1. Security in an Interconnected and
Complex World of Software
Michael Coates
@_mwc
michael.coates@owasp.org

2. About
• Chairman OWASP Board
• Shape Security
– Director of Product Security
• Mozilla
– Director of Security Assurance
• 2012 SC Magazine Influential
Security Mind

3. Billion Dollar Cybercrime
~US $350 Billion – Global Drug Trafficking Estimates
US $170 Billion – Apple Annual Revenue 2013
US $263 Billion – Hong Kong 2012 Gross Domestic Product (GDP)
US $469 Billion – Walmart Annual Revenue 2013
US $95 Billion – Morocco 2012 Gross Domestic Product (GDP)
US $112 Billion – Hewlett-Packard Annual Revenue 2013
US $104 Billion – Honda Annual Revenue 2012

4. Billion Dollar Cybercrime
~US $350 Billion – Global Drug Trafficking Estimates
US $113 Billion – Global price tag of consumer cybercrime
US $170 Billion – Apple Annual Revenue 2013
US $263 Billion – Hong Kong 2012 Gross Domestic Product (GDP)
US $469 Billion – Walmart Annual Revenue 2013
US $95 Billion – Morocco 2012 Gross Domestic Product (GDP)
US $112 Billion – Hewlett-Packard Annual Revenue 2013
US $104 Billion – Honda Annual Revenue 2012
2013 Norton Report by Symantec

5. Cost of Security
• Cybercrime cost to companies
– 26% increase 2012 to 2013
• Cybercrime cost to individual
– 50% increase 2012 to 2013
• Cost per breached record to company
– Average US $136 / JPY ¥13,923

6. Hacking Becomes Leading Cause of
Data Breaches
Another Day, Another Retailer in a Massive Credit Card
Breach
Secret Service investigating possible data breach at
Sears
Report: Verizon Uncovers Two More Retail Breaches …
Adobe Breach Impacted At Least 38 Million Users

7. Largest Single Culprit : Hacking
Verizon Data Breach Report 20132013 Incidents by Breach Type
datalossdb.org
48% from Hacking 52% involved Hacking

8. THE ENEMY

9. Enemy
• Script Kiddies
– Scanners & generic tools
• Organized Crime
– Exploit kits
• Targeted & Specialized
– Precise, 0-day, determined

10. Opportunistic Scanners
• Scan web for common vulnerabilities
• Highly leverage automation
• Often untargeted
75% Attacks Opportunistic
Verizon Data Breach Report 2013

11. Organized Cybercrime
• Financial motivation
• Business groups of attackers
• Evolved systems for exploitation

12. Blackhole

13. CrimePack

14. Phoenix

15. Account Takeover – Web Brute Force

16. Underground Market Prices
2013 Dell SecureWorks
USD JPY
Visa, American Express, Discover $4-$8 ¥409 - ¥818
Credit Card with track 1 and 2 data $12 ¥1227
Full user information $25 ¥2557
1,000 Infected Computers $20 ¥2046
DDOS Attacks (per hour) $3-$5 ¥306 - ¥511

17. .onion TLD via Tor

18. Underground Financial Services

19. Underground Financial Services

20. Underground Marketplace
Stolen Account Balance
US $700-$4100
JP ¥760,00 – ¥420,000
Underground Price
US $90-$322
JP ¥9,200 - ¥33,000

21. Marketplace For Credit Card Fraud
List of vulnerable sites
for “carding”

22. COMPLEXITY
The future is more complex

23. 180 Million Active Sites

24. Cloud

25. Internet of Things
techcrunch.com/2013/05/25/making-sense-of-the-internet-of-things/

26. REALITY CHECK
Security & Elements of Consideration

27. Secure Code vs. Secure Software
Fixing a single security bug Ensuring no critical bugs are
introduced to software

28. Secure Code vs. Secure Software
Fixing a single security bug
• While moving fast
• With minimal impact to
developers
• Within an agile or constant
deployment model
• Across thousands of
developers, multiple sites
and services, and numerous
new lines of code
Ensuring no critical bugs are
introduced to software

