Security in an Interconnected and Complex World of Software

Usage Rights: © All Rights Reserved
Speaker notes

  • Sources for the cost figures:
    http://www.hpenterprisesecurity.com/ponemon-2013-cost-of-cyber-crime-study-reports
    https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf
    http://www.symantec.com/about/news/release/article.jsp?prid=20131001_01
  • Datalossdb.org: 48% of incidents from hacking, 8% fraud, 7% stolen laptop. Verizon DBIR: 52% involved hacking.
  • Blackhole: 28% of all web threats detected by Sophos and 91% by AVG are due to this exploit kit.
  • Phoenix: $2,200 base price; used to booby-trap hacked and malicious Web sites so that they foist drive-by downloads.
    http://krebsonsecurity.com/2013/04/phoenix-exploit-kit-author-arrested-in-russia/

Presentation Transcript

  • Security in an Interconnected and Complex World of Software Michael Coates @_mwc michael.coates@owasp.org
  • About • Chairman OWASP Board • Shape Security – Director of Product Security • Mozilla – Director of Security Assurance • 2012 SC Magazine Influential Security Mind
  • Billion Dollar Cybercrime • ~US $350 Billion – Global Drug Trafficking Estimates • US $113 Billion – Global price tag of consumer cybercrime • US $170 Billion – Apple Annual Revenue 2013 • US $263 Billion – Hong Kong 2012 Gross Domestic Product (GDP) • US $469 Billion – Walmart Annual Revenue 2013 • US $95 Billion – Morocco 2012 Gross Domestic Product (GDP) • US $112 Billion – Hewlett-Packard Annual Revenue 2013 • US $104 Billion – Honda Annual Revenue 2012 (Source: 2013 Norton Report by Symantec)
  • Cost of Security • Cybercrime cost to companies – 26% increase 2012 to 2013 • Cybercrime cost to individual – 50% increase 2012 to 2013 • Cost per breached record to company – Average US $136 / JPY ¥13,923
  • Headlines: • Hacking Becomes Leading Cause of Data Breaches • Another Day, Another Retailer in a Massive Credit Card Breach • Secret Service investigating possible data breach at Sears • Report: Verizon Uncovers Two More Retail Breaches … • Adobe Breach Impacted At Least 38 Million Users
  • Largest Single Culprit: Hacking • datalossdb.org, 2013 Incidents by Breach Type – 48% from hacking • Verizon Data Breach Report 2013 – 52% involved hacking
  • THE ENEMY
  • Enemy • Script Kiddies – Scanners & generic tools • Organized Crime – Exploit kits • Targeted & Specialized – Precise, 0-day, determined
  • Opportunistic Scanners • Scan web for common vulnerabilities • Highly leverage automation • Often untargeted • 75% of attacks opportunistic (Verizon Data Breach Report 2013)
  • Organized Cybercrime • Financial motivation • Business groups of attackers • Evolved systems for exploitation
  • Blackhole
  • CrimePack
  • Phoenix
  • Account Takeover – Web Brute Force
  • Underground Market Prices 2013 (Dell SecureWorks)
    Item                                  USD       JPY
    Visa, American Express, Discover      $4-$8     ¥409-¥818
    Credit card with track 1 and 2 data   $12       ¥1,227
    Full user information                 $25       ¥2,557
    1,000 infected computers              $20       ¥2,046
    DDoS attacks (per hour)               $3-$5     ¥306-¥511
  • .onion TLD via Tor
  • Underground Financial Services
  • Underground Marketplace • Stolen account balance: US $700-$4,100 / JP ¥76,000-¥420,000 • Underground price: US $90-$322 / JP ¥9,200-¥33,000
  • Marketplace For Credit Card Fraud List of vulnerable sites for “carding”
  • COMPLEXITY The future is more complex
  • 180 Million Active Sites
  • Cloud
  • Internet of Things techcrunch.com/2013/05/25/making-sense-of-the-internet-of-things/
  • REALITY CHECK Security & Elements of Consideration
  • Secure Code vs. Secure Software • Fixing a single security bug – Easy (generally) • Ensuring no critical bugs are introduced to software – Hard – While moving fast – With minimal impact to developers – Within an agile or constant deployment model – Across thousands of developers, multiple sites and services, and numerous new lines of code
  • Question the Models • Industry Drivers – PCI, Sarbanes-Oxley, HIPAA, Self Regulation • Business Drivers – Innovation, fail fast, time to market, competitive disadvantage • Development Practices – Code Reuse, Libraries, Patching
  • Standards Based Security is Failing • Motivates for compliance over security • Complex & unrealistic in many scenarios • Retroactive removal of certification
  • Business Motivation • Security sometimes viewed as tax • Tradeoff of time to market • Put off by aggressive security requirements – An overly secure system used by no one provides no security
  • ORGANIZING FOR SECURITY Company Structure is Critical
  • Humans Don’t Scale Well
  • Hiring More Security Isn’t Realistic Security Professionals – Expensive – Hard to find – Competition for employment
  • Centralized Security Organization • Accountability & leadership • Increases communication • Enables security vision & forward planning • Cohesive vision across security disciplines (Application Security, Network Ops Security, Corporate Security, Information Security)
  • Centralized Security Organization • Build bridges throughout company • Become partners with groups • Increase communication & support (Dev, QA, Product, PR, IT, Legal, Security)
  • Influence instead of Dictate • Teach security approaches throughout org • Build tools & guidance • Avoid processes that require security staff involvement – Avoid security choke point – Influence without blocking
  • Embedding Approach • Embedding security inside dev team – team effort to deliver product – real time collaboration – eliminates “us” vs “them” – build alliance (diagram: Security Team embedded across several Developer Teams)
  • Organizational Strategy • Scaling via Security Champions • Primary Role: Developer, Secondary: Security • Scales Effectively • Liaison to security team (diagram: a Security Champion inside each Developer Team)
  • Security Throughout SDLC
  • Development • Developer Training • Coding Guidelines – Cheat Sheets – Concise, Usable owasp.org/index.php/Cheat_Sheets
  • Development • Security Libraries & Services – Abstract away internals of security code – Standardized security libraries • OWASP ESAPI – an example of what you should build within your organization • Engineered web services for security
  • Safety Proof & Shift Burden • Current – Developer must remember to enable security – Ability to build anything, for better or worse • Necessary – Security fully enabled; opt-out of security with caution – Pre-packaged code widgets: appeal to masses, limited customization, safe for beginners
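The two slides above (standardized security libraries, and security that is on by default with a deliberate opt-out) describe a library design rather than show one. The following is an added example, not code from the presentation or from OWASP ESAPI: a small HTML interpolation helper in which escaping is the default path and the only way around it is an explicit, greppable marker. The template syntax, the `SafeHTML` marker and `mark_safe` name, and the sample payload are all assumptions made for this example.

```python
import html
from string import Formatter


class SafeHTML(str):
    """Marker type: the developer vouches that this fragment is already safe
    HTML. Constructing one is the deliberate, auditable opt-out step.
    (Name is an assumption for this example.)"""


def mark_safe(fragment):
    """Explicit opt-out from escaping. Grep for it in code review: it should
    only ever wrap server-generated markup, never user-controlled data."""
    return SafeHTML(fragment)


def render(template, **values):
    """Secure-by-default interpolation of {name} placeholders. Every value is
    HTML-escaped unless it is a SafeHTML, so forgetting to escape is not a
    mistake a developer can make; they have to opt out on purpose."""
    out = []
    # string.Formatter.parse yields (literal_text, field_name, format_spec, conversion)
    for literal, field, _spec, _conv in Formatter().parse(template):
        out.append(literal)
        if field is None:
            continue
        value = values[field]
        if isinstance(value, SafeHTML):
            out.append(str(value))  # explicit opt-out honoured as-is
        else:
            out.append(html.escape(str(value), quote=True))  # default: encode
    return "".join(out)


def render_opt_in(template, **values):
    """The 'current' model from the slide, for contrast: raw str.format().
    The developer must remember html.escape() on every value; one omission
    is a reflected XSS."""
    return template.format(**values)


if __name__ == "__main__":
    # Constructed attacker-controlled input.
    attack = '"><script>alert(1)</script>'
    print(render('<input value="{q}"><p>{q}</p>', q=attack))
    print(render("<b>{x}</b>", x=mark_safe("<i>trusted markup</i>")))
    print(render_opt_in("<p>{q}</p>", q=attack))
```

The point of the `SafeHTML` marker is that the dangerous choice leaves a trace: a reviewer can search the code base for `mark_safe(` and check each call site, whereas a missing `html.escape()` call in the opt-in model is invisible.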
  • Smart Automation • Dynamic security analysis built for developers – Report only what can be found with >95% accuracy – Skip issues where accuracy is low – Accurate tool > tool which requires the security team to interpret results wiki.mozilla.org/Security/Projects/Minion
  • Automation • Static / Dynamic Analysis – Can scale if homogeneous environment – Careful of human involvement • Security X as a Service – Yes! The Future!
  • Quality Assurance • Security validation within QA • Functional testing of forms + basic security tests • Follow patterns of current QA – Pass / Fail – Self contained testing – no need for security evaluation "><script>alert('problem')</script>
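The QA slide asks for security checks that look like any other functional form test: submit a probe, get a PASS or FAIL, no security analyst in the loop. As an added example (not code from the presentation), here is that pattern over a constructed search page in its reflecting and its encoding form. The handlers, the probe strings and the field name are assumptions for this example.

```python
import html

# Constructed probes in the spirit of the slide's "><script>alert('problem')</script>
PROBES = [
    '"><script>alert(\'problem\')</script>',   # breaks out of an attribute
    "<img src=x onerror=alert('problem')>",    # fires in text context
]


def vulnerable_search_page(form):
    """Constructed 'before' handler: echoes the submitted value straight into
    an attribute and into the page body (the common reflected-XSS shape)."""
    q = form.get("q", "")
    return f'<input name="q" value="{q}"><p>Results for {q}</p>'


def fixed_search_page(form):
    """Same page with output encoding applied at the point of rendering."""
    q = html.escape(form.get("q", ""), quote=True)
    return f'<input name="q" value="{q}"><p>Results for {q}</p>'


def reflected_xss_test(handler, fields=("q",)):
    """QA-style check: submit each probe through each field exactly like a
    functional form test and grade PASS/FAIL by whether the probe came back
    unencoded. Self-contained: the verdict needs no security interpretation."""
    results = {}
    for field in fields:
        verdict = "PASS"
        for probe in PROBES:
            body = handler({field: probe})
            if probe in body:  # raw reflection: the markup survived untouched
                verdict = "FAIL"
                break
        results[field] = verdict
    return results


if __name__ == "__main__":
    print("vulnerable:", reflected_xss_test(vulnerable_search_page))
    print("fixed:     ", reflected_xss_test(fixed_search_page))
```

The check is deliberately strict and simple, which is what makes it usable by QA: a probe that comes back byte-for-byte is always a finding, so there are no judgement calls. It does not claim completeness; a response that encodes `<` but leaves `"` intact would pass here while still being exploitable in attribute context, and a context-aware check for that case belongs in the developer-facing dynamic analysis of the previous slide rather than in the QA pass/fail gate.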
  • Post Release - Bounty Programs! Engage Security Community
  • Post Release – Defend The App • Detect and repel common attacks – Web Application Firewall • Detect and repel custom attacks at business layer – Integrated application defense – OWASP AppSensor • Disable ability for automated attacks owasp.org/index.php/OWASP_AppSensor_Project
  • Post Release – Defend at Scale • Design for Scale – Automated attack blocking & deflection – No human analysis in critical path. • Human interaction – Slow – Ineffective against distributed attacks
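The two "Defend" slides argue for detection and response inside the application itself, with automated blocking and no human analysis in the critical path. The following is an added example, not code from the presentation or from the OWASP AppSensor project: a minimal AppSensor-style defense that counts per-client detection points against thresholds over a sliding window and blocks the client automatically. The detection-point names echo AppSensor's naming style, and the thresholds, block duration, expected-parameter list, SQL-injection pattern and request log are all constructed for this example.

```python
import re
from collections import defaultdict, deque

# Threshold policy per detection point: (events tolerated, window in seconds).
# Exceeding the count within the window triggers the automatic response.
# Names follow AppSensor's style; values are assumptions for this example.
POLICY = {
    "AE1_failed_login":     (5, 60),   # brute force: more than 5 failures/minute
    "RE1_unexpected_param": (3, 60),   # tampering with the request shape
    "CIE1_sqli_probe":      (0, 300),  # a single injection probe is enough
}
BLOCK_SECONDS = 900  # duration of the automatic block (assumption)

EXPECTED_PARAMS = {"username", "password"}  # the login form's real fields (assumption)
# Constructed, deliberately narrow signature for classic tautology / comment probes.
SQLI_PATTERN = re.compile(r"('\s*(or|and)\s+[\w']+\s*=\s*[\w']+|--|;\s*drop\s)", re.I)


def classify(params, login_ok):
    """Map one request to the detection points it trips (possibly none)."""
    points = []
    if not login_ok:
        points.append("AE1_failed_login")
    if set(params) - EXPECTED_PARAMS:
        points.append("RE1_unexpected_param")
    if any(SQLI_PATTERN.search(str(v)) for v in params.values()):
        points.append("CIE1_sqli_probe")
    return points


class AppDefense:
    """Per-client sliding-window counters plus an automatic block list.
    Nothing here waits for a human: the decision is made on the request path."""

    def __init__(self, policy=POLICY, block_seconds=BLOCK_SECONDS):
        self.policy = policy
        self.block_seconds = block_seconds
        self.events = defaultdict(deque)  # (client, point) -> timestamps in window
        self.blocked_until = {}           # client -> unblock timestamp

    def is_blocked(self, client, ts):
        return self.blocked_until.get(client, -1) > ts

    def handle(self, client, ts, params, login_ok):
        """Return 'blocked' (client already denied), 'block' (this request
        tripped a threshold and the response was applied) or 'allow'."""
        if self.is_blocked(client, ts):
            return "blocked"
        for point in classify(params, login_ok):
            limit, window = self.policy[point]
            q = self.events[(client, point)]
            q.append(ts)
            while q and q[0] <= ts - window:  # drop events outside the window
                q.popleft()
            if len(q) > limit:
                self.blocked_until[client] = ts + self.block_seconds
                return "block"
        return "allow"


# Constructed request log: (client, timestamp, form params, did login succeed?)
SAMPLE_REQUESTS = [
    # brute-force client: seven wrong passwords in 30 seconds
    *[("203.0.113.7", t, {"username": "alice", "password": f"guess{t}"}, False)
      for t in range(0, 35, 5)],
    # legitimate user: one typo, then success
    ("198.51.100.2", 3, {"username": "bob", "password": "wrng"}, False),
    ("198.51.100.2", 9, {"username": "bob", "password": "right"}, True),
    # scanner: SQL injection probe in the username, then a normal-looking request
    ("192.0.2.9", 12, {"username": "' OR 1=1 --", "password": "x"}, False),
    ("192.0.2.9", 13, {"username": "carol", "password": "x"}, True),
]


def run(requests=SAMPLE_REQUESTS):
    """Replay the log in time order and return each client's decisions."""
    defense = AppDefense()
    decisions = defaultdict(list)
    for client, ts, params, login_ok in sorted(requests, key=lambda r: r[1]):
        decisions[client].append(defense.handle(client, ts, params, login_ok))
    return dict(decisions)


if __name__ == "__main__":
    for client, verdicts in run().items():
        print(client, verdicts)
```

The legitimate user with one typo is never touched, the brute-force client is cut off on its sixth failure, and the scanner is blocked on its first probe and stays blocked for the follow-up request. The policy table is the knob a security team tunes offline; the request path itself contains no step that waits on a person, which is what lets the same code hold up against a distributed attacker that a ticket queue cannot.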
  • Key Points Adversary is motivated and talented – Organized criminal attackers – Resourced and focused
  • Key Points Satisfying security standards is a false sense of security – Focus on activities bringing value – Meet required standards & understand lack of value
  • Key Points Complex systems require comprehensive security – Integrate security in every step of software development – Build to scale with business needs & development speed
  • Thanks! @_mwc michael.coates@owasp.org