Software Security Assurance
Krisztián Schäffer // cloudbreaker.co
@ ITBN 2012
What
Building security into Applications
Development Lifecycle Hardening
From Requirements Analysis to Shutdown
Balanced measures according to risks
Better security awareness through training, feedback and a reusable framework
Quality Assurance meets Security


But today we don't cover metrics and KPIs...
Why
The network is strong

Everybody has a firewall, VPN, 2FA etc.

The Application is the weakest link
The lack of Awareness

1998: Rain Forest Puppy discovered SQL Injection
Mitigation is Easy

2011: Anonymous hits HBGary using SQL Injection

2012: Yahoo! breach: SQL Injection

The lack of Awareness is the weakest link

The problems of Technology

Hypertext is an Application Platform?

Just one example:
Click the link: DOM XSS Demo
Reload the page to clear the XSS

DOM XSS is VERY HARD to detect automatically
Chrome's XSS filter also fails here

More bad news: DOM XSS after the # is IMPOSSIBLE to detect on the server side, because the browser never sends the fragment to the server
ergo
There is no such thing as an OWASP Top 10 WAF
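As an added example (not the talk's demo) of the two points above: the fragment never reaches the server, so no server-side filter can inspect it, and whether the payload is live depends entirely on the client-side sink. The URL is constructed; the element stand-in, `requestTargetSeenByServer` and `containsActiveMarkup` are hypothetical helpers so the code runs under Node.

```javascript
// Added example (not the talk's demo): a fragment-based DOM XSS never reaches
// the server, and the client-side sink decides whether the payload is live.

// Constructed URL: the payload sits entirely after the '#'.
const EXAMPLE_URL =
  "https://app.example/welcome?lang=en#<img src=x onerror=alert(1)>";

// Hypothetical helper: the request target a server-side WAF or log can see.
// Browsers send path and query; the fragment stays in the user agent.
function requestTargetSeenByServer(fullUrl) {
  const u = new URL(fullUrl);
  return u.pathname + u.search;
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical stand-in for a DOM element so the example runs under Node:
// innerHTML is parsed as markup, textContent is serialized as inert text.
function makeElement() {
  let html = "";
  return {
    get innerHTML() { return html; },
    set innerHTML(v) { html = v; },
    set textContent(v) { html = escapeHtml(v); },
  };
}

// Vulnerable pattern: hash text flows into an HTML-parsing sink.
// Returns the markup the browser would parse.
function renderVulnerable(el, hash) {
  el.innerHTML = "Hello " + decodeURIComponent(hash.slice(1));
  return el.innerHTML;
}

// Hardened pattern: same data, text sink; tags become literal characters.
function renderSafe(el, hash) {
  el.textContent = "Hello " + decodeURIComponent(hash.slice(1));
  return el.innerHTML;
}

// Client-side check for tests: does the rendered markup contain an executable
// element or an inline event handler inside a real tag?
function containsActiveMarkup(html) {
  return /<\s*(script|iframe|object|embed)\b|<[a-z][^>]*\son\w+\s*=/i.test(html);
}
```

The same check belongs in the application's own front-end tests, since it is the only place the fragment is ever visible.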

  • No (usable) standard authentication
  • No session management
  • Mixed data and code
  • ...

  • A lot of progress done and coming:
    • CSP
    • CORS
    • Sandboxing
    • ...


The problems of Technology are the weakest link



Prioritization of the Budget

Typical IT Budget (chart: Application, Host, Network)
Typical IT security Budget (chart: Application, Host, Network)
1998: Bob Frankston said "Firewalls are the New Maginot Line"

2012
The Application is the weakest link
The Application is the target

Verizon 2012 DBIR: 54% of breaches affected webapps
The Application is the target
Security Testing
Part of the solution
Regenerates the problem
Ineffective in AppSec

Do you want to pay for zero days in Struts?
And what happens with your tested Struts app if somebody finds one?
How
Start it lightweight
Train your developers: cost effective and long lasting
Run a limited pilot project
Dictate security requirements to your suppliers: Security != Authentication
If you see it is good, continue
Prioritize your applications: assign assurance levels to them according to their risks
For high risk apps implement SSA

Our example for today: Microsoft SDL
Thank you!
Krisztián Schäffer
ko.co