SlideShare uma empresa Scribd logo

Usable Security for Developers: A Nightmare

Achim D. Brucker
Achim D. Brucker

The term “usable security” is on everyone’s lips and there seems to be a general agreement that, first, security controls should not unnecessarily affect the usability and unfriendliness of systems. And, second, that simple to use system should be preferred as they minimize the risk of handling errors that can be the root cause of security incidents such as data leakages. But it also seems to be a general surprise (at least for security experts), why software developers always (still) make so many easy to avoid mistakes that lead to insecure software systems. In fact, many of the large security incidents of the last weeks/months/years are caused by “seemingly simple to fix” programming errors. Bringing both observations together, it should be obvious that we need usable and developer-friendly security controls and programming frameworks that make it easy to build secure systems. Still, reality looks different: many programming languages, APIs, and frameworks provide complex interfaces that are, actually, hard to use securely. In fact, they are miles away from providing usable security for developers. In this talk, I will discuss examples of complex and “non-usable” security for developers such as APIs that, in fact, are (nearly) impossible to use securely or that require a understanding of security topics that most security experts to not have (and, thus, that we cannot expert from software developers).

Tecnologia
1 de 33
Baixar para ler offline
Usable Security for Developers: A Nightmare Achim D. Brucker | @adbrucker
Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Usable Security for Developers: A Nightmare Abstract The term “usable security” is on everyone’s lips and there seems to be a general agreement that, first, security controls should not unnecessarily affect the usability and unfriendliness of systems. And, second, that simple to use system should be preferred as they minimize the risk of handling errors that can be the root cause of security incidents such as data leakages. But it also seems to be a general surprise (at least for security experts), why software developers always (still) make so many easy to avoid mistakes that lead to insecure software systems. In fact, many of the large security incidents of the last weeks/months/years are caused by “seemingly simple to fix” programming errors. Bringing both observations together, it should be obvious that we need usable and developer-friendly security controls and programming frameworks that make it easy to build secure systems. Still, reality looks different: many programming languages, APIs, and frameworks provide complex interfaces that are, actually, hard to use securely. In fact, they are miles away from providing usable security for developers. In this talk, I will discuss examples of complex and “non-usable” security for developers such as APIs that, in fact, are (nearly) impossible to use securely or that require a understanding of security topics that most security experts to not have (and, thus, that we cannot expert from software developers).
Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker About Me Security Expert/Architect at SAP SE Member of the central security team, SAP SE (Germany) Security Testing Strategist Work areas at SAP included: Defining the risk-based Security Testing Strategy Evaluation of security testing tools (e.g., SAST, DAST) Roll-out of security testing tools Secure Software Development Life Cycle integration ... Since December 2015: Associate Professor, The University of Sheffield, UK Head of the Software Assurance & Security Research Team Available as consultancy & (research) collaborations https://www.brucker.ch/
Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Outline 1 Security experts and developers 2 Secure programming cant’ be that difficult ... 3 The most common “fixes” 4 What we should do
Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker 70 years of software development Since the late 1940ies, we program, debug, and patch computer systems. we do not use punch cards anymore ...
Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker 70 years of software development Since the late 1940ies, we program, debug, and patch computer systems. we do not use punch cards anymore ...
Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker 70 years of software development Since the late 1940ies, we program, debug, and patch computer systems. we do not use punch cards anymore ...
Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker 70 years of software development Since the late 1940ies, we program, debug, and patch computer systems. we do not use punch cards anymore ...
Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker We build software since 70 years and still make the same old (security) mistakes
Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker
Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker The common “silver bullet”: The SDLC Training Risk Identification Plan Security Measures Secure Development & Security Testing Security Validation Secure Operations Security Response Central security experts (SDLC owner) Organizes security trainings Defines product standard “Security” Defines security testing strategy Validates products ... Development teams Select technologies Select development model Design and execute security testing plan ...
Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Works nicely in theory – let’s move to reality
Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Developer Security Expert
Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Introducing the SDLC: View of the security experts The whiteboard is from the Microsoft’s security team I confess, I am guilty too: We also had a board with “embarrassing developers quotes”
SQL Injection: I would never enter this! Encryption: We XOR-encrypted it Injection: But that would be illegal! XSS (as a feature): We can’t fix this, customers rely on it (sad but true)
Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Introducing the SDLC: View of the developers Experience security as “The Department of No” Confronted with a strange & complex language (there are over 1024 CWEs – and counting)
Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Example of unfriendly APIs: Buffer overflow > man gets GETS (3S) GETS (3S) NAME gets , fgets - get a string from a stream SYNOPSIS #include <stdio.h> char *gets(s) char *s; DESCRIPTION Gets reads a string into s from the standard input stream stdin. The string is terminated by a newline character , which is replaced in s by a null character. Gets returns its argument. Let’s travel back in time Unix V7 (1979) Reading strings Gets returns a string of arbitrary length Is there a secure use of gets?
Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Example of unfriendly APIs: Buffer overflow Wait, let’s check the man page on a modern Unix/Linux: NAME gets - get a string from standard input (DEPRECATED) BUGS Never use gets (). Because it is impossible to tell without knowing the data in advance how many characters gets () will read , and because gets () will continue to store characters past the end of the buffer , it is extremely dangerous to use. It has been used to break computer security. Use fgets () instead.
Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Example of unfriendly APIs: Buffer overflow OK, that’s sounds easy: Use fgets(buf, n, stdin) instead of gets(buf): void f() { char buf [20]; gets(buf)fgets(buf,20,stdin) // NOT: gets(buf); } Is this now secure? No, fgets does not always null-terminate we need to manually null terminate the buffer (and reserve space for the null character) void f() { char buf [21]; fgets(buf ,20, stdin ); buf [20]= ’0’; } C-Programming has a lot in comming with (insurance) contracts: allways read the small print
Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Example of unfriendly APIs: Error handling “ “Most OpenSSL functions will return an integer to indicate success or failure. Typically a function will return 1 on success or 0 on error. All return codes should be checked and handled as appropriate. Note that not all of the libcrypto functions return 0 for error and 1 for success. There are exceptions which can trip up the unwary. For example if you want to check a signature with some functions you get 1 if the signature is correct, 0 if it is not correct and -1 if something bad happened like a memory allocation failure.” (OpenSSL) Recall the common C convention: 0 indicates success any non-zero value indicates failure
Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Example of unfriendly APIs: Error handling Which one is correct: 1 Consider if ( some_verify_function ()) /* signature successful *? 2 Consider if ( 1 != some_verify_function ()) /* signature successful *? 3 Consider if ( 1 == some_verify_function ()) /* signature successful *? The last one is correct
Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Example of unfriendly APIs: The Java 8 Crypto API Just a nightmare: Many configurations to choose from algorithm mode of operation padding scheme right keys and sizes ... Most ciphers are oudated/broken. Only two can still be recommended AES (symmetric) RSA (asymmetric) Many providers use insecure defaults (e.g., ECB mode) Using the Java crypto API, is already hard for somebody who understands crypto ...
Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Example of unfriendly APIs: XSS (Java) Most Web Frameworks for Java do not provide input/output encoding as default Developers need to include third party encoding libraries (e.g., OWASP Java Encoder: https://github.com/OWASP/owasp-java-encoder) and add calls to the encoder manually: PrintWriter out = ....; out.println("<textarea >"+Encode.forHtml(userData )+" </textarea >"); You need to insert the right (there are many) encoder each time.
Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Common mitigations Provide training Do we really expect that our developers understand all these details? Write (coding) guidelines Guidelines without tool support are (mostly) worthless Use generic application security testing tools without configuration, these tools are prone to both high false-positive rates and high false-negative rates many tools are developed for security experts (and not for developers) penetration tests In their generality, these actions are often not very effective!
Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Security experts and developers need to work together to achieve the common goal: secure software! (Disclaimer: security experts might need to learn how to code)! Think positive: security enables developers to produce high-quality and secure software! Start early in the development: Select frameworks and/or programming languages that are secure by design Develop custom APIs-Wrappers that are easy to use and require only little security knowledge To consider Configure your DAST/IAST/SAST tool to support your custom APIs In the fix recommendations of your DAST/IAST/SAST tool, point developers to the recommended frameworks If you develop APIs, make your examples secure by default
Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker If you do not support your developers, they will seek for help elsewhere!
Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Let’s close with a good example: Modern Rails Modern versions of Rails are pretty secure by default Input/output encoding is enabled by default and, in exceptional cases, needs to be disabled explicitly: <%= account.balance.html_safe % > (one can argue, if html_safe is a good name denoting un-sanitized (non-trusted) channels) Suddenly, a simple grep becomes a powerful static analysis tool
Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Call for action Let’s build framework and APIs are easy to use securely!
Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Call for action Let’s build framework and APIs are easy to use securely!
Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Call for action Let’s build framework and APIs are easy to use securely!
Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Call for action Let’s build framework and APIs are easy to use securely!
Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Thank you for your attention! Any questions or remarks? Contact: Dr. Achim D. Brucker Department of Computer Science University of Sheffield Regent Court 211 Portobello St. Sheffield S1 4DP, UK ƀ a.brucker@sheffield.ac.uk @adbrucker https://de.linkedin.com/in/adbrucker/ ĸ https://www.brucker.ch/ į https://logicalhacking.com/blog/
Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Document Classification and License Information © 2018 LogicalHacking.com, Achim D. Brucker | @adbrucker. This presentation is classified as Public (CC BY-NC-ND 4.0): Except where otherwise noted, this presentation is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License (CC BY-NC-ND 4.0).

