Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Upcoming SlideShare
Loading in...5
×
 

Software Security: Is OK Good Enough? OWASP AppSec USA 2011

on

  • 1,631 views

 

Statistics

Views

Total Views
1,631
Views on SlideShare
1,058
Embed Views
573

Actions

Likes
0
Downloads
9
Comments
0

4 Embeds 573

http://blog.denimgroup.com 522
http://denimgroup.typepad.com 44
http://denimgroup.posterous.com 5
http://translate.googleusercontent.com 2

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Software Security: Is OK Good Enough? OWASP AppSec USA 2011 Software Security: Is OK Good Enough? OWASP AppSec USA 2011 Presentation Transcript

  • Software Security: Is OK Good Enough? Appsec USA 2011 September 22, 2011 John B. Dickson, CISSP Denim Group, Ltd. @johnbdickson© Copyright 2011 Denim Group - All Rights Reserved
  • OWASP AppSec 2011© Copyright 2011 Denim Group - All Rights Reserved 1
  • OWASP AppSec 2011© Copyright 2011 Denim Group - All Rights Reserved 2
  • OWASP AppSec 2011© Copyright 2011 Denim Group - All Rights Reserved 3
  • Personal Background© Copyright 2011 Denim Group - All Rights Reserved 4
  • Personal Background© Copyright 2011 Denim Group - All Rights Reserved 5
  • OWASP AppSec 2011© Copyright 2011 Denim Group - All Rights Reserved 6
  • Software Security: Is OK Good Enough? • Current State of Affairs in Software Security • What we can Learn from Other Justification Models • Potential Software Security Justification Models • Questions and Answers© Copyright 2011 Denim Group - All Rights Reserved 7
  • Current State of Affairs in Software Security • Testing approaches differ wildly • Incredible amount of energy focused on technical merits and demerits of testing activities – Existing application security scanners identify a subset of vulnerabilities in applications – 30-40% Coverage level is accepted norm – SQL injection/XSS – yes – Authorization & business logic – not so much© Copyright 2011 Denim Group - All Rights Reserved 8
  • 1996 Network Security Question? Firewall?© Copyright 2011 Denim Group - All Rights Reserved
  • 2011 Application Security Question? I’ve run my Automated SQL Injection & XSS Application Scanner?© Copyright 2011 Denim Group - All Rights Reserved
  • © Copyright 2011 Denim Group - All Rights Reserved
  • Checkbox Culture • Compliance culture and resource constraints have limited software security coverage • This cuts to the heart of “OK” • Heartland Payments Systems breach and PCI test coverage – Organizations try to limit PCI audit by design, even if many view PCI DSS as the most rigorous application security compliance framework© Copyright 2011 Denim Group - All Rights Reserved 12
  • © Copyright 2011 Denim Group - All Rights Reserved 13
  • (drawn to scale)© Copyright 2011 Denim Group - All Rights Reserved 14
  • © Copyright 2011 Denim Group - All Rights Reserved 15
  • © Copyright 2011 Denim Group - All Rights Reserved 16
  • Going Concern: In accounting, "going concern" refers to a companys ability to continue functioning as a business entity.© Copyright 2011 Denim Group - All Rights Reserved 17
  • © Copyright 2011 Denim Group - All Rights Reserved 18
  • What do Street Vendor food and iTunes applications have in common?© Copyright 2011 Denim Group - All Rights Reserved 19
  • Introduction of malware into iTunes & Droid Apps stores • Applications submitted to the Apple iTunes AppStore and the Google Android store do not undergo rigorous security testing • Both application stores do not do "white listing” per se© Copyright 2011 Denim Group - All Rights Reserved 20
  • New York City • 24,000 restaurants inspected/year • Point-based rating scale • 3 Categories of violations • Public health hazard (7 points) • Critical violation (5 points) • General violation (2 points)© Copyright 2011 Denim Group - All Rights Reserved 21
