injecting simplicity not sql rsa europe 2010
DESCRIPTION
Injecting simplicity not SQL by David Rook at the RSA Europe conference in 2010.TRANSCRIPT
![Page 1: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/1.jpg)
Title of Presentation
David RookRealex Payments
Session ID: AND-103Session Classification: Intermediate
Injecting simplicity not SQL
![Page 2: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/2.jpg)
Agenda
It is broken so lets fix it
The current approach
The Principles of Secure Development
The principles approach is working
2
![Page 3: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/3.jpg)
It is broken so lets fix it
3
![Page 4: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/4.jpg)
It is broken so lets fix it
• Secure development is broken, we aren’t progressing• Cross Site Scripting , 11 years old?• SQL Injection , 12 years old?• Still major problems in 2010 and for years to come
4
![Page 5: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/5.jpg)
5
Source: http://www.cvedetails.com
5
It is broken so lets fix it
![Page 6: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/6.jpg)
It is broken so lets fix it
• CVE statistics only show publicly known vulns• They do show a lack of app sec progress though• Around 30% of all vulnerabilities in 2005, 2006, 2007,
2008, 2009 and 2010 XSS or SQL Injection• Only one source, lets look at another one
6
![Page 7: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/7.jpg)
It is broken so lets fix it
• WASC Web Application Security Statistics• Sanitised data from pen tests, audits etc• Still a tiny sample size (0.006% of all websites)• These stats also show a lack of app sec progress• 2008 report has less sites but more vulnerabilities
7
![Page 8: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/8.jpg)
It is broken so lets fix it
Source: http://www.webappsec.org /
8
![Page 9: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/9.jpg)
It is broken so lets fix it
• Verizon Data Breach Investigations Report 2010• 89% of all data breaches attributable to SQL Injection• 2010 report released in July• This report also shows a lack of app sec progress
9
![Page 10: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/10.jpg)
The current approach
10
![Page 11: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/11.jpg)
The current approachAnd why I think it fails to deliver secure applications
• We put the cart before the application security horse• Security tells developers about specific vulnerabilities• We hope they figure out how to prevent them• Inevitably security flaws end up in live code• Security complains when data gets stolen
11
![Page 12: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/12.jpg)
The current approachAnd why I think it fails to deliver secure applications
• What if we taught learner drivers in the same way?• Instructor tells driver about the different ways to crash• We hope the driver figures out how not to crash• Inevitably the driver will crash• People complain when they get crashed into
12
![Page 13: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/13.jpg)
• Training often fails to include writing secure code• No secure coding in training == no secure coding in
the real world• Exploiting webgoat etc is basic pen testing training• Software Craftsmanship needs to meet security• Less presentations and exploits more secure coding
The current approachAnd why I think it fails to deliver secure applications
13
![Page 14: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/14.jpg)
The current approachAnd why I think it fails to deliver secure applications
• Many lists of vulnerabilities• OWASP Top 10• White Hat Security Top 10• SANS Top 25• Others??
14
![Page 15: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/15.jpg)
The current approachAnd why I think it fails to deliver secure applications
Cross Site ScriptingInjection Flaws
Security Misconfiguration
Information Leakage
Race Condition
Broken Authentication
Session Management
Cross Site Request Forgery
Buffer Copy without Checking Size on Input
Insecure Direct Object Reference
Failure to Restrict URL Access
Insecure Cryptographic StorageSQL Injection
Content Spoofing
Insufficient AuthorisationInsufficient Authentication
Abuse of FunctionalityPredictable Resource Location
Unrestricted Upload of File with Dangerous Type
Failure to Preserve SQL Query StructureFailure to Preserve Web Page Structure
Failure to Preserve OS Command Structure
URL Redirection to Untrusted Site
Insufficient Transport Layer ProtectionImproper Limitation of a Pathname to a Restricted Directory
Improper Control of Filename for Include/Require Statement in PHP Program
Incorrect Permission Assignment for Critical Resource
Download of Code Without Integrity Check
Information Exposure Through an Error Message
Reliance on Untrusted Inputs in a Security Decision
Use of Hard-coded Credentials
Buffer Access with Incorrect Length ValueImproper Check for Unusual or Exceptional Conditions
Use of a Broken or Risky Cryptographic Algorithm
Missing Encryption of Sensitive Data
Missing Authentication for Critical FunctionInteger Overflow or Wraparound
Improper Validation of Array Index
Incorrect Calculation of Buffer Size
Unvalidated Redirects and Forwards
Allocation of Resource Without Limits or Throttling
Improper Access Control
15
![Page 16: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/16.jpg)
The current approachAnd why I think it fails to deliver secure applications
• Many lists of vulnerabilities• OWASP Top 10• White Hat Security Top 10• SANS Top 25• Others??
