Why AppSec Matters



Presented at InnoTech Austin on October 20, 2011. For details on InnoTech, visit www.innotechconferences.com


  1. InnoTech Austin 2011. The OWASP Foundation, http://www.owasp.org
     Why AppSec Matters?
     Matt Tesauro, OWASP Foundation Board Member, matt.tesauro@owasp.org
  2. Who is Matt Tesauro?
     • Broad IT background: developer, DBA, sys admin, pen tester, application security professional
     • CISSP, CEH, RHCE, Linux+
     • Long history with Linux and open source; contributor to many projects
     • Leader of OWASP Live CD / WTE
     • OWASP Foundation Board Member
     • Cyber Security Engineer Lead at Rackspace
  3. First some notes...
     • This talk includes some speculation on my part
     • The intention is to get you to think a bit about the topic
     • Disclaimer: Views of Matt do not necessarily represent those of OWASP...
  4. Software is Everywhere
  5. Drive to the conference this morning?
  7. For those that missed ToorCon... "Real Men Carry Pink Pagers"
     • Girl Tech brand IM-Me device, modified to:
       • open garage doors
       • clone RFID tags
       • act as a "diagnostic tool" for smart meters
  8. Software for Barbie!
  9. Fly to Austin?
  10. Fly to Austin? Snakes on a plane... Tux on a plane
  11. Get hurt in Austin?
  12. Get hurt in Austin? Austria? Christian Kandlbauer
  13. Software has Problems
  14. Regrettably, Christian died on October 22, 2010 after an automobile crash
  15. Remote compromise of a pacemaker
  16. Air France Flight 447, June 1st 2009
      • Automated telemetry data shows that the software lost trust in one of the two inertial guidance systems
      • Flight recorders: like finding a shoebox in Paris, under 3,000 m of water; they were not recovered until May 2011
      • Multiple-condition software failure, followed by powered flight into the water
      • All 228 people on board were killed
  18. In Terminator, did the machines try to take over the world... ~OR~ was it the software running the machines?
  19. OWASP is Visibility
  20. Open Web Application Security Project
      First some quick review:
      • Software is everywhere
      • Software has problems
      Why do these problems exist in software?
      • Why can't we have an ecosystem of secure software?
  21. Why does software have problems?
      • People implicitly trust software: smart phones and the *Store, the Internet
      • Blame developers for software problems: we'll never hack our way secure
      • Security of software is hidden: how do you tell whether an app is secure?
  22. This cycle is toxic to the software security ecosystem.
  23. AppSec Visibility Cycle (diagram). Roles: Architects, Developers, AppSec, Infosec, Users, Stakeholders, Business, Legal, Audit. Activities: Research, Create Security Architecture, Define Security Requirements, Implement Controls, Monitor Threats, Understand Findings, Share Findings, Understand Laws, Verify Compliance.
  24. Security ecosystems can exist at any level: Python Security
      • OWASP intern Craig Youngkins (Python fanboy) started solo; the project now has several contributors...
  25. Rugged Software Manifesto
  26. Incentives against secure & rugged software
      • No liability: the EULA excuses all
      • First-mover advantage
      • The market doesn't reward secure software
      • The market doesn't reward transparency, aka visibility
  27. Software, as we are building it today, is an unsafe building material. The physical engineering disciplines figured this out a long time ago.
  28. How is software an unsafe building material?
      • Can't inspect software (generally speaking)
      • Can't assess complex failures easily by testing
      • Can't fix a flaw if you find one (DMCA)
      • Can't learn from failures
      • Regulation and/or standards???
  29. Regulation problems
      • Jurisdiction: software is everywhere, but not all businesses have a regulatory body
      • Talent and ability: do regulators have the budget and talent to actually test software?
      • No business likes regulation
  30. NHTSA: National Highway Traffic Safety Administration
      • Active and competent agency with a history of enforcing auto safety
      • Enter the Toyota Prius
        • NHTSA admitted they didn't have people trained to test software in cars
        • Borrowed 50 engineers from NASA
        • Good stop-gap, but what about next time?
  31. What we want / What we get
  32. What we need
      • Software we can inspect.
      • Software we can test.
      • Software where security is visible (transparency).
      • Software that is rugged.
      • To study and learn from failures.
  34. • Security Vulnerabilities
      • Change Control
      • Source Code Mgmt
      • Strategy & Metrics
      • Policy & Compliance
      • Education & Training
      • Threat Assessment
      • Security Requirements
      • Secure Architecture
      • Design Review
      • Code Review
      • Remediation
      • Hardening
      • ...
  35. OWASP Meritocracy
  36. Why do I do this?
  37. A few closing thoughts
      • The black-box, faith-based cycle of trust must end: realize the truth of this and work for change
      • Prevent problems rather than cope with the aftermath of software failure.
        • Some harm has no easy remedy, e.g. death.
        • Post-harm action at best causes a redistribution of capital, but more likely just blame.
  38. Questions?
      Sintel, download it free at http://www.sintel.org: an independent film produced by the Blender Foundation using free and open software
  39. The giants who lent me their shoulders:
      • Jeff Williams & Dave Wichers: AppSec US 2010 and DHS Software Assurance Day presentations; many bits and pieces from these
      • Eben Moglen (Software Freedom Law Center): "When Software is in Everything: Future Liability Nightmares Free Software Helps Avoid"
      • David Rice: his wonderful keynote at AppSec US 2010 on software security, externalities and pollution
      • Karen Sandler et al.: "Killed by Code: Software Transparency in Implantable Medical Devices"