DeepSec 2018 Talk: Injecting Security Controls into Software Applications – Katy Anton
“SQL Injection was first mentioned in a 1998 article in Phrack Magazine. Twenty years later, injection is still a common occurrence in software applications (No.1 in latest OWASP Top 10 2017). For the last 20 years, we have been focusing on vulnerabilities from an attacker’s point of view and SQL injection is still King. Something else must be done.”, says Katy Anton.
“What if there is another way to look at software vulnerabilities? Can vulnerabilities be decomposed into security controls familiar to developers? Which security controls are an absolute must-have, and which additional security measures do you need to take into account?
These are hard questions as evidenced by the numerous insecure applications we still have today. Attend this talk to explore security vulnerabilities from a different angle. As part of this talk, we examine how to decompose vulnerabilities into security controls that developers are familiar with and offer actionable advice when to use them in SDLC and how to verify them.
We will flip security from focusing on vulnerabilities (which are measured at the end) to focusing on techniques familiar to developers, which can be applied from the beginning of the software and measured throughout the SDLC.”
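The abstract describes decomposing a vulnerability into a security control that developers already know and then verifying that control. The following added example, not code from the talk or from Katy Anton, does that for the SQL injection case mentioned above: a lookup built by string concatenation sits beside the same lookup using a parameterised query, and a small verification routine shows how a developer could test the control in CI. The table, rows and inputs are constructed for the example.

```python
import sqlite3

# Constructed sample data for the example; not taken from the talk.
USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("o'brien", "obrien@example.com"),
]


def make_db():
    """Builds an in-memory SQLite database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_concat(conn, username):
    """Vulnerable form: untrusted input becomes part of the SQL text itself."""
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, username):
    """Security control: the query shape is fixed and the input is bound as a value."""
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def verify_control(lookup):
    """Verification a developer can run against either lookup function.

    Returns what each probe produced so a test can assert on it:
    - "normal": an ordinary username must still resolve.
    - "apostrophe": a legitimate name containing a quote must not break the query.
    - "tautology": input that alters the WHERE clause when concatenated must
      return no rows when the control is in place.
    """
    conn = make_db()
    results = {}
    results["normal"] = lookup(conn, "alice")
    try:
        results["apostrophe"] = lookup(conn, "o'brien")
    except sqlite3.Error as exc:
        # The concatenated form fails on ordinary data, not only on hostile data.
        results["apostrophe"] = "error: " + type(exc).__name__
    results["tautology"] = lookup(conn, "x' OR '1'='1")
    return results


if __name__ == "__main__":
    for name, fn in (("concatenation", lookup_concat), ("parameterised", lookup_param)):
        print(name, verify_control(fn))
```

The point the verification makes is the one the abstract argues for: the control is measurable at the start of development (a fixed query shape that binds values) rather than only at the end (a scanner finding), and the same three probes can be run on every lookup function in the code base.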
We asked Katy a few more questions about her topic of expertise.
Please tell us the top 5 facts about your talk.
- This talk is about challenging the way we look at vulnerabilities at the moment.
- About extracting the security controls that help prevent these vulnerabilities.
- Identifying when to use these in the software development lifecycle.
- And making them part of the SDLC.
- This talk is about creating the foundation on which further developer education can be built.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
Last year the OWASP Top 10 2017 was released, where the Injection category is still at number 1, despite the fact that we’ve been talking about it for the last 20 years. At that point, for me, it was the realisation that if we continue on the same route, we are at risk of still talking about injection for the next 20 years as well. Something else must be done.
One of the problems is that we (the security professionals) expect developers to talk the security language. On top of their normal job of writing software, we expect them to know how to fix security vulnerabilities.
But can we, the security professionals, do something about this? As security practitioners it is our responsibility to help developers to translate security vulnerabilities into security controls they are familiar with and they can use on a regular basis.
Why do you think this is an important topic?
Today, every company is a software company. More and more software is produced, at faster and faster rates. The security aspect of the software is important and this importance will just increase. But we will not be able to produce secure software applications unless we evolve this methodology.
Is there something you want everybody to know – some good advice for our readers maybe?
Most cyber attacks are not that sophisticated – the attackers will use simple tools and techniques. Implementing basic security controls, and doing so consistently, is the best way to defend against the majority of attacks.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
With an increase in security awareness, there will be an increase in frameworks with security features by default and libraries with security embedded in, making them easier for developers to implement and more difficult to get wrong.
Katy Anton is a security professional with a background in software development. An international public speaker, she enjoys speaking about secure coding and how to secure software applications. In her previous roles she led software development teams and implemented security best practices in software development life cycles. As part of her work she got involved in the OWASP Top Ten Proactive Controls project, which she joined as project leader. In her current role as Principal Application Security Consultant at CA Technologies | Veracode, Katy works with security teams and software developers around the world and helps them secure their software.