insecurity in informaton technology
play

Insecurity in Informaton Technology Tanya Janca - PowerPoint PPT Presentation

Jun 19, 2023 •177 likes •1k views

Insecurity in Informaton Technology Tanya Janca Tanya.Janca@owasp.org OWASP Otawa Chapter Leader OWASP DevSlop Project Leader @SheHacksPurple About Me The Im Qualifed Slide Tanya Janca: Applicaton security evangelist, web

  1. Insecurity in Informaton Technology Tanya Janca Tanya.Janca@owasp.org OWASP Otawa Chapter Leader OWASP DevSlop Project Leader @SheHacksPurple

  2. About Me The “I’m Qualifed” Slide Tanya Janca: Applicaton security evangelist, web applicaton penetraton tester and vulnerability assessor, trainer, public speaker, ethical hacker, OWASP Otawa chapter leader, OWASP DevSlop project leader, efectve altruist, sofware developer since the late 90’s. I’m extremely concerned about applicaton security, and you should be too. Let me tell you more.

  3. Thesis: People make stupid decisions when they feel insecure. Confict between security and development makes some people (employees) feel insecure. When this happens, insecure sofware is ofen the result. Changes are required to solve this problem.

  4. Warning: This is not a talk about “feelings”. This talk is about the botom line, getng the job done, and making sofware secure. However, it might get uncomfortable at tmes. Try not to feel too defensive.

  5. The Fine Print: Although I relay all examples in the frst person, as though I was there, these are not all my personal examples. They are from multple members of the InfoSec community.

  6. Talk Outline: • Problem(s) • Soluton(s)

  7. Problem: The way many IT shops are run can create feelings of job insecurity in employees.

  8. Security testng is performed so late in the game that developers 1) Don’t fx anything 2) Resent security for presentng last minute challenges

  9. Developers • Do security testng without the security team, making them feel unrequired. • Don’t cooperate with the security team to enable security testng, claiming they have no tme/jimplying security is low priority. • Ignore security advice from security reports and do not implement any or most of the mitgatons. • Do not take/jask for advice from the security team.

  10. Security The security team quotes policies at developers, or sends them an unvalidated 500 page report.

  11. Security Team • Does not give usable security guidance to the developers when asked. • Acts or is seen as a gate, slowing down the SDLC. • Adds project requirements without explanaton, “because security”. • When revealing issues, they make developers feel incompetent.

  12. All of this creates the feeling of insecurity about people’s jobs and how to do them well. This leads to: • deviant behaviour, • moral disengagement, • reduced job involvement, • risk taking behavior, and • reducton of organizatonal citzenship behavior (positve workplace actvity and involvement).

  13. All of this bad behavior leads to insecure sofware. Is everyone on board with this? Questons? Are we on the same page? More examples?

  15. The Plan: 1. Support dev and sec team with processes, training, and resources so they can confdently get the job done. 2. Repair relatonship. 3. Do not accept ‘bad’ behavior anymore.

  16. 1

  17. 1 Pushing Lef, Like a boss! Requirements Design Code Testng Release Requirements Design Code Testng Release Start Security Earlier!

  18. 1

  19. 1

  20. 1

  21. 1

  22. 1

  23. 1

  24. 1 Break security testng into smaller pieces

  25. 1-2

  26. 1-2

  27. 1 1-2 Provide free training to developers

  28. 2

  29. 2

  30. 2

  31. 2 Job Shadowing

  32. 2 Give Developers Security Tools!

  33. 2

  34. 2 OWASP: Your new BFF The Open Web Applicaton Security Project

  35. 3

  36. 3

  37. 3

  38. 3

  39. A message for conferences X No more “we’re screwed” keynotes.

  40. Summary: 1. Support dev and sec team with processes, training, and resources so they can confdently get the job done. 2. Repair relatonship. 3. Do not accept ‘bad’ behavior anymore.

