Jaap Karan Singh
Co-Founder & Chief Singh @ Secure Code Warrior
How to code securely:
A crash course for non-coders
Everything is powered by
technology
TECHNOLOGY LETS YOU AVOID NAGGING
PHONE CALLS FROM YOUR PARTNER...
Source: https://www.pinterest.com/pin/678214025109991726/
We are not a bank, we
are a technology
company with a
banking license
- EVERY BANK EVER
What's
behind all this
technology?
111 BN
NEW LINES OF
CODE EVERY YEAR
22 M
DEVELOPERS
Cyber security is
now mainstream
No longer guys with hoodies lurking in the shadows
Consumer trust
is everything
DIGITAL BANKING AND CYBER SECURITY
- INFORMATION IS BEAUTIFUL
Source: https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
90%
of security incidents result from
defects in the design or code
of software
- DEPARTMENT OF HOMELAND SECURITY
Source: https://www.us-cert.gov/sites/default/files/publications/infosheet_SoftwareAssurance.pdf
Are developers unaware
or is security really hard?!
IT'S THE LATTER.
Let's look at some code
GET /transfer-money?from,to,amount
database.query => "UPDATE accounts SET balance increment(amount) WHERE account_number = to"
database.query => "UPDATE accounts SET balance decrement(amount) WHERE account_number = from"
print "Debit: from -amount, Credit: to +amount"
Does this code have
any vulnerabilities?
YES. SEVERAL ACTUALLY!
SQL
Injection
WHAT IS IT?
User input concatenated straight into a database query instead of being passed as a bound parameter, so the input is interpreted as SQL
WHY IS IT BAD?
Execute additional transactions and actions
Exfiltrate data
Connect to other systems on the network
DATA BREACH
77 MILLION RECORDS STOLEN
Sony Hack
"From a single injection, we accessed
EVERYTHING". Passwords, home
addresses and other personal
information was stolen.
Source: https://www.bbc.co.uk/news/business-13636704
Cross-site
Request
Forgery
WHAT IS IT?
Trick a logged-in user's browser into sending requests the user never intended, so the application carries out actions on their behalf
WHY IS IT BAD?
Unauthorised actions run with the victim's session
Attack typically hidden, so the user does not realise
Good joke, wasn't it?
While you were reading this joke on your favourite pastime website, I processed 5 transactions transferring over 1 billion dollars in the background!
Source: https://www.pinterest.com/pin/777011741929294349/
Cross-site
Scripting
(XSS)
WHAT IS IT?
Attack the users of the
application by executing
malicious code on their
browser
WHY IS IT BAD?
Execute unauthorised
transactions and actions
without the user realising
Looks like legitimate traffic
to the website
Samy the
worm
SPREAD LIKE WILDFIRE
Fastest-spreading worm of all time - 1 million users affected in less than 24 hours
UNPRECEDENTED IMPACT
MySpace had to take the site offline to remove the worm
Source: https://www.vice.com/en_us/article/wnjwb4/the-myspace-worm-that-changed-the-internet-forever
But wait,
there's
more!
BROKEN ACCESS CONTROL
We never checked if the account belonged
to the user
BUSINESS LOGIC PROBLEMS
Does your account have enough balance?
SENSITIVE DATA EXPOSED
Data between client and server is sent in plaintext and cached by default
INSUFFICIENT LOGGING &
MONITORING
If something were to go wrong, how would
we find out more details?
Let's look
at the
numbers
4
LINES OF CODE
7
VULNERABILITIES
We could have kept going, but you get the point
Let's fix the
vulnerabilities and
secure our code
SQL Injection
prepared_statements
add_money => "UPDATE accounts SET balance increment(%1) WHERE account_number = %2"
deduct_money => "UPDATE accounts SET balance decrement(%1) WHERE account_number = %2"
GET /transfer-money?from,to,amount
database.query => prepared_statements.add_money, amount, to
database.query => prepared_statements.deduct_money, amount, from
print "Debit: from -amount, Credit: to +amount"
Cross-site request forgery
configuration
protect_against_csrf
prepared_statements
add_money => "UPDATE accounts SET balance increment(%1) WHERE account_number = %2"
deduct_money => "UPDATE accounts SET balance decrement(%1) WHERE account_number = %2"
POST /transfer-money?from,to,amount
database.query => prepared_statements.add_money, amount, to
database.query => prepared_statements.deduct_money, amount, from
print "Debit: from -amount, Credit: to +amount"
Broken access control
configuration
protect_against_csrf
prepared_statements
add_money => "UPDATE accounts SET balance increment(%1) WHERE account_number = %2"
deduct_money => "UPDATE accounts SET balance decrement(%1) WHERE account_number = %2"
get_account => "SELECT * FROM accounts WHERE account_number = %1"
POST /transfer-money?from,to,amount
account = database.query => prepared_statements.get_account, from
if account.user_id != logged_in_user
  throw error "Access denied!"
database.query => prepared_statements.add_money, amount, to
database.query => prepared_statements.deduct_money, amount, from
print "Debit: from -amount, Credit: to +amount"
Finally looks like this
configuration
log_all_requests
protect_against_csrf
hide_technology_info
do_not_cache_requests
prepared_statements
add_money => "UPDATE accounts SET balance increment(%1) WHERE account_number = %2"
deduct_money => "UPDATE accounts SET balance decrement(%1) WHERE account_number = %2"
get_account => "SELECT * FROM accounts WHERE account_number = %1"
configuration
logging
sensitive_info => from, to
POST /transfer-money?from,to,amount
account = database.query => prepared_statements.get_account, from
if account.user_id != logged_in_user
  throw error "Access denied!"
if account.balance < amount
  throw error "Not enough balance!"
database.query => prepared_statements.add_money, amount, to
database.query => prepared_statements.deduct_money, amount, from
print "Debit: html_escape => from, html_escape => -amount, Credit: html_escape => to, html_escape => +amount"
Side by side comparison
Secure version: the "Finally looks like this" code above (configuration, prepared statements, masked logging, access and balance checks, escaped output)
Original version:
GET /transfer-money?from,to,amount
database.query => "UPDATE accounts SET balance increment(amount) WHERE account_number = to"
database.query => "UPDATE accounts SET balance decrement(amount) WHERE account_number = from"
print "Debit: from -amount, Credit: to +amount"
3.5x
more code needed
to make it secure
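The slides show the transfer handler in pseudocode. The following is an added, runnable Python version of both sides of that comparison; it is example code written for this page, not code from the deck or from Secure Code Warrior. It uses an in-memory SQLite table as a stand-in for the bank's database, and plain dicts (`request`, `session`) as stand-ins for the parsed HTTP request and the server-side session; the account data is constructed for the example. The vulnerable handler reproduces the original four lines closely enough that the classic `' OR '1'='1` injection credits every account; the hardened handler applies one control per vulnerability named on the slides (POST plus CSRF token, bound parameters, ownership check, balance check, HTML-escaped output) and rejects the same payload.

```python
import hmac
import html
import sqlite3


# Constructed sample data for this example: three accounts owned by two users.
SAMPLE_ACCOUNTS = [
    ("ACC-1", "alice", 500),
    ("ACC-2", "bob", 100),
    ("ACC-3", "bob", 900),
]


class TransferError(Exception):
    """Raised by the hardened handler when a control rejects the request."""


def setup_db():
    """In-memory SQLite stand-in for the deck's 'accounts' table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE accounts (account_number TEXT PRIMARY KEY, "
        "user_id TEXT NOT NULL, balance INTEGER NOT NULL)"
    )
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    db.commit()
    return db


def balances(db):
    """Snapshot of every balance, used to observe what each handler did."""
    return dict(db.execute("SELECT account_number, balance FROM accounts"))


def transfer_vulnerable(db, from_acct, to_acct, amount):
    """The slide's four-line handler: request values pasted straight into SQL."""
    db.execute(f"UPDATE accounts SET balance = balance + {amount} "
               f"WHERE account_number = '{to_acct}'")
    db.execute(f"UPDATE accounts SET balance = balance - {amount} "
               f"WHERE account_number = '{from_acct}'")
    db.commit()
    # Unescaped echo of request values: the XSS sink from the slide.
    return f"Debit: {from_acct} -{amount}, Credit: {to_acct} +{amount}"


def receipt(from_acct, to_acct, amount):
    """Receipt with every request-controlled value HTML-escaped before output."""
    return (f"Debit: {html.escape(from_acct)} -{amount}, "
            f"Credit: {html.escape(to_acct)} +{amount}")


def transfer_secure(db, request, session):
    """Hardened handler: one control per vulnerability named on the slides.

    `request` and `session` are plain dicts standing in for the parsed HTTP
    request and the server-side session (an assumption of this example).
    """
    # CSRF: state changes only over POST, with a token the attacker's page cannot read.
    if request.get("method") != "POST":
        raise TransferError("State-changing action must use POST")
    if not hmac.compare_digest(request.get("csrf_token", ""), session["csrf_token"]):
        raise TransferError("CSRF token mismatch")
    # Input validation: amount is a positive whole number, never a SQL fragment.
    try:
        amount = int(request["amount"])
    except (KeyError, ValueError):
        raise TransferError("Invalid amount") from None
    if amount <= 0:
        raise TransferError("Amount must be positive")
    from_acct, to_acct = request["from"], request["to"]
    # Broken access control: the debited account must belong to the logged-in user.
    row = db.execute("SELECT user_id, balance FROM accounts WHERE account_number = ?",
                     (from_acct,)).fetchone()
    if row is None or row[0] != session["user_id"]:
        raise TransferError("Access denied!")
    # Business logic: enough balance to cover the transfer?
    if row[1] < amount:
        raise TransferError("Not enough balance!")
    # SQL injection: bound parameters; both updates in one transaction so a failed
    # credit rolls back instead of leaving the money half-moved.
    with db:
        credited = db.execute("UPDATE accounts SET balance = balance + ? "
                              "WHERE account_number = ?", (amount, to_acct)).rowcount
        if credited != 1:
            raise TransferError("Unknown destination account")
        db.execute("UPDATE accounts SET balance = balance - ? WHERE account_number = ?",
                   (amount, from_acct))
    return receipt(from_acct, to_acct, amount)


def try_transfer(db, request, session):
    """Run the hardened handler and report (accepted, message) instead of raising."""
    try:
        return True, transfer_secure(db, request, session)
    except TransferError as err:
        return False, str(err)
```

Run `transfer_vulnerable(db, "ACC-1", "ACC-3' OR '1'='1", "50")` against a fresh `setup_db()` and every account gains 50 while only ACC-1 is debited: the bank has created money. The same `to` value passed to `transfer_secure` is bound as a literal string, matches no account, and the transaction rolls back. The ownership check is what the deck calls broken access control; note it runs against the `from` account, because that is the one being debited.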
To do things right,
you would need
superheroes
Normal coders don't stand a chance!
Developers
don't think
about security
all day
We need to make
security easy and
accessible
FUN FACT
How do we scale
secure coding?
Stand on the shoulders of giants
DON'T RE-INVENT THE WHEEL
Avoid implementing security features yourself, e.g. encryption
RELY ON BATTLE-TESTED ENTERPRISE LIBRARIES
Vetted by security experts, active developer community, security mindset
Stand on the shoulders of giants
USE SECURE DEFAULTS
Most enterprise grade libraries come with
a security guide
Read it and create an internal best
practices guide or base library.
Do it once, reap the benefits
over and over again
PATCH AND UPDATE
DEPENDENCIES REGULARLY
Hackers can fingerprint technology stack
Exploit based on known vulnerabilities
"I LOVE UPDATE SCREENS"
- NO ONE EVER
Source: fakeupdate.net
60-80%
of a commercial codebase is
typically open source libraries
60% VULNERABLE
of those scanned
EQUIFAX CREDIT BUREAU
Public example of things gone wrong: the 2017 breach came in through a publicly known Apache Struts vulnerability for which a patch was already available
Why is
patching
important?
Security
automation
CATCH BUGS EARLY
Security bugs are inevitable, provide early feedback
loops through automated testing
REDUCE HUMAN EFFORT
AND SAVE $$$
Low hanging fruit should be caught by machines,
not humans
EMBED SECURITY INTO DEVELOPMENT WORKFLOW
AUTOMATE AND GET OUT
OF THE WAY
Security tools can sometimes be slow. Anything
embedded into the workflow needs to be fast and
pain-free
Embed security automation
into the workflow
CODE BUILD TEST DEPLOY
IDE Plugins
Security Unit Tests
Static Source Code
Analysis (SAST)
Software Composition
Analysis (SCA)
Dynamic Application
Security Testing (DAST)
Container Scanning
Runtime Application
Self-Protection (RASP)
Bug Bounties
Architecture and design
SOLID FOUNDATIONS TO SET YOURSELF
UP FOR SECURITY SUCCESS
30x
more costly to fix defects after release compared to the design phase
Source: ftp://ftp.software.ibm.com/software/rational/info/do-more/RAW14109USEN.pdf
INFRASTRUCTURE DESIGN
Design to minimise attack surface and reduce risk
posture of the application
THREAT MODELLING
Understand the risk level of your application, data
it collects and processes and any regulatory
requirements
SECURITY AUTOMATION
Automate from the start, easier than climbing a
steep hill all at once
Architecture
and design
Security awareness
and culture
Am I rewarded or
punished for
reporting security
issues?
AVOID A TOXIC WORK
ENVIRONMENT
Developer
Training
THREAT LANDSCAPE AND RESPONSIBILITY
Cost to the business of a security incident, impact of vulnerabilities and duty to protect customer and business data
FOCUS ON DEFENSIVE SKILLS
Proactive controls, internal secure coding
guidelines
Don't turn developers into hackers - that's not
their job
SOFTWARE SECURITY
FUNDAMENTALS TRAINING
High level overview for support staff: Business
Analysts, Project Managers, Product Managers etc
HOW DO YOU CODE SECURELY?
BUILD ON THE SHOULDERS OF GIANTS
THINK ABOUT SECURITY DURING THE ARCHITECTURE AND DESIGN PHASE
EMBED AND AUTOMATE SECURITY IN THE DEVELOPMENT WORKFLOW
BUILD A SECURITY-CONSCIOUS CULTURE IN YOUR BUSINESS
PATCH, PATCH AND PATCH AGAIN
