should care about security at least as much as we do. WE’RE WRONG! 8
We’re all skewed! 9
Security Mindset “Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail.” Bruce Schneier 10
“We have a firewall on our internets” 11
“We use usernames and passwords to access our web application” 12
SSL 13
Proof Source: Cenzic Web Application Security Trends Report – Q1-Q2, 2010, Cenzic Inc. 14
More Proof Source: Cenzic Web Application Security Trends Report – Q1-Q2, 2010, Cenzic Inc. 15
Even more proof Source: Verizon Data Breach Report 2010 16
OWASP Top Ten •  Injection •  XSS •  Broken Authentication and Session Management •  Insecure Direct Object Reference •  CSRF •  Security Misconfiguration •  Insecure Cryptographic Storage •  Failure to Restrict URL Access •  Insufficient Transport Layer Protection •  Unvalidated Redirects and Forwards 17
How are we solving this ? The typical approach is forcing developers to solve all of these problems. But the question is: Who are the developers ? Do they understand the problem ? Most of them know nothing about security. Some of them know little about web development. 18
19
Render Unto Caesar… Security practitioners are not web developers Why should web developers be security practitioners ? 20
Flashback 21
Let’s party like it’s 1999 Most security vulnerabilities had to do with services: •  HTTP (IIS, apache) •  FTP (wu-ftpd, IIS) •  POP3 (Qpopper) •  SMTP (Sendmail) •  DNS (Bind) •  Telnet •  SSH •  … Buffer Overflows, Format Strings, Integer Overflows were the flavor of the decade… 22
What happened ? Security vulnerabilities had global impact. Few companies/groups produced that software: Microsoft, Apache, SUN, Sendmail, Linux community/vendors. Some built security into the process (Secure SDL), mainly Microsoft. Tools started having security features (from bounds checking, to static and dynamic code analysis) Operating Systems security was improved (no ASLR or DEP back then) 23
Back to the future 24
And now ? Impact of vulnerabilities is limited to that company (or set of companies that use that particular software) Anyone develops a Web Application. Myriad of development languages. Point & Click frameworks that automagically create code… 25
Looking into the future… Let’s break this down into 4 areas: •  Compliance •  Processes •  People •  Tools 26
Compliance Unless there’s a business requirement, don’t expect anyone to implement security. Ex: PCI-DSS, Data Privacy Laws, … 27
Processes If security is done ad-hoc, it will most surely fail. •  Embed security in the SDL •  Create internal processes for dealing specifically with security (e.g. risk assessment, engineering, testing, etc) 28
29
People Developers won’t build security into the apps, unless it’s a requirement… They need to: understand the security impact. know how to solve the problem. know how to use the tools… Developers won’t become security gurus. 30
Tools People fail. Tools/frameworks should become more idiot- proof. Have security built in by default. Force insecurity to be explicit. 31
32
Thank You!" Q&A? Bruno Morisson CISSP-ISSMP, CISA, ISO27001LA [email]: bm@integrity.pt [work]: http://www.integrity.pt/ [fun]: http://genhex.org/~mori/ 33

Recommended

Security Kung Fu: SIEM Solutions
Security Kung Fu: SIEM SolutionsSecurity Kung Fu: SIEM Solutions
Security Kung Fu: SIEM SolutionsJoshua Berman
 
Equifax Breach Postmortem
Equifax Breach PostmortemEquifax Breach Postmortem
Equifax Breach PostmortemAdrian Sanabria
 
Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021Adam Shostack
 
Technology to Mitigate Risk
Technology to Mitigate RiskTechnology to Mitigate Risk
Technology to Mitigate RiskHB Litigation Conferences
 
1st Russian CSO Summit Trends 2008
1st Russian CSO Summit Trends 20081st Russian CSO Summit Trends 2008
1st Russian CSO Summit Trends 2008Anton Chuvakin
 
Network security, seriously?
Network security, seriously?Network security, seriously?
Network security, seriously?Peter Wood
 
Acronis Active Protection: A Way To Combat Ransomware Attack
Acronis Active Protection: A Way To Combat Ransomware AttackAcronis Active Protection: A Way To Combat Ransomware Attack
Acronis Active Protection: A Way To Combat Ransomware AttackAcronis
 
