Security in an Interconnected and Complex World of Software
1. Security in an Interconnected and Complex World of Software
Michael Coates
@_mwc
michael.coates@owasp.org
2. About
• Chairman OWASP Board
• Shape Security
– Director of Product Security
• Mozilla
– Director of Security Assurance
• 2012 SC Magazine Influential Security Mind
3. Billion Dollar Cybercrime
~US $350 Billion – Global Drug Trafficking Estimates
US $170 Billion – Apple Annual Revenue 2013
US $263 Billion – Hong Kong 2012 Gross Domestic Product (GDP)
US $469 Billion – Walmart Annual Revenue 2013
US $95 Billion – Morocco 2012 Gross Domestic Product (GDP)
US $112 Billion – Hewlett-Packard Annual Revenue 2013
US $104 Billion – Honda Annual Revenue 2012
4. Billion Dollar Cybercrime
~US $350 Billion – Global Drug Trafficking Estimates
US $113 Billion – Global price tag of consumer cybercrime
US $170 Billion – Apple Annual Revenue 2013
US $263 Billion – Hong Kong 2012 Gross Domestic Product (GDP)
US $469 Billion – Walmart Annual Revenue 2013
US $95 Billion – Morocco 2012 Gross Domestic Product (GDP)
US $112 Billion – Hewlett-Packard Annual Revenue 2013
US $104 Billion – Honda Annual Revenue 2012
2013 Norton Report by Symantec
5. Cost of Security
• Cybercrime cost to companies
– 26% increase 2012 to 2013
• Cybercrime cost to individual
– 50% increase 2012 to 2013
• Cost per breached record to company
– Average US $136 / JPY ¥13,923
6. Hacking Becomes Leading Cause of Data Breaches
Another Day, Another Retailer in a Massive Credit Card Breach
Secret Service investigating possible data breach at Sears
Report: Verizon Uncovers Two More Retail Breaches …
Adobe Breach Impacted At Least 38 Million Users
7. Largest Single Culprit: Hacking
Verizon Data Breach Report 2013
2013 Incidents by Breach Type – datalossdb.org
48% from Hacking
52% involved Hacking
10. Opportunistic Scanners
• Scan web for common vulnerabilities
• Highly leverage automation
• Often untargeted
75% Attacks Opportunistic
Verizon Data Breach Report 2013
27. Secure Code vs. Secure Software
Fixing a single security bug
Ensuring no critical bugs are introduced to software
28. Secure Code vs. Secure Software
Fixing a single security bug
• While moving fast
• With minimal impact to developers
• Within an agile or constant deployment model
• Across thousands of developers, multiple sites and services, and numerous new lines of code
Ensuring no critical bugs are introduced to software
29. Secure Code vs. Secure Software
Fixing a single security bug
• While moving fast
• With minimal impact to developers
• Within an agile or constant deployment model
• Across thousands of developers, multiple sites and services, and numerous new lines of code
Ensuring no critical bugs are introduced to software
Easy / Hard (generally)
30. Question the Models
• Industry Drivers
– PCI, Sarbanes-Oxley, HIPAA, Self Regulation
• Business Drivers
– Innovation, fail fast, time to market, competitive disadvantage
• Development Practices
– Code Reuse, Libraries, Patching
31. Standards Based Security is Failing
• Motivates compliance over security
• Complex & unrealistic in many scenarios
• Retroactive removal of certification
32. Business Motivation
• Security sometimes viewed as tax
• Tradeoff of time to market
• Put off by aggressive security requirements
– An overly secure system used by no one provides no security
38. Centralized Security Organization
• Build bridges throughout company
• Become partners with groups
• Increase communication & support
Diagram: Security connected to Dev, QA, Product, PR, IT and Legal
39. Influence instead of Dictate
• Teach security approaches throughout org
• Build tools & guidance
• Avoid processes that require security staff involvement
Avoid security choke point
Influence without blocking
40. Embedding Approach
• Embedding security inside dev team
– team effort to deliver product
– real time collaboration
– eliminates “us” vs “them”
– build alliance
Diagram: Security Team members embedded in each Developer Team
41. Organizational Strategy
• Scaling via Security Champions
• Primary Role: Developer, Secondary: Security
• Scales Effectively
• Liaison to security team
Diagram: Security Champion sitting between the Developer Teams and the security team
44. Development
• Security Libraries & Services
– Abstract away internals of security code
– Standardized security libraries
• OWASP ESAPI – an example of what you should build within your organization
• Engineered web services for security
45. Safety Proof & Shift Burden
Current
• Developer must remember to enable security
• Ability to build anything – for better or worse
Necessary
• Security fully enabled, opt-out of security with caution
• Pre-packaged code widgets
– Appeal to masses
– Limited customization
– Safe for beginners
46. Smart Automation
• Dynamic security analysis built for developers
– Report what can be found with >95% accuracy
– Skip issues where accuracy is low
– Accurate Tool > Tool which requires security team
wiki.mozilla.org/Security/Projects/Minion
47. Automation
Static / Dynamic Analysis
Can scale if homogeneous environment
Careful of human involvement
Security X as a Service
Yes! The Future!
48. Quality Assurance
• Security validation within QA
• Functional testing of forms + basic sec tests
• Follow patterns of current QA
– Pass / Fail
– Self contained testing – no need for security evaluation
"><script>alert('problem')</script>
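Slides 45 and 48 together describe a form handler that escapes output by default (opt-out only with care) and a self-contained QA check that feeds the probe string above into a field and returns a plain pass/fail. This is an added example, not code from the talk or from any OWASP project; the `render_greeting` handler, its `raw` opt-out flag and the `security_check` harness are constructed stand-ins for a real application's form code.

```python
import html

# Constructed form handler standing in for the application under test.
# Escaping is on by default; a developer must opt out explicitly (raw=True).
def render_greeting(name: str, raw: bool = False) -> str:
    """Return the HTML fragment the app sends back after a form submit."""
    shown = name if raw else html.escape(name, quote=True)
    return f'<input value="{shown}"><p>Hello, {shown}</p>'

# The basic probe from the slide, pasted into every text field by QA.
XSS_PROBE = "\"><script>alert('problem')</script>"

def reflected_unescaped(response_html: str, probe: str = XSS_PROBE) -> bool:
    """True if the probe came back verbatim, i.e. its markup was not neutralised.
    A substring check is deliberately simple: it needs no security judgement,
    which is what lets a functional QA suite own the test."""
    return probe in response_html

def security_check(render, field_value: str = XSS_PROBE) -> str:
    """Pass/fail verdict in the style of an ordinary functional test."""
    return "FAIL" if reflected_unescaped(render(field_value)) else "PASS"

def run_suite() -> dict:
    """Run the same check against the safe default and the opt-out path."""
    return {
        "default (escaping on)": security_check(lambda v: render_greeting(v)),
        "opt-out (raw=True)": security_check(lambda v: render_greeting(v, raw=True)),
    }

if __name__ == "__main__":
    for case, verdict in run_suite().items():
        print(f"{verdict}: {case}")
```

Because the default path passes and only the explicit opt-out fails, a regression in the suite points straight at the line where a developer switched escaping off.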
49. Post Release - Bounty Programs!
Engage Security Community
50. Post Release – Defend The App
• Detect and repel common attacks
– Web Application Firewall
• Detect and repel custom attacks at business layer
– Integrated application defense
– OWASP AppSensor
• Disable ability for automated attacks
owasp.org/index.php/OWASP_AppSensor_Project
51. Post Release – Defend at Scale
• Design for Scale
– Automated attack blocking & deflection
– No human analysis in critical path
• Human interaction
– Slow
– Ineffective against distributed attacks
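Slides 50 and 51 describe an AppSensor-style defense: the application counts business-layer signals per user and blocks automatically once a threshold is crossed, with no analyst in the critical path. The code below is an added illustration, not code from the talk or from the OWASP AppSensor project; the detection-point names, thresholds and sample events are constructed and are not AppSensor's official identifiers.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed detection points (illustrative labels, not AppSensor's own IDs).
# A threshold is the count at which the application responds on its own.
THRESHOLDS = {
    "AUTH_FAILED": 5,        # repeated failed logins for one account
    "UNEXPECTED_PARAM": 3,   # request carried a parameter the form never sends
    "FORCED_BROWSE": 3,      # access attempt to an object the user does not own
}

@dataclass
class Verdict:
    action: str                       # "allow" or "block"
    reasons: list = field(default_factory=list)

class AppDefense:
    """Counts business-layer signals per user and blocks without human review."""
    def __init__(self, thresholds=THRESHOLDS):
        self.thresholds = thresholds
        self.counts = defaultdict(lambda: defaultdict(int))
        self.blocked = set()

    def record(self, user: str, point: str) -> Verdict:
        """Register one signal for a user and return the automated decision."""
        if user in self.blocked:
            return Verdict("block", ["already blocked"])
        self.counts[user][point] += 1
        if self.counts[user][point] >= self.thresholds[point]:
            self.blocked.add(user)    # response happens inline, at request time
            return Verdict("block", [f"{point} x{self.counts[user][point]}"])
        return Verdict("allow")

    def is_blocked(self, user: str) -> bool:
        return user in self.blocked

# Constructed sample events: a human with two typos, and a scripted client
# walking object IDs it does not own.
SAMPLE_EVENTS = [
    ("alice", "AUTH_FAILED"), ("alice", "AUTH_FAILED"),
    ("bot-7", "FORCED_BROWSE"), ("bot-7", "FORCED_BROWSE"),
    ("bot-7", "FORCED_BROWSE"), ("bot-7", "UNEXPECTED_PARAM"),
]

def replay(events, defense=None):
    """Feed events through the defense; return it and a (user, point, action) log."""
    defense = defense or AppDefense()
    log = [(u, p, defense.record(u, p).action) for u, p in events]
    return defense, log
```

Thresholds separate a user who mistypes a password from a client that repeats the same out-of-band behaviour, which is why the block fires on the third forced-browse attempt but not on the second failed login.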
52. Key Points
Adversary is motivated and talented
– Organized criminal attackers
– Resourced and focused
53. Key Points
Satisfying security standards is a false sense of security
– Focus on activities bringing value
– Meet required standards & understand lack of value
54. Key Points
Complex systems require comprehensive security
– Integrate security in every step of software development
– Build to scale with business needs & development speed