  • Venture a Guess? • 3 Categories of violations • Public health hazard (7 points) • Critical violation (5 points) • General violation (2 points)© Copyright 2011 Denim Group - All Rights Reserved 22
  • Venture a Guess? • 3 Categories of violations • Public health hazard (7 points) • Critical violation (5 points) • General violation (2 points)© Copyright 2011 Denim Group - All Rights Reserved 23
  • What we can Learn from Other Justification Models – Earthquake Building Codes Haiti vs. Chile© Copyright 2011 Denim Group - All Rights Reserved 24
  • What we can Learn from Other Justification Models • What we can learn from these two models? • No model is based purely on industry-driven compliance – Have no regulation is bad • Starting point is a generally accepted need for regulation – Buyers need to demand software “seatbelts” – Political consensus in Chile & California to enforce more stringent building codes • Must have Rule of Law present to enforce regulation – Building codes were in place in both Chile & Haiti • Misguided regulation may be more destructive than no regulation at all – e.g., Sarbanes Oxley© Copyright 2011 Denim Group - All Rights Reserved 25
  • So where do you go from here?© Copyright 2011 Denim Group - All Rights Reserved 26
  • Software Security Justification Models in an “OK” World What can be Done Globally?© Copyright 2011 Denim Group - All Rights Reserved 27
  • We need more Earthquakes© Copyright 2011 Denim Group - All Rights Reserved 28
  • We Need Better Mainstream Scary Stories© Copyright 2011 Denim Group - All Rights Reserved 29
  • We Need Better Mainstream Scary Stories© Copyright 2011 Denim Group - All Rights Reserved 30
  • We Need Smarter buyers© Copyright 2011 Denim Group - All Rights Reserved 31
  • There’s an App for That!© Copyright 2011 Denim Group - All Rights Reserved 32
  • Software Security Justification Models in an “OK” World - In the World you Influence© Copyright 2011 Denim Group - All Rights Reserved 33
  • Tailor Responses for Limited Resources - ASVS “Applied” Case Study • Financial Services firm services 2,000 + banks • Before • Reactive testing • No repeatable or predictable • Poor coverage • After • Acceptable level of security testing • Applied 80/20 rule to clients • Predictable results • Mutually understood results© Copyright 2011 Denim Group - All Rights Reserved 34
  • Tailor Responses for Limited Resources - Open Software Security Maturity Model (OpenSAMM)© Copyright 2011 Denim Group - All Rights Reserved 35
  • Tailor Responses for Limited Resources Measure, Measure, Measure© Copyright 2011 Denim Group - All Rights Reserved 36
  • Realize that Sales & Marketing is our #1 Job© Copyright 2011 Denim Group - All Rights Reserved 37
  • We Need Better Developers • Is it enough to say you are “Rugged” • We need software developers to elevate their coding practices to lower the number of obvious security vulnerabilities • These developers need better tools – Modern frameworks – Static analysis baked into build • Starting point – software engineers need to be further along out of college • Industry responses – Carrot & stick models© Copyright 2011 Denim Group - All Rights Reserved 38
  • The New Negligence: Eliminate SQL Injections and XSS© Copyright 2011 Denim Group - All Rights Reserved 39
  • The Negligence: SQL Injections and XSS XSS & SQL Injections© Copyright 2011 Denim Group - All Rights Reserved 40
  • We need better coverage of attack space© Copyright 2011 Denim Group - All Rights Reserved 41
  • We need better coverage of attack space© Copyright 2011 Denim Group - All Rights Reserved 42
  • We need better coverage of attack space© Copyright 2011 Denim Group - All Rights Reserved 43
  • Questions, Answers, & Contact John B. Dickson, CISSP john@denimgroup.com (210) 572-4400 www.denimgroup.com blog.denimgroup.com Twitter: @johnbdickson© Copyright 2011 Denim Group - All Rights Reserved 44