Security Code Reviews

Code Project, The Lounge. 17 posts, 7 posters. Tags: security, question, code-review
Lost User wrote:

CdnSecurityEngineer wrote:

How many of you take time to perform a security code review at your organization?

"Take time"? What kind of concept is that? We have a planning, and like most, always short on time. Having worked at different companies, I can state that one out of five reserved time to discuss, review and implement the correct strategies. The rest encoded their passwords using UTF32 (don't get me started, search the soapbox) and considered "Windows authentication" as being insecure (and hence used "mixed mode").

CdnSecurityEngineer wrote:

Or include any kind of formal security practice at all

Most important is the time-to-market (to beat the competition), a sexy UI, and to promise that extra feature that will never be used. "Normalizing a database" is no longer considered "normal", but a time-waster. If you can't click together a website in two days, you're out :)

Bastard Programmer from Hell :suss: If you can't read my code, try converting it here[^]

CdnSecurityEngineer, post #5:

Eddy Vluggen wrote:

"Take time"? What kind of concept is that? We have a planning, and like most, always short on time

Of course... who doesn't, and that's really what's wrong with corporate culture today. It's a battle I fight daily (and I work for a security company). The balance is though, if you don't take the time, spend a little money, and you get hacked, is the outcome worth it? So what's more expensive: catching security defects early, or getting hacked & suffering a data breach?

Eddy Vluggen wrote:

The rest encoded their passwords using UTF32 (don't get me started, search the soapbox) and considered "Windows authentication" as being insecure (and hence used "mixed mode").

I think I just had a stroke!

Eddy Vluggen wrote:

Most important is the time-to-market (to beat the competition), a sexy UI, and to promise that extra feature that will never be used

Until you suffer a data breach, lose users' sensitive information at best, or have an attacker steal users' info and further harm your users, can you say lawsuit?
Lost User, post #6:

CdnSecurityEngineer wrote:

Of course... who doesn't, and that's really what's wrong with corporate culture today.

It's the idea that it's a trade-off. It isn't. Either you make a good product, or you're building shit.

CdnSecurityEngineer wrote:

I think I just had a stroke!

Don't. You'd end up in a hospital, and God knows where they had their system built.

Bastard Programmer from Hell :suss: If you can't read my code, try converting it here[^]
CdnSecurityEngineer wrote (original post):

How many of you take time to perform a security code review at your organization? Or include any kind of formal security practice at all. I am most interested in hearing from young start-up companies, but any comments are certainly welcome. http://securityblog.howellsonline.ca/2013/02/securityreview/[^]

Mycroft Holmes, post #7:

Hah, I live behind the firewall, someone else's problem :laugh: :laugh: :laugh:

Never underestimate the power of human stupidity RAH
CdnSecurityEngineer, post #8:

Mycroft Holmes wrote:

Hah, I live behind the firewall, someone else's problem

Great, what happens when you write or someone else writes an application that exposes a security risk, or you use insecure code? :D. There's lots that firewalls don't protect you from ;)
CdnSecurityEngineer wrote:

Sure Jason, http://securityblog.howellsonline.ca/2013/02/securityreview/[^]

LloydA111, post #9:

I think he was being sarcastic.

CdnSecurityEngineer, post #10:

I know LOL!
Espen Harlinn, post #11:

Hmm, I vented a bit of frustration on the subject here[^]. Security is a mess, just have a look at the OWASP Top 10 2010[^] - and the top 10 for 2012 will look just about the same.

CdnSecurityEngineer wrote:

Until you suffer a data breach, lose users' sensitive information at best, or have an attacker steal users' info and further harm your users, can you say lawsuit?

On average, it takes about 156 days before a breach is even detected, so if you're an average joe - will you call up your customer and tell him that you've f**ked up, and that he should pay you to fix it? That average obviously does not include those breaches that go undetected, which I suspect is most of them.

CdnSecurityEngineer wrote:

can you say lawsuit

Usually all involved parties will want to play hush, hush - in the belief that doing anything else will hurt business, friendships, etc., which may be true in the short term. The world's most common password policy is to set expiration to never, and that says a lot ... I once tried to post a question on the "Ruby on Rails: Talk" group about how to set up Rails with integrated security on Windows - and as far as I'm able to determine it was moderated away - and I was asking nicely. Perhaps it was a stupid question, or is it that Rails doesn't support integrated security on Windows? :-\

Espen Harlinn, Principal Architect, Software - Goodtech Projects & Services AS. "Projects promoting programming in 'natural language' are intrinsically doomed to fail." Edsger W. Dijkstra
Espen Harlinn, post #12:

CdnSecurityEngineer wrote:

There's lots that firewalls don't protect you from

Like colleagues downloading a new cool game they just found for free, or the latest Adobe CS torrent with an accompanying keygen ...