New Threat Trends in CII(Critical Information Infrastructure)
New Threat Trends in CII(Critical Information Infrastructure)New Threat Trends in CII(Critical Information Infrastructure)
New Threat Trends in CII(Critical Information Infrastructure)Seungjoo Kim
 

Recommended

Security Kung Fu: SIEM Solutions
Security Kung Fu: SIEM SolutionsSecurity Kung Fu: SIEM Solutions
Security Kung Fu: SIEM SolutionsJoshua Berman
 
Equifax Breach Postmortem
Equifax Breach PostmortemEquifax Breach Postmortem
Equifax Breach PostmortemAdrian Sanabria
 
Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021Adam Shostack
 
Technology to Mitigate Risk
Technology to Mitigate RiskTechnology to Mitigate Risk
Technology to Mitigate RiskHB Litigation Conferences
 
1st Russian CSO Summit Trends 2008
1st Russian CSO Summit Trends 20081st Russian CSO Summit Trends 2008
1st Russian CSO Summit Trends 2008Anton Chuvakin
 
Network security, seriously?
Network security, seriously?Network security, seriously?
Network security, seriously?Peter Wood
 
Acronis Active Protection: A Way To Combat Ransomware Attack
Acronis Active Protection: A Way To Combat Ransomware AttackAcronis Active Protection: A Way To Combat Ransomware Attack
Acronis Active Protection: A Way To Combat Ransomware AttackAcronis
 
New Threat Trends in CII(Critical Information Infrastructure)
New Threat Trends in CII(Critical Information Infrastructure)New Threat Trends in CII(Critical Information Infrastructure)
New Threat Trends in CII(Critical Information Infrastructure)Seungjoo Kim
 
Cyber Resilency VANCOUVER, BC Nov 2017
Cyber Resilency VANCOUVER, BC Nov 2017 Cyber Resilency VANCOUVER, BC Nov 2017
Cyber Resilency VANCOUVER, BC Nov 2017 Kevin Murphy
 
Zymr Cybersecurity
Zymr Cybersecurity Zymr Cybersecurity
Zymr Cybersecurity Zymr Cloud
 
Security Kung Fu: SIEM Solutions
Security Kung Fu: SIEM SolutionsSecurity Kung Fu: SIEM Solutions
Security Kung Fu: SIEM SolutionsSolarWinds
 
The Perils that PCI brings to Security
The Perils that PCI brings to SecurityThe Perils that PCI brings to Security
The Perils that PCI brings to SecurityTripwire
 
Five things I learned about information security
Five things I learned about information securityFive things I learned about information security
Five things I learned about information securityMajor Hayden
 
[CB16] Using the CGC’s fully automated vulnerability detection tools in secur...
[CB16] Using the CGC’s fully automated vulnerability detection tools in secur...[CB16] Using the CGC’s fully automated vulnerability detection tools in secur...
[CB16] Using the CGC’s fully automated vulnerability detection tools in secur...CODE BLUE
 
"Cryptography, Data Protection, and Security For Start-Ups In The Post Snowde...
"Cryptography, Data Protection, and Security For Start-Ups In The Post Snowde..."Cryptography, Data Protection, and Security For Start-Ups In The Post Snowde...
"Cryptography, Data Protection, and Security For Start-Ups In The Post Snowde...HackIT Ukraine
 
Secure webdev 3.0
Secure webdev 3.0Secure webdev 3.0
Secure webdev 3.0toots marcelo
 
Security Kung Fu: Firewall Logs
Security Kung Fu: Firewall LogsSecurity Kung Fu: Firewall Logs
Security Kung Fu: Firewall LogsJoshua Berman
 
Top Ten Hacks of 2007
Top Ten Hacks of 2007Top Ten Hacks of 2007
Top Ten Hacks of 2007Jeremiah Grossman
 
Moving Beyond Zero Trust
Moving Beyond Zero TrustMoving Beyond Zero Trust
Moving Beyond Zero Trustscoopnewsgroup
 
Rising Cyber Escalation US Iran Russia ICS Threats and Response
Rising Cyber Escalation US Iran Russia ICS Threats and Response Rising Cyber Escalation US Iran Russia ICS Threats and Response
Rising Cyber Escalation US Iran Russia ICS Threats and Response Dragos, Inc.
 
