Software Security: Is OK Good Enough? OWASP AppSec USA 2011

1,601 views

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,601
On SlideShare
0
From Embeds
0
Number of Embeds
578
Actions
Shares
0
Downloads
10
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Software Security: Is OK Good Enough? OWASP AppSec USA 2011

  1. 1. Software Security: Is OK Good Enough? Appsec USA 2011 September 22, 2011 John B. Dickson, CISSP Denim Group, Ltd. @johnbdickson© Copyright 2011 Denim Group - All Rights Reserved
  2. 2. OWASP AppSec 2011© Copyright 2011 Denim Group - All Rights Reserved 1
  3. 3. OWASP AppSec 2011© Copyright 2011 Denim Group - All Rights Reserved 2
  4. 4. OWASP AppSec 2011© Copyright 2011 Denim Group - All Rights Reserved 3
  5. 5. Personal Background© Copyright 2011 Denim Group - All Rights Reserved 4
  6. 6. Personal Background© Copyright 2011 Denim Group - All Rights Reserved 5
  7. 7. OWASP AppSec 2011© Copyright 2011 Denim Group - All Rights Reserved 6
  8. 8. Software Security: Is OK Good Enough? • Current State of Affairs in Software Security • What we can Learn from Other Justification Models • Potential Software Security Justification Models • Questions and Answers© Copyright 2011 Denim Group - All Rights Reserved 7
  9. 9. Current State of Affairs in Software Security • Testing approaches differ wildly • Incredible amount of energy focused on technical merits and demerits of testing activities – Existing application security scanners identify a subset of vulnerabilities in applications – 30-40% Coverage level is accepted norm – SQL injection/XSS – yes – Authorization & business logic – not so much© Copyright 2011 Denim Group - All Rights Reserved 8
  10. 10. 1996 Network Security Question? Firewall?© Copyright 2011 Denim Group - All Rights Reserved
  11. 11. 2011 Application Security Question? I’ve run my Automated SQL Injection & XSS Application Scanner?© Copyright 2011 Denim Group - All Rights Reserved
  12. 12. © Copyright 2011 Denim Group - All Rights Reserved
  13. 13. Checkbox Culture • Compliance culture and resource constraints have limited software security coverage • This cuts to the heart of “OK” • Heartland Payments Systems breach and PCI test coverage – Organizations try to limit PCI audit by design, even if many view PCI DSS as the most rigorous application security compliance framework© Copyright 2011 Denim Group - All Rights Reserved 12
  14. 14. © Copyright 2011 Denim Group - All Rights Reserved 13
  15. 15. (drawn to scale)© Copyright 2011 Denim Group - All Rights Reserved 14
  16. 16. © Copyright 2011 Denim Group - All Rights Reserved 15
  17. 17. © Copyright 2011 Denim Group - All Rights Reserved 16
  18. 18. Going Concern: In accounting, "going concern" refers to a companys ability to continue functioning as a business entity.© Copyright 2011 Denim Group - All Rights Reserved 17
  19. 19. © Copyright 2011 Denim Group - All Rights Reserved 18
  20. 20. What do Street Vendor food and iTunes applications have in common?© Copyright 2011 Denim Group - All Rights Reserved 19
  21. 21. Introduction of malware into iTunes & Droid Apps stores • Applications submitted to the Apple iTunes AppStore and the Google Android store do not undergo rigorous security testing • Both application stores do not do "white listing” per se© Copyright 2011 Denim Group - All Rights Reserved 20
  22. 22. New York City • 24,000 restaurants inspected/year • Point-based rating scale • 3 Categories of violations • Public health hazard (7 points) • Critical violation (5 points) • General violation (2 points)© Copyright 2011 Denim Group - All Rights Reserved 21
  23. 23. Venture a Guess? • 3 Categories of violations • Public health hazard (7 points) • Critical violation (5 points) • General violation (2 points)© Copyright 2011 Denim Group - All Rights Reserved 22