• != Secure development guidance• 45 vulnerabilities, 41 unique names• Training courses often based these lists
16
![Page 17: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/17.jpg)
Philosophical Application Security
Give a man a fish and you feed him for a day, teach him to fish and you feed him for a lifetime.
I want to apply this to secure development education:
Teach a developer about a vulnerability and he will prevent it, teach him how to develop securely and he will prevent many vulnerabilities
17
![Page 18: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/18.jpg)
The current approachAnd why I think it fails to deliver secure applications
• Lets put the application security horse before the cart• Security tells developers how to write secure code• Developer doesn't need to guess anymore• Common vulnerabilities prevented in applications• Realistic or just a caffeine fueled dream?
18
![Page 19: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/19.jpg)
The Principles of Secure Development
19
![Page 20: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/20.jpg)
The current approachAnd why I think it fails to deliver secure applications
Cross Site ScriptingInjection Flaws
Security Misconfiguration
Information Leakage
Race Condition
Broken Authentication
Cross Site Request Forgery
Buffer Copy without Checking Size on Input
Insecure Direct Object Reference
Failure to Restrict URL Access
Insecure Cryptographic StorageSQL Injection
Content Spoofing
Insufficient AuthorisationInsufficient Authentication
Abuse of FunctionalityPredictable Resource Location
Unrestricted Upload of File with Dangerous Type
Failure to Preserve SQL Query StructureFailure to Preserve Web Page Structure
Failure to Preserve OS Command Structure
URL Redirection to Untrusted Site
Insufficient Transport Layer ProtectionImproper Limitation of a Pathname to a Restricted Directory
Improper Control of Filename for Include/Require Statement in PHP Program
Incorrect Permission Assignment for Critical Resource
Download of Code Without Integrity Check
Information Exposure Through an Error Message
Reliance on Untrusted Inputs in a Security Decision
Use of Hard-coded Credentials
Buffer Access with Incorrect Length ValueImproper Check for Unusual or Exceptional Conditions
Use of a Broken or Risky Cryptographic Algorithm
Missing Encryption of Sensitive Data
Missing Authentication for Critical FunctionInteger Overflow or Wraparound
Improper Validation of Array Index
Incorrect Calculation of Buffer Size
Unvalidated Redirects and Forwards
Allocation of Resource Without Limits or Throttling
Improper Access Control
The Principles of Secure Development
Secure Communications
Input Validation
Session Management
Error Handling
Secure Storage
AuthenticationSecure Resource Access
Authorisation
Auditing and Logging
Output Validation
20
![Page 21: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/21.jpg)
The Principles of Secure Development
• Input Validation• Identify the data your application must accept • Identify the input points data will be received through• Define validation for each data type (content, size etc)• Use whitelisting validation approach where possible• Blacklisting is harder and potentially less secure
21
![Page 22: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/22.jpg)
Two simple examples
• Whitelist (allow “known” good)<td>
<input type=text runat=server id=userID><asp:RegularExpressionValidator runat=server
ControlToValidate= "userID " ErrorMessage="ID must be 6-10 letters." ValidationExpression="[a-zA-Z]{6,10}" />
</td>
• Blacklist (replace “known” bad)public class ReplaceSingleQuotes {
public static void main(String[] args) {String str = " ' OR 1=1-- ";String strreplace = " " ";String result = str.replaceAl l(" ' ", strreplace);System.out.println(result);}
}
22
![Page 23: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/23.jpg)
Demo 1
• Lack of input validation• SQLi in FreeRealty used to bypass authentication• Credit to Sid3^effects, April 2010
23
![Page 24: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/24.jpg)
Demo 1
• SQL Injection allows users to bypass authentication• Demo shows the SQL Injection authentication bypass• Delete a users house listing• I then open the source code and show/explain the
vulnerability• I put a simple fix in place and explain this• I carry out the same attack against the secured code• SQL Injection fails against the secured code
24
![Page 25: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/25.jpg)
The Principles of Secure Development
• Output Validation• Identify the data your application must output • Understand where your data should end up• Choose the correct encoding for the data's destination• Use whitelist validation for data returned by the app• Not just about encoding, think credit card numbers etc
25
![Page 26: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/26.jpg)
Two simple examples
• HTML Encoding
Response.Write(HttpUtility.HtmlEncode (Request.Form["name"]));
• Replace credit card number@card_masked = card_masked.sub(/^([0-9]+)([0-9]{4})$/) { '*' * $1.length + $2 }
26
![Page 27: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/27.jpg)
Demo 2
• Lack of output validation• Stored XSS in DBHcms used to steal user cookies• Credit to ITSecTeam, May 2010
27
![Page 28: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/28.jpg)
Demo 2
• Stored XSS allows for theft of admin cookie/session• Demo shows the theft of an admin cookie using XSS• I show the cookie logger and captured cookie• Demo how I can replace my cookie with the admin
cookie and “become” admin• I show the vulnerability in the source code• I put a simple fix in place and explain this• I carry out the same attack against the secured code• XSS attack fails against the secured code