SOMETHING INTANGIBLE, BUT REAL ABOUT CYBERSECURITY
SOMETHING INTANGIBLE, BUT REAL ABOUT CYBERSECURITYSOMETHING INTANGIBLE, BUT REAL ABOUT CYBERSECURITY
SOMETHING INTANGIBLE, BUT REAL ABOUT CYBERSECURITYDialogueScience
 
The 1st Step to Zero Trust: Asset Management for Cybersecurity
The 1st Step to Zero Trust: Asset Management for CybersecurityThe 1st Step to Zero Trust: Asset Management for Cybersecurity
The 1st Step to Zero Trust: Asset Management for Cybersecuritynathan-axonius
 
Network cloaking sansv2_
Network cloaking sansv2_Network cloaking sansv2_
Network cloaking sansv2_CMR WORLD TECH
 
Cyber Security & User's Privacy Invasion
Cyber Security & User's Privacy InvasionCyber Security & User's Privacy Invasion
Cyber Security & User's Privacy InvasionIsaiah Edem
 
Unsafe at Any Speed: 7 Dirty Secrets of the Security Industry
Unsafe at Any Speed: 7 Dirty Secrets of the Security IndustryUnsafe at Any Speed: 7 Dirty Secrets of the Security Industry
Unsafe at Any Speed: 7 Dirty Secrets of the Security Industrydigitallibrary
 
Hakin9 interview w Prof Sood
Hakin9 interview w Prof SoodHakin9 interview w Prof Sood
Hakin9 interview w Prof SoodZsolt Nemeth
 
2018 Year in Review- ICS Threat Activity Groups
2018 Year in Review- ICS Threat Activity Groups2018 Year in Review- ICS Threat Activity Groups
2018 Year in Review- ICS Threat Activity GroupsDragos, Inc.
 
Security Kung Fu: Active Directory Changes
Security Kung Fu: Active Directory ChangesSecurity Kung Fu: Active Directory Changes
Security Kung Fu: Active Directory ChangesJoshua Berman
 
Virtualization & Security
Virtualization & SecurityVirtualization & Security
Virtualization & Securitymorisson
 
APT
APTAPT
APTmorisson
 

More Related Content

What's hot

Cyber Resilency VANCOUVER, BC Nov 2017
Cyber Resilency VANCOUVER, BC Nov 2017 Cyber Resilency VANCOUVER, BC Nov 2017
Cyber Resilency VANCOUVER, BC Nov 2017 Kevin Murphy
 
Zymr Cybersecurity
Zymr Cybersecurity Zymr Cybersecurity
Zymr Cybersecurity Zymr Cloud
 
Security Kung Fu: SIEM Solutions
Security Kung Fu: SIEM SolutionsSecurity Kung Fu: SIEM Solutions
Security Kung Fu: SIEM SolutionsSolarWinds
 
The Perils that PCI brings to Security
The Perils that PCI brings to SecurityThe Perils that PCI brings to Security
The Perils that PCI brings to SecurityTripwire
 
Five things I learned about information security
Five things I learned about information securityFive things I learned about information security
Five things I learned about information securityMajor Hayden
 
[CB16] Using the CGC’s fully automated vulnerability detection tools in secur...
[CB16] Using the CGC’s fully automated vulnerability detection tools in secur...[CB16] Using the CGC’s fully automated vulnerability detection tools in secur...
[CB16] Using the CGC’s fully automated vulnerability detection tools in secur...CODE BLUE
 
"Cryptography, Data Protection, and Security For Start-Ups In The Post Snowde...
"Cryptography, Data Protection, and Security For Start-Ups In The Post Snowde..."Cryptography, Data Protection, and Security For Start-Ups In The Post Snowde...
"Cryptography, Data Protection, and Security For Start-Ups In The Post Snowde...HackIT Ukraine
 
Security Kung Fu: Firewall Logs
Security Kung Fu: Firewall LogsSecurity Kung Fu: Firewall Logs
Security Kung Fu: Firewall LogsJoshua Berman
 
Moving Beyond Zero Trust
Moving Beyond Zero TrustMoving Beyond Zero Trust
Moving Beyond Zero Trustscoopnewsgroup
 
Rising Cyber Escalation US Iran Russia ICS Threats and Response
Rising Cyber Escalation US Iran Russia ICS Threats and Response Rising Cyber Escalation US Iran Russia ICS Threats and Response
Rising Cyber Escalation US Iran Russia ICS Threats and Response Dragos, Inc.
 
