Your SlideShare is downloading. ×
0
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Milton smith 2013
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Milton smith 2013

296

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
296
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
4
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. 1 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 2. Keeping the Future Securewith JavaMilton Smith Email: milton.smith@oracle.comSr. Principal Security PM Blog: http://spoofzu.blogspot.com/ Twitter: @spoofzu2 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 3. Notice "THE FOLLOWING IS INTENDED TO OUTLINE OUR GENERAL PRODUCT DIRECTION. IT IS INTENDED FOR INFORMATION PURPOSES ONLY, AND MAY NOT BE INCORPORATED INTO ANY CONTRACT. IT IS NOT A COMMITMENT TO DELIVER ANY MATERIAL, CODE, OR FUNCTIONALITY, AND SHOULD NOT BE RELIED UPON IN MAKING PURCHASING DECISION. THE DEVELOPMENT, RELEASE, AND TIMING OF ANY FEATURES OR FUNCTIONALITY DESCRIBED FOR ORACLES PRODUCTS REMAINS AT THE SOLE DISCRETION OF ORACLE."3 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 4. Who Am I? Milton Smith §  Responsible for Java platform security: vision/features, internal/ external communications – everything Java except EE. §  20+ years of programming and specializing in security. §  Former employer was Yahoo! where I managed security for the User Data Analytics property.4 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 5. Program Agenda §  Security Industry Challenges §  Risk Choices & Methodologies §  Security at Oracle §  Ongoing Security Improvements §  Security in Development Communities §  Call to Action5 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 6. Security Industry & Challenges6 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 7. Java EcosystemLevel of Security Challenge… Facts Desktops §  Java deployed on 97 Percent desktops §  Java deployed on 80 percent of mobile platforms Devices §  Java deployed on 125 million television sets §  1 billion Java downloads per year Community §  9 million developers worldwide Ref: http://www.oracle.com/us/corporate/press/18435467 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 8. Security Threat LandscapeA lot has changed since 1995 when Java started… That was Then… This is Now… •  State or Terrorist Cyber•  Data Destruction Warfare•  Denial of Service •  Intellectual Property Theft•  Hacktivism Individual pranksters Well funded and organized8 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 9. Why is Java a Favored Target for Attack? §  Java is deployed widely across homes and business computers. §  Multi-platform features of Java allow attackers to indiscriminately target Windows, Mac, and even Linux versions. §  Unlike data centers, physical and logical security controls for the home systems are less sophisticated.9 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 10. What Uses of Java are Highest Risk? Highest Risk… §  Java Applets and Web Start plugins running in the browser. Why… §  Java users have valuable information (e.g., credit cards, licensee keys, etc) §  Java desktops security controls are either missing or poorly configured10 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 11. Strong Security is the Expectation… Challenges across entire industry… §  Security concerns across industry are elevated §  Strong vs. poor security is difficult for users to evaluate11 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 12. Risk Choices & Methodologies12 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 13. Risk vs. Reward WE MAKE CHOICES BASED UPON RISK EVERY DAY THIS IS HOW HUMANS FUNCTION13 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 14. Everyday Risk Choices Do animals drink at the water hole? Animals with big teeth may be present. –  Answer = Depends, how thirsty.14 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 15. Everyday Risk Choices Everyone treated by a doctor – has or will die. Success rate is precisely zero. Do we continue to visit doctors? –  Answer = Yes!15 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 16. Everyday Risk Choices Life is risky. Do we visit the doctor every day for a check-up? –  Answer = No!16 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 17. Risk Based Security Methodology §  Many of us today use informal risk based approaches. §  Some don’t take the next steps – formalize thoughts about risk and how it governs our behavior. §  Risk methodology helps drive security decisions17 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 18. Security Risk Applied to a Web Application Example §  A few simple considerations… –  How important is the application to the business? Dollar loss, compliance requirements, inconvenience? –  Internet facing application interfaces (web, web data services)? –  Any unauthenticated application interfaces (no logon)? –  and many more factors… §  Platforms have different concerns but the approach is similar18 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 19. Security at Oracle19 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 20. Why is Security Important to Oracle?Java is at the center of ourapplications Your Apps Java Platform ORA Vendor Apps Apps20 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 21. Overview – Larger Security Policy Areas § SA/CPU RSS § Architecture Review Feeds § Peer Review § Security Blog § Security Testing Communications Development § eBlasts § Post Mortems Lifecycle § Java.com Security Security § CPU Remediation § Security Alerts21 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 22. Security Policies - Communications §  Security news & alerts are communicated via several channels –  Security Alerts (RSS feed) –  Critical Patch Update Advisories –  eBlasts –  Blogs (like blogs.oracle.com/security) §  Policy: http://www.oracle.com/us/support/assurance/fixing-policies/index.html22 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 23. Security Policies - Communications Why we don’t respond to published reports of alleged security vulnerabilities in Oracle products… §  Correcting and corroborating articles provides more information to attackers §  Many reports don’t provide the required engineering details for proper verification. Technical details like: pre-conditions, impacts, remediation/ mitigation details are light or non-existent. §  Responding to individual reports forces communities to track vulnerabilities in social media sites – not good.23 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 24. Security Policies - Communications Why we don’t respond to published reports of alleged security vulnerabilities in Oracle products… §  The information Oracle releases is: precise, actionable, and everyone receives it at the same time. §  Policy: http://www.oracle.com/us/support/assurance/disclosure-policies/index.html24 