Why AppSec Matters
Presented at InnoTech Austin on October 20, 2011. For details on InnoTech, visit www.innotechconferences.com

    Why AppSec Matters: Presentation Transcript

    • InnoTech Austin 2011. The OWASP Foundation, http://www.owasp.org. Why AppSec Matters? Matt Tesauro, OWASP Foundation Board Member, matt.tesauro@owasp.org
    • <Who is> Broad IT background: Developer, DBA, Sys Admin, Pen Tester, Application Security professional; CISSP, CEH, RHCE, Linux+. Long history with Linux and Open Source; contributor to many projects. Leader of OWASP Live CD / WTE. OWASP Foundation Board Member. Cyber Security Engineer Lead at Rackspace. 2
    • First some notes... This talk includes some speculation on my part. The intention is to get you to think a bit about the topic. * Disclaimer: Views of Matt do not necessarily represent those of OWASP... 3
    • Software is Everywhere
    • Drive to the conference this morning? 5
    • For those that missed ToorCon... “Real Men Carry Pink Pagers”: a Girl Tech brand IM-Me device modified to open garage doors, clone RFID tags, and serve as a “diagnostic tool” for smart meters. 7
    • Software for Barbie! 8
    • Fly to Austin? 9
    • Fly to Austin? Snakes on a plane. Tux on a plane. 10
    • Get hurt in Austin? 11
    • Get hurt in Austin? Australia? Christian Kandlbauer. 12
    • Software has Problems
    • Regrettably, Christian died on October 22, 2010 after an automobile crash. 14
    • Remote compromise of a pacemaker. 15
    • Air France Flight 447, June 1st 2009. Automated telemetry data shows that the software lost trust in one of the two inertial guidance systems. Black box has not been found: a shoebox in Paris, under 3,000 m of water. Multiple-condition software failure followed by the powered flight into the water. Over 200 people killed. 16
    • In Terminator, did the machines try to take over the world... ~OR~ was it the software running the machines? 18
    • OWASP is Visibility
    • Open Web Application Security Project. First some quick review: software is everywhere; software has problems. Why do these problems exist in software? Why can't we have an ecosystem of secure software? 20
    • Why does software have problems? People implicitly trust software (smart phones & *Store, the Internet). Blame developers for software problems (we'll never hack our way secure). Security of software is hidden (how do you tell that an app is secure?). 21
    • This cycle is toxic to the software security ecosystem. 22
    • AppSec Visibility Cycle (diagram): roles shown are Architects, Developers, AppSec, Infosec, Users, Stakeholders, Business, Compliance and Legal; activities shown are Research, Create Security Architecture, Define Security Requirements, Implement Controls, Monitor Threats, Understand, Share Findings, Verify, Audit and Laws. 23
    • Python Security: ecosystems can exist at any level. OWASP intern Craig Youngkins (Python fanboy) started solo, now has several contributors... 24
    • Rugged Software Manifesto 25
    • Incentives against secure & rugged software: No liability – EULA excuses all. First mover advantage. The market doesn't reward secure software. The market doesn't reward transparency, aka visibility. 26
    • Software, as we are building it today, is an unsafe building material. The physical engineering disciplines figured this out a long time ago. 27
    • How is software an unsafe building material? Can't inspect software (generally speaking). Can't assess complex failures easily by testing. Can't fix a flaw if you find one (DMCA). Can't learn from failures. Regulation and/or standards??? 28
    • Regulation problems. Jurisdiction: software is everywhere, but not all businesses have a regulatory body. Talent and ability: do regulators have the budget and talent to actually test software? No business likes regulation. 29
    • NHTSA, National Highway Transportation Safety Agency: an active and competent agency with a history of enforcing auto safety. Enter the Toyota Prius: NHTSA admitted they didn't have people trained to test software in cars, and borrowed 50 engineers from NASA. A good stop gap, but what about next time? 30
    • What we want What we get 31
    • What we need: Software we can inspect. Software we can test. Software where security is visible (transparency). Software that is rugged. To study and learn from failures. 32
    • Security Vulnerabilities, Change Control, Source Code Mgmt, Strategy & Metrics, Policy & Compliance, Education & Training, Threat Assessment, Security Requirements, Secure Architecture, Design Review, Code Review, Remediation, Hardening ... 34
    • OWASP Meritocracy 35
    • Why do I do this? 36
    • A few closing thoughts. The blackbox, faith-based cycle of trust must end: realize the truth of this and work for change. Prevent problems rather than cope with the aftermath of software failure: some harm has no easy remedy, e.g. death; post-harm, at best, causes redistribution of capital, but more likely just blame. 37
    • Questions? Sintel, download it free at http://www.sintel.org: an independent film produced by the Blender Foundation using free and open software. 38
    • The giants who lent me their shoulders: Jeff Williams & Dave Wichers, AppSec US 2010 and DHS Software Assurance Day presentations – many bits and pieces from these. Eben Moglen (Software Freedom Law Center), “When Software is in Everything: Future Liability Nightmares Free Software Helps Avoid”. David Rice, his wonderful keynote at AppSec US 2010 on software security, externalities and pollution. Karen Sandler et al., “Killed by Code: Software Transparency in Implantable Medical Devices”. 39