SOMETHING INTANGIBLE, BUT REAL ABOUT CYBERSECURITY
SOMETHING INTANGIBLE, BUT REAL ABOUT CYBERSECURITYSOMETHING INTANGIBLE, BUT REAL ABOUT CYBERSECURITY
SOMETHING INTANGIBLE, BUT REAL ABOUT CYBERSECURITYDialogueScience
 
The 1st Step to Zero Trust: Asset Management for Cybersecurity
The 1st Step to Zero Trust: Asset Management for CybersecurityThe 1st Step to Zero Trust: Asset Management for Cybersecurity
The 1st Step to Zero Trust: Asset Management for Cybersecuritynathan-axonius
 
Network cloaking sansv2_
Network cloaking sansv2_Network cloaking sansv2_
Network cloaking sansv2_CMR WORLD TECH
 
Cyber Security & User's Privacy Invasion
Cyber Security & User's Privacy InvasionCyber Security & User's Privacy Invasion
Cyber Security & User's Privacy InvasionIsaiah Edem
 
Unsafe at Any Speed: 7 Dirty Secrets of the Security Industry
Unsafe at Any Speed: 7 Dirty Secrets of the Security IndustryUnsafe at Any Speed: 7 Dirty Secrets of the Security Industry
Unsafe at Any Speed: 7 Dirty Secrets of the Security Industrydigitallibrary
 
Hakin9 interview w Prof Sood
Hakin9 interview w Prof SoodHakin9 interview w Prof Sood
Hakin9 interview w Prof SoodZsolt Nemeth
 
2018 Year in Review- ICS Threat Activity Groups
2018 Year in Review- ICS Threat Activity Groups2018 Year in Review- ICS Threat Activity Groups
2018 Year in Review- ICS Threat Activity GroupsDragos, Inc.
 
Security Kung Fu: Active Directory Changes
Security Kung Fu: Active Directory ChangesSecurity Kung Fu: Active Directory Changes
Security Kung Fu: Active Directory ChangesJoshua Berman
 

What's hot (20)

Cyber Resilency VANCOUVER, BC Nov 2017
Cyber Resilency VANCOUVER, BC Nov 2017 Cyber Resilency VANCOUVER, BC Nov 2017
Cyber Resilency VANCOUVER, BC Nov 2017
 
Zymr Cybersecurity
Zymr Cybersecurity Zymr Cybersecurity
Zymr Cybersecurity
 
Security Kung Fu: SIEM Solutions
Security Kung Fu: SIEM SolutionsSecurity Kung Fu: SIEM Solutions
Security Kung Fu: SIEM Solutions
 
The Perils that PCI brings to Security
The Perils that PCI brings to SecurityThe Perils that PCI brings to Security
The Perils that PCI brings to Security
 
Five things I learned about information security
Five things I learned about information securityFive things I learned about information security
Five things I learned about information security
 
[CB16] Using the CGC’s fully automated vulnerability detection tools in secur...
[CB16] Using the CGC’s fully automated vulnerability detection tools in secur...[CB16] Using the CGC’s fully automated vulnerability detection tools in secur...
[CB16] Using the CGC’s fully automated vulnerability detection tools in secur...
 
"Cryptography, Data Protection, and Security For Start-Ups In The Post Snowde...
"Cryptography, Data Protection, and Security For Start-Ups In The Post Snowde..."Cryptography, Data Protection, and Security For Start-Ups In The Post Snowde...
"Cryptography, Data Protection, and Security For Start-Ups In The Post Snowde...
 
Secure webdev 3.0
Secure webdev 3.0Secure webdev 3.0
Secure webdev 3.0
 
Security Kung Fu: Firewall Logs
Security Kung Fu: Firewall LogsSecurity Kung Fu: Firewall Logs
Security Kung Fu: Firewall Logs
 
Top Ten Hacks of 2007
Top Ten Hacks of 2007Top Ten Hacks of 2007
Top Ten Hacks of 2007
 
Moving Beyond Zero Trust
Moving Beyond Zero TrustMoving Beyond Zero Trust
Moving Beyond Zero Trust
 