28
![Page 29: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/29.jpg)
The Principles of Secure Development
• Error Handling• Even the best apps will crash at some point• Detailed error messages can help an attacker• Handle error conditions securely, sanitise the message• No error handling == information leakage
29
![Page 30: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/30.jpg)
Demo 3
• Lack of error handling• Lack of error handling leads to information leakage• Sample page by David Rook
30
![Page 31: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/31.jpg)
Demo 3
• Lack of error handling leads to information leakage• Demo shows the lack of error handling• I show the information leakage and then the source
code• I show the vulnerability in the source code• I put a simple fix in place and explain this• I carry out the request against the secured code• The exception is handled in a secure manner
31
![Page 32: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/32.jpg)
3232
![Page 33: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/33.jpg)
The Principles of Secure Development
• Authentication and Authorisation• Applications often have a need to authenticate users• Often at least two levels of authorisation• Prevent horizontal and vertical privilege escalation• Strong passwords and management systems• Ensure A+A is secure, not a false sense of security• Don’t rely on fields that are easily spoofed• Re-authenticate users for sensitive actions
33
![Page 34: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/34.jpg)
The Principles of Secure Development
• Session Management• Used to manage authenticated users• Ensure that your sessionID’s have sufficient entropy• SessionID’s must not be predictable or reusable• Never build your own session management, it will fail• Protect sessionID’s when in transit• Issue a new value for sensitive actions
34
![Page 35: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/35.jpg)
The Principles of Secure Development
• Secure Communications• Protect sensitive data in transit• As with all cryptography, don’t create your own• Don’t use broken protection mechanisms• Don’t just SSL the logon pages, protect the session!• Avoid mixing secure and insecure traffic on a page
35
![Page 36: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/36.jpg)
The Principles of Secure Development
• Secure Storage• Protect sensitive data when stored• As with all cryptography, don’t create your own• Don’t use broken protection mechanisms• Don’t just SSL the logon pages, protect the session!• Avoid mixing secure and insecure traffic on a page
36
![Page 37: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/37.jpg)
Demo 4
• Lack of secure storage• Passwords stored insecurely in Flat File Logon• Credit to ViRuSMaN, February 2010
37
![Page 38: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/38.jpg)
Demo 4
• Lack of strong hashing and access control lead to usernames and passwords being disclosed
• Demo shows the weak hashes and cracking of them• I show the vulnerability in the source code• I put a simple fix in place and explain this• I carry out the same attack against the secured code• The hashes are salted (strong) and can’t be cracked
38
![Page 39: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/39.jpg)
Admin password - no salt
39
![Page 40: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/40.jpg)
Admin password - salted
40
![Page 41: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/41.jpg)
The Principles of Secure Development
• Secure Resource Access• Obscurity != security, don’t try to hide sensitive resources• Least privilege users for all tasks• Store library, include, and utility files outside web root• Securely harden servers including filesystem ACL’s
41
![Page 42: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/42.jpg)
Demo 5
• Lack of secure resource access• Local file include vulnerability in Bit Weaver 2.7• Credit to John Leitch, July 2010
42
![Page 43: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/43.jpg)
Demo 5
• Insecure server configuration exploited to steal data from the server
• Demo a local file include attack to steal “secrets” file• I change PHP settings and server ACL’s• I carry out the same attack against the secured server• The local file include attack will fail
43
![Page 44: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/44.jpg)
4444
![Page 45: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/45.jpg)
The Principles of Secure Development
• Auditing and Logging• Logs will be created by your application for many events• These logs must not contain sensitive data• They must contain sufficient information for auditing• Logs should be sent to a central server• If possible the logs should be stored “read only”• Retain logs for as long as required by laws/regulatory standards
45
![Page 46: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/46.jpg)
46
But I need to prevent vulnerability “X”
46
Specific vulnerabilities for each principle
OWASP White Hat Security SANS
Input Validation Injection, Cross Site Scripting, Security Misconfiguration, Unvalidated Redirects and Forwards
Cross Site Scripting, SQL Injection, Content Spoofing
Unrestricted Upload of File with Dangerous Type, Failure to Preserve SQL Query Structure, Failure to Preserver Web Page Structure, Failure to Preserve OS Command Structure, URL Redirection to Untrusted Site, Buffer Copy without Checking Size on Input, Improper Limitation of a Pathname to a Restricted Directory, Improper Control of Filename for Include/Require Statement in PHP Program, Buffer Access with Incorrect Length Value, Improper Validation of Array Index, Integer Overflow or Wraparound, Incorrect Calculation of Buffer SizeOutput Validation Cross Site Scripting Cross Site Scripting Failure to Preserve Web Page Structure
