Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

DevSecCon Boston 2018: Secure by Design by Chris Wysopal

211 views

Published on

DevSecCon Boston 2018: Secure by Design by Chris Wysopal

Published in: Technology
  • Be the first to comment

  • Be the first to like this

DevSecCon Boston 2018: Secure by Design by Chris Wysopal

  1. 1. BOSTON 10-11 SEPT 2018 Secure by Design CHRIS WYSOPAL CTO & CO-FOUNDER VERACODE
  2. 2. BOSTON 10-11 SEPT 2018 In the past… • Vendors didn’t think about security from the beginning of the software development process • The result was “patch and pray” • Vendors were reactive and subsequently customers had to be reactive • This is not sustainable
  3. 3. BOSTON 10-11 SEPT 2018 Then application penetration testing was born… • Vendors hired experts to test software right before release • A mixture of manual and automated tools were used to generate a list of security issues • Vendor decided how much they could fix and what delay they could tolerate
  4. 4. BOSTON 10-11 SEPT 2018 We went from fixing nothing to fixing only the most critical issues in the most expensive way and causing the most delay.
  5. 5. BOSTON 10-11 SEPT 2018 This doesn’t cut it anymore Attackers are everywhere and their attacks are more and more automated Customers expect more Losing customer trust means losing money
  6. 6. BOSTON 10-11 SEPT 2018 Principles of Secure by Design Continuous – security is built-in throughout the entire software lifecycle Measurability – ensure the activities performed are producing the desired result and can be optimized Transparency – ability to describe your secure development process and the security mechanisms you used to regulators and customers
  7. 7. BOSTON 10-11 SEPT 2018 Security features are requirements (functional and non-functional) placed into the backlog Security champions are members of the development team who can determine when new backlog items need threat modeling or secure code review Minimize “touchpoints” with security team Automated security testing is built into the tools developers use: the IDE, CI/CD pipeline, ticketing systems Continuous Security
  8. 8. BOSTON 10-11 SEPT 2018 Need to be continuous about dependencies • Libraries • Packages • Containers How quickly can you update?
  9. 9. BOSTON 10-11 SEPT 2018 Percentage of vulnerabilities not in NVD – 31% Language CVE Reserved CVE SVE % SVE Low % SVE High JS 604 47 490 42.94% 44.79% PHP 522 14 128 19.28% 19.69% DOTNET 58 0 1 1.69% 1.69% JAVA 749 60 335 29.28% 30.90% RUBY 284 43 268 45.04% 48.55% PYTHON 389 59 228 33.73% 36.95% GO 90 5 218 69.65% 70.78% CPP 193 8 12 5.63% 5.85% OBJECTIVEC 631 14 9 1.38% 1.41% CSHARP 33 3 0 0.00% 0.00% 3553 253 1689 30.74% 32.22% % SVE Low assumes reserved CVEs overlap with SVEs % SVE High assumes reserved CVEs do not overlap with SVEs
  10. 10. BOSTON 10-11 SEPT 2018 For Java, Ruby and Python, less than 5% of products that contain a library with a vulnerability are vulnerable repos analyzed % component vulnerabilities that make the products vulnerable Ruby 510 3.50% Java 5232 4.15% Python 585 0.69%
  11. 11. BOSTON 10-11 SEPT 2018 Consistency of tools used across all applications developed System of record with all results from multiple testing processes Track activities to correlate with defect and fix rates Measurability
  12. 12. BOSTON 10-11 SEPT 2018 SANDBOX SCANNING IMPACT ON FIX RATE Flaw Density—Last ScanFlaw Density—First Scan Using Sandbox Scans 41.16 31.16 39.93 33.4 0 5 10 15 20 25 30 35 40 45 Flaw / MB Policy Scans Only Reduction 10 6.53 Fix Rate 24.3% 16.4% Difference 48.2%
  13. 13. BOSTON 10-11 SEPT 2018 CA Veracode State of Software Security 2017 Remediation Coaching
  14. 14. BOSTON 10-11 SEPT 2018
  15. 15. BOSTON 10-11 SEPT 2018 External documentation – security features, tools, process, components (SBoM) Third party validation – verified results Transparency
  16. 16. BOSTON 10-11 SEPT 2018 Thank you! Chris Wysopal cwysopal@veracode.com @weldpond

×