Rising Cyber Escalation US Iran Russia ICS Threats and Response
Rising Cyber Escalation US Iran Russia ICS Threats and Response Rising Cyber Escalation US Iran Russia ICS Threats and Response
Rising Cyber Escalation US Iran Russia ICS Threats and Response
 
SOMETHING INTANGIBLE, BUT REAL ABOUT CYBERSECURITY
SOMETHING INTANGIBLE, BUT REAL ABOUT CYBERSECURITYSOMETHING INTANGIBLE, BUT REAL ABOUT CYBERSECURITY
SOMETHING INTANGIBLE, BUT REAL ABOUT CYBERSECURITY
 
The 1st Step to Zero Trust: Asset Management for Cybersecurity
The 1st Step to Zero Trust: Asset Management for CybersecurityThe 1st Step to Zero Trust: Asset Management for Cybersecurity
The 1st Step to Zero Trust: Asset Management for Cybersecurity
 
Network cloaking sansv2_
Network cloaking sansv2_Network cloaking sansv2_
Network cloaking sansv2_
 
Cyber Security & User's Privacy Invasion
Cyber Security & User's Privacy InvasionCyber Security & User's Privacy Invasion
Cyber Security & User's Privacy Invasion
 
Unsafe at Any Speed: 7 Dirty Secrets of the Security Industry
Unsafe at Any Speed: 7 Dirty Secrets of the Security IndustryUnsafe at Any Speed: 7 Dirty Secrets of the Security Industry
Unsafe at Any Speed: 7 Dirty Secrets of the Security Industry
 
Hakin9 interview w Prof Sood
Hakin9 interview w Prof SoodHakin9 interview w Prof Sood
Hakin9 interview w Prof Sood
 
2018 Year in Review- ICS Threat Activity Groups
2018 Year in Review- ICS Threat Activity Groups2018 Year in Review- ICS Threat Activity Groups
2018 Year in Review- ICS Threat Activity Groups
 
Security Kung Fu: Active Directory Changes
Security Kung Fu: Active Directory ChangesSecurity Kung Fu: Active Directory Changes
Security Kung Fu: Active Directory Changes
 

Viewers also liked

Virtualization & Security
Virtualization & SecurityVirtualization & Security
Virtualization & Securitymorisson
 
Honeypot Farms using Ethernet Bridging over a TCP Connection
Honeypot Farms using Ethernet Bridging over a TCP Connection Honeypot Farms using Ethernet Bridging over a TCP Connection
Honeypot Farms using Ethernet Bridging over a TCP Connection morisson
 
Mobile Securty - An Oxymoron?
Mobile Securty - An Oxymoron?Mobile Securty - An Oxymoron?
Mobile Securty - An Oxymoron?morisson
 
Crash Course In Brain Surgery
Crash Course In Brain SurgeryCrash Course In Brain Surgery
Crash Course In Brain Surgerymorisson
 
Security asap
Security asapSecurity asap
Security asapmorisson
 
(Mis)trusting and (ab)using ssh
(Mis)trusting and (ab)using ssh(Mis)trusting and (ab)using ssh
(Mis)trusting and (ab)using sshmorisson
 

Viewers also liked (7)

Virtualization & Security
Virtualization & SecurityVirtualization & Security
Virtualization & Security
 
APT
APTAPT
APT
 
Honeypot Farms using Ethernet Bridging over a TCP Connection
Honeypot Farms using Ethernet Bridging over a TCP Connection Honeypot Farms using Ethernet Bridging over a TCP Connection
Honeypot Farms using Ethernet Bridging over a TCP Connection
 
Mobile Securty - An Oxymoron?
Mobile Securty - An Oxymoron?Mobile Securty - An Oxymoron?
Mobile Securty - An Oxymoron?
 
Crash Course In Brain Surgery
Crash Course In Brain SurgeryCrash Course In Brain Surgery
Crash Course In Brain Surgery
 
Security asap
Security asapSecurity asap
Security asap
 
(Mis)trusting and (ab)using ssh
(Mis)trusting and (ab)using ssh(Mis)trusting and (ab)using ssh
(Mis)trusting and (ab)using ssh
 

Similar to The Thing That Should Not Be

Security For Free
Security For FreeSecurity For Free
Security For Freegwarden
 
Cloud Security - Idealware
Cloud Security - IdealwareCloud Security - Idealware
Cloud Security - IdealwareIdealware
 
