everything we know about web security is wrong at app sec usa

speaker: Eoin Keary

As an industry, we are very busy but things don’t seem to be getting better. Big companies are hacked. If we have the brainpower and the budget, why aren’t things improving?

Asymmetric arms race

  • like the bear. you don’t need to outrun the bear, just the guy behind you.
  • You may be secure at any given time. But it’s like a treadmill. Things change

Too many variables and too limit time to ensure “real” security. Many attacks go after the business logic.

Current state

  • 10 men years of development and two weeks of ethical hacking
  • Testing targets 80-90% coverage.

“Risk comes from not knowing what you’re doing” – Warren Buffet

Testing is time limited. Tools give false positives so still need to investigate output. Code is pushed frequently. The value of the pen test drops because the code no longer matches that test.

Most tools cant scan for DOM/XSS. See DOM XSS Test Cases,

Robots are good at detecting known unknowns. Humans are good at detecting unknown unknowns.

We eat cheeseburger until the doctor says you are going to get a heart attack. We write insecure code until we get hacked.

Tool: https//github.com/jeremy long/DependencyCheck

We can’t improve what we can’t measure.. Risk changes depending on context. Just because it is XSS, doesn’t automatically make it high. Maybe it is on a page only one person can access.

My take
Nice analogies. It felt a bit like preaching to the choir though. I had trouble finding the organization in the presentation (hence the lack of organization in this blog post). In hindsight, I should have guessed this given the lengthy abstract. Also some of the “new” things were in earlier preentation. I left half an hour in. Possible the second half was better.

Leave a Reply

Your email address will not be published.