  41. ANY QUESTIONS ? Tanya Janca Tanya.Janca@owasp.org OWASP Otawa Chapter Leader OWASP DevSlop Project Leader @SheHacksPurple

  42. Insecurity in Informaton Technology Tanya Janca Tanya.Janca@owasp.org OWASP Otawa Chapter Leader OWASP DevSlop Project Leader @SheHacksPurple New ITSec drinking game: drink every time someone says machine learning, Artificial Intelligence, or Block chain will fix everything. 1

  43. About Me The “I’m Qualifed” Slide Tanya Janca: Applicaton security evangelist, web applicaton penetraton tester and vulnerability assessor, trainer, public speaker, ethical hacker, OWASP Otawa chapter leader, OWASP DevSlop project leader, efectve altruist, sofware developer since the late 90’s. I’m extremely concerned about applicaton security, and you should be too. Let me tell you more.

  44. Thesis: People make stupid decisions when they feel insecure. Confict between security and development makes some people (employees) feel insecure. When this happens, insecure sofware is ofen the result. Changes are required to solve this problem.

  45. Warning: This is not a talk about “feelings”. This talk is about the botom line, getng the job done, and making sofware secure. However, it might get uncomfortable at tmes. Try not to feel too defensive.

  46. The Fine Print: Although I relay all examples in the frst person, as though I was there, these are not all my personal examples. They are from multple members of the InfoSec community.

  47. Talk Outline: • Problem(s) • Soluton(s)

  48. Problem: The way many IT shops are run can create feelings of job insecurity in employees.

  49. Security testng is performed so late in the game that developers 1) Don’t fx anything 2) Resent security for presentng last minute challenges

  50. Developers • Do security testng without the security team, making them feel unrequired. • Don’t cooperate with the security team to enable security testng, claiming they have no tme/jimplying security is low priority. • Ignore security advice from security reports and do not implement any or most of the mitgatons. • Do not take/jask for advice from the security team.

  51. Security The security team quotes policies at developers, or sends them an unvalidated 500 page report.

  52. Security Team • Does not give usable security guidance to the developers when asked. • Acts or is seen as a gate, slowing down the SDLC. • Adds project requirements without explanaton, “because security”. • When revealing issues, they make developers feel incompetent.

  53. All of this creates the feeling of insecurity about people’s jobs and how to do them well. This leads to: • deviant behaviour, • moral disengagement, • reduced job involvement, • risk taking behavior, and • reducton of organizatonal citzenship behavior (positve workplace actvity and involvement). When people are acting like this, what kind of software are they making? Are they being diligent? Are they going the extra mile? I think not. ** There are many published studies to support these findings that job insecurities lead to these behaviors. 12

  54. All of this bad behavior leads to insecure sofware. Is everyone on board with this? Questons? Are we on the same page? More examples? “Choose your own adventure” books. Make sure it is very clear that we are moving onto the next part of the talk. • The security team has no idea how to give advice on software so they forward long, unreadable security documents that aren’t at all helpful to try to hide the fact that they don’t know. ITSG-33 or NIST example, depending on audience. • Developers try to publish their apps without security seeing them at all. No example required, sadly we’ve all witnessed this. • Security standard or policy published but not announced, developers not consulted or informed • Story of VA teams sending unvalidated reports, wasting developers time and making the sec team appear & feel incompetent • Story of “climb out the window and down the trellis”, extraordinarily poor management example • More examples from various sources, depending on length of time allowed for talk. Story of “we use SAML tokens” (making developer look like a fool in front of client, developer responds in kind) • Story of ridiculously inaccurate and vague web app standard (XSS and CSRF addressed with same mitigation and errors) published by sec team with no notifcation at all to the dev team 13

  55. Make sure audience switches gears with you that this is the second part of the talk. 14

  56. The Plan: 1. Support dev and sec team with processes, training, and resources so they can confdently get the job done. 2. Repair relatonship. 3. Do not accept ‘bad’ behavior anymore. 1)training, tools, standards, processes (appsec program & team) 2)Repair relationship (co-locate, team building, etc) 3)speak out and punish bad behavior, managers set good examples 15