  24. 24. Venture a Guess? • 3 Categories of violations • Public health hazard (7 points) • Critical violation (5 points) • General violation (2 points)© Copyright 2011 Denim Group - All Rights Reserved 23
  25. 25. What we can Learn from Other Justification Models – Earthquake Building Codes Haiti vs. Chile© Copyright 2011 Denim Group - All Rights Reserved 24
  26. 26. What we can Learn from Other Justification Models • What we can learn from these two models? • No model is based purely on industry-driven compliance – Have no regulation is bad • Starting point is a generally accepted need for regulation – Buyers need to demand software “seatbelts” – Political consensus in Chile & California to enforce more stringent building codes • Must have Rule of Law present to enforce regulation – Building codes were in place in both Chile & Haiti • Misguided regulation may be more destructive than no regulation at all – e.g., Sarbanes Oxley© Copyright 2011 Denim Group - All Rights Reserved 25
  27. 27. So where do you go from here?© Copyright 2011 Denim Group - All Rights Reserved 26
  28. 28. Software Security Justification Models in an “OK” World What can be Done Globally?© Copyright 2011 Denim Group - All Rights Reserved 27
  29. 29. We need more Earthquakes© Copyright 2011 Denim Group - All Rights Reserved 28
  30. 30. We Need Better Mainstream Scary Stories© Copyright 2011 Denim Group - All Rights Reserved 29
  31. 31. We Need Better Mainstream Scary Stories© Copyright 2011 Denim Group - All Rights Reserved 30
  32. 32. We Need Smarter buyers© Copyright 2011 Denim Group - All Rights Reserved 31
  33. 33. There’s an App for That!© Copyright 2011 Denim Group - All Rights Reserved 32
  34. 34. Software Security Justification Models in an “OK” World - In the World you Influence© Copyright 2011 Denim Group - All Rights Reserved 33
  35. 35. Tailor Responses for Limited Resources - ASVS “Applied” Case Study • Financial Services firm services 2,000 + banks • Before • Reactive testing • No repeatable or predictable • Poor coverage • After • Acceptable level of security testing • Applied 80/20 rule to clients • Predictable results • Mutually understood results© Copyright 2011 Denim Group - All Rights Reserved 34
  36. 36. Tailor Responses for Limited Resources - Open Software Security Maturity Model (OpenSAMM)© Copyright 2011 Denim Group - All Rights Reserved 35
  37. 37. Tailor Responses for Limited Resources Measure, Measure, Measure© Copyright 2011 Denim Group - All Rights Reserved 36
  38. 38. Realize that Sales & Marketing is our #1 Job© Copyright 2011 Denim Group - All Rights Reserved 37
  39. 39. We Need Better Developers • Is it enough to say you are “Rugged” • We need software developers to elevate their coding practices to lower the number of obvious security vulnerabilities • These developers need better tools – Modern frameworks – Static analysis baked into build • Starting point – software engineers need to be further along out of college • Industry responses – Carrot & stick models© Copyright 2011 Denim Group - All Rights Reserved 38
  40. 40. The New Negligence: Eliminate SQL Injections and XSS© Copyright 2011 Denim Group - All Rights Reserved 39
  41. 41. The Negligence: SQL Injections and XSS XSS & SQL Injections© Copyright 2011 Denim Group - All Rights Reserved 40
  42. 42. We need better coverage of attack space© Copyright 2011 Denim Group - All Rights Reserved 41
  43. 43. We need better coverage of attack space© Copyright 2011 Denim Group - All Rights Reserved 42
  44. 44. We need better coverage of attack space© Copyright 2011 Denim Group - All Rights Reserved 43
  45. 45. Questions, Answers, & Contact John B. Dickson, CISSP john@denimgroup.com (210) 572-4400 www.denimgroup.com blog.denimgroup.com Twitter: @johnbdickson© Copyright 2011 Denim Group - All Rights Reserved 44

×