Recomendados

PVS-Studio Static Analyzer as a Tool for Protection against Zero-Day Vulnerab...
PVS-Studio Static Analyzer as a Tool for Protection against Zero-Day Vulnerab...PVS-Studio Static Analyzer as a Tool for Protection against Zero-Day Vulnerab...
PVS-Studio Static Analyzer as a Tool for Protection against Zero-Day Vulnerab...
Andrey Karpov
 
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...
Zhen Huang
 
Bh us 11_tsai_pan_weapons_targeted_attack_wp
Bh us 11_tsai_pan_weapons_targeted_attack_wpBh us 11_tsai_pan_weapons_targeted_attack_wp
Bh us 11_tsai_pan_weapons_targeted_attack_wp
geeksec80
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
Felipe Prado
 
Real-World WebAppSec Flaws - Examples and Countermeasues
Real-World WebAppSec Flaws - Examples and CountermeasuesReal-World WebAppSec Flaws - Examples and Countermeasues
Real-World WebAppSec Flaws - Examples and Countermeasues
volvent
 
Attacking antivirus
Attacking antivirusAttacking antivirus
Attacking antivirus
UltraUploader
 
The (Memory) Safety Dance - SAS 2017 keynote
The (Memory) Safety Dance - SAS 2017 keynoteThe (Memory) Safety Dance - SAS 2017 keynote
The (Memory) Safety Dance - SAS 2017 keynote
MarkDowd13
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learned
Yury Chemerkin
 

Recomendados

PVS-Studio Static Analyzer as a Tool for Protection against Zero-Day Vulnerab...
PVS-Studio Static Analyzer as a Tool for Protection against Zero-Day Vulnerab...PVS-Studio Static Analyzer as a Tool for Protection against Zero-Day Vulnerab...
PVS-Studio Static Analyzer as a Tool for Protection against Zero-Day Vulnerab...
Andrey Karpov
 
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...
Zhen Huang
 
Bh us 11_tsai_pan_weapons_targeted_attack_wp
Bh us 11_tsai_pan_weapons_targeted_attack_wpBh us 11_tsai_pan_weapons_targeted_attack_wp
Bh us 11_tsai_pan_weapons_targeted_attack_wp
geeksec80
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
Felipe Prado
 
Real-World WebAppSec Flaws - Examples and Countermeasues
Real-World WebAppSec Flaws - Examples and CountermeasuesReal-World WebAppSec Flaws - Examples and Countermeasues
Real-World WebAppSec Flaws - Examples and Countermeasues
volvent
 
Attacking antivirus
Attacking antivirusAttacking antivirus
Attacking antivirus
UltraUploader
 
