Developers and AppSec: Collectively You're Doing it Wrong
There's a lot of cool stuff in motion and behind the scenes I'll cover later. But let's start with the most recent hot topic:
Dr. Chenxi Wang spoke today at OWASP Application Security USA 2010 about overcompensating for weak security from developers (my biased paraphrasing).
The idea is that we can't depend on developers for security, so we need to correct for it outside of the development process. To over-generalize further: the Web Application Firewall concept is being done wrong. I agree that we can't wait for developers to start writing secure code, but I think this is more of a temporary band-aid to buy us time until we start writing more secure code; not a solution per se, but a crutch.
Signature detection isn't enough; visibility into current attacks, enough to steer a response, would help with mitigation if such a super-WAF were available. But there is no patch for exploitation of business flow/logic, so we can't stop educating the developer community to write secure code.
So it boils down to this: I agree we can't wait until code is secure, because it never will be, but that's no reason to give up on developers. We must fight on every front. That's one reason we started the x06d project: to start adding visibility in the browser and on the network from outside the browser. I'll post updated DEFCON 18 slides from the project soon.
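To make the "no patch for business logic" point concrete, here is an added example (not from the talk or from this post's author) contrasting a pattern-matching filter with a server-side business-rule check. The signature list, the catalog and the checkout handlers are all constructed for illustration: an injection-style payload trips a signature, while a negative quantity or a client-supplied unit price is perfectly well-formed input that no byte pattern can flag, and only the application code that knows the rules can reject it.

```python
import re

# Constructed, illustrative signature set standing in for a WAF rule list.
# Real products ship far larger sets; the point is only that each rule
# matches a byte pattern in the request, not the meaning of the request.
SIGNATURES = [
    re.compile(r"(?i)\bunion\b[\s\S]+\bselect\b"),   # SQL UNION injection
    re.compile(r"(?i)'\s*or\s*'?1'?\s*=\s*'?1"),     # classic tautology
    re.compile(r"(?i)<\s*script\b"),                  # reflected script tag
]


def waf_blocks(params: dict) -> bool:
    """Return True when any parameter value matches a signature."""
    return any(sig.search(str(v)) for v in params.values() for sig in SIGNATURES)


# Constructed catalog: the server's authoritative prices (hypothetical items).
CATALOG = {"widget": 25.00, "gadget": 40.00}


def checkout_trusting(params: dict) -> float:
    """Vulnerable handler: accepts quantity and unit price from the client.

    Every value here is syntactically harmless, so a signature filter passes
    it, yet a negative quantity yields a refund and a tampered price a discount.
    """
    return int(params["qty"]) * float(params["price"])


def checkout_validated(params: dict) -> float:
    """Hardened handler: the business rules live in application code."""
    item = params.get("item")
    if item not in CATALOG:
        raise ValueError("unknown item")
    try:
        qty = int(params.get("qty", ""))
    except ValueError:
        raise ValueError("quantity must be an integer")
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    # The unit price is never taken from the request.
    return qty * CATALOG[item]


def rejects(params: dict) -> bool:
    """True when the validated handler refuses the request."""
    try:
        checkout_validated(params)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    injection = {"item": "widget' OR '1'='1"}
    refund = {"item": "widget", "qty": "-3", "price": "25.00"}
    discount = {"item": "widget", "qty": "2", "price": "0.01"}
    print("signature blocks injection:", waf_blocks(injection))
    for req in (refund, discount):
        print("signature blocks logic abuse:", waf_blocks(req),
              "| trusting total:", checkout_trusting(req),
              "| validated rejects:", rejects(req))
```

The filter has no notion of what a quantity or a price is, so the two logic-abuse requests sail through it; the validated handler rejects the negative quantity outright and ignores the client's price, charging from the catalog instead. That is the check a WAF can only approximate and a developer can write in a handful of lines.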