insecurity in information technology - full length version

41
Insecurity in Information Technology Tanya Janca [email protected] OWASP Ottawa Chapter Leader OWASP DevSlop Project Leader @SheHacksPurple

Upload: tanyajanca

Post on 21-Jan-2018

68 views

Category:

Technology


3 download

TRANSCRIPT

Page 1: Insecurity in Information Technology - Full Length Version

Insecurity in Information Technology

Tanya [email protected]

OWASP Ottawa Chapter Leader

OWASP DevSlop Project Leader

@SheHacksPurple

Page 2: Insecurity in Information Technology - Full Length Version

The “I’m Qualified” Slide

Tanya Janca: Application security evangelist, web application penetration tester and vulnerability assessor, trainer, public speaker, ethical hacker, OWASP Ottawa chapter leader, OWASP DevSlop project leader, effective altruist, software developer since the late 90’s.

I’m extremely concerned about application security, and you should be too. Let me tell you more.

About Me

Page 3: Insecurity in Information Technology - Full Length Version

Thesis:

People make stupid decisions when they feel insecure.

Conflict between security and development makes some people (employees) feel insecure.

When this happens, insecure software is often the result.

Changes are required to solve this problem.

Page 4: Insecurity in Information Technology - Full Length Version

Warning:

This is not a talk about “feelings”.

This talk is about the bottom line, getting the job done, and making software secure.

However, it might get uncomfortable at times.

Try not to feel too defensive.

Page 5: Insecurity in Information Technology - Full Length Version

The Fine Print:

Although I relay all examples in the first person, as though I was there, these are not all my personal examples. They are from multiple members of the InfoSec community.

Page 6: Insecurity in Information Technology - Full Length Version

Talk Outline:

• Problem(s)

• Solution(s)

Page 7: Insecurity in Information Technology - Full Length Version

Problem:

The way many IT shops are run can create feelings of job insecurity in employees.

Page 8: Insecurity in Information Technology - Full Length Version

Security testing is performed so late in the game that developers

1) Don’t fix anything

2) Resent security for presenting last minute challenges

Page 9: Insecurity in Information Technology - Full Length Version

• Do security testing without the security team, making them feel unrequired.

• Don’t cooperate with the security team to enable security testing, claiming they have no time/implying security is low priority.

• Ignore security advice from security reports and do not implement any or most of the mitigations.

• Do not take/ask for advice from the security team.

Developers

Page 10: Insecurity in Information Technology - Full Length Version

The security team quotes policies at

developers, or sends them an unvalidated

500 page report.

Security

Page 11: Insecurity in Information Technology - Full Length Version

• Does not give usable security guidance to the developers when asked.

• Acts or is seen as a gate, slowing down the SDLC.

• Adds project requirements without explanation, “because security”.

• When revealing issues, they make developers feel incompetent.

Security Team

Page 12: Insecurity in Information Technology - Full Length Version

All of this creates the feeling of insecurity about people’s jobs and how to do them well.

This leads to:

• deviant behaviour,

• moral disengagement,

• reduced job involvement,

• risk taking behavior, and

• reduction of organizational citizenship behavior (positive workplace activity and involvement).

Page 13: Insecurity in Information Technology - Full Length Version

All of this bad behavior leads to insecure software.

Is everyone on board with this? Questions?Are we on the same page? More examples?

Page 14: Insecurity in Information Technology - Full Length Version
Page 15: Insecurity in Information Technology - Full Length Version

The Plan:

1. Support dev and sec team with processes, training, and resources so they can confidently get the job done.

2. Repair relationship.

3. Do not accept ‘bad’ behavior anymore.

Page 16: Insecurity in Information Technology - Full Length Version

1

Page 17: Insecurity in Information Technology - Full Length Version

1

Start Security Earlier!

Requirements Design Code Testing Release

Pushing Left, Like a boss!

Page 18: Insecurity in Information Technology - Full Length Version

1

Page 19: Insecurity in Information Technology - Full Length Version

1

Page 20: Insecurity in Information Technology - Full Length Version

1

Page 21: Insecurity in Information Technology - Full Length Version

1

Page 22: Insecurity in Information Technology - Full Length Version

1

Page 23: Insecurity in Information Technology - Full Length Version

1

Page 24: Insecurity in Information Technology - Full Length Version

1

Break security testing into smaller pieces

Page 25: Insecurity in Information Technology - Full Length Version

1-2

Page 26: Insecurity in Information Technology - Full Length Version

1-2

Page 27: Insecurity in Information Technology - Full Length Version

1

Provide free training to developers

1-2

Page 28: Insecurity in Information Technology - Full Length Version

2

Page 29: Insecurity in Information Technology - Full Length Version

2

Page 30: Insecurity in Information Technology - Full Length Version

2

Page 31: Insecurity in Information Technology - Full Length Version

2

Job Shadowing

Page 32: Insecurity in Information Technology - Full Length Version

Give Developers Security Tools!

2

Page 33: Insecurity in Information Technology - Full Length Version

2

Page 34: Insecurity in Information Technology - Full Length Version

OWASP: Your new BFF

The Open Web Application Security Project

2

Page 35: Insecurity in Information Technology - Full Length Version

3

Page 36: Insecurity in Information Technology - Full Length Version

3

Page 37: Insecurity in Information Technology - Full Length Version

3

Page 38: Insecurity in Information Technology - Full Length Version

3

Page 39: Insecurity in Information Technology - Full Length Version

No more “we’re screwed” keynotes.

A message for conferences

Page 40: Insecurity in Information Technology - Full Length Version

Summary:

1. Support dev and sec team with processes, training, and resources so they can confidently get the job done.

2. Repair relationship.

3. Do not accept ‘bad’ behavior anymore.

Page 41: Insecurity in Information Technology - Full Length Version

Tanya [email protected] Ottawa Chapter Leader

OWASP DevSlop Project Leader

@SheHacksPurple

ANY

QUESTIONS?