Coding for Security: 5 Things a Bad Guy Wants YOU To Do


This talk applies the Pareto Principle (80/20 rule) to making coding activities more security focused. It presents 5 coding activities a Bad Guy wants you to do so they can attack your enterprise. These 5 “Bad Guy Wants” are validated by threat and vulnerability statistics and represent the key 20% of issues that produce 80% of the effects of exploits.

This talk takes a different approach to secure coding and development. There are many low-level standards for each technology that illustrate hundreds of “secure coding” practices: string-related buffer overflows in C, C++, etc.; bad exception handling practices in nearly every language; the list could go on. The CERT C coding standard for C is a 720-page document with 51 high-level rules.

How can the mere mortal, average developer keep all of this in his or her head, along with all the other concepts associated with each technology they use?

The answer is, THEY CAN’T.

As a result, the average developer and development team largely ignore secure coding, providing the foundation for attacker entry and establishment. This simple list of 5 “Bad Guy Wants” becomes the force multiplier for enhancing security in your application activities.


  • Errata
  • Presenter Credentials & Experiences
  • Why this format/What to expect
  • 5 Coding Mistakes a Bad Guy Wants YOU To Do
  • Q&A


This presentation is short and concise. Typically 30 minutes in length, it can be stretched to an hour. It is optimally presented in a “lunch and learn” format, or alternatively as a lunch and learn with follow-up focused Q&A time.

  • Lunch & Learn – This is a short format (30 min – 1 hr). The core material is presented (short format versions only) along with a brief group Q&A. This format is ideally suited for lunch and learn sessions, conference settings, and other time-limited group/mass scenarios.
  • Lunch & Learn+ – This is the short format presentation, with an additional 1 1/2 hours allocated on-site to work with individuals and groups on specific concerns they may have. This format is suited for the same settings as the Lunch & Learn, but where an organization needs extended, focused Q&A.