Security in an Interconnected and Complex World of Software
Speaker notes

  • Sources:
    http://www.hpenterprisesecurity.com/ponemon-2013-cost-of-cyber-crime-study-reports
    https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf
    http://www.symantec.com/about/news/release/article.jsp?prid=20131001_01
  • Datalossdb.org – 48% from hacking, 8% fraud, 7% stolen laptop
    Verizon DBR – 52% involved hacking
  • 28% of all web threats detected by Sophos and 91% by AVG are due to this exploit kit
  • $2,200 – base price; booby-trap hacked and malicious Web sites so that they foist drive-by downloads
    http://krebsonsecurity.com/2013/04/phoenix-exploit-kit-author-arrested-in-russia/

Transcript

  • 1. Security in an Interconnected and Complex World of Software
    Michael Coates – @_mwc – michael.coates@owasp.org
  • 2. About
    • Chairman OWASP Board
    • Shape Security – Director of Product Security
    • Mozilla – Director of Security Assurance
    • 2012 SC Magazine Influential Security Mind
  • 3. Billion Dollar Cybercrime
    ~US $350 Billion – Global Drug Trafficking Estimates
    US $170 Billion – Apple Annual Revenue 2013
    US $263 Billion – Hong Kong 2012 Gross Domestic Product (GDP)
    US $469 Billion – Walmart Annual Revenue 2013
    US $95 Billion – Morocco 2012 Gross Domestic Product (GDP)
    US $112 Billion – Hewlett-Packard Annual Revenue 2013
    US $104 Billion – Honda Annual Revenue 2012
  • 4. Billion Dollar Cybercrime
    ~US $350 Billion – Global Drug Trafficking Estimates
    US $113 Billion – Global price tag of consumer cybercrime
    US $170 Billion – Apple Annual Revenue 2013
    US $263 Billion – Hong Kong 2012 Gross Domestic Product (GDP)
    US $469 Billion – Walmart Annual Revenue 2013
    US $95 Billion – Morocco 2012 Gross Domestic Product (GDP)
    US $112 Billion – Hewlett-Packard Annual Revenue 2013
    US $104 Billion – Honda Annual Revenue 2012
    Source: 2013 Norton Report by Symantec
  • 5. Cost of Security
    • Cybercrime cost to companies – 26% increase 2012 to 2013
    • Cybercrime cost to individual – 50% increase 2012 to 2013
    • Cost per breached record to company – Average US $136 / JPY ¥13,923
  • 6. Hacking Becomes Leading Cause of Data Breaches
    Headlines:
    – Another Day, Another Retailer in a Massive Credit Card Breach
    – Secret Service investigating possible data breach at Sears
    – Report: Verizon Uncovers Two More Retail Breaches …
    – Adobe Breach Impacted At Least 38 Million Users
  • 7. Largest Single Culprit: Hacking
    Verizon Data Breach Report 2013 – 52% involved Hacking
    2013 Incidents by Breach Type (datalossdb.org) – 48% from Hacking
  • 8. THE ENEMY
  • 9. Enemy
    • Script Kiddies – Scanners & generic tools
    • Organized Crime – Exploit kits
    • Targeted & Specialized – Precise, 0-day, determined
  • 10. Opportunistic Scanners
    • Scan web for common vulnerabilities
    • Highly leverage automation
    • Often untargeted
    75% of attacks opportunistic (Verizon Data Breach Report 2013)
  • 11. Organized Cybercrime
    • Financial motivation
    • Business groups of attackers
    • Evolved systems for exploitation
  • 12. Blackhole
  • 13. CrimePack
  • 14. Phoenix
  • 15. Account Takeover – Web Brute Force
  • 16. Underground Market Prices 2013 (Dell SecureWorks)
    Item – USD – JPY
    Visa, American Express, Discover – $4-$8 – ¥409-¥818
    Credit Card with track 1 and 2 data – $12 – ¥1,227
    Full user information – $25 – ¥2,557
    1,000 Infected Computers – $20 – ¥2,046
    DDOS Attacks (per hour) – $3-$5 – ¥306-¥511
  • 17. .onion TLD via Tor
  • 18. Underground Financial Services
  • 19. Underground Financial Services
  • 20. Underground Marketplace
    Stolen Account Balance – US $700-$4100 / JP ¥760,00 – ¥420,000
    Underground Price – US $90-$322 / JP ¥9,200 - ¥33,000
  • 21. Marketplace For Credit Card Fraud
    List of vulnerable sites for “carding”
  • 22. COMPLEXITY – The future is more complex
  • 23. 180 Million Active Sites
  • 24. Cloud
  • 25. Internet of Things
    techcrunch.com/2013/05/25/making-sense-of-the-internet-of-things/
  • 26. REALITY CHECK – Security & Elements of Consideration
  • 27. Secure Code vs. Secure Software
    Fixing a single security bug
    Ensuring no critical bugs are introduced to software
  • 28. Secure Code vs. Secure Software
    Fixing a single security bug
    • While moving fast
    • With minimal impact to developers
    • Within an agile or constant deployment model
    • Across thousands of developers, multiple sites and services, and numerous new lines of code
    Ensuring no critical bugs are introduced to software
  • 29. Secure Code vs. Secure Software
    Fixing a single security bug
    • While moving fast
    • With minimal impact to developers
    • Within an agile or constant deployment model
    • Across thousands of developers, multiple sites and services, and numerous new lines of code
    Ensuring no critical bugs are introduced to software
    Hard / Easy (generally)
  • 30. Question the Models
    • Industry Drivers – PCI, Sarbanes-Oxley, HIPAA, Self Regulation
    • Business Drivers – Innovation, fail fast, time to market, competitive disadvantage
    • Development Practices – Code Reuse, Libraries, Patching
  • 31. Standards Based Security is Failing
    • Motivates for compliance over security
    • Complex & unrealistic in many scenarios
    • Retroactive removal of certification
  • 32. Business Motivation
    • Security sometimes viewed as tax
    • Tradeoff of time to market
    • Put off by aggressive security requirements – An overly secure system used by no one provides no security
  • 33. ORGANIZING FOR SECURITY – Company Structure is Critical
  • 34. Humans Don’t Scale Well
  • 35. Humans Don’t Scale Well
  • 36. Hiring More Security Isn’t Realistic
    Security Professionals
    – Expensive
    – Hard to find
    – Competition for employment
  • 37. Centralized Security Organization
    • Accountability & leadership
    • Increases communication
    • Enables security vision & forward planning
    • Cohesive vision across security disciplines
    (Diagram: Application Security, Network Ops Security, Corporate Security, Information Security)
  • 38. Centralized Security Organization
    • Build bridges throughout company
    • Become partners with groups
    • Increase communication & support
    (Diagram: Security connected to Dev, QA, Product, PR, IT, Legal)
  • 39. Influence instead of Dictate
    • Teach security approaches throughout org
    • Build tools & guidance
    • Avoid processes that require security staff involvement
    Avoid security choke point – Influence without blocking
  • 40. Embedding Approach
    • Embedding security inside dev team
      – team effort to deliver product
      – real time collaboration
      – eliminates “us” vs “them”
      – build alliance
    (Diagram: Security Team embedded across Developer Teams)
  • 41. Organizational Strategy
    • Scaling via Security Champions
    • Primary Role: Developer, Secondary: Security
    • Scales Effectively
    • Liaison to security team
    (Diagram: Security Champion between Developer Teams)
  • 42. Security Throughout SDLC
  • 43. Development
    • Developer Training
    • Coding Guidelines
      – Cheat Sheets
      – Concise, Usable
    owasp.org/index.php/Cheat_Sheets
  • 44. Development
    • Security Libraries & Services
      – Abstract away internals of security code
      – Standardized security libraries
    • OWASP ESAPI – an example of what you should build within your organization
    • Engineered web services for security
  • 45. Safety Proof & Shift Burden
    Current
    • Developer must remember to enable security
    • Ability to build anything – for better or worse
    Necessary
    • Security fully enabled, opt-out of security with caution
    • Pre-packaged code widgets
      – Appeal to masses
      – Limited customization
      – Safe for beginners
  • 46. Smart Automation
    • Dynamic security analysis built for developers
      – Report what can be found with >95% accuracy
      – Skip issues where accuracy is low
      – Accurate Tool > Tool which requires security team
    wiki.mozilla.org/Security/Projects/Minion
  • 47. Automation
    Static / Dynamic Analysis – Can scale if homogeneous environment; careful of human involvement
    Security X as a Service – Yes! The Future!
  • 48. Quality Assurance
    • Security validation within QA
    • Functional testing of forms + basic sec tests
    • Follow patterns of current QA
      – Pass / Fail
      – Self contained testing – no need for security evaluation
    Sample test string: "><script>alert('problem')</script>
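A self-contained pass/fail check in the spirit of slide 48, added here as an illustration (not code from the talk or from OWASP): a constructed form renderer with and without output encoding, and a QA test that submits the slide's probe string and fails only when it comes back unencoded.

```python
import html

# Probe string from the slide: harmless on its own, but it closes the value
# attribute and opens a script tag if the form echoes input without encoding.
PROBE = '"><script>alert(\'problem\')</script>'


def render_unsafe(value: str) -> str:
    """Constructed 'before': the form echoes the submitted value verbatim."""
    return f'<input name="q" value="{value}">'


def render_safe(value: str) -> str:
    """Constructed 'after': the value is HTML-attribute encoded before echoing."""
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


def reflected_unencoded(body: str, probe: str = PROBE) -> bool:
    """True if the probe (or at least its script tag) appears verbatim in the
    response, i.e. encoding was skipped. An encoded reflection such as
    &quot;&gt;&lt;script&gt; does not match and is the expected, safe result."""
    return probe in body or "<script>" in body


def qa_security_check(render) -> str:
    """Pass/fail verdict following the QA pattern of a functional form test:
    submit the probe, inspect the response, no security specialist required."""
    return "FAIL" if reflected_unencoded(render(PROBE)) else "PASS"
```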
  • 49. Post Release – Bounty Programs! Engage Security Community
  • 50. Post Release – Defend The App
    • Detect and repel common attacks
      – Web Application Firewall
    • Detect and repel custom attacks at business layer
      – Integrated application defense
      – OWASP AppSensor
    • Disable ability for automated attacks
    owasp.org/index.php/OWASP_AppSensor_Project
  • 51. Post Release – Defend at Scale
    • Design for Scale
      – Automated attack blocking & deflection
      – No human analysis in critical path
    • Human interaction
      – Slow
      – Ineffective against distributed attacks
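An added example of the slides 50–51 idea (my own illustration, not AppSensor's code): detection points are counted per actor in a sliding window and the block decision is taken automatically, so no human sits in the critical path. The detection-point ids follow AppSensor's naming (AE2 multiple failed passwords, RE3 extra data in a request), but the thresholds, the window and the event stream are constructed for this illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int      # seconds since start (constructed clock)
    actor: str   # client IP or session id the event is attributed to
    point: str   # detection point id, AppSensor-style


# Assumed policy: (events tolerated, window in seconds) per detection point.
POLICY = {
    "AE2": (5, 60),   # repeated failed passwords: brute force (cf. slide 15)
    "RE3": (1, 60),   # extra data in request: tampering, zero tolerance
}


class AppSensorLite:
    """Counts detection points per actor in a sliding window and blocks
    automatically when a threshold is crossed; no analyst in the loop."""

    def __init__(self, policy=POLICY):
        self.policy = policy
        self.windows = defaultdict(deque)  # (actor, point) -> timestamps
        self.blocked = {}                  # actor -> ts at which it was blocked

    def observe(self, ev: Event) -> bool:
        """Record one event; return True if the actor is (now) blocked."""
        if ev.actor in self.blocked:
            return True
        if ev.point not in self.policy:    # unknown point: log only, no response
            return False
        limit, window = self.policy[ev.point]
        q = self.windows[(ev.actor, ev.point)]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window:  # drop events outside the window
            q.popleft()
        if len(q) >= limit:
            self.blocked[ev.actor] = ev.ts
            return True
        return False


def run(events):
    """Feed events in order; return (blocked map, per-event block decisions)."""
    sensor = AppSensorLite()
    return sensor.blocked, [sensor.observe(e) for e in events]


# Constructed sample: two actors failing logins, one tampering with a request.
SAMPLE = [Event(0, "10.0.0.5", "AE2"), Event(5, "10.0.0.5", "AE2"),
          Event(10, "10.0.0.5", "AE2"), Event(12, "10.0.0.9", "AE2"),
          Event(15, "10.0.0.5", "AE2"), Event(20, "10.0.0.5", "AE2"),  # 5th in 60 s
          Event(25, "10.0.0.5", "AE1"),                                 # already blocked
          Event(30, "10.0.0.7", "RE3"),                                 # blocked at once
          Event(80, "10.0.0.9", "AE2"), Event(150, "10.0.0.9", "AE2"),
          Event(220, "10.0.0.9", "AE2"), Event(290, "10.0.0.9", "AE2")]  # never 5 in a window
```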
  • 52. Key Points
    Adversary is motivated and talented
    – Organized criminal attackers
    – Resourced and focused
  • 53. Key Points
    Satisfying security standards is a false sense of security
    – Focus on activities bringing value
    – Meet required standards & understand lack of value
  • 54. Key Points
    Complex systems require comprehensive security
    – Integrate security in every step of software development
    – Build to scale with business needs & development speed
  • 55. Thanks! @_mwc michael.coates@owasp.org