Secure web paris #1
Michael Mollard
Architech Developer @ Sipios
DEVSEC
How to TRAIN SECURITY AWARE DEVELOPERS ?
Key points
- The story of DevSec
- Tips to kickstart DevSec
The Story
Security Expert
- Knows about security
- Gatekeeper
- Goal: 0 security breach
DEV
- Knows nothing about security
- Design & Build application
- Goal: MEP
The Protagonists
THEIR STORIES
Impacts
- All around frustration
- Delay to production
- Developers keep making the same mistakes
KickStart DEVSEC
BUILD AWARENESS
Avoid known vulnerabilities
14% of NPM packages
50M downloads /Months
OWASP Top 10 since 2013
DEMO
LEARN & IMPROVE
Avoid common mistakes with static code analyzer
- SQL Injections
- Hard-coded Secrets
- Using non-trusted inputs
- Outdated algorithm
- Weak configuration
- ...
React to Vulnerability
False positive
The developers knows it is a false positve and report it as such
Known vulnerability
The developers knows this vulnerability and can fix it alone
New vulnerability
The developers ask the security expert for an explanation
DEMO
One step further
Dynamic analysis
- Automate XSS attacks
- Automate SQL injections
- Check security configuration
- Harder to automate
- Need for custom login logic
- Can't test business logic
What they can do
Drawbacks
Bonus
A lot of tools can be brought to the developers IDE
- Snyk
- SonarLint
- And much more
https://github.com/mre/awesome-static-analysis
Challenges
Drawbacks
- Need to understand and deal with false positive
- Increase the cost of your software factory
- Can only deal with known exploits
Tools & Documentation
By security expert for developers
- 3 weeks to integrate application encryption
- 1 week to integrate entreprise SSO
Links
https://github.com/mre/awesome-static-analysis
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
https://snyk.io/
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
https://www.sonarqube.org/