The (Memory) Safety Dance - SAS 2017 keynote
The (Memory) Safety Dance - SAS 2017 keynoteThe (Memory) Safety Dance - SAS 2017 keynote
The (Memory) Safety Dance - SAS 2017 keynote
MarkDowd13
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learned
Yury Chemerkin
 
Hakin9 05 2013
Hakin9 05 2013Hakin9 05 2013
Hakin9 05 2013
Rodrigo Gomes Pires
 
Hacking - high school intro
Hacking - high school introHacking - high school intro
Hacking - high school intro
Peter Hlavaty
 
Automotive Cybersecurity: Test Like a Hacker
Automotive Cybersecurity: Test Like a HackerAutomotive Cybersecurity: Test Like a Hacker
Automotive Cybersecurity: Test Like a Hacker
ForAllSecure
 
SmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_ExploitationSmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_Exploitation
Malachi Jones
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
Oleg Gryb
 
Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best Practices
Clint Edmonson
 
Built-in Security Mindfulness for Software Developers
Built-in Security Mindfulness for Software DevelopersBuilt-in Security Mindfulness for Software Developers
Built-in Security Mindfulness for Software Developers
Phú Phùng
 
Secure coding-guidelines
Secure coding-guidelinesSecure coding-guidelines
Secure coding-guidelines
Trupti Shiralkar, CISSP
 
Cyber security webinar 6 - How to build systems that resist attacks?
Cyber security webinar 6 - How to build systems that resist attacks?Cyber security webinar 6 - How to build systems that resist attacks?
Cyber security webinar 6 - How to build systems that resist attacks?
F-Secure Corporation
 
4.Security Assessment And Testing
4.Security Assessment And Testing4.Security Assessment And Testing
4.Security Assessment And Testing
phanleson
 
Embedded Security and the IoT
Embedded Security and the IoTEmbedded Security and the IoT
Embedded Security and the IoT
team-WIBU
 
Chapter 2 program-security
Chapter 2 program-securityChapter 2 program-security
Chapter 2 program-security
Vamsee Krishna Kiran
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security Agile
Oleg Gryb
 
Total E(A)gression defcon
Total E(A)gression defconTotal E(A)gression defcon
Total E(A)gression defcon
Alvaro Folgado Rueda
 
DIY guide to runbooks, incident reports, and incident response
DIY guide to runbooks, incident reports, and incident responseDIY guide to runbooks, incident reports, and incident response
DIY guide to runbooks, incident reports, and incident response
Nathan Case
 
demo1
demo1demo1
demo1
googli
 
Web security programming_ii
Web security programming_iiWeb security programming_ii
Web security programming_ii
googli
 
Web Security Programming I I
Web Security Programming I IWeb Security Programming I I
Web Security Programming I I
Pavu Jas
 
Web security programming_ii
Web security programming_iiWeb security programming_ii
Web security programming_ii
googli
 
Possibility of arbitrary code execution by Step-Oriented Programming by Hiroa...
Possibility of arbitrary code execution by Step-Oriented Programming by Hiroa...Possibility of arbitrary code execution by Step-Oriented Programming by Hiroa...
Possibility of arbitrary code execution by Step-Oriented Programming by Hiroa...
CODE BLUE
 
Formalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and ProofFormalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and Proof
Achim D. Brucker
 
Your (not so) smart TV is currently busy with taking down the Internet
Your (not so) smart TV is currently busy with taking down the InternetYour (not so) smart TV is currently busy with taking down the Internet
Your (not so) smart TV is currently busy with taking down the Internet
Achim D. Brucker
 

Mais conteúdo relacionado

Semelhante a Usable Security for Developers: A Nightmare

Automotive Cybersecurity: Test Like a Hacker
Automotive Cybersecurity: Test Like a HackerAutomotive Cybersecurity: Test Like a Hacker
Automotive Cybersecurity: Test Like a Hacker
ForAllSecure
 
4.Security Assessment And Testing
4.Security Assessment And Testing4.Security Assessment And Testing
4.Security Assessment And Testing
phanleson
 
