You are viewing content from a past/completed QCon

Presentation: Making the Most out of a Bad Day as a Developer

Track: Security: Lessons Learned From Being Pwned

Location: St James, 4th flr.

Day of week: Wednesday

Level: Intermediate

Persona: Developer

Share this on:

What You’ll Learn

  • Learn why threat modeling is important and how you can do it 
  • Analyze examples and good practices for dealing with things like secure communication and secure data storage
  • Gain ideas for breaking down barriers between development and security

Abstract

You know how it goes. There is always someone that finds out how to break all the hard work you and your team have put in developing a kick-ass application. Nobody likes to receive security bug reports but they are a reality we have to deal with. Penetration testers, bug bounty programs, independent researchers, and security incidents all provide us with invaluable information to develop better code. The question then becomes what we do with what we learned and how we prevent similar vulnerabilities to appear again. This presentation is a tale of war stories from my experience as a penetration tester and the numerous years of work with development teams building secure development practices. I hope to help you in understanding the value of security bugs for you, your organisations and your clients.

Question: 

What’s your talk going to be about?

Answer: 

Nowadays everything has to have a threat model, otherwise it’s not even considered for development. My talk will be a lessons learned overview of what I’ve done in the past. There will be practical examples at a technical level of things that I always see in threat modeling exercises. Examples about things like secure communication, secure data storage, etc.

One example that I will talk about is on third party libraries. Many people want to use them for cryptography, for example from .NET or OpenSSL but often they don’t know how to use them properly. When validating code I’ve seen things like hardcoded encryption keys in the code that is the same for every client that they deploy the application to. If one of those keys gets compromised, all your clients get compromised. This is something that shouldn’t be done like this. In my talk I will show good practices how to incorporate third party libraries and use them.

Question: 

Who should be involved in threat modeling?

Answer: 

Looking at threat modeling, architects can get a lot of input from developers and product owners who know how the product should work. They can also get very useful input from QA people who know how it actually fails and how it doesn’t work. It’s important to have interaction between these stakeholders in one room to get sufficient insight into the vulnerabilities.

My talk aims at developers and architects, but there are things in there for anybody involved in the development process.

Question: 

How would you rate the level of this talk?

Answer: 

Intermediate to advanced level.

Question: 

What advice do you give teams for breaking down barriers between development and security?

Answer: 

I’m confident that developers don’t come into work to create vulnerable software. Problem is that we’re not able to express security requirements very well. Security people often want to own the security process. I tell them that they are not the owner of the process, and suggest them to provide developers with tools and practices, teach them, and then step back. Of course developers also need to move closer to the security people.

Question: 

What do you feel is the most disruptive tech in IT right now?

Answer: 

I would say it’s the Internet of Things, very small devices providing a lot of data that is consumed by web services all around the world. The protection of that data and the security of those devices, and the visibility of those devices and the capabilities that are offered to attackers are immense. We need to pay much more attention to that, both from a developer and security perspective.

Speaker: Wim Remes

CEO/Principal Consultant @NRJSecurity & Board Member (ISC)²

CEO/Principal Consultant over at NRJ Security. He's also a board member for (ISC)² and co-organizes BruCON.

Find Wim Remes at

Last Year's Tracks