NCC Group - Software Security Austerity - Software security debt in modern software development
Ollie Whitehouse, Associate Director - NCC group spoke at the CIO Event (dot) com
1. Software Security Austerity – Security Debt in Modern Software Development
   Ollie Whitehouse, Associate Director, NCC Group

2. Agenda
   • Introduction
   • Software Security Debt
   • Debt Management
   • Conclusions

3. Before we begin… metaphor abuse warning!

4. … before we begin, part 2… there is a white paper available

5. Security debt

6. Technical debt
   "Shipping first time code is like going into debt. A little debt speeds development so long as it is paid back promptly with a rewrite. The danger occurs when the debt is not repaid. Every minute spent on not-quite-right code counts as interest on that debt."

7. Security debt…
   • Present in all software
   • Analogous to development and bugs
     • security is just a type of bug
   • Analogous to development and tech debt
   • The trade-off between
     • fix everything and ship nothing – versus –
     • fix only the critical – versus –
     • real-world business

8. Security debt…
   • You get good…
   • … you get a new problem
   • Too many vulnerabilities!
   • You focus on just the critical / serious
   • … the low / medium mountain grows

9. Security debt – types?
   • Known – identified, but yet to be addressed
   • Unknown – latent issues yet to be discovered

10. Security debt – source?
   • Self – my development
   • Supply chain – my outsourced development
   • Dependency – COTS component use without formal support

11. Security debt and SDLs
   • SDL does not mean 0 debt
   • SDL means known security debt
     • with a repayment plan
   • No SDL means latent security debt
     • with no repayment plan
   • SDL means more bugs than resources
     • quite quickly / in the short to medium term
   • SDL means accelerated discovery
     • you get too good

12. Security debt and SDLs
   • Why accelerated discovery?
     • requirements reviews
     • static code analysis
     • manual code analysis
     • automated testing (fuzzing)
     • increased awareness and knowledge
     • root cause analysis and variations

13. Accruing debt based on risk
   • Financial cost versus
     • Revenue
     • Cost of a response incident
     • Brand impact
     • Liability
   • Time cost versus
     • Resources
     • Time to market
     • Financial costs

14. Accruing debt based on risk
   • Impact versus
     • Discovery
     • Mitigations
     • Complexity and prerequisite conditions
     • Access requirements
     • Market expectation

15. Latent debt resilience
   • Latent debt will always exist
     • through own activities
     • through suppliers
     • through dependencies
   • The need to feed upstream
   • The need to build resilient software

16. Debt Management

17. Why we care
   • Client expectation
   • Regulatory requirements
   • Increasing cost of debt
   • Attacker capability evolution
   • Increased external focus

18. Why we care

19. Why we care

20. Assigning interest rates to security debt
   • Interest rate = Priority
   • Priority = risk
   • Risk = informed

21. Assigning interest rates to security debt
   Threat = f (Motivation, Capability, Opportunity, Impact)

22. Assigning interest rates to security debt: DREAD

23. Assigning interest rates to security debt: CVSS

24. Assigning interest rates to security debt
   • Impact
   • Distribution
   • Disclosure
   • Likelihood of discovery
   • Presence of mitigations
   • Complexity of exploitation
   • Access requirements
   • Customer expectation

25. Repayment – New version requirements

26. Repayment – Severity prioritization
   • Next release (any type)
   • Next release (major version)
   • Next release +1 (any type)
   • Next release +2 (any type)
   • Next release +3 (any type)

27. Repayment – Percentage reduction
   Severity   Percentage to be resolved
   Critical   100%
   Serious    50%
   Moderate   30%
   Low        20%
   Other      0 to 5%
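The percentage-reduction policy on slide 27 and the "low / medium mountain grows" observation on slide 8 can be put side by side in a small model. This is an added example, not code from the deck or from NCC Group; it assumes the slide's percentages (taking "Other" at the 5% upper bound), rounds required fixes up, and uses a constructed backlog and a constructed per-release inflow of newly discovered findings.

```python
from math import ceil

# Share of open findings per severity that must be resolved in the next
# release (slide 27). "Other" is given as 0 to 5%; 5% is assumed here.
REPAYMENT_PCT = {"Critical": 100, "Serious": 50, "Moderate": 30, "Low": 20, "Other": 5}


def required_fixes(backlog):
    """Findings per severity the policy requires in the next release.

    Rounded up (an assumption) so any non-empty backlog with a non-zero
    rate gets at least one fix rather than being rounded away.
    """
    return {sev: ceil(n * REPAYMENT_PCT[sev] / 100) for sev, n in backlog.items()}


def simulate(backlog, new_per_release, releases):
    """Carry the backlog across releases.

    Each release pays down the policy share, then the constructed inflow of
    newly discovered debt is added. Returns the backlog after each release.
    """
    history = []
    current = dict(backlog)
    for _ in range(releases):
        fixes = required_fixes(current)
        current = {sev: current[sev] - fixes[sev] + new_per_release.get(sev, 0)
                   for sev in current}
        history.append(dict(current))
    return history


def steady_state(new_per_release):
    """Backlog at which repayment exactly matches inflow: inflow / rate.

    A 20% rate against 10 new Lows per release settles at 50 open Lows; the
    5% rate on "Other" settles at 20x the inflow. Rate 0 means no ceiling,
    returned as None. Integer arithmetic keeps the result exact.
    """
    result = {}
    for sev, inflow in new_per_release.items():
        pct = REPAYMENT_PCT[sev]
        result[sev] = None if pct == 0 else inflow * 100 / pct
    return result


if __name__ == "__main__":
    start = {"Critical": 3, "Serious": 4, "Moderate": 10, "Low": 20, "Other": 40}
    inflow = {"Critical": 1, "Serious": 2, "Moderate": 5, "Low": 10, "Other": 20}
    for i, snapshot in enumerate(simulate(start, inflow, 3), 1):
        print(f"after release {i}: {snapshot} total={sum(snapshot.values())}")
    print("steady state:", steady_state(inflow))
```

Critical and Serious stay flat while Low and Other climb toward a ceiling set purely by the repayment rate, which is the mountain the deck describes.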
28. Repayment – Forced

29. Debt Expiry

30. Debt Overhang
   • Stewart Myers paper (1977) 'Determinants of Corporate Borrowing'
   • Debt mountain equals death by a thousand cuts
   • Leading to inability to accrue more security debt
   • Leading to slower innovation

31. Strategic Debt Restructuring

32. Bankruptcy

33. Non Repayment – Consequence Planning
   "We may be at the point of diminishing returns by trying to buy down vulnerability," the general observed. Instead, he added, "maybe it's time to place more emphasis on coping with the consequences of a successful attack, and trying to develop networks that can 'self-heal' or 'self-limit' the damages inflicted upon them."

34. Conclusions
   • Zero debt is not good business practice
   • SDLs enable debt discovery and repayment
   • A pure risk approach allows the mountain to grow
   • Outsourcing carries risk of larger latent debt
   • A mature model is to understand and plan payment
     • … while educating upstream
     • … while paying down the mountain
     • … while still using risk

35. Thanks! Questions?
   UK Offices: Manchester - Head Office, Cheltenham, Edinburgh, Leatherhead, London, Thame
   North American Offices: San Francisco, Atlanta, New York, Seattle
   Australian Offices: Sydney
   European Offices: Amsterdam - Netherlands, Munich - Germany, Zurich - Switzerland
   Ollie Whitehouse, ollie.whitehouse@nccgroup.com