  57. 1 If you do not have an application security team (the part of the security team that knows software and talks to developers), get one. Now. Run, don’t walk. If you work in an enterprise sized business it is not acceptable to not have one, even if you have to lure security-minded developers to your team in order to staff it. AppSec is the cause of approximately a quarter of security incidents, why aren’t you spending a quarter of your security budget on it? 16

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Outline Atlanta, GA What is food insecurity? Food Insecurity in Why we care about

Outline Atlanta, GA What is food insecurity? Food Insecurity in Why we care about

2010 MOWAA Annual Conference and EXPO Outline Atlanta, GA What is food insecurity? Food Insecurity in Why we care about food insecurity? Older Americans: What are barriers to achieve food security? What are the consequences of

290 views • 4 slides
Increases in Food Insecurity due to COVID-19: What Can be Done? Craig Gundersen University of

Increases in Food Insecurity due to COVID-19: What Can be Done? Craig Gundersen University of

Increases in Food Insecurity due to COVID-19: What Can be Done? Craig Gundersen University of Illinois ACES Distinguished Professor Department of Agricultural and Consumer Economics Defining Food Insecurity A households food insecurity

363 views • 35 slides
Food Insecurity Statistics Orange County 12.7% of households are food insecure There are

Food Insecurity Statistics Orange County 12.7% of households are food insecure There are

Food Insecurity Statistics Orange County 12.7% of households are food insecure There are 349,690 people living with food insecurity 1 in 5 children face food insecurity Source: (Feeding America. Map the Meal Gap 2013.) Child Poverty

554 views • 23 slides
OF FOOD INSECURITY Evaluating the level and dynamics of Ph.D. Qualifier: food insecurity Mame

OF FOOD INSECURITY Evaluating the level and dynamics of Ph.D. Qualifier: food insecurity Mame

Evaluate the LEVEL AND DYNAMICS OF FOOD INSECURITY Evaluating the level and dynamics of Ph.D. Qualifier: food insecurity Mame Zewga PROMOTER: Vector Jetten Mame Zewge Co-PROMOTERS: Dr. Ettema Janneke Dr. Dereje Meshesha Outline

578 views • 18 slides
Natural Language Processing Lecture 6: Informaton Theory; Spelling, Edit Distance, and Noisy

Natural Language Processing Lecture 6: Informaton Theory; Spelling, Edit Distance, and Noisy

Natural Language Processing Lecture 6: Informaton Theory; Spelling, Edit Distance, and Noisy Channels Language Models Ngram models seem limited Must be something beter What about grammar/semantcs? But we care more about ranking

347 views • 22 slides
Food Deserts in Our Community Presented by Micheline Hynes Prevalence of Food Insecurity The

Food Deserts in Our Community Presented by Micheline Hynes Prevalence of Food Insecurity The

Food Deserts in Our Community Presented by Micheline Hynes Prevalence of Food Insecurity The prevalence of food insecurity varied considerably among household types. Rates of food insecurity were higher than the national average (11.1%) for

298 views • 29 slides
Nutrition Programs for Older Adults Food Insecurity in Older Adults Food Insecurity (USDA): A

Nutrition Programs for Older Adults Food Insecurity in Older Adults Food Insecurity (USDA): A

Nutrition Programs for Older Adults Food Insecurity in Older Adults Food Insecurity (USDA): A household-level economic and social condition of limited or uncertain access to adequate food. As of 2017, 7.3% of older adults in the

258 views • 11 slides
Software Engineering I (02161) Additional Informaton for Programming Assignment 5 Assoc. Prof.

Software Engineering I (02161) Additional Informaton for Programming Assignment 5 Assoc. Prof.