Espen Harlinn, Principal Architect, Software - Goodtech Projects & Services AS. "Projects promoting programming in 'natural language' are intrinsically doomed to fail." Edsger W. Dijkstra
jschell, post #13:

Eddy Vluggen wrote:

It's the idea that it's a trade-off. It isn't. Either you make a good product, or you're building sh*t.

No. First, it isn't black and white. For example, one might know that they need to protect the password but still attempt to encrypt it. Second, corporations do not live or die based on quality. Rather it is based on sales. Although there have been some companies that failed due to security problems, those examples are few and far between (myself, I only know of one.)
Lost User, post #14:

jschell wrote:

For example, one might know that they need to protect the password but still attempt to encrypt it.

One would also assume a "quick Google", and it'd be hard to ignore the term "salt".

jschell wrote:

Second, corporations do not live or die based on quality. Rather it is based on sales.

That explains why marketing is such a hot item.

jschell wrote:

Although there have been some companies that failed due to security problems, those examples are few and far between (myself, I only know of one.)

It's hardly a problem for Twitter to lose the account information of a somewhat large portion of their user base.

Bastard Programmer from Hell :suss: If you can't read my code, try converting it here[^]
CdnSecurityEngineer, post #15:

Yes, you certainly have vented. There's got to be a good way to educate the development community to become more security aware! I mean secure features != secure code. However, too much of the world seems to think that way. I started blogging here: http://securityblog.howellsonline.ca/2013/02/indepth-cross-site-scripting/[^] Sharing some ideas. But I don't know!
Espen Harlinn, post #16:

CdnSecurityEngineer wrote:

Sharing some ideas. But I don't know!

Keep it up :-D

CdnSecurityEngineer wrote:

there's got to be a good way to educate the development community

Before you can educate the programming community, you need to educate management. They need to get the idea that they are, or rather the company is, in fact often legally responsible - and that when the sh*t hits the fan the costs may reach astronomical figures, depending on who your customers are, the severity of the case, and under what agreement your company did the work. Management reads and understands legal agreements just as often as developers read and understand the assembly code for the BIOS, meaning: not all that often. What I don't figure is how shareholders think: how can a person with a maximum attention span of 5 minutes, and who is by the way proud of it, be trusted to run something as complex as a corporation?

Espen Harlinn, Principal Architect, Software - Goodtech Projects & Services AS. "Projects promoting programming in 'natural language' are intrinsically doomed to fail." Edsger W. Dijkstra
CdnSecurityEngineer, post #17:

Espen Harlinn wrote:

What I don't figure is how shareholders think: how can a person with a maximum attention span of 5 minutes, and who is by the way proud of it, be trusted to run something as complex as a corporation?

LMAO! So true, I have had one too many a manager & CEO like this.

Espen Harlinn wrote:

They need to get the idea that they are, or rather the company is, in fact often legally responsible - and that when the sh*t hits the fan the costs may reach astronomical figures, depending on who your customers are, the severity of the case, and under what agreement your company did the work.

Not many companies get it & managers really get it. I think this is especially prevalent in the tech start-up industry, or where start-ups are coming and going; everyone figures we'll get to it later and hopes for the best. Before I got some learning (& no, I don't mean university) I wrote some pretty terrible, security-vulnerable code for start-ups. I shudder to think that it's still in production, or that some of them are actually using what I wrote. This problem is all too common. Even our colleges and universities do a poor job of teaching secure code and secure coding techniques to their students, and therefore the vast majority of them know nothing of it. The reason to educate the dev community is that it's the devs that are eventually going to make it to manager! *shudder* So if they're not thinking about it now! Ugh. It'll be never!
                            Reply
                            • Reply as topic
                            Log in to reply
                            • Oldest to Newest
                            • Newest to Oldest
                            • Most Votes


                            • Login

                            • Don't have an account? Register

                            • Login or register to search.
                            • First post
                              Last post
                            0
                            • Categories
                            • Recent
                            • Tags
                            • Popular
                            • World
                            • Users
                            • Groups