Secure Web Paris #1

Michael Mollard

Architect Developer @ Sipios

DEVSEC

How to TRAIN SECURITY-AWARE DEVELOPERS?

Key points

  • The story of DevSec
  • Tips to kickstart DevSec

The Story

Security Expert

  • Knows about security
  • Gatekeeper
  • Goal: 0 security breaches

DEV

  • Knows nothing about security
  • Design & Build application
  • Goal: MEP (mise en production, i.e. go-live)

The Protagonists

THEIR STORIES

Impacts

  • All around frustration
  • Delay to production
  • Developers keep making the same mistakes

KickStart DEVSEC

BUILD AWARENESS

Avoid known vulnerabilities

14% of NPM packages

50M downloads / month

OWASP Top 10 since 2013

DEMO

LEARN & IMPROVE

Avoid common mistakes with a static code analyzer

  • SQL injections
  • Hard-coded secrets
  • Using untrusted inputs
  • Outdated algorithms
  • Weak configuration
  • ...

React to Vulnerability

False positive

The developer knows it is a false positive and reports it as such

Known vulnerability

The developer knows this vulnerability and can fix it alone

New vulnerability

The developer asks the security expert for an explanation
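To make the two preceding slides concrete (what a static analyzer flags, and how a developer records a triage decision), here is an added example that is not from the talk or from any of the tools it names: a toy analyzer with two rules, run over constructed sample source. The `// sec-fp:` false-positive marker is a hypothetical convention for this example, not the syntax of SonarLint, Snyk or any other product.

```javascript
// Added example, not from the talk or any tool it names: a toy static analyzer
// for two of the mistake classes above (SQL built by string concatenation,
// hard-coded secrets), run over constructed sample source. The "// sec-fp:"
// false-positive marker is a hypothetical convention, not any real tool's syntax.
const RULES = [
  {
    id: 'sqli-concat',
    // string literal containing a SQL keyword, immediately concatenated with code
    pattern: /["'`][^"`]*\b(SELECT|INSERT|UPDATE|DELETE)\b[^"`]*["`]\s*\+/i,
    fix: 'use a parameterized query, e.g. db.query("... WHERE id = ?", [id])',
  },
  {
    id: 'hardcoded-secret',
    // quoted literal assigned to a secret-looking name
    pattern: /\b(password|secret|api[_-]?key|token)\b\s*[:=]\s*["'][^"']{4,}["']/i,
    fix: 'load the value from the environment or a secret store at runtime',
  },
];

// One finding per (line, rule) hit. A "// sec-fp: reason" comment turns the
// finding into a reviewed false positive, keeping the triage decision in the code.
function analyze(source, file = 'input.js') {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    const fp = /\/\/\s*sec-fp:\s*(.+)$/.exec(text);
    for (const rule of RULES) {
      if (!rule.pattern.test(text)) continue;
      findings.push({
        file, line: i + 1, rule: rule.id,
        status: fp ? 'false-positive' : 'open',
        note: fp ? fp[1].trim() : rule.fix,
      });
    }
  });
  return findings;
}

// Constructed sample: an injectable query, its parameterized fix (not flagged),
// a hard-coded key with a placeholder value, and an accepted false positive.
const SAMPLE = [
  'const q = "SELECT * FROM users WHERE name = \'" + req.query.name + "\'";',
  'db.query("SELECT * FROM users WHERE name = ?", [req.query.name]);',
  'const apiKey = "PLACEHOLDER-not-a-real-key";',
  'const token = "fixture-token"; // sec-fp: test fixture, not a credential',
].join('\n');

console.table(analyze(SAMPLE));
```

Two of the three findings come back `open` with a fix hint the developer can apply alone; the third carries the reviewer's reason, which is the "false positive" branch of the triage above.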

DEMO

One step further

Dynamic analysis

What they can do

  • Automate XSS attacks
  • Automate SQL injections
  • Check security configuration

Drawbacks

  • Harder to automate
  • Need for custom login logic
  • Can't test business logic

Bonus

A lot of tools can be brought into the developer's IDE

  • Snyk
  • SonarLint
  • And much more

https://github.com/mre/awesome-static-analysis

Challenges

Drawbacks

  • Need to understand and deal with false positives
  • Increase the cost of your software factory
  • Can only deal with known exploits

Tools & Documentation

By the security expert, for developers

  • 3 weeks to integrate application encryption
  • 1 week to integrate enterprise SSO

Links

https://github.com/mre/awesome-static-analysis

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

https://snyk.io/

https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

https://www.sonarqube.org/
