Secure Web Paris #1
Michael Mollard
Architect Developer @ Sipios
DEVSEC
How to train security-aware developers?
Key points
- The story of DevSec
- Tips to kickstart DevSec
The Story
The Protagonists
Security Expert
- Knows about security
- Acts as the gatekeeper
- Goal: zero security breaches
Dev
- Knows nothing about security
- Designs and builds the application
- Goal: MEP (mise en production, i.e. ship to production)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816404/images/6301960/think.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816404/images/6301963/web-development.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816404/images/6301968/wall.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816404/images/6301970/policeman.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816404/images/6307905/checklist.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816404/images/6307912/blind.png)
THEIR STORIES
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816404/images/6324148/pasted-from-clipboard.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816404/images/6324690/pasted-from-clipboard.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816404/images/6324905/pasted-from-clipboard.png)
Impacts
- Frustration all around
- Delayed releases to production
- Developers keep making the same mistakes
KickStart DEVSEC
BUILD AWARENESS
Avoid known vulnerabilities
- 14% of npm packages
- 50M downloads per month
- "Using components with known vulnerabilities" has been in the OWASP Top 10 since the 2013 edition (A9)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816404/images/6308020/pasted-from-clipboard.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816404/images/6308024/pasted-from-clipboard.png)
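The practical way to build this awareness is to make the build itself fail on dependencies with known vulnerabilities. The job below is an added example, not taken from the talk; it assumes a Node project built on GitLab CI, a `node` Docker image and a `SNYK_TOKEN` CI variable, and relies on the fact that both `npm audit` and `snyk test` exit non-zero when findings at or above the chosen severity are present.

```yaml
# Added example (not from the talk): GitLab CI job that fails the pipeline on
# dependencies with known vulnerabilities. Assumptions: Node project, GitLab CI,
# SNYK_TOKEN defined as a masked CI variable.
stages:
  - test
  - security

dependency-check:
  stage: security
  image: node:18
  script:
    - npm ci
    # Built-in audit against the npm advisory database; exits non-zero on
    # high or critical findings, which fails the job.
    - npm audit --audit-level=high
    # Snyk does the same against its own database and can also open fix PRs.
    - npx snyk auth "$SNYK_TOKEN"
    - npx snyk test --severity-threshold=high
  allow_failure: false
```

Running it in a dedicated `security` stage after the tests keeps the failure message clearly separate from unit-test failures, which matters when the goal is for developers to learn to read and fix the finding themselves.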
DEMO
LEARN & IMPROVE
Avoid common mistakes with a static code analyzer
- SQL injection
- Hard-coded secrets
- Use of untrusted input
- Outdated (weak) algorithms
- Weak configuration
- ...
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816404/images/6314926/pasted-from-clipboard.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816404/images/6314935/pasted-from-clipboard.png)
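To make the list above concrete, here is a toy rule-based scanner in JavaScript. It is an added example, not code from the talk nor from SonarQube or Snyk: three regex rules (SQL built by concatenation or template interpolation, a credential assigned from a string literal, MD5/SHA-1 passed to `crypto.createHash`) are run line by line over a constructed sample module. Real analyzers work on a syntax tree and follow data flow across functions, which is how they also catch the "untrusted input" cases a single-line pattern cannot.

```javascript
// Added example: a toy rule-based static analyzer (not SonarQube, Snyk or any
// code from the talk). Real tools work on a syntax tree and follow data flow;
// this line-by-line regex version only illustrates what a "rule" looks like.

const RULES = [
  {
    id: 'sql-injection',
    description: 'SQL statement built with string concatenation or template interpolation',
    // "SELECT ..." + x      or      `SELECT ... ${x}`
    pattern: /(["'`])\s*(?:select|insert|update|delete)\b.*?\1\s*\+|`\s*(?:select|insert|update|delete)\b[^`]*\$\{/i,
  },
  {
    id: 'hard-coded-secret',
    description: 'Credential assigned from a string literal',
    pattern: /\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*["'][^"']{4,}["']/i,
  },
  {
    id: 'outdated-algorithm',
    description: 'Weak hash algorithm (MD5 or SHA-1) passed to crypto.createHash',
    pattern: /createHash\(\s*["'](?:md5|sha1)["']\s*\)/i,
  },
];

// Runs every rule over every non-comment line; one finding per (rule, line).
function analyze(source) {
  const findings = [];
  source.split('\n').forEach((text, index) => {
    const trimmed = text.trim();
    if (trimmed.startsWith('//')) return;
    for (const rule of RULES) {
      if (rule.pattern.test(text)) {
        findings.push({ rule: rule.id, line: index + 1, description: rule.description, text: trimmed });
      }
    }
  });
  return findings;
}

// Constructed sample module (deliberately sloppy); the last function is the safe form.
const SAMPLE = [
  "const crypto = require('crypto');",
  "const API_KEY = 'sk_live_0123456789abcdef';            // hard-coded secret",
  'function findUser(db, name) {',
  "  return db.query(\"SELECT * FROM users WHERE name = '\" + name + \"'\");",
  '}',
  'function findById(db, id) {',
  '  return db.query(`SELECT * FROM users WHERE id = ${id}`);',
  '}',
  'function hashPassword(pw) {',
  "  return crypto.createHash('md5').update(pw).digest('hex');",
  '}',
  'function findUserSafe(db, name) {',
  "  return db.query('SELECT * FROM users WHERE name = ?', [name]);",
  '}',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of analyze(SAMPLE)) {
    console.log(`${f.rule} line ${f.line}: ${f.description}\n    ${f.text}`);
  }
}
```

On the sample, the scanner reports four findings (lines 2, 4, 7 and 10) and stays silent on the parameterized query in `findUserSafe`, which is exactly the contrast a developer needs to see to fix the finding alone next time.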
React to a vulnerability
False positive
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816404/images/6324954/error.png)
The developer knows it is a false positive and reports it as such
Known vulnerability
The developer knows this vulnerability and can fix it alone
New vulnerability
The developer asks the security expert for an explanation
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816404/images/6301963/web-development.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816404/images/6325082/pasted-from-clipboard.png)
DEMO
One step further
Dynamic analysis
What they can do
- Automate XSS attacks
- Automate SQL injection
- Check security configuration
Drawbacks
- Harder to automate
- Need custom login logic
- Can't test business logic
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816404/images/6318096/pasted-from-clipboard.png)
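The two sides of that slide, an automated XSS probe and the custom login logic it needs, fit in one small script. This is an added example, not ZAP code and not from the talk: the target is a constructed in-memory application (a request-to-response function) with a login form, a `/search` page that reflects `?q` unescaped and a `/greet` page that escapes `?name`, so the whole thing runs offline. The names `makeFakeApp`, `scanParam` and the payload string are assumptions made for the example.

```javascript
// Added example: a tiny "dynamic analysis" probe in the spirit of a ZAP active
// scan. Nothing here is ZAP code; the target is a constructed in-memory app
// (a request -> response function) so the example runs offline.

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Constructed target: POST /login issues a session cookie; every other page
// needs it. /search reflects ?q unescaped (vulnerable), /greet escapes ?name.
function makeFakeApp() {
  const sessions = new Set();
  return function handle(req) {
    if (req.method === 'POST' && req.path === '/login') {
      const form = new URLSearchParams(req.body);
      if (form.get('user') === 'alice' && form.get('pass') === 'wonderland') {
        const sid = `s-${sessions.size + 1}`;
        sessions.add(sid);
        return { status: 302, headers: { 'set-cookie': `sid=${sid}; HttpOnly`, location: '/' }, body: '' };
      }
      return { status: 401, headers: {}, body: 'bad credentials' };
    }
    const sid = (req.headers.cookie || '').replace(/^sid=/, '');
    if (!sessions.has(sid)) return { status: 302, headers: { location: '/login' }, body: '' };
    const url = new URL(req.path, 'http://app.local');
    if (url.pathname === '/search') {
      return { status: 200, headers: {}, body: `<p>Results for ${url.searchParams.get('q') || ''}</p>` };
    }
    if (url.pathname === '/greet') {
      return { status: 200, headers: {}, body: `<p>Hello ${escapeHtml(url.searchParams.get('name') || '')}</p>` };
    }
    return { status: 404, headers: {}, body: 'not found' };
  };
}

// The "custom login logic" a scanner needs: submit the form, keep the cookie.
function login(app, user, pass) {
  const res = app({ method: 'POST', path: '/login', headers: {}, body: `user=${user}&pass=${pass}` });
  if (res.status !== 302 || !res.headers['set-cookie']) throw new Error('login failed');
  return res.headers['set-cookie'].split(';')[0]; // e.g. "sid=s-1"
}

// Marker tag: harmless, unlikely to occur naturally, easy to spot in a response.
const XSS_PAYLOAD = '<zapx onerror=1>';

// Sends the payload in one query parameter and reports whether it came back
// unencoded. Real scanners also check the reflection context and many payloads.
function scanParam(app, cookie, path, param) {
  const url = new URL(path, 'http://app.local');
  url.searchParams.set(param, XSS_PAYLOAD);
  const res = app({ method: 'GET', path: url.pathname + url.search, headers: { cookie }, body: '' });
  return { path: url.pathname, param, status: res.status, vulnerable: res.status === 200 && res.body.includes(XSS_PAYLOAD) };
}

function scan(app, credentials, targets) {
  const cookie = login(app, credentials.user, credentials.pass);
  return targets.map((t) => scanParam(app, cookie, t.path, t.param));
}

if (typeof require !== 'undefined' && require.main === module) {
  const app = makeFakeApp();
  // Without the login step the scanner only ever sees the redirect to /login.
  console.log(scanParam(app, '', '/search', 'q'));
  console.log(scan(app, { user: 'alice', pass: 'wonderland' }, [
    { path: '/search', param: 'q' },
    { path: '/greet', param: 'name' },
  ]));
}
```

The unauthenticated probe returns a 302 and no finding, which is the "need for custom login logic" drawback in one line; and nothing in the scanner can tell whether, say, a user is allowed to search another tenant's data, which is the "can't test business logic" one.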
Bonus
Many of these tools can be brought into the developer's IDE
- Snyk
- SonarLint
- And much more
https://github.com/mre/awesome-static-analysis
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816404/images/6324869/fireworks.png)
Challenges
Drawbacks
- Need to understand and deal with false positives
- Increases the cost of your software factory
- Can only find known classes of vulnerability
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816404/images/6324781/construction.png)
Tools & Documentation
Written by the security expert, for developers
- 3 weeks to integrate application encryption
- 1 week to integrate enterprise SSO
![](https://s3.amazonaws.com/media-p.slid.es/uploads/816404/images/6319204/gears.png)
Links
https://github.com/mre/awesome-static-analysis
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
https://snyk.io/
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
https://www.sonarqube.org/
Security in your CI
By Michael Mollard