1. How to protect your web
applications
Magno Logan
magno.logan@owasp.org
OWASP Paraíba Chapter Leader
2. About Me
Who am I?
!
• Ex-developer
• Security Analyst
• Chapter Leader
• Martial Arts
• Investments
3. Agenda
!
• They are everywhere!
• Testing, testing, testing…
• Guides, tools and much more
• The insecure software lifecycle
• How to solve these problems
5. And they have bugs everywhere!
!
• The cost of a data breach averages $5.5
million or $194 per customer record*
!
• Companies that take security seriously can
reduce the cost per customer by up to 62%
!
!
!
!
* From a 2011 study by the Ponemon Institute
6. So, how to protect them?!
!
1. Security Testing
!
2. Code Review
!
3. SDL
9. So what do they do?
!
• Protect you from common mistakes
!
• Avoid you from getting hacked by automated
tools/scanners and script kiddies
!
By the way, if you work with AppSec and you
never heard of these two docs…
12. Ok, now what?!
OWASP Code Review Guide
!
• Code review takes a deeper look into your
app
!
• Things that automated scanners won’t find
!
• You’ll see the common mistakes devs make
13. We fixed the problems. How to stop them?
!
• Implement a SDL process
!
• Train your developers about app security
!
• They don’t need to be experts, at least
know how it works and how to protect
their apps
14. Yay! More free stuff…
!
• OWASP ASVS – verify your security
!
• OWASP OpenSAMM – create a security
program
!
• OWASP Developer’s Guide – tips to devs
15. It’s not that simple…
!
• If we have all that, why aren’t our apps
secure?
!
• Why even the big companies don’t follow
the basic rules? Hello Linkedin!
16. We know, we know…
!
• Security costs money. Yeah, but so does
development, support, operations, etc.
!
• Security costs money. But it will save you a lot
more!
!
Why most companies still don’t see the value of
security until they get hacked?
17. Like Dinis Cruz said at AppSec Latam 2011:
!
Unless you’ve been hacked before…
!
If it compiles,
Ship it!
!
That’s the motto in most dev companies
18. The real picture (Developer’s view)
!
• They don’t like the security teams
!
• They already work on a tight schedule
!
• Security will increase their programming
time
19. How it should be…
!
• Dev and infosec should work together
!
• Security practices and implementations should
be included in the schedule time
!
• It will increase the apps protection and
decrease the amount of bugs and work
20. In a nutshell…
!
• Security is not a plugin, it’s a process.
!
• Test everything, every time they change.
!
• Allocate time for security testing within your
project
!
• Never assume security controls are effective
22. References
!
Wagner Elias. “Testar não é suficiente, tem que fazer
direito!”. YSTS 2012
!
Dinis Cruz. “Making Security Invisible by Becoming the
Developer's Best Friends”. OWASP AppSec Latam 2011
!
Building Secure Web Applications Infographic - http://
www.veracode.com/blog/2012/06/building-secure-web-
applications-infographic/
!
OWASP - www.owasp.org