
Secure coding is often an afterthought

mchugh48

Newbie

Posts: 1

Joined: Tue Aug 03, 2010 6:54 pm

Post Tue Dec 28, 2010 12:07 pm

Secure coding is often an afterthought

Application security is designed to keep your users' data/information secure from being read, stolen, or destroyed by malicious people and processes. Security cannot be added as an afterthought; it must be built in and resistant to attack. There is usually a big push to get an application out the door and delivered, and it takes some strong persuasion to build in security from the start. What ways are others out there using to persuade business and government to build in secure coding? Sometimes, I have noticed that using FUD (Fear, Uncertainty and Doubt) can be effective, but that should really be necessary.
Tell me what you think!
caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Wed Dec 29, 2010 9:46 am

Re: Secure coding is often an afterthought

Hi mchugh48 and welcome to the forum!

I have faced this dilemma many times. Here is what I have done:

1) Build a presentation showing how to add security to every step of the SDLC (Software Development Life Cycle). I focus on cost reduction by "thinking" about security in the early stage;

2) Show them how, by implementing security into the development framework, we could save a lot of $$$ on subsequent projects. For example, creating a solid filter for user input in web applications could easily be reused by all other projects using the same platform.

3) Security training for developers. I personally do free "Lunch and hack" sessions at work about twice a month. In these sessions, I will talk about a single topic, for example SQLi, demonstrating an attack or two and showing them how to protect themselves. This is also a great way for me to make them aware of my skills (Hey, I am a contractor ;))

4) If you end up finding vulnerabilities before the system goes in production, talk to management about how this costly mistake could have been easily avoided by doing xyz earlier.

I hope this can help you.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
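The kind of SQLi demonstration described in point 3 above, as an added example that is not part of caissyd's post or any code he shared: a login check built by string concatenation, beside the same check using parameterized queries. The table, the accounts and the attacker inputs are constructed here for the demo; the plaintext passwords are only there to keep the example short and are not how credentials should be stored.

```python
import sqlite3


def make_db():
    """Build an in-memory SQLite database with two constructed demo accounts.

    Passwords are stored in plaintext purely to keep the SQLi demo short;
    real applications store salted password hashes, never the password.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", 1), ("bob", "battery staple", 0)],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: user input is pasted straight into the SQL text.

    A username such as  alice' --  closes the string literal and comments
    out the password check, so the query matches alice with any password.
    """
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Hardened: the SQL text is fixed and the values travel as parameters.

    The driver hands the values to the engine separately, so quotes and
    comment markers inside them are just characters, never SQL syntax.
    This is the reusable defence: one pattern applied everywhere a query
    takes user input, rather than a per-field escaping filter.
    """
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run the attack against both versions and return the outcomes."""
    conn = make_db()
    # Constructed attacker input: terminate the literal, comment out the rest.
    injected_user = "alice' --"
    return {
        "vulnerable_normal": login_vulnerable(conn, "alice", "correct horse"),
        "vulnerable_attack": login_vulnerable(conn, injected_user, "wrong"),
        "safe_normal": login_safe(conn, "alice", "correct horse"),
        "safe_attack": login_safe(conn, injected_user, "wrong"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18s} -> {result!r}")
```

In a live session the point lands when the audience sees `vulnerable_attack` return `'alice'` with a wrong password while `safe_attack` returns `None` for the identical input; the only difference between the two functions is how the values reach the database.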
Anquilas

Full Member

Posts: 169

Joined: Fri Mar 19, 2010 7:50 am

Location: Belgium

Post Thu Dec 30, 2010 2:41 am

Re: Secure coding is often an afterthought

Interesting starting points, I'm hoping to instill similar habits where I work one day.

Question: do you get a lot of response on those 'Lunch and hack' sessions? I'm curious to see what amount of developers can actually be intrigued by these topics.
Twitter: https://twitter.com/dietervds
Blog: https://synquell.wordpress.com (not much there yet)

The beginning of knowledge is the discovery of something we do not understand.
Empires89

Newbie

Posts: 6

Joined: Mon Jan 03, 2011 12:30 pm

Location: Seattle

Post Wed Jan 05, 2011 12:59 am

Re: Secure coding is often an afterthought

Security is a huge part of every infrastructure and application project. It can't just be ignored or weakly implemented. This results in major losses down the road, and is more costly. What happens when your application or project has a security flaw or is exploited? You lose customers, you lose money, you lose trust, and your reputation is ruined. Surely the cost of a little prevention is worth it.

I can't say I've ever dealt with a project that had an unreasonable time frame for completion. When my boss once demanded I set up a web-based application with an unreasonable time frame I flat out told him "No." I implemented basic filtering and network/firewall restrictions on this web-based system. Lo and behold, a couple of months later, the application's programmers found a flaw that allowed crackers to access the admin panel and steal user data. Since I had implemented restrictions on our server, I saved us from being cracked and having our customers be exploited.

Speak money to a company and they'll usually listen. Tell them that making security a focal point in the beginning often reduces the chance of exploits. Like H1t said, sometimes you can make a security application that can be used in several different projects, and that saves a lot of time and money.
caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue Jan 11, 2011 3:20 pm

Re: Secure coding is often an afterthought

I agree with Empires89!

To answer Synquell's question: I get a very, very good response from people for my "Lunch and Hack". But it needs to be really interesting. They don't want to study like us...

I found that doing a "real" demo, like scanning their own machines or querying the whois database for the company info interests them a lot. But strangely, hacking a web server on a VM on my laptop gets much less interest. Go figure! It needs to be visual and entertaining.

I guess it's like a magician show. Who cares what the trick is, we want to be blown away!
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