29. Secure Code vs. Secure Software
Fixing a single security bug
• While moving fast
• With minimal impact to
developers
• Within an agile or constant
deployment model
• Across thousands of
developers, multiple sites
and services, and numerous
new lines of code
Ensuring no critical bugs are
introduced to software
HardEasy
(generally)

30. Question the Models
• Industry Drivers
– PCI, Sarbanes Oxley, Hipaa, Self Regulation
• Business Drivers
– Innovation, fail fast, time to market, competitive
disadvantage
• Development Practices
– Code Reuse, Libraries, Patching

31. Standards Based Security is Failing
• Motivates for compliance over security
• Complex & unrealistic in many scenarios
• Retroactive removal of certification

32. Business Motivation
• Security sometimes viewed as tax
• Tradeoff of time to market
• Put off by aggressive security requirements
– An overly secure system used by no one provides
no security

33. ORGANIZING FOR SECURITY
Company Structure is Critical

34. Humans Don’t Scale Well

35. Humans Don’t Scale Well

36. Hiring More Security Isn’t Realistic
Security Professionals
– Expensive
– Hard to find
– Competition for employment

37. Centralized Security Organization
• Accountability & leadership
• Increases communication
• Enables security vision &
forward planning
• Cohesive vision across
security disciplines Application
Security
Network Ops
Security
Corporate
Security
Information
Security

38. Centralized Security Organization
• Build bridges throughout company
• Become partners with groups
• Increase communication & support
Dev
QA
Product
PR
IT
Legal
Security

39. Influence instead of Dictate
• Teach security
approaches
throughout org
• Build tools & guidance
• Avoid processes that
require security staff
involvement
Avoid security choke point
Influence without blocking

40. Embedding Approach
• Embedding security
inside dev team
– team effort to deliver
product
– real time
collaboration
– eliminates “us” vs
“them”
– build alliance
Developer
Team
Developer
Team
Developer
Team
Security Team

41. Organizational Strategy
• Scaling via Security Champions
• Primary Role: Developer, Secondary: Security
• Scales Effectively
• Liaison to security team
Developer Team
Security Champion
Developer Team

42. Security Throughout SDLC

43. Development
• Developer Training
• Coding Guidelines
– Cheat Sheets
– Concise, Usable
owasp.org/index.php/Cheat_Sheets

44. Development
• Security Libraries & Services
– Abstract away internals of security code
– Standardized security libraries
• OWASP ESAPI – an example of what you should build
within your organization
• Engineered web services for security

45. Safety Proof & Shift Burden
Current
• Developer must remember
to enable security
• Ability to build anything –
for better or worse Necessary
• Security fully enabled, opt-
out of security with caution
• Pre-packaged code widgets
– Appeal to masses
– Limited customization
– Safe for beginners

46. Smart Automation
• Dynamic security
analysis built for
developers
– Report what can be
found >95% accuracy
– Skip issues where
accuracy is low
– Accurate Tool > Tool
which requires
security team
wiki.mozilla.org/Security/Projects/Minion

47. Automation
Static / Dynamic Analysis
Can scale if homogenous environment
Careful of human involvement
Security X as a Service
Yes! The Future!

48. Quality Assurance
• Security validation within QA
• Functional testing of forms + basic sec tests
• Follow patterns of current QA
– Pass / Fail
– Self contained testing – no need for security
evaluation
“><script>alert(‘problem’)</script>

49. Post Release - Bounty Programs!
Engage Security Community

50. Post Release – Defend The App
• Detect and repel common
attacks
– Web Application Firewall
• Detect and repel custom
attacks at business layer
– Integrated application defense
– OWASP AppSensor
• Disable ability for automated
attacks
owasp.org/index.php/OWASP_AppSensor_Project

51. Post Release – Defend at Scale
• Design for Scale
– Automated attack
blocking & deflection
– No human analysis in
critical path.
• Human interaction
– Slow
– Ineffective against
distributed attacks

52. Key Points
Adversary is motivated and talented
– Organized criminal attackers
– Resourced and focused

53. Key Points
Satisfying security standards is a false sense of
security
– Focus on activities brining value
– Meet required standards & understand lack of
value

54. Key Points
Complex systems require comprehensive
security
– Integrate security in every step of software
development
– Build to scale with business needs & development
speed

55. Thanks!
@_mwc
michael.coates@owasp.org