Error Handling Information Leakage Information Exposure Through an Error Message, Improper Check for Unusual or Exceptional Conditions
Authentication and Authorisation
Broken Authentication and Session Management, Security Misconfiguration, Unvalidated Redirects and Forwards
Insufficient Authorisation, Insufficient Authentication, Abuse of Functionality
Use of Hard-coded Credentials, Incorrect Permission Assignment for Critical Resource, Reliance on Untrusted Inputs in a Security Decision, Missing Authentication for Critical Function, Improper Access Control
Session Management
Broken Authentication and Session Management, Cross Site Request Forgery
Cross Site Request Forgery Cross Site Request Forgery
Secure Communications
Insufficient Transport Layer Protection Use of a Broken or Risky Cryptographic Algorithm, Missing Encryption of Sensitive Data
Secure Storage Insecure Cryptographic Storage Use of a Broken or Risky Cryptographic Algorithm, Missing Encryption of Sensitive Data
Secure Resource Access
Insecure Direct Object Reference, Failure to Restrict URL Access, Security Misconfiguration, Unvalidated Redirects and Forwards
Predictable Resource Location Improper Limitation of a Pathname to a Restricted Directory, Improper Control of Filename for Include/Require Statement in PHP Program, Allocation of Resource Without Limits or Throttling
![Page 47: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/47.jpg)
Lets redefine what secure development means
• Follow a small, repeatable set of principles• Try not to focus on specific vulnerabilities• Develop securely, not to prevent "hot vuln of the day"• Integrate security, build it into the code
47
![Page 48: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/48.jpg)
The principles approach is working
48
![Page 49: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/49.jpg)
The principles approach is working
• Private banking development company, Switzerland• Security lead saw the secure development principles• Re-designed his secure development training program• Security training costs down• Quicker "spin up" of security trained developers• Security within their SDLC now based on the principles
49
![Page 50: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/50.jpg)
The principles approach is working
• Fortune 500 financial services company, USA• One developer tasked with training local developers• Had tried the “teach all the vulns” approach and it failed• Used principles based training with .NET examples• CSO has now implemented this approach company wide
50
![Page 51: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/51.jpg)
Evolution, not revolution
• Don’t make things more difficult than they need to be• Not a new wheel, its just a smoother, easier to use wheel• Don’t treat security as something separate, integrate it• A security bug is just another bug• Secure development doesn’t have to be hard, KISS it!
51
![Page 52: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/52.jpg)
We knew how to fix this in 1978!
• What happened in 1978 that is so special?• IBM released a video discussing information security• Remember what I said about not reinventing the
wheel?
52
![Page 53: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/53.jpg)
Demo 6
• Short video from IBM in 1978• Discusses the principles of Authentication and
Authorisation in IBM systems (1978)• Reinforces the “don’t reinvent the wheel” statement
53
![Page 54: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/54.jpg)
Demo 7
• Short video from IBM in 1978• Discusses the principle of Secure Communications in
IBM systems (1978)• Reinforces the “don’t reinvent the wheel” statement
54
![Page 55: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/55.jpg)
Demo 8
• Short video from IBM in 1978• Discusses the principles of Input Validation and Error
Handling in IBM systems (1978)• Reinforces the “don’t reinvent the wheel” statement
55
![Page 56: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/56.jpg)
Demo 9
• Short video from IBM in 1978• Discusses the principles of Input Validation and Error
Handling in IBM systems (1978)• Reinforces the “don’t reinvent the wheel” statement
56
![Page 57: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/57.jpg)
We need to learn from 1978
• Those ideas from 1978 are still valid in 2010• 1st Video – Authentication and Authorisation• 2nd Video – Secure Communications• 3rd & 4th Videos – Validation and Error Handling
57
![Page 58: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/58.jpg)
Talk is cheap……
• What am I doing to promote this approach?• Producing more principles of secure development info• Helping companies who have adopted this approach• Developing principles based security tools
58
![Page 59: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/59.jpg)
Apply
• Download principles documentation from Security Ninja• Focus secure development training on code not exploits• Use your language/s in all code examples• Implement principles based security code reviews• Tie all security findings back to specific principles• Use principles based code review tools (coming soon!)
59
![Page 60: Injecting simplicity not SQL RSA Europe 2010](https://reader031.vdocuments.mx/reader031/viewer/2022020207/549abeffb47959f2088b45c3/html5/thumbnails/60.jpg)
Questions?
www.securityninja.co.uk
@securityninja
• Follow me, visit my websites and ask questions :)
• Security Ninja, myself and my security colleagues
60