Fun with Application Security

Editor's Notes

• #2: Video / music to start? Thank you so much for coming out to this session – I know there are many choices – you’ve come the room where we are going to discuss “Fun with Application Security” Let’s jump in
• #3: Everyone remembers their first time. For me it was in Flanders Elementary school in the fall of 1978. After finishing some school subjects early in the year, I was able to spend a few hours a day in the library (self-study). At some point in the fall a number of boxes arrived, and inside was a brand new Commodore PET computer (with a fancy cassette tape drive to load one of the two “tapes” of programs that it came with). No one that I can remember knew why the computer was bought for the school (and put in the library) but they let me try it out, and even teach some of the teachers. You couldn’t buy software for computers in these days – you had to write them. So like most people who get started in coding, I spent several months running other peoples code, reading other peoples code, learning BASIC, then modifying other peoples code – Space Invaders clone, Choose Your Own Adventure, and then trying to code myself (there was no copy and paste or Google or Stack Overflow at the time, so it was a lot of typing things in, and there really wasn’t an ability to “save” at the time, so I ended up leaving the computer on or retyping things … but the point it it was FUN
• #4: Stuff happens, yada, yada, and jump forward 10 years and I get my first real taste of things to come, and my first run in with security challenges. I was doing summer research in Quantum Chemistry/Physics and implementing some rather complex matrix math equations in Fortran 77 – to make a long story short, they simulated certain molecules (like H20) and calculated changes in energy levels when you messed with the orbits of some of the electrons. To run some of the models we got time on a Cray YMP supercomputer in California and connected over the fledgling Internet (via 300 baud dial up). The point here is that it was a shared time situation where there were others using the same system at other times. Turns out some of these other people were getting into each others code and messing with it – high-brow hijinks (adding a third oxygen atom to the mix and trying to model a H30 molecule, etc.). So the “passwords” (that we were assigned) had to be changed and lost a good weeks worth of research. So coding was still Fun, and now possibly even profitable, but security was really starting to make things less fun.
• #5: Jump forward another 30 years and it is getting ridiculous. Every week there is a new security threat or five. They have gone crazy in reporting them and started naming them like Hurricanes. They even have logos now for things like Poodle, Shellshock, HeartBleed and more – with Freak Attacks and WannaCry that weaponized EternalBlue. So early this year I decided to take a new position and role to focus 100% on these type of issues.
• #6: My goal now, and in the next hour or so, is explain some ways that you can look at the security challenges, take some precautions, use some powerful tools, and take back software development. We need to “Make Software Development Fun Again” And no, I’m not a Trump fan, but you have to admit they did a great job branding things with the witty saying and the hats … but let’s get started …
• #7: Disclaimer … Bruce Abernethy I am a life long developer, certified Microsoft developer, Apple Developer and Google Android developer – with current web apps, web services, apps in both stores, and code running on devices. Security-wise I have a GIAC certification in secure coding for .NET and am working on a CEH. I’ve had 5-6 different roles at Meijer – this year I made a switch and took on a brand new role at Meijer focused on Application Security – there is a big need for that, and I do want to bring the fun back …
• #12: Research tells us that the average person consumes about 34Gb of data a day – mostly video, pictures, games and digital content. In fact only 1/10 of 1% of this data is textual. So I wanted to have a good visual and exciting theme to tie all the themes in security together - something current and memorable that would fit with the themes of fun, and security and heroes protecting their apps from evil. Unfortunately it didn’t really come together with modern favorites.
• #13: A very different hero emerged that fit better into the main themes that I wanted to focus on
• #14: It’s my view that Dora grew up and has become a very successful Coder and has used her skills and experience to focus on Secure Software Development
• #15: If you know Dora, that will help – if you don’t – you’ll be fine. Dora taught and annoyed a bunch of kids in the last almost 20 years. She went through a daily adventure, with her companion Boots the monkey, planed her way with “The Map” had tools and goodies in the backpack. The antagonist in the series was Swiper the fox, who always tried to steal her stuff (see where we are going with security). With a few other regulars on the show to make things interesting.
• #16: Our meta-app will be a tic tac toe game – TIC TAC TICO – we want it to be web-based but also a mobile app (iOS, Android?)
• #18: Security for most developers is a chore, literally. It is something you know you need to do, you don’t really want to do, but you have a feeling that if you don’t do it, that there will be consequences. What have we done as humans with chores? Tried to use technology to make them easier.
• #25: MS Threat Modeling Tool 2016 – free, Windows only. Draw it out, include at rest, in memory, and in transit (along with protocols), runs a STRIDE rules engine
• #26: OWASP Incubator Project just usable, going beta soon, and a lot of promise. Cross platform desktop app built in Node and Angular with Electron. If they can get the rules engine working, this should replace Microsoft’s tool going forward.
• #27: The more you learn about security, the more you will determine that you really don’t know. It doesn’t mean you have to move to a cabin in the woods. It does mean that you can take basic precautions and feel a bit more secure.
• #30: Also raw error messages No one with that username exists in the system …. Keep trying until you get a username The password is wrong for that username … That username exists in the system, now just find the password.
• #43: Code reviews and pull requests …