Coming into a code base can be overwhelming. Taking responsibility for the security of a project can be truly terrifying. This talk will describe a set of common scenarios for a project, and how to counteract them. Hopefully, this will help to move your codebase and project to a state where you will be more prepared to handle incoming vulnerability reports. They are down-to-earth everyday scenarios, illustrated by real world software projects and security incidents. Some of the stories are well known, some are anonymized to protect the innocent.

1. @pati_gallardo

2. Make it Fixable
Living with Risk
Patricia Aas
Paranoia by Watchcom 2017
@pati_gallardo

3. Who am I? @pati_gallardo

4. Patricia Aas
Programmer - mainly in C++ and Java
Currently : Vivaldi Technologies
Previously : Cisco Systems, Knowit, Opera Software
Master in Computer Science
Twitter : @pati_gallardo

5. Security is Hard @pati_gallardo

6. Just Remember :
- You live in the real world
- Take one step at a time
- Make a Plan
@pati_gallardo

7. You Need A Security
“Hotline”
security@company.com
Symbiotic relationship
Be polite
Be grateful
Be professional
Be efficient and transparent @pati_gallardo

8. Risk Management - Make it Fixable
- Unable to Roll Out Fixes
- No Control over Dependencies
- The Team is Gone
- It’s in Our Code
- My Boss Made Me Do It
@pati_gallardo

9. Unable to Roll Out Fixes @pati_gallardo

10. Unable to
Roll out Fixes
● Relying on User Updates
● Unable to Build
● Unable to Deploy
● Regression Fear
● No Issue Tracking
● No Release Tags
● No Source
● Issue in infrastructure
@pati_gallardo

11. Internet of Things
Toys: My Friend Cayla, i-Que
Intelligent Robots, Hello Barbie
Mirai: Botnets created with IOT
devices, users don’t update
“Shelfware”
No Maintenance contract
Abandonware
Closed source - no way to fix/fork
@pati_gallardo
Unable to Roll Out Fixes.

12. Fix : Ship It!
Code
● Get the Code
● Use Version Control
● Keep Build Environment
● Write Integration Tests
Holy Grail : Auto Update
Configuration Management
● Have Security Contact
● Track issues
● Make a Deployment Plan
● Control Infrastructure @pati_gallardo

13. Internet of Things
- Auto-update
- Different default passwords
- Unboxing security
“Shelfware”
- Get maintenance contract
- Change supplier
- Do in-house
- Use only Open Source Software
@pati_gallardo
Fix : Ship It!

14. No Control over Dependencies @pati_gallardo

15. No Control over
Dependencies
● Too Many Dependencies
● Frameworks are Abandoned
● Libraries Disappear
● Insecure Platform APIs
● Insecure Tooling
● End-of-Life OS (Windows)
● Licenses expire/change
● Known Issues not Fixed
● OS Not Updated (Android)
@pati_gallardo

16. Stagefright
Bugs in the multimedia library on
android
Heartbleed
Bug in openssl
Left-Pad
Developer unpublished a mini-Js
library
@pati_gallardo
No Control over Dependencies

17. Fix: Control It!
Be conservative
● Is it needed?
● Do you understand it?
Goal : Dependency Control
Be cautious
● Audit your upstream
● Avoid forking
● Have an upgrade plan
● Have someone responsible @pati_gallardo

18. Stagefright
- Workaround in apps calling
into stagefright
Heartbleed
- Control over production
environment
Left-Pad
- Removing unnecessary
dependency
@pati_gallardo
Fix: Control It!

19. The Team is Gone @pati_gallardo

20. The Team Is Gone
● Team were consultants
● They were downsized
● The job was outsourced
● “Bus factor”
● “Binary blob”
● Abandonware
@pati_gallardo

21. @pati_gallardo
“Public Sector”
- Leaves the code with
subcontractor
- No build environment
- Third-party access to
production environment
Abandoned frameworks
- Framework interdependency
- Unable to upgrade
- Known bugs
The Team is Gone

22. Fix : Own It!
Take it on yourselves
● Build competence in-house
● Fork, take control
● “Barely Sufficient” Docs
● Ship It and Control It
Goal : Regain Control
Outsource
● Maintenance Contract
● Add Security Clause
● Own deployment channel
@pati_gallardo

