Software Security Austerity
Security Debt in Modern Software Development
Ollie Whitehouse, Associate Director, NCC Group
Agenda

•Introduction
•Software Security Debt
•Debt Management
•Conclusions
Before we begin…

metaphor abuse warning!

… before we begin part 2…

there is a white paper available
Security debt
Technical debt

"Shipping first time code is like going into debt. A little debt speeds development so long as it is paid back promptly with a rewrite. The danger occurs when the debt is not repaid. Every minute spent on not-quite-right code counts as interest on that debt."
Security debt…

• Present in all software
• Analogous to development and bugs
    • security is just a type of bug
• Analogous to development and tech debt
• The trade-off between
   • fix everything and ship nothing
   -versus-
   • fix only the critical
   -versus-
   • real world business
Security debt…

• You get good…
• … you get a new problem

• Too many vulnerabilities!

• You focus on just the critical / serious
• … the low / medium mountain grows
Security debt – types?

• Known – identified, but yet to be addressed
• Unknown – latent issues yet to be discovered
Security debt – source?

• Self – my development
• Supply chain – my outsourced development
• Dependency – COTS component use without formal support
Security debt and SDLs

• SDL does not mean 0 debt
• SDL means known security debt
   • with a repayment plan
• No SDL means latent security debt
   • with no repayment plan
• SDL means more bugs than resources
   • quite quickly / in the short to medium term
• SDL means accelerated discovery
   • you get too good
Security debt and SDLs

• Why accelerated discovery?
   • requirements reviews
   • static code analysis
   • manual code analysis
   • automated testing (fuzzing)
   • increased awareness and knowledge
   • root cause analysis and variations
Accruing debt based on risk

• Financial cost versus
    • Revenue
    • Cost of a response incident
    • Brand impact
    • Liability
• Time cost versus
    • Resources
    • Time to market
    • Financial costs
Accruing debt based on risk

• Impact versus
    • Discovery
    • Mitigations
    • Complexity and prerequisite conditions
    • Access requirements
    • Market expectation
Latent debt resilience

• Latent debt will always exist
    • through own activities
    • through suppliers
    • through dependencies
• The need to feed upstream
• The need to build resilient software
Debt Management
Why we care

• Client expectation
• Regulatory requirements
• Increasing cost of debt
• Attacker capability evolution
• Increased external focus
Assigning interest rates to security debt

• Interest rate = Priority
• Priority = risk
• Risk = informed
Assigning interest rates to security debt

Threat = f(Motivation, Capability, Opportunity, Impact)

Assigning interest rates to security debt

DREAD (Damage, Reproducibility, Exploitability, Affected users, Discoverability)

Assigning interest rates to security debt

CVSS (Common Vulnerability Scoring System)
Assigning interest rates to security debt

• Impact
• Distribution
• Disclosure
• Likelihood of discovery
• Presence of mitigations
• Complexity of exploitation
• Access requirements
• Customer expectation
Repayment – New version requirements
Repayment – Severity prioritization


• Next release (any type)
• Next release (major version)
• Next release +1 (any type)
• Next release +2 (any type)
• Next release +3 (any type)
Repayment – Percentage reduction

Severity   Percentage to be resolved
Critical   100%
Serious    50%
Moderate   30%
Low        20%
Other      0 to 5%
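As an added worked example (not from the slides and not NCC Group tooling), the following Python script puts the "interest rate = priority = risk" idea and the percentage-reduction table together into a small release planner. It scores each open finding from the factors listed on the "Assigning interest rates" slide using DREAD-style weights that are this example's own assumption, derives a severity band from the score, and then applies the repayment percentages to decide what the next release must resolve. Findings already deferred three releases (the "next release +3" slot) are forced into the release regardless of severity, which is how the example models forced repayment and debt expiry; the 5% used for "Other" and the backlog entries themselves are constructed sample values.

```python
"""Security-debt release planner: a constructed example, not NCC Group tooling.

Each open finding gets an 'interest rate' (priority score) from the factors
listed on the slides, a severity band from that score, and the per-severity
repayment percentages then decide what the next release must resolve.
"""
import math
from dataclasses import dataclass

SEVERITIES = ["Critical", "Serious", "Moderate", "Low", "Other"]

# Repayment table from the slides: share of open findings per severity that the
# next release must resolve. The slide gives "0 to 5%" for Other; 5% is assumed.
REPAYMENT_PCT = {"Critical": 1.00, "Serious": 0.50, "Moderate": 0.30,
                 "Low": 0.20, "Other": 0.05}

# Assumption: "next release +3" is the last deferral slot on the slides; a
# finding deferred that many times is forced into the next release (debt expiry).
MAX_DEFERRALS = 3


@dataclass
class Finding:
    id: str
    impact: int                # 1..10 damage if exploited
    distribution: int          # 1..10 how widely the affected code is shipped
    disclosed: bool            # publicly disclosed?
    discoverability: int       # 1..10 likelihood someone else finds it
    mitigated: bool            # compensating control in place?
    complexity: int            # 1..10 effort to exploit (10 = hardest)
    access: int                # 1..10 access required (10 = most privileged)
    customer_expectation: int  # 1..10 how strongly customers expect a fix
    age_releases: int = 0      # releases it has already been deferred


def interest_rate(f: Finding) -> float:
    """Priority score in 0..100. Weights are this example's assumption, in the
    spirit of DREAD: what makes the debt cheaper to exploit raises the rate;
    mitigations and high access requirements lower it."""
    score = (f.impact * 3.0
             + f.distribution * 2.0
             + f.discoverability * 2.0
             + (11 - f.complexity) * 1.5
             + (11 - f.access) * 1.0
             + f.customer_expectation * 0.5)
    if f.disclosed:
        score *= 1.25  # public disclosure: the interest compounds faster
    if f.mitigated:
        score *= 0.6   # a mitigation buys time, it does not repay the debt
    return min(100.0, round(score, 1))


def severity(rate: float) -> str:
    """Map a score onto the severity bands used by the repayment table."""
    if rate >= 80:
        return "Critical"
    if rate >= 60:
        return "Serious"
    if rate >= 40:
        return "Moderate"
    if rate >= 20:
        return "Low"
    return "Other"


def plan_release(findings):
    """Split the backlog into what the next release resolves and what it defers."""
    buckets = {s: [] for s in SEVERITIES}
    for f in findings:
        buckets[severity(interest_rate(f))].append(f)
    resolve, defer = [], []
    for sev in SEVERITIES:
        items = sorted(buckets[sev], key=interest_rate, reverse=True)
        # floor: a tier owing less than one whole finding owes none this release
        quota = math.floor(len(items) * REPAYMENT_PCT[sev])
        for i, f in enumerate(items):
            forced = f.age_releases >= MAX_DEFERRALS
            (resolve if i < quota or forced else defer).append(f.id)
    return {"resolve": resolve, "defer": defer}


# Constructed sample backlog (not real findings).
SAMPLE_BACKLOG = [
    Finding("A", 9, 9, True, 8, False, 3, 2, 8),                     # disclosed, easy: Critical
    Finding("B", 7, 6, False, 5, False, 5, 5, 5),                    # Serious
    Finding("C", 7, 6, False, 5, True, 5, 5, 5),                     # same as B but mitigated: Low
    Finding("D", 4, 3, False, 3, False, 8, 8, 3, age_releases=3),    # Low, deferred 3 times
    Finding("E", 1, 1, False, 1, False, 10, 10, 1, age_releases=3),  # Other, deferred 3 times
    Finding("F", 8, 5, False, 6, False, 4, 4, 6),                    # Serious, outranks B
    Finding("G", 5, 4, False, 4, False, 6, 6, 4),                    # Moderate
]


def demo_plan():
    return plan_release(SAMPLE_BACKLOG)


if __name__ == "__main__":
    for f in SAMPLE_BACKLOG:
        r = interest_rate(f)
        print(f"{f.id}: rate={r:5.1f} severity={severity(r)}")
    print(demo_plan())
```

The quota uses floor rather than ceiling on purpose: a tier with two Low findings and a 20% target owes nothing this release, which is exactly how the low/medium mountain on the earlier slide grows. The age-based forcing rule is the counterweight, so that a finding cannot be deferred indefinitely; on the sample backlog it is what pulls D and E into the release while the higher-scored but younger B, C and G are deferred.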
Repayment – Forced
Debt Expiry
Debt Overhang

• Stewart Myers' paper (1977) ‘Determinants of Corporate Borrowing’
• Debt mountain equals death by a thousand cuts
• Leading to inability to accrue more security debt
• Leading to slower innovation
Strategic Debt Restructuring
Bankruptcy
Non Repayment – Consequence Planning

"We may be at the point of diminishing returns by trying to buy down vulnerability," the general observed. Instead, he added, "maybe it's time to place more emphasis on coping with the consequences of a successful attack, and trying to develop networks that can 'self-heal' or 'self-limit' the damages inflicted upon them."
Conclusions

• Zero debt is not good business practice
• SDLs enable debt discovery and repayment
• A pure risk approach allows the mountain to grow
• Outsourcing carries risk of larger latent debt
• A mature model is to understand and plan payment
• … while educating upstream
• … while paying down the mountain
• … while still using risk
Thanks! Questions?

Ollie Whitehouse
ollie.whitehouse@nccgroup.com

UK Offices: Manchester (Head Office), Cheltenham, Edinburgh, Leatherhead, London, Thame
North American Offices: San Francisco, Atlanta, New York, Seattle
Australian Offices: Sydney
European Offices: Amsterdam (Netherlands), Munich (Germany), Zurich (Switzerland)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 

Software Security Austerity - 44CON 2012

Accruing debt based on risk

• Financial cost versus
   • Revenue
   • Cost of incident response
   • Brand impact
   • Liability
• Time cost versus
   • Resources
   • Time to market
   • Financial costs
Accruing debt based on risk

• Impact versus
   • Discovery
   • Mitigations
   • Complexity and prerequisite conditions
   • Access requirements
   • Market expectation
Latent debt resilience

• Latent debt will always exist
   • through own activities
   • through suppliers
   • through dependencies
• The need to feed upstream
• The need to build resilient software
Why we care

• Client expectation
• Regulatory requirements
• Increasing cost of debt
• Attacker capability evolution
• Increased external focus
Assigning interest rates to security debt

• Interest rate = Priority
• Priority = risk
• Risk = informed
Assigning interest rates to security debt

Threat = f (Motivation, Capability, Opportunity, Impact)
Assigning interest rates to security debt

DREAD (Damage, Reproducibility, Exploitability, Affected users, Discoverability)
Assigning interest rates to security debt

CVSS (Common Vulnerability Scoring System)
Assigning interest rates to security debt

• Impact
• Distribution
• Disclosure
• Likelihood of discovery
• Presence of mitigations
• Complexity of exploitation
• Access requirements
• Customer expectation
Repayment – New version requirements
Repayment – Severity prioritization

• Next release (any type)
• Next release (major version)
• Next release +1 (any type)
• Next release +2 (any type)
• Next release +3 (any type)
Repayment – Percentage reduction

Severity    Percentage to be resolved
Critical    100%
Serious      50%
Moderate     30%
Low          20%
Other        0 to 5%
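The "Assigning interest rates" and "Repayment" slides describe one procedure: rate each open finding (DREAD or CVSS) to set its interest rate, then pay it down by severity band on every release. The Python ledger below is an added example, not code from the talk or from NCC Group. It applies the percentage-reduction policy from the slide above release after release, next to the "fix only the critical" trade-off from the earlier slide, so the low/medium mountain can be watched holding or growing. The DREAD band edges, the folding of CVSS qualitative ratings onto the talk's bands, and the backlog and per-release discovery figures are constructed assumptions, not figures from the talk.

```python
"""Security-debt ledger (added example): score open findings to set their
'interest rate' (priority), then apply a per-release repayment plan and see
what the low/medium mountain does under two policies.

Constructed sample data throughout; the DREAD band edges, the CVSS-to-band
mapping and the inflow figures are assumptions, not taken from the talk."""
from typing import Dict, List, Tuple

# The talk's severity bands, highest first.
SEVERITIES = ["Critical", "Serious", "Moderate", "Low", "Other"]

# "Percentage reduction" slide: share of each band's open findings resolved
# per release (top of the 0-5% range used for Other).
PERCENT_POLICY = {"Critical": 100, "Serious": 50, "Moderate": 30, "Low": 20, "Other": 5}
# The "fix only the critical" trade-off, for comparison.
CRITICAL_ONLY_POLICY = {"Critical": 100, "Serious": 0, "Moderate": 0, "Low": 0, "Other": 0}

DREAD_KEYS = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")


def dread_score(rating: Dict[str, int]) -> float:
    """Classic DREAD: average of the five ratings, each on an assumed 1..10 scale."""
    values = [rating[k] for k in DREAD_KEYS]
    if any(not 1 <= v <= 10 for v in values):
        raise ValueError("DREAD ratings must be in 1..10")
    return sum(values) / len(values)


def severity_from_dread(score: float) -> str:
    """Map a DREAD average onto the talk's bands. The edges are assumptions."""
    if score >= 8.0:
        return "Critical"
    if score >= 6.0:
        return "Serious"
    if score >= 4.0:
        return "Moderate"
    if score >= 2.0:
        return "Low"
    return "Other"


def severity_from_cvss(base: float) -> str:
    """CVSS v3 qualitative ratings (Critical 9.0-10.0, High 7.0-8.9, Medium
    4.0-6.9, Low 0.1-3.9, None 0.0) folded onto the talk's bands. The
    High->Serious, Medium->Moderate and None->Other correspondence is assumed."""
    if not 0.0 <= base <= 10.0:
        raise ValueError("CVSS base score must be in 0.0..10.0")
    if base >= 9.0:
        return "Critical"
    if base >= 7.0:
        return "Serious"
    if base >= 4.0:
        return "Moderate"
    if base >= 0.1:
        return "Low"
    return "Other"


def tally(findings: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count open findings per band. Each finding is (identifier, severity)."""
    counts = {sev: 0 for sev in SEVERITIES}
    for _ident, sev in findings:
        counts[sev] += 1
    return counts


def repay(open_counts: Dict[str, int], policy: Dict[str, int]) -> Tuple[Dict[str, int], Dict[str, int]]:
    """One release: resolve ceil(open * percent / 100) findings in each band.
    Integer ceiling division keeps 30% of 40 at exactly 12 and guarantees that a
    band with any open items and a non-zero percentage gets at least one fix.
    Returns (resolved, remaining)."""
    resolved, remaining = {}, {}
    for sev in SEVERITIES:
        n = open_counts.get(sev, 0)
        fixed = min(n, -(-n * policy[sev] // 100))
        resolved[sev] = fixed
        remaining[sev] = n - fixed
    return resolved, remaining


def simulate(initial: Dict[str, int], inflow: Dict[str, int], policy: Dict[str, int], releases: int) -> Dict[str, int]:
    """Each release cycle: new findings arrive (the SDL's accelerated discovery),
    then the repayment policy is applied. Returns the open count per band."""
    state = dict(initial)
    for _ in range(releases):
        for sev in SEVERITIES:
            state[sev] = state.get(sev, 0) + inflow.get(sev, 0)
        _, state = repay(state, policy)
    return state


def total(counts: Dict[str, int]) -> int:
    return sum(counts.values())


if __name__ == "__main__":
    # Constructed backlog and per-release discovery rate (assumptions).
    backlog = {"Critical": 2, "Serious": 10, "Moderate": 30, "Low": 50, "Other": 20}
    per_release = {"Critical": 1, "Serious": 4, "Moderate": 10, "Low": 15, "Other": 5}
    for name, policy in (("percentage", PERCENT_POLICY), ("critical-only", CRITICAL_ONLY_POLICY)):
        after = simulate(backlog, per_release, policy, releases=3)
        print(f"{name:14s} after 3 releases: {after} total={total(after)}")
```

Run as a script it prints both ledgers after three releases: with the constructed figures the percentage policy holds the backlog at 112 open findings while critical-only lets it climb to 212, which is the "low / medium mountain grows" effect in numbers. The interest rate is the band itself; swap `severity_from_dread` for `severity_from_cvss` depending on which rating scheme feeds the ledger, and adjust `PERCENT_POLICY` to the repayment plan the business actually signs up to.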
Debt Overhang

• Stewart Myers' paper (1977), 'Determinants of Corporate Borrowing'
• Debt mountain equals death by a thousand cuts
• Leading to inability to accrue more security debt
• Leading to slower innovation
Non Repayment – Consequence Planning

"We may be at the point of diminishing returns by trying to buy down vulnerability," the general observed. Instead, he added, "maybe it's time to place more emphasis on coping with the consequences of a successful attack, and trying to develop networks that can 'self-heal' or 'self-limit' the damages inflicted upon them."
Conclusions

• Zero debt is not good business practice
• SDLs enable debt discovery and repayment
• A pure risk approach allows the mountain to grow
• Outsourcing carries risk of larger latent debt
• A mature model is to understand and plan payment
   • … while educating upstream
   • … while paying down the mountain
   • … while still using risk
Thanks! Questions?

UK Offices: Manchester - Head Office, Cheltenham, Edinburgh, Leatherhead, London, Thame
North American Offices: San Francisco, Atlanta, New York, Seattle
Australian Offices: Sydney
European Offices: Amsterdam - Netherlands, Munich - Germany, Zurich - Switzerland

Ollie Whitehouse
ollie.whitehouse@nccgroup.com