Better Do What They Told Ya
2. © 2012
$ whois urma
• Ulisses Albuquerque
– App Security Consultant for Trustwave SpiderLabs
• Penetration testing
• Code reviews
• Secure development training
– Passionate and opinionated developer
• Ruby and C FTW
– Long time F/LOSS advocate
• It’s all about the community
3. © 2012
Who is SpiderLabs?
SpiderLabs is the elite security team at Trustwave, offering clients the most advanced
information security expertise and intelligence available today.
The SpiderLabs team has performed more than 1,500 computer incident response and
forensic investigations globally, as well as over 15,000 penetration and application security
tests for Trustwave’s clients.
The global team actively provides threat intelligence to both Trustwave and growing
numbers of organizations from Fortune 50 to enterprises and start-ups.
Companies and organizations in more than 50 countries rely on the SpiderLabs team’s
technical expertise to identify and anticipate cyber security attacks before they happen.
Featured Speakers at:
Featured Media:
4. © 2012
Agenda
• Motivation
• Non-Functional Requirements
• Who You Gonna Call?
• Official Documentation
• What Can We Do About It?
• Conclusion
8. © 2012
Motivation
• Are developers really at fault?
• Do we (ahem, them) really suck this much?
• Do we have an attitude problem between
developers and security people in the software
industry?
• Obviously not, developers SUCK, right?
13. © 2012
Who You Gonna Call?
• Software Concepts
• Business Needs
• Constraints
• Craftsmanship
14. © 2012
Who You Gonna Call?
• How to fill the concept-to-code knowledge gap?
• Google can help
• Stack Overflow can help a lot
• But…
There’s more than
one way to do it™
http://www.spidereyeballs.com/os5/perl/small_os5_r23_1542.html
18. © 2012
Who You Gonna Call?
• Official documentation should be the most
trustworthy source of information
• We don’t want to know just any “how to do it”
• We want to know “how to do it in a secure way”
http://www.themahoganyblog.com/2012/04/attention-music-imposter/laptop-thief/
<3 Stack Overflow!
19. © 2012
How are vendors providing information on
the security aspects of their tools, APIs
and frameworks?
22. © 2012
Official Documentation - Java
• Pros
• Use of annotations to indicate deprecated APIs
• Compiler warnings
• Clear indication of reason for deprecation
• Security aspects mixed with functional description
• Cons
• Deprecation is not a security-oriented feature
24. © 2012
Official Documentation - .NET
• Pros
• Use of annotations to indicate deprecated APIs
• Compiler warnings
• Cons
• No indication of reason for deprecation
• Deprecation is not a security-oriented feature
26. © 2012
Official Documentation
• It’s not only about documentation in web pages
• manpages are very inconsistent in their presentation of
security-relevant information
• Shame on us, F/LOSS developers
35. © 2012
What Can We Do About It?
• We = security professionals
– Ignorance != incompetence
– Assume developers are unaware of their mistakes
– Avoid confrontation
• Do proper secure SDLC and be involved in ALL
stages of development
– Help developers make the right choices instead of just
vetoing them
– Easier said than done, unfortunately
36. © 2012
What Can We Do About It?
• We = developers
– Developers write tools for developers
– Add consistent and comprehensive security
information to documentation
– Help fellow developers make the right choices
• Deprecate what needs deprecation
• Remove what is too dangerous
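As an added illustration of what this slide recommends (example code, not from the talk), a hypothetical Java session-token helper deprecates its insecure method with a security-oriented reason and a pointer to the safe replacement, so that both the Javadoc and the compiler carry the information a developer needs:

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

/**
 * Hypothetical session-token helper used to illustrate security-oriented deprecation.
 */
public final class SessionTokens {
    private static final SecureRandom SECURE_RNG = new SecureRandom();

    /**
     * Generates a session token from {@link java.util.Random}.
     *
     * @deprecated Insecure: {@code java.util.Random} is a predictable PRNG, so tokens
     *             produced here are not suitable as secrets. Use {@link #generateSecure()}
     *             instead. Scheduled for removal in the next major version.
     */
    @Deprecated(since = "2.0", forRemoval = true)
    public static String generate() {
        byte[] buf = new byte[32];
        new Random().nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    /** Generates a 256-bit session token from a cryptographically secure RNG. */
    public static String generateSecure() {
        byte[] buf = new byte[32];
        SECURE_RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    public static void main(String[] args) {
        // javac emits a [removal] deprecation warning for this call, naming the method
        System.out.println(generate());
        // the documented replacement compiles without warnings
        System.out.println(generateSecure());
    }
}
```

The `@deprecated` Javadoc tag puts the reason next to the functional description, and `forRemoval = true` turns the compiler warning into a clear signal that the API is going away rather than merely being discouraged.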
38. © 2012
Conclusion
• Developers need training
– Obviously
• Vendor documentation MUST improve
– Even trained developers need context to guide their
choices
• Developers are easy targets after a breach
– Their work takes months or years, breaches happen in
the blink of an eye
39. © 2012
Conclusion
• MOAR ACCOUNTABILITY! MOAR RESOURCES!
– Train your teams
– Assess your results and ACT on them
• Security people need to position themselves as
facilitators rather than opponents
– Who enjoys having their work vetoed after months
working on it?
41. © 2012
Trustwave SpiderLabs
SpiderLabs is an elite team of ethical hackers at
Trustwave advancing the security capabilities of
leading businesses and organizations throughout
the world.
More Information:
Web: https://www.trustwave.com/spiderlabs
Blog: http://blog.spiderlabs.com
Twitter: @SpiderLabs
Editor's Notes
• Google Oriented Programming = search on Google, try to do the same thing, and if it works move on to the next problem
• The most obvious "how to do it" answers are also easy sources of information for attackers; the attacker has nothing to lose
• Add animation to transition between pros and cons
• Add animation to transition between pros and cons
• According to the WhiteHat Security study, 27% of developers never had secure development training, and 32% had at most 3 days