Total E(A)gression defcon
Total E(A)gression defconTotal E(A)gression defcon
Total E(A)gression defcon
Alvaro Folgado Rueda
 
Web security programming_ii
Web security programming_iiWeb security programming_ii
Web security programming_ii
googli
 
Web Security Programming I I
Web Security Programming I IWeb Security Programming I I
Web Security Programming I I
Pavu Jas
 
Web security programming_ii
Web security programming_iiWeb security programming_ii
Web security programming_ii
googli
 
Possibility of arbitrary code execution by Step-Oriented Programming by Hiroa...
Possibility of arbitrary code execution by Step-Oriented Programming by Hiroa...Possibility of arbitrary code execution by Step-Oriented Programming by Hiroa...
Possibility of arbitrary code execution by Step-Oriented Programming by Hiroa...
CODE BLUE
 

Semelhante a Usable Security for Developers: A Nightmare (20)

Hakin9 05 2013
Hakin9 05 2013Hakin9 05 2013
Hakin9 05 2013
 
Hacking - high school intro
Hacking - high school introHacking - high school intro
Hacking - high school intro
 
Automotive Cybersecurity: Test Like a Hacker
Automotive Cybersecurity: Test Like a HackerAutomotive Cybersecurity: Test Like a Hacker
Automotive Cybersecurity: Test Like a Hacker
 
SmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_ExploitationSmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_Exploitation
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
 
Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best Practices
 
Built-in Security Mindfulness for Software Developers
Built-in Security Mindfulness for Software DevelopersBuilt-in Security Mindfulness for Software Developers
Built-in Security Mindfulness for Software Developers
 
Secure coding-guidelines
Secure coding-guidelinesSecure coding-guidelines
Secure coding-guidelines
 
Cyber security webinar 6 - How to build systems that resist attacks?
Cyber security webinar 6 - How to build systems that resist attacks?Cyber security webinar 6 - How to build systems that resist attacks?
Cyber security webinar 6 - How to build systems that resist attacks?
 
4.Security Assessment And Testing
4.Security Assessment And Testing4.Security Assessment And Testing
4.Security Assessment And Testing
 
Embedded Security and the IoT
Embedded Security and the IoTEmbedded Security and the IoT
Embedded Security and the IoT
 
Chapter 2 program-security
Chapter 2 program-securityChapter 2 program-security
Chapter 2 program-security
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security Agile
 
Total E(A)gression defcon
Total E(A)gression defconTotal E(A)gression defcon
Total E(A)gression defcon
 
DIY guide to runbooks, incident reports, and incident response
DIY guide to runbooks, incident reports, and incident responseDIY guide to runbooks, incident reports, and incident response
DIY guide to runbooks, incident reports, and incident response
 
demo1
demo1demo1
demo1
 
Web security programming_ii
Web security programming_iiWeb security programming_ii
Web security programming_ii
 
Web Security Programming I I
Web Security Programming I IWeb Security Programming I I
Web Security Programming I I
 
Web security programming_ii
Web security programming_iiWeb security programming_ii
Web security programming_ii
 
Possibility of arbitrary code execution by Step-Oriented Programming by Hiroa...
Possibility of arbitrary code execution by Step-Oriented Programming by Hiroa...Possibility of arbitrary code execution by Step-Oriented Programming by Hiroa...
Possibility of arbitrary code execution by Step-Oriented Programming by Hiroa...
 

Mais de Achim D. Brucker

Formalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and ProofFormalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and Proof
Achim D. Brucker
 
Combining the Security Risks of Native and Web Development: Hybrid Apps
Combining the Security Risks of Native and Web Development: Hybrid AppsCombining the Security Risks of Native and Web Development: Hybrid Apps
Combining the Security Risks of Native and Web Development: Hybrid Apps
Achim D. Brucker
 
The Evil Friend in Your Browser
The Evil Friend in Your BrowserThe Evil Friend in Your Browser
The Evil Friend in Your Browser
Achim D. Brucker
 
How to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure CodeHow to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure Code
Achim D. Brucker
 
Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...
Achim D. Brucker
 
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
Achim D. Brucker
 
Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...
Achim D. Brucker
 
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Achim D. Brucker
 
Industrial Challenges of Secure Software Development
Industrial Challenges of Secure Software DevelopmentIndustrial Challenges of Secure Software Development
Industrial Challenges of Secure Software Development
Achim D. Brucker
 
Deploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleDeploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large Scale
Achim D. Brucker
 
Service Compositions: Curse or Blessing for Security?
Service Compositions: Curse or Blessing for Security?Service Compositions: Curse or Blessing for Security?
Service Compositions: Curse or Blessing for Security?
Achim D. Brucker
 
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Encoding Object-oriented Datatypes in HOL: Extensible Records RevisitedEncoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Achim D. Brucker
 
A Framework for Secure Service Composition
A Framework for Secure Service CompositionA Framework for Secure Service Composition
A Framework for Secure Service Composition
Achim D. Brucker
 

Mais de Achim D. Brucker (20)

Formalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and ProofFormalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and Proof
 
Your (not so) smart TV is currently busy with taking down the Internet
Your (not so) smart TV is currently busy with taking down the InternetYour (not so) smart TV is currently busy with taking down the Internet
Your (not so) smart TV is currently busy with taking down the Internet
 
Combining the Security Risks of Native and Web Development: Hybrid Apps
Combining the Security Risks of Native and Web Development: Hybrid AppsCombining the Security Risks of Native and Web Development: Hybrid Apps
Combining the Security Risks of Native and Web Development: Hybrid Apps
 
The Evil Friend in Your Browser
The Evil Friend in Your BrowserThe Evil Friend in Your Browser
The Evil Friend in Your Browser
 
How to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure CodeHow to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure Code
 
Developing Secure Software: Experiences From an International Software Vendor
Developing Secure Software: Experiences From an International Software VendorDeveloping Secure Software: Experiences From an International Software Vendor
Developing Secure Software: Experiences From an International Software Vendor
 
Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...
 
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
 
Isabelle: Not Only a Proof Assistant
Isabelle: Not Only a Proof AssistantIsabelle: Not Only a Proof Assistant
Isabelle: Not Only a Proof Assistant
 
Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
 
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
 
Industrial Challenges of Secure Software Development
Industrial Challenges of Secure Software DevelopmentIndustrial Challenges of Secure Software Development
Industrial Challenges of Secure Software Development
 
SAST for JavaScript: A Brief Overview of Commercial Tools
SAST for JavaScript: A Brief Overview of Commercial ToolsSAST for JavaScript: A Brief Overview of Commercial Tools
SAST for JavaScript: A Brief Overview of Commercial Tools
 
A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...
A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...
A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...
 
Deploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleDeploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large Scale
 
Model-based Conformance Testing of Security Properties
Model-based Conformance Testing of Security PropertiesModel-based Conformance Testing of Security Properties
Model-based Conformance Testing of Security Properties
 
Service Compositions: Curse or Blessing for Security?
Service Compositions: Curse or Blessing for Security?Service Compositions: Curse or Blessing for Security?
Service Compositions: Curse or Blessing for Security?
 
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Encoding Object-oriented Datatypes in HOL: Extensible Records RevisitedEncoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited
 
A Framework for Secure Service Composition
A Framework for Secure Service CompositionA Framework for Secure Service Composition
A Framework for Secure Service Composition
 

Último

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 

Último (20)

MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 

Usable Security for Developers: A Nightmare

  • 1. Usable Security for Developers: A Nightmare Achim D. Brucker | @adbrucker
  • 2. Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Usable Security for Developers: A Nightmare Abstract The term “usable security” is on everyone’s lips and there seems to be a general agreement that, first, security controls should not unnecessarily affect the usability and unfriendliness of systems. And, second, that simple to use system should be preferred as they minimize the risk of handling errors that can be the root cause of security incidents such as data leakages. But it also seems to be a general surprise (at least for security experts), why software developers always (still) make so many easy to avoid mistakes that lead to insecure software systems. In fact, many of the large security incidents of the last weeks/months/years are caused by “seemingly simple to fix” programming errors. Bringing both observations together, it should be obvious that we need usable and developer-friendly security controls and programming frameworks that make it easy to build secure systems. Still, reality looks different: many programming languages, APIs, and frameworks provide complex interfaces that are, actually, hard to use securely. In fact, they are miles away from providing usable security for developers. In this talk, I will discuss examples of complex and “non-usable” security for developers such as APIs that, in fact, are (nearly) impossible to use securely or that require a understanding of security topics that most security experts to not have (and, thus, that we cannot expert from software developers).
  • 3. Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker About Me Security Expert/Architect at SAP SE Member of the central security team, SAP SE (Germany) Security Testing Strategist Work areas at SAP included: Defining the risk-based Security Testing Strategy Evaluation of security testing tools (e.g., SAST, DAST) Roll-out of security testing tools Secure Software Development Life Cycle integration ... Since December 2015: Associate Professor, The University of Sheffield, UK Head of the Software Assurance & Security Research Team Available as consultancy & (research) collaborations https://www.brucker.ch/
  • 4. Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Outline 1 Security experts and developers 2 Secure programming cant’ be that difficult ... 3 The most common “fixes” 4 What we should do
  • 5. Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker 70 years of software development Since the late 1940ies, we program, debug, and patch computer systems. we do not use punch cards anymore ...
  • 6. Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker 70 years of software development Since the late 1940ies, we program, debug, and patch computer systems. we do not use punch cards anymore ...
  • 7. Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker 70 years of software development Since the late 1940ies, we program, debug, and patch computer systems. we do not use punch cards anymore ...
  • 8. Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker 70 years of software development Since the late 1940ies, we program, debug, and patch computer systems. we do not use punch cards anymore ...
  • 9. Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker We build software since 70 years and still make the same old (security) mistakes
  • 10. Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker
  • 11. Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker The common “silver bullet”: The SDLC Training Risk Identification Plan Security Measures Secure Development & Security Testing Security Validation Secure Operations Security Response Central security experts (SDLC owner) Organizes security trainings Defines product standard “Security” Defines security testing strategy Validates products ... Development teams Select technologies Select development model Design and execute security testing plan ...
  • 12. Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Works nicely in theory – let’s move to reality
  • 13. Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Developer Security Expert
  • 14. Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Introducing the SDLC: View of the security experts The whiteboard is from the Microsoft’s security team I confess, I am guilty too: We also had a board with “embarrassing developers quotes”
  • 15. SQL Injection: I would never enter this! Encryption: We XOR-encrypted it Injection: But that would be illegal! XSS (as a feature): We can’t fix this, customers rely on it (sad but true)
  • 16. Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Introducing the SDLC: View of the developers Experience security as “The Department of No” Confronted with a strange & complex language (there are over 1024 CWEs – and counting)
  • 17. Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Example of unfriendly APIs: Buffer overflow > man gets GETS (3S) GETS (3S) NAME gets , fgets - get a string from a stream SYNOPSIS #include <stdio.h> char *gets(s) char *s; DESCRIPTION Gets reads a string into s from the standard input stream stdin. The string is terminated by a newline character , which is replaced in s by a null character. Gets returns its argument. Let’s travel back in time Unix V7 (1979) Reading strings Gets returns a string of arbitrary length Is there a secure use of gets?
  • 18. Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Example of unfriendly APIs: Buffer overflow Wait, let’s check the man page on a modern Unix/Linux: NAME gets - get a string from standard input (DEPRECATED) BUGS Never use gets (). Because it is impossible to tell without knowing the data in advance how many characters gets () will read , and because gets () will continue to store characters past the end of the buffer , it is extremely dangerous to use. It has been used to break computer security. Use fgets () instead.