Software Engineering I (02161) Additional Informaton for Programming Assignment 5 Assoc. Prof. Hubert Baumeister Spring 2016 Contents 1 Adding a Command Line Interface to the Library Application 1 1 Adding a Command Line Interface to the

338 views • 6 slides
INFORMATON, ADVICE AND GUIDANCE Paul Rapley Assistant Headteacher Agenda 01 The Gatsby

INFORMATON, ADVICE AND GUIDANCE Paul Rapley Assistant Headteacher Agenda 01 The Gatsby

CAREERS INFORMATON, ADVICE AND GUIDANCE Paul Rapley Assistant Headteacher Agenda 01 The Gatsby Benchmarks for IAG 02 KS4 and KS5 Destinations 03 Careers Information Advice and Guidance at THS 04 Future developments The Gatsby

411 views • 12 slides
Food insecurity and health: Development and initial findings of a community research

Food insecurity and health: Development and initial findings of a community research

Food insecurity and health: Development and initial findings of a community research collaboration Sandi L. Pruitt June 26, 2017 Reduction of food insecurity, particularly at the severe level, is a public health concern and a modifiable

190 views • 15 slides
Stockholm Water Week Water stewardship different ways but same objectives Water insecurity

Stockholm Water Week Water stewardship different ways but same objectives Water insecurity

Stockholm Water Week Water stewardship different ways but same objectives Water insecurity an increasingly dominate factor for sustainable development Drivers of Water insecurity All sectors have a role Non-cooperation makes a bad

346 views • 11 slides
Colloquium 2019 Food Insecurities: Our College Community Responsibility Presented by: Diane

Colloquium 2019 Food Insecurities: Our College Community Responsibility Presented by: Diane

Colloquium 2019 Food Insecurities: Our College Community Responsibility Presented by: Diane Haskins What is Food In Insecurity? FOOD INSECURITY (food insecurity), n. Food insecurity is the limited or uncertain availability of

551 views • 23 slides
CONSTANT INSECURITY: THINGS YOU DIDN'T KNOW ABOUT (PECOFF) PORTABLE EXECUTABLE FILE FORMAT

CONSTANT INSECURITY: THINGS YOU DIDN'T KNOW ABOUT (PECOFF) PORTABLE EXECUTABLE FILE FORMAT

BlackHat USA 2011, Las Vegas Mario Vuksan & Tomislav Pericin, ReversingLabs CONSTANT INSECURITY: THINGS YOU DIDN'T KNOW ABOUT (PECOFF) PORTABLE EXECUTABLE FILE FORMAT Constant Insecurity Maturing Code PE has been on Windows for 18

686 views • 41 slides
Food Insecurity in Africa: the Situation Analysis Situation Analysis Ashraf Shaalan

Food Insecurity in Africa: the Situation Analysis Situation Analysis Ashraf Shaalan

Food Insecurity in Africa: the Situation Analysis Situation Analysis Ashraf Shaalan Ashraf Shaalan Prof. of Biological Anthropology; Vice-president, Academy of Scientific Research and Technology (ASRT), gy ( ), Egypt Outlines

625 views • 59 slides
FOOD INSECURITY WHOS AFFECTED? WHY DOES IT MATTER? Audrey C. McCool, EdD, RDN, LD Learning

FOOD INSECURITY WHOS AFFECTED? WHY DOES IT MATTER? Audrey C. McCool, EdD, RDN, LD Learning

FOOD INSECURITY WHOS AFFECTED? WHY DOES IT MATTER? Audrey C. McCool, EdD, RDN, LD Learning Objectives 2 Session Participants will: Have increased understanding of the extent of food insecurity throughout the U.S. and in their local

803 views • 40 slides
SUSTAINABLE LAND MANAGEMENT IN ETHIOPIA: RESPONSE TO RURAL HOUSEHOLDS TENURE INSECURITY, LAND

SUSTAINABLE LAND MANAGEMENT IN ETHIOPIA: RESPONSE TO RURAL HOUSEHOLDS TENURE INSECURITY, LAND

SUSTAINABLE LAND MANAGEMENT IN ETHIOPIA: RESPONSE TO RURAL HOUSEHOLDS TENURE INSECURITY, LAND DEGRADATION AND FOOD INSECURITY PhD PROPOSAL DEFENSE BICHAYE TESFAYE Supervisors: Prof. Dr. Ir. J.A. Zevenbergen, Dr. Monica Lengoiboni and Dr.