The Cloud Beckons, But is it Safe?
The Cloud Beckons, But is it Safe?The Cloud Beckons, But is it Safe?
The Cloud Beckons, But is it Safe?NTEN
 
Why AppSec Matters
Why AppSec MattersWhy AppSec Matters
Why AppSec MattersInnoTech
 
Ten security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard ofTen security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard ofAdrian Sanabria
 
Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)Dinis Cruz
 
Forget cyber, it's all about AppSec
Forget cyber, it's all about AppSecForget cyber, it's all about AppSec
Forget cyber, it's all about AppSecAdrien de Beaupre
 
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...lior mazor
 
Started In Security Now I'm Here
Started In Security Now I'm HereStarted In Security Now I'm Here
Started In Security Now I'm HereChristopher Grayson
 
2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Deliverydevopsdaysaustin
 
Inconvenient Truth(s) - On Application Security (from 2007)
Inconvenient Truth(s) - On Application Security (from 2007)Inconvenient Truth(s) - On Application Security (from 2007)
Inconvenient Truth(s) - On Application Security (from 2007)Dinis Cruz
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSECSean Whalen
 
Safely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySafely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySeniorStoryteller
 
Carbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down AttacksCarbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down AttacksMighty Guides, Inc.
 
1_Introduction.pdf
1_Introduction.pdf1_Introduction.pdf
1_Introduction.pdfssuserfb92ae
 
Top Application Security Trends of 2012
Top Application Security Trends of 2012Top Application Security Trends of 2012
Top Application Security Trends of 2012DaveEdwards12
 
Information Security Intelligence
Information Security IntelligenceInformation Security Intelligence
Information Security Intelligenceguest08b1e6
 
Cloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security PractitionerCloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security PractitionerAdrian Sanabria
 
The CISO Problems Risk Compliance Management in a Software Development 030420...
The CISO Problems Risk Compliance Management in a Software Development 030420...The CISO Problems Risk Compliance Management in a Software Development 030420...
The CISO Problems Risk Compliance Management in a Software Development 030420...lior mazor
 

Similar to The Thing That Should Not Be (20)

Security For Free
Security For FreeSecurity For Free
Security For Free
 
Cloud Security - Idealware
Cloud Security - IdealwareCloud Security - Idealware
Cloud Security - Idealware
 
The Cloud Beckons, But is it Safe?
The Cloud Beckons, But is it Safe?The Cloud Beckons, But is it Safe?
The Cloud Beckons, But is it Safe?
 
Why AppSec Matters
Why AppSec MattersWhy AppSec Matters
Why AppSec Matters
 
Ten security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard ofTen security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard of
 
Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)Making the case for sandbox v1.1 (SD Conference 2007)
Making the case for sandbox v1.1 (SD Conference 2007)
 
Forget cyber, it's all about AppSec
Forget cyber, it's all about AppSecForget cyber, it's all about AppSec
Forget cyber, it's all about AppSec
 
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
 
Started In Security Now I'm Here
Started In Security Now I'm HereStarted In Security Now I'm Here
Started In Security Now I'm Here
 
2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery
 
Inconvenient Truth(s) - On Application Security (from 2007)
Inconvenient Truth(s) - On Application Security (from 2007)Inconvenient Truth(s) - On Application Security (from 2007)
Inconvenient Truth(s) - On Application Security (from 2007)
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSEC
 
Safely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySafely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous Delivery
 
Carbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down AttacksCarbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down Attacks
 
Bulletproof IT Security
Bulletproof IT SecurityBulletproof IT Security
Bulletproof IT Security
 
1_Introduction.pdf
1_Introduction.pdf1_Introduction.pdf
1_Introduction.pdf
 
Top Application Security Trends of 2012
Top Application Security Trends of 2012Top Application Security Trends of 2012
Top Application Security Trends of 2012
 
Information Security Intelligence
Information Security IntelligenceInformation Security Intelligence
Information Security Intelligence
 
Cloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security PractitionerCloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security Practitioner
 
The CISO Problems Risk Compliance Management in a Software Development 030420...
The CISO Problems Risk Compliance Management in a Software Development 030420...The CISO Problems Risk Compliance Management in a Software Development 030420...
The CISO Problems Risk Compliance Management in a Software Development 030420...
 