23. Fix : Own It!
“Public Sector”
- Backsourcing - Bring back
work previously outsourced
Abandoned frameworks
- Replace with equivalent (OSS)
- Remove dependency
- Fork
@pati_gallardo

24. It’s in Our Code @pati_gallardo

25. It’s in Our Code
● Injection
● Exploited crash etc
● Debug code in production
● Server compromised
● Outdated platform
● Intercepted traffic
● Mined local data
● Good old fashioned BUG
@pati_gallardo

26. REMA 1000 Æ App
- Reporter: Hallvard Nygård
(@hallny)
- All user data could be
retrieved
- Badly handled report
- “Bug” (Lack of security) in App
BEST CASE SCENARIO@pati_gallardo
It’s in Our Code

27. Fix : Live It!
Prevent
● Sanitize your input
● Send crash reports
● Code review + tests
● Review server security
● Encrypt all traffic
● Review local storage
● Work around old platform
● Sign and check
Goal : Prevent & Cure
Cure
● Ship it! @pati_gallardo

28. Browsers are very experienced
- But boring ;)
gitlab.com
- “rm -rf”
- Sysadmin maintenance
- Cascading errors as backups
fail
- All logged Publicly in real
time
Transparency@pati_gallardo
Fix : Live It!

29. My Boss Made Me Do It @pati_gallardo

30. My Boss Made Me Do It
The Feature
is the Bug
How?
● Security Problem
● Privacy Problem
● Unethical
● Illegal
@pati_gallardo

31. Capcom's Street Fighter V
- Installed a driver
- “anti-crack solution”
“...disables supervisor-mode
execution protection and then
runs the arbitrary code passed in
through the ioctl buffer with
kernel permissions..”
- Reddit user extrwi
@pati_gallardo
My Boss Made Me Do It

32. Fix : Protect It!
Prevent : Protect your team
● Workers rights
● Build trust
Goal : Protect your user
Cure : Protect your company
● Find a Powerful Ally
● Do Risk Analysis : Brand
Reputation, Trust
● Use the Law
LAST RESORT : Whistleblowing & Quitting @pati_gallardo

33. Statoil
- Internal reports of security
incidents after outsourcing
- Only public after serious IRL
incidents
Nødnett
- Transitive outsourcing
- National Security
These are often the Unsung Heros
(Last Resort : Edward Snowden)@pati_gallardo
Fix : Protect It!

34. Ship It, Control It, Own It, Live It
@pati_gallardo
Protect It

35. Security is Hard
Protect Your User
@pati_gallardo

36. Make it Fixable
Living with Risk
Patricia Aas, Vivaldi Technologies
@pati_gallardo
Photos from pixabay.com

37. Designing the User Experience of Security @pati_gallardo

38. The Users Won’t Read
Error blindness
Most users will mentally erase
permanent error notifiers - they
won’t read
“Just click next”
Most users will accept the defaults
- they won’t read
“Make it go away”
The user will try to make the error
dialog go away - they won’t read
@pati_gallardo

39. Fix : Less is More
Don’t leave it to the user
Just do the right thing, you don’t
have to ask
Have good defaults
Make sure that clicking next will
leave the user in a good place
Be very explicit when needed
If the user is in a “dangerous”
situation - design carefully and if
you have to explain : use language
the user can understand
@pati_gallardo

40. They Trust You
With Personal information
They trust you to protect them from
both hackers and governments
With Data
They trust you to protect their
pictures, documents, email ...
With Money
They trust you to protect their
payment information and passwords
@pati_gallardo

41. Fix : Be Trustworthy
Only store what you have to
Try to use end-to-end encryption,
so that even you don’t have access.
Otherwise, encrypt as much as you
can
Back up everything
Your users can’t afford to lose
their baby pictures
Use third party payment
Avoid having responsibility for
their money
@pati_gallardo

42. The Spaces We Create Online Are REAL
@pati_gallardo

43. Protect Your User - Be a Force For Good
@pati_gallardo

44. Make it Fixable
Living with Risk
Patricia Aas, Vivaldi Technologies
@pati_gallardo
Photos from pixabay.com