1.71k views • 20 slides
Viterbi Algorithm Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical

Viterbi Algorithm Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical

Viterbi Algorithm Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical Engineering Indian Institute of Technology Bombay October 30, 2015 1 / 33 Encoder State Diagram 1 + D 2 1 + D + D 2 G ( D ) = 1 + D 0/000 v ( 0 )

1.26k views • 33 slides
Code Realizations for Networks Ralf Koetter, Coordinated Science Lab., University of Illinois

Code Realizations for Networks Ralf Koetter, Coordinated Science Lab., University of Illinois

Code Realizations for Networks Ralf Koetter, Coordinated Science Lab., University of Illinois e-mail: koetter@csl.uiuc.edu 2 The network.... . . . ...,Muriel Medard, Tracey Ho, David Karger, Michelle Effros, Gerhard Kramer, Irem

414 views • 37 slides
Recursive Trellis Decoding Techniques of Polar Codes Peter Trifonov ITMO University, Russia June

Recursive Trellis Decoding Techniques of Polar Codes Peter Trifonov ITMO University, Russia June

Recursive Trellis Decoding Techniques of Polar Codes Peter Trifonov ITMO University, Russia June 18, 2020 Peter Trifonov ( ITMO University, Russia) Recursive Trellis Decoding Techniques of Polar Codes June 18, 2020 1 / 18 Outline Polar

525 views • 21 slides
Integrodifferential Hyperbolic Equations and its Application for 2-D Rotational Fluid Flows

Integrodifferential Hyperbolic Equations and its Application for 2-D Rotational Fluid Flows

Integrodifferential Hyperbolic Equations and its Application for 2-D Rotational Fluid Flows Integrodifferential Hyperbolic Equations and its Application for 2-D Rotational Fluid Flows Alexander Chesnokov Lavrentyev Institute of Hydrodynamics

453 views • 31 slides
The Multilevel Change Model James H. Steiger Department of Psychology and Human Development

The Multilevel Change Model James H. Steiger Department of Psychology and Human Development

Introduction The General Polynomial Growth Model A Linear Growth Model An Example Early Childhood Intervention Multilevel Modeling Results Plotting Model Trends Examining Model Assumptions The Multilevel Change Model James H. Steiger

555 views • 41 slides
At UIC Sabri Cetinkunt, Professor Mechatronics Laboratory Department of Mechanical and

At UIC Sabri Cetinkunt, Professor Mechatronics Laboratory Department of Mechanical and

Mechatronics Education At UIC Sabri Cetinkunt, Professor Mechatronics Laboratory Department of Mechanical and Industrial Engineering University of Illinois at Chicago Ph: (312) 996-9611, FAX: (312) 413-0447 Email: scetin@uic.edu Courses:

609 views • 14 slides
Microgrid Layouts Pavol Bauer Learning objectives How can a microgrid be connected to an

Microgrid Layouts Pavol Bauer Learning objectives How can a microgrid be connected to an

Microgrid Layouts Pavol Bauer Learning objectives How can a microgrid be connected to an external upstream grid? What are the possible layouts for microgrids? What are the main differences between these layouts? Simplified

597 views • 10 slides
Model for DUNE MCCs Juergen Reichenbacher, Jason Stock, James Haiston DUNE Data Selection

Model for DUNE MCCs Juergen Reichenbacher, Jason Stock, James Haiston DUNE Data Selection

Radiological Background Model for DUNE MCCs Juergen Reichenbacher, Jason Stock, James Haiston DUNE Data Selection Workshop Penn State, 14-Aug-2018 Synopsis of Simulated Radiological Backgrounds impinging neutron flux 10 -5 cm -2 s -1 1.01

599 views • 12 slides

More recommend