Recently uploaded

"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

The Thing That Should Not Be

  • 1. The Thing That Should Not Be A glimpse into the dark future of web application security Bruno Morisson <bm@integrity.pt> IBWAS’10
  • 2. About me •  Consultant & Partner - INTEGRITY, Consulting & Advisory •  ~12 years in Information Security •  CISSP-ISSMP/CISA/ISO27001 Lead Auditor •  Background as a Linux/Unix sysadmin •  Background as a C developer 2
  • 3. Warning! This is all rather unscientific! Really. Consider yourself warned. 3
  • 4. If wishes were ponies… …security would be inherent to the applications. …there would be no (security) bugs. …we would all get along just fine. 4
  • 5. This is how they see us 5
  • 6. This is how we see them 6
  • 7. We’re all skewed! Security practitioners have a skewed vision of reality. We’re usually what regular people would call paranoid. Developers have a skewed vision of reality. They usually don’t care about (or understand) security issues. 7
  • 8. We’re all skewed! We believe everyone should care about security at least as much as we do. WE’RE WRONG! 8
  • 10. Security Mindset “Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail.” Bruce Schneier 10
  • 11. “We have a firewall on our internets” 11
  • 12. “We use usernames and passwords to access our web application” 12
  • 13. SSL 13
  • 14. Proof Source: Cenzic Web Application Security Trends Report – Q1-Q2, 2010, Cenzic Inc. 14
  • 15. More Proof Source: Cenzic Web Application Security Trends Report – Q1-Q2, 2010, Cenzic Inc. 15
  • 16. Even more proof Source: Verizon Data Breach Report 2010 16
  • 17. OWASP Top Ten •  Injection •  XSS •  Broken Authentication and Session Management •  Insecure Direct Object Reference •  CSRF •  Security Misconfiguration •  Insecure Cryptographic Storage •  Failure to Restrict URL Access •  Insufficient Transport Layer Protection •  Unvalidated Redirects and Forwards 17
  • 18. How are we solving this ? The typical approach is forcing developers to solve all of these problems. But the question is: Who are the developers ? Do they understand the problem ? Most of them know nothing about security. Some of them know little about web development. 18
  • 19. 19
  • 20. Render Unto Caesar… Security practitioners are not web developers Why should web developers be security practitioners ? 20
  • 21. Flashback 21
  • 22. Let’s party like it’s 1999 Most security vulnerabilities had to do with services: •  HTTP (IIS, apache) •  FTP (wu-ftpd, IIS) •  POP3 (Qpopper) •  SMTP (Sendmail) •  DNS (Bind) •  Telnet •  SSH •  … Buffer Overflows, Format Strings, Integer Overflows were the flavor of the decade… 22
  • 23. What happened ? Security vulnerabilities had global impact. Few companies/groups produced that software: Microsoft, Apache, SUN, Sendmail, Linux community/vendors. Some built security into the process (Secure SDL), mainly Microsoft. Tools started having security features (from bounds checking, to static and dynamic code analysis) Operating Systems security was improved (no ASLR or DEP back then) 23
  • 24. Back to the future 24
  • 25. And now ? Impact of vulnerabilities is limited to that company (or set of companies that use that particular software) Anyone develops a Web Application. Myriad of development languages. Point & Click frameworks that automagically create code… 25
  • 26. Looking into the future… Let’s break this down into 4 areas: •  Compliance •  Processes •  People •  Tools 26
  • 27. Compliance Unless there’s a business requirement, don’t expect anyone to implement security. Ex: PCI-DSS, Data Privacy Laws, … 27
  • 28. Processes If security is done ad-hoc, it will most surely fail. •  Embed security in the SDL •  Create internal processes for dealing specifically with security (e.g. risk assessment, engineering, testing, etc) 28
  • 29. 29
  • 30. People Developers won’t build security into the apps, unless it’s a requirement… They need to: understand the security impact. know how to solve the problem. know how to use the tools… Developers won’t become security gurus. 30
  • 31. Tools People fail. Tools/frameworks should become more idiot- proof. Have security built in by default. Force insecurity to be explicit. 31
  • 32. 32
  • 33. Thank You!" Q&A? Bruno Morisson CISSP-ISSMP, CISA, ISO27001LA [email]: bm@integrity.pt [work]: http://www.integrity.pt/ [fun]: http://genhex.org/~mori/ 33