Fundamental Practices and tools to implement a security development lifecycle: On The Driving Seat of Secure Development. Cassio Goldschmidt, Sr. Manager, Product Security
Why Accidents Happen? Do You Drive Better than the Average Driver? Yes X No
Every Two Miles The Average Driver Makes... 400 Observations, 40 Decisions, 1 Error
Every 500 Miles One of Those Decisions... Results in a Near Collision
Every 61,000 miles One of those Mistakes Leads to an... Accident
CRASH!
Analyzing The Problem: Developers, User
Raising the Bar on Education. Driving: A Privilege, Not a Right
Resolving the Problem with Education
- Common Weakness Enumeration CWE Top 25
What is SAFECode.org? SAFECode’s Mission: Increase trust in information and communications technology products and services through the advancement of proven software assurance methods.
CRASH!
Eye on the Ball! Focus Test: How Many Times Does the White Team Pass the Ball? Video created by Daniel Simons, a professor of psychology at Harvard
To Err is Human

1960 – 1970: A New Approach to Traffic Safety (William Haddon)
- Medical doctor by training
- Wouldn’t eat mayonnaise, afraid of contamination
- Took a scientific approach to solve the problem
- Concluded that driver education was not the problem
- The problem was the interaction between humans and machines

Human-Machine Interaction WINNER! VS.
Human-Machine Interaction
Security Mechanisms in Modern Compilers (C++)

MS Visual C++ Flags and Options
- /GS
- /DYNAMICBASE
- /NXCOMPAT
- /SafeSEH
- /Analyze

Banned Functions (banned.h)
- strcpy, strcat, strlen…
- strncpy, strncat…
- sprintf, wsprintf, swprintf...
- gets, _getts
- strtok, _tcstok…
- makepath, splitpath
- scanf, sscanf
- _itoa, _itow
- CharToOem, OemToChar
- alloca, _alloca
- ...

gcc Flags
- -fstack-protector
- -Wl,-pie
- -D_FORTIFY_SOURCE=2
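
The banned list on this slide names strncpy as well as strcpy. The following added example (not part of the original slides) shows why: strncpy leaves the destination unterminated when the source fills the buffer, while a bounded copy can always terminate and report truncation. The names `bounded_copy` and `strncpy_leaves_unterminated` are hypothetical, and the input string is constructed.

```c
/* Build with the gcc flags from the slide, for example:
 *   gcc -O2 -fstack-protector -D_FORTIFY_SOURCE=2 demo.c
 * (_FORTIFY_SOURCE only takes effect with optimization enabled). */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical helper, not taken from banned.h: copies at most
 * dst_size - 1 bytes, always NUL-terminates, and returns -1 when the
 * arguments are invalid or the source did not fit (truncation). */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t i = 0;

    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    while (i < dst_size - 1 && src[i] != '\0') {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
    return src[i] == '\0' ? 0 : -1;
}

/* Returns 1 if strncpy left an 8-byte buffer without a terminating NUL. */
int strncpy_leaves_unterminated(const char *src)
{
    char dst[8];

    memset(dst, 'X', sizeof dst);
    strncpy(dst, src, sizeof dst);   /* banned: no NUL if strlen(src) >= 8 */
    return memchr(dst, '\0', sizeof dst) == NULL;
}

int main(void)
{
    const char *input = "AAAAAAAAAAAAAAAA";   /* constructed 16-byte input */
    char buf[8];
    int rc;

    printf("strncpy unterminated: %d\n", strncpy_leaves_unterminated(input));
    rc = bounded_copy(buf, sizeof buf, input);
    printf("bounded_copy rc=%d buf=\"%s\"\n", rc, buf);
    return 0;
}
```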
Sandboxing
- Defense in depth
- Least privilege
- Encouraged for applications that:
  - Are installed on a large number of systems (> 1 million)
  - Process untrusted data
  - Parse complex data
- Examples:
  - Norton Antivirus
  - Internet Explorer
  - Adobe Acrobat
  - Microsoft Office

Static Source Code Analysis
- The spell checker of developers
- Everyone should use it
- Tools that integrate with the build environment lead to faster resolution
- Not a replacement for code-base analysis
- Clean run = free from some well-known and well-understood patterns
- Can be used with limited source code access
- May lead to false negatives
- Great when new types of weaknesses are discovered
- Rules can do the initial triage

Static Source Code Analysis: Tips
- First time users
- Clear all warnings first
- Expect a significant list of findings
- Consider creating a team to clean the code
- Disband the “clean up team” afterwards
- Use of multiple tools is recommended
- Continuous build
- Track findings?
- Change in rules = change in metrics = complaints from dev teams

Traffic Analysis: Burp Suite
Secure Driving is a Process
Secure Development is a Process CONCEPT PLANNING DEV TEST SUPPORT
One Slide Summary Training Awareness Programs CONCEPT Threat Modeling PLANNING DEV Tools Code Reviews TEST Tools for Security Test Penetration Test SUPPORT Vulnerability Management 3rd party component alerts
The Entire Supply Chain Needs to Be Secure
Open Source Use Must be Controlled

Third Party Components and Cloud Computing
- Organizations must certify contractually that a secure development process has been followed.
- Diagram labels: Tests, Uses, Clouds-R-Us.Com, Vendors-R-Us.Com, Pen Testers (External)

Security Is a Journey
Cassio Goldschmidt, cassio@cassiogoldschmidt.com, http://www.cassiogoldschmidt.com

Links & References
- Wrong Turn, Malcolm Gladwell, The New Yorker, June 11, 2001
- www.safecode.org
- www.owasp.org
- http://cwe.mitre.org/top25/
- http://portswigger.net/burp/
- The Invisible Gorilla, Daniel J. Simons & Christopher Chabris, http://www.theinvisiblegorilla.com/videos.html