2. Who are you?
• Bryn Salisbury (@bryns)
• Welsh born and Hertfordshire based.
• IT Security Consultant by day.
• Podcaster, Blogger, Twitter-er (is that even a word?) and adequate photographer
• First time at Barcamp London (quite excited).
3. IT Security
• Been working in IT for around 12 years.
• IT Security full time for the last 5
• Penetration testing and security scanning
• PCI QSA
4. PCI Data Security Standard
• Global Security Standard for the handling of credit card (and some debit card) data.
• Breaks down into 12 requirements (everything from firewalls to HR).
• Rules on applications (web and otherwise) development.
• Requires the development of secure coding guidelines, as well as a teaching programme.
• Sets minimum standards to keep credit card data safe.
5. What is Secure Development?
• A set of methods that, when used, can reduce the ability of hostile parties to exploit your application(s).
• In web applications, these commonly address input validation (e.g. against Cross Site Scripting) and injection (e.g. SQL Injection).
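As an added illustration of the ‘right way’ the deck argues for (example code written for this page, not from the original slides or the author): a parameterised database lookup and HTML-encoded output in Python, using an in-memory SQLite table and sample rows that are constructed here.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data for the demonstration (not from the original deck)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def find_user_by_name(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """Injection: the query is fixed text and the value is a bound parameter.

    Whatever the caller supplies is compared as a literal username; it can
    never change the structure of the SQL. This is the pattern a code review
    accepts, in place of building the statement by string concatenation.
    """
    cur = conn.execute(
        "SELECT id, username, email FROM users WHERE username = ?", (username,)
    )
    return cur.fetchall()


def render_greeting(display_name: str) -> str:
    """Cross Site Scripting: encode untrusted text for the HTML context it lands in.

    html.escape turns <, >, &, and quotes into entities, so the browser shows
    the name as text rather than interpreting it as markup.
    """
    return f"<p>Hello, {html.escape(display_name, quote=True)}!</p>"


if __name__ == "__main__":
    db = make_db()
    print(find_user_by_name(db, "alice"))        # one matching row
    print(find_user_by_name(db, "' OR '1'='1"))  # [] : treated as a literal name
    print(render_greeting("<b>Bryn</b>"))        # markup rendered as plain text
```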
6. Is it really that necessary?
• Absolutely... 85% of the data breaches in 2009-2010 were as a result of web application compromises.
• Defensive devices such as IPS/IDS and WAF are not always effective.
• Heavy fines for loss of data - €50,000 initial, €75,000/month for failure to remediate the breach.
see: http://www.7safe.com/breach_report/Breach_report_2010.pdf
9. “If we taught people to drive the same way we teach them secure coding, we’d have a lot more wrecked cars and dead bodies to clean up” - @securityninja
10. Are we doing it wrong?
• I’ve always had the tendency to want to demonstrate the worst case scenario.
• Easier to show off “exploitable” code and a lot more impressive.
• Examples of the ‘right way’ are technology dependent.
• Hadn’t even occurred to me that the training wasn’t what they needed (or wanted).
12. What would the right way look like?
• The idea of showing how it should be done is appealing
• Gives clear and concise guidance to the coder
• Easier to track and audit in the long term
• See @securityninja’s RSA talk - http://slideshare.net/securityninja/injecting-simplicity-not-sql-rsa-europe-2010
13. What would the right way look like?
• Ultimately, I think that the perfect program needs to:
• Educate, but not be patronising to the developers.
• Give them enough information to work with, but not overload them.
• Be straightforward enough that the principles can be applied to any language.
• It should definitely carry the full support of the management.
15. Blog Response
• Wrote it up a few days ago: http://www.randomlyevil.org.uk/2011/10/26/datblygu-diogel-secure-development/
• Opinions appear to be evenly divided - some arguing that coders need to see how bad it gets.
• Another suggesting the coders only need to know what they should do, the rest is up to the pen-testers.
18. Let’s keep the discussion going!
• After the talk...
• At the bar...
• On the blog: http://www.randomlyevil.org.uk/2011/10/26/datblygu-diogel-secure-development/
• On Twitter... I’m @bryns
• On Google+... I’m Bryn Salisbury
It was during a PCI audit that the guy I was interviewing said the following to me...

He suggested that we put the cart before the horse, and that we’re much more keen to spend time showing how things could go wrong, instead of how to do it right.

It was a bit of a revelation...

Let’s face it, who doesn’t enjoy a bit of schadenfreude?

Things happening properly don’t make for interesting demonstrations - “Oh look, it presented a graceful error message... how... Zzzzzz” versus “ZOMG! Look! I found an XSS, so if you log into the website, it emails out the user’s credentials to the attacker! That’s SOOOO COOL!”

Frankly, I’d rather claw out my own eyeballs than try to go through every single web technology finding the right way to do things like handle input validation, connect to stored procedures and the like.

Sadly, the feedback all came back as positive, and people kept telling me how entertaining the whole thing was. I suppose a bit like an Angelina Jolie movie... no one really pays attention to the plot.

Honestly? I don’t know...

So @securityninja tells me all about the security training he gives, and I start to think “Isn’t it a lot nicer to be positive?”

Show people how it should be done, rather than saying “cor... look at this loser! He doesn’t even know how to validate his inputs! LOL”.

There’s no ambiguity when it comes to writing production code: the coder is told “this is the way it ought to be”. Easier for them to integrate into their workflow.

Code reviews for compliance become a lot easier: if you’ve set the rules, the coders know the only way to get their code accepted is if it follows the path you’ve set. It becomes easier to record the developer’s training, and give more specific support.

I thought... how could I get more input on this issue from people in the know?

After a little bit of lost in translation (you’ll see the comments)...

The reason I bring it to you guys is this... I don’t want to be *that* kind of security consultant... you know, the one who only wants to sell your boss the latest copy of Symantec’s latest doo-dah.

I take the view that the safer your applications are, the safer my data is likely to be.

So, what do you lot think? Do you like the sound of @securityninja’s principles? Is it better to show the right way, or scare people with the wrong? Is it better to teach principles, or secure by exception?