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 25. Security Throughout the Development Lifecycle Non-specific lifecycle methodology Concept Analysis Coding Testing DeliveryRisk Factors Project Review Peer Review Security Tests Java.com•  Less Scrutiny •  Architecture •  Manual •  Static Analysis•  More Scrutiny •  Compliance •  Automated •  FuzzingPolicy: http://www.oracle.com/us/support/assurance/development/index.html 25 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 26. Outside the Development Lifecycle Throughout Development Cycle •  GPS •  Ethical Hacking •  Security Training •  Tech Talks …and more.26 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 27. Security Policies - Remediation §  Common Vulnerability Scoring System (CVSS) §  Vulnerabilities reviewed and CVSS score assigned §  Remediation strongly influenced by CVSS score Policy: http://www.oracle.com/us/support/assurance/fixing-policies/index.html#scoring27 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 28. Security Policies - Remediation §  Critical Patch Updates (CPU) - Security patches –  October, February, June for Java Platform Group –  Java Platform Group Different from Oracle CPU –  Emergency releases are infrequent but do happen §  Policy: http://www.oracle.com/technetwork/topics/security/alerts-086861.html28 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 29. Java CPUPlanned 7 GA 7u1 7u2 7u3 7u4 7u5 7u6 7u7 7u9 CPU Non CPU CPU Non CPU CPU Non CPU SecAlert* CPU Every 4 monthsRules for Java CPUs § Main release for security vulnerabilities § Covers all families (7, 6, 5.0, 1.4.2) § CPU release triggers Auto-update § Dates published 12 months in advance § Security Alerts are released as necessary § Based off the previous (non-CPU) release § Released simultaneously on java.com and OTN29 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 30. Securing Platforms vs. Securing Applications §  Different tools for securing platforms and applications –  Platform development often precedes tool features §  Platforms support a wider range of use cases §  Different techniques for securing platforms and applications30 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 31. Ongoing Security Improvements31 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 32. Theme, Preventing Drive-By Exploitation §  Defense against phishing attacks §  “Best used before” date for JRE security –  Largest number of exploits are against out-of-date software32 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 33. Theme, Preventing Drive-By Exploitation §  Easier to disable Java in Browser (Applet/JNLP) §  Encourage users to uninstall older JREs –  First step, as an applet –  Next step, component of the installer33 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 34. Theme, JRE Security Hardening §  Configurable IT security policy §  More frequent security feeds (blacklists, security baseline updates)34 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 35. Security in Development Communities35 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 36. What is Impact of Security Incidents? Schedule §  Security firefighting derails the release train Moral §  Security firefighting hits home when your staff burns nights and weekends Confidence §  Too many incidents or too severe shakes confidence36 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 37. Mitigating Security Impacts Before an Incident (otherwise known as Prevention) §  Best incident is the one you can avoid §  Ensure security investments are commensurate with risk §  What should they be? Depends, based upon security maturity During an Incident §  Have an emergency action plan. Relevant leadership? Responsibilities? Process? Actions? Expected outcomes? After an Incident §  Questions may linger for months after an incident §  Have a communications policy and plan of execution37 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 38. Open Source Projects §  Millions of eyeballs does not mean they are trained on security §  Communities focus on what is important to them - features §  If you manage a developer community - set code quality standards §  Ensure the quality standards include security (e.g., OWASP)38 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 39. Restoring Confidence Product Improvement §  Understand your vulnerabilities and get them fixed §  Make new security feature improvements as necessary §  Make it happen Communication §  Code cannot fix a confidence problem §  Likewise communication without action is meaningless §  Make improvements and then communicate your progress The currency of confidence is “hard work” and it’s slow won39 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 40. Call to Action40 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 41. Vulnerability Reporting & Security Feature Suggestions §  Report Vulnerabilities –  Support Customers: My Oracle Support –  Others: secalert_us@oracle.com Policy: http://www.oracle.com/us/support/assurance/reporting/index.html §  Suggest New Features –  http://bugreport.sun.com/bugreport/41 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 42. Upcoming CPU’s §  April 16, 2013 §  June 18, 2013 §  October 15, 2013 (transition to Oracle CPU schedule) §  January 14, 2013 §  CPUs http://www.oracle.com/technetwork/topics/security/alerts-086861.html42 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 43. Java Platform Support §  I receive many questions on support programs and to answer a few… §  3 Options –  Premier, 5 years from GA –  Extended, Premier + 3 years –  Sustaining, “as long as you own your Oracle products” Disclaimer: No, I don’t receive a commission. ;o) Ref: http://www.oracle.com/us/support/library/lifetime-support-middleware-069163.pdf43 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 44. Java Root Certificate Program §  Like browsers, Java ships with root certificates. §  Our roots establish intrinsic “trust” for Java users. §  Of course, users are always free to include their own certificates. §  Program rules apply, see following link. Ref: http://www.oracle.com/technetwork/java/javase/javasecarootcertsprogram-1876540.html44 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 45. Help Us Keep You Secure §  To end users… –  Keep your JRE’s updated (auto-update on) –  Practice defense-in-depth: virus scanner, firewall §  To developers… –  Support current JRE’s so end users can upgrade –  Sign your applications (use timestamp) –  Validate untrusted data (input/output validation) –  Follow Open Web Application Security Project, https://www.owasp.org/ §  All –  Attend new security track at JavaOne 2013 in San Francisco CA, USA45 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 46. oracle.com/javajobs46 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
  • 47. 47 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public

×