  • 19. Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Example of unfriendly APIs: Buffer overflow OK, that’s sounds easy: Use fgets(buf, n, stdin) instead of gets(buf): void f() { char buf [20]; gets(buf)fgets(buf,20,stdin) // NOT: gets(buf); } Is this now secure? No, fgets does not always null-terminate we need to manually null terminate the buffer (and reserve space for the null character) void f() { char buf [21]; fgets(buf ,20, stdin ); buf [20]= ’0’; } C-Programming has a lot in comming with (insurance) contracts: allways read the small print
  • 20. Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Example of unfriendly APIs: Error handling “ “Most OpenSSL functions will return an integer to indicate success or failure. Typically a function will return 1 on success or 0 on error. All return codes should be checked and handled as appropriate. Note that not all of the libcrypto functions return 0 for error and 1 for success. There are exceptions which can trip up the unwary. For example if you want to check a signature with some functions you get 1 if the signature is correct, 0 if it is not correct and -1 if something bad happened like a memory allocation failure.” (OpenSSL) Recall the common C convention: 0 indicates success any non-zero value indicates failure
  • 21. Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Example of unfriendly APIs: Error handling Which one is correct: 1 Consider if ( some_verify_function ()) /* signature successful *? 2 Consider if ( 1 != some_verify_function ()) /* signature successful *? 3 Consider if ( 1 == some_verify_function ()) /* signature successful *? The last one is correct
  • 22. Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Example of unfriendly APIs: The Java 8 Crypto API Just a nightmare: Many configurations to choose from algorithm mode of operation padding scheme right keys and sizes ... Most ciphers are oudated/broken. Only two can still be recommended AES (symmetric) RSA (asymmetric) Many providers use insecure defaults (e.g., ECB mode) Using the Java crypto API, is already hard for somebody who understands crypto ...
  • 23. Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Example of unfriendly APIs: XSS (Java) Most Web Frameworks for Java do not provide input/output encoding as default Developers need to include third party encoding libraries (e.g., OWASP Java Encoder: https://github.com/OWASP/owasp-java-encoder) and add calls to the encoder manually: PrintWriter out = ....; out.println("<textarea >"+Encode.forHtml(userData )+" </textarea >"); You need to insert the right (there are many) encoder each time.
  • 24. Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Common mitigations Provide training Do we really expect that our developers understand all these details? Write (coding) guidelines Guidelines without tool support are (mostly) worthless Use generic application security testing tools without configuration, these tools are prone to both high false-positive rates and high false-negative rates many tools are developed for security experts (and not for developers) penetration tests In their generality, these actions are often not very effective!
  • 25. Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Security experts and developers need to work together to achieve the common goal: secure software! (Disclaimer: security experts might need to learn how to code)! Think positive: security enables developers to produce high-quality and secure software! Start early in the development: Select frameworks and/or programming languages that are secure by design Develop custom APIs-Wrappers that are easy to use and require only little security knowledge To consider Configure your DAST/IAST/SAST tool to support your custom APIs In the fix recommendations of your DAST/IAST/SAST tool, point developers to the recommended frameworks If you develop APIs, make your examples secure by default
  • 26. Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker If you do not support your developers, they will seek for help elsewhere!
  • 27. Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Let’s close with a good example: Modern Rails Modern versions of Rails are pretty secure by default Input/output encoding is enabled by default and, in exceptional cases, needs to be disabled explicitly: <%= account.balance.html_safe % > (one can argue, if html_safe is a good name denoting un-sanitized (non-trusted) channels) Suddenly, a simple grep becomes a powerful static analysis tool
  • 28. Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Call for action Let’s build framework and APIs are easy to use securely!
  • 29. Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Call for action Let’s build framework and APIs are easy to use securely!
  • 30. Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Call for action Let’s build framework and APIs are easy to use securely!
  • 31. Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Call for action Let’s build framework and APIs are easy to use securely!
  • 32. Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Thank you for your attention! Any questions or remarks? Contact: Dr. Achim D. Brucker Department of Computer Science University of Sheffield Regent Court 211 Portobello St. Sheffield S1 4DP, UK ƀ a.brucker@sheffield.ac.uk @adbrucker https://de.linkedin.com/in/adbrucker/ ĸ https://www.brucker.ch/ į https://logicalhacking.com/blog/
  • 33. Usable Security for Developers: A Nightmare ; Achim D. Brucker | @adbrucker Document Classification and License Information © 2018 LogicalHacking.com, Achim D. Brucker | @adbrucker. This presentation is classified as Public (CC BY-NC-ND 4.0): Except where otherwise noted, this presentation is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License (CC BY-NC-ND 4.0).