
Make it Fixable (CppCon 2018)

From experience we have learned that almost any surface we expose could have weaknesses. We have to have a plan on how to deal with issues as they arise, and an architecture that allows us to correct and protect in products that are already in use. When security is lifted up to the discretion of the user, however, we often fail to inform their decision properly. The usability of security and the architecture of fixability are closely connected, and both need continued refinement and focus. This talk will describe architectural and organizational features that make it easier to make corrective measures. They are down-to-earth everyday scenarios, illustrated by real world software projects and security incidents. Some of the stories are well known, some are anonymized to protect the innocent. Finally we will show examples of how difficult it is to design the user experience of security.

Published in: Technology


  1. @pati_gallardo
  2. Make it Fixable: Living with Risk. Patricia Aas, CppCon 2018. @pati_gallardo
  3. Patricia Aas - Consultant Programmer, Application Security. Currently: T S. Previously: Vivaldi, Cisco Systems, Knowit, Opera Software. Master in Computer Science - main language Java. Pronouns: she/her
  4. Security is Hard
  5. Just Remember: - You live in the real world - Take one step at a time - Make a plan
  6. You Need A Security “Hotline” (security@example.com). Symbiotic relationship: be polite, be grateful, be professional, be efficient and transparent
  7. - What is a System? - What is a vulnerability?
  8. Outline: 1. Unable to Roll Out Fixes 2. No Control over Dependencies 3. The Team is Gone 4. It’s in Our Code 5. My Boss Made Me Do It 6. User Experience of Security
  9. Part 1: Unable to Roll Out Fixes
  10. Unable to Roll Out Fixes: unable to update, unable to build
  11. Unable to Roll Out Fixes. Internet of Things - toys: My Friend Cayla, i-Que Intelligent Robots, Hello Barbie - Mirai: botnets created with IoT devices, users don’t update. “Shelfware” - no maintenance contract - abandonware - closed source, no way to fix/fork
  12. Fix: Ship It! Internet of Things - auto-update - different default passwords - unboxing security (make the user change the password). “Shelfware” - get a maintenance contract - change supplier - do it in-house - use only Open Source Software
  13. Fix: Ship It! Holy Grail: Continuous Deployment and Auto Update - a build environment - an update mechanism
  14. Exceptions? Some systems should not be “fixed”: a major election software maker allowed remote access on its systems for years
  15. Part 2: No Control over Dependencies
  16. No Control over Dependencies: no inventory, no update routines, no auditing
  17. No Control over Dependencies. Equifax breach - known vulnerability in Apache Struts 2. Heartbleed - bug in OpenSSL. Left-Pad - developer unpublished a mini JS library
  18. Fix: Control It! Equifax breach - continuous dependency auditing. Heartbleed - control over the production environment. Left-Pad - remove unnecessary dependencies
  19. Fix: Control It! Goal: largely automated dependency monitoring. Remember transitive dependencies. Monitor and update
  20. Part 3: The Team is Gone
  21. The Team Is Gone - Team were consultants - They were downsized - The job was outsourced - “Bus factor” - “Binary blob” - Abandonware
  22. Fix: Own It! Goal: complete build environment. Fork it, own it
  23. Use It!
  24. Part 4: It’s in Our Code
  25. It’s in Our Code. Congratulations! This is actually the BEST CASE SCENARIO
  26. It’s In Our Code. Keeper Password Manager - Reporter: Tavis Ormandy (@taviso) - “allowing any website to steal any password” - Browser plugin preinstalled on Windows - Badly handled report: sues news reporter Dan Goodin
  27. Fix: Live It! gitlab.com - “rm -rf” - Sysadmin maintenance - Cascading errors as backups fail - All logged publicly in real time. Transparency breeds trust; that is how you recover
  28. Fix: Live It! Goal: Prevent & Cure. Prevention is great, but the cure is to ship
  29. Part 5: My Boss Made Me Do It
  30. My Boss Made Me Do It: The Feature is the Bug. How? - Security problem - Privacy problem - Unethical - Illegal
  31. My Boss Made Me Do It. Capcom’s Street Fighter V - Installed a driver - “anti-crack solution”: “...disables supervisor-mode execution protection and then runs the arbitrary code passed in through the ioctl buffer with kernel permissions..” - Reddit user extrwi
  32. KrebsOnSecurity: “For 2nd Time in 3 Years, Mobile Spyware Maker mSpy Leaks Millions of Sensitive Records”
  33. Fix: Protect It! Goal: Protect your user. Prevent: protect your team - Workers’ rights - Team can diffuse blame. Cure: protect your company - Find a powerful ally - Do risk analysis: brand reputation, trust - Use the law. LAST RESORT: Whistleblowing & Quitting
  34. Fix: Protect It! Google: Dragonfly - “A plan to launch a censored search engine in China” - Employee authors a memo - Internal protests. Maersk: NotPetya - Ransomware spreads globally, insufficient network segmentation - “IT executives had pushed for a preemptive security redesign”. These are often the unsung heroes (Last Resort: Edward Snowden)
  35. Ship It, Control It, Own It, Live It & Protect It
  36. Recap - You need a Security Hotline - You have to ship
  37. Part 6: Designing the User Experience of Security
  38. (slide has no extractable text)
  39. The Users Won’t Read: error blindness, “Just click next”, “Make it go away”
  40. Fix: Less is More. Don’t leave it to the user. Have good defaults. Be very explicit when needed
  41. They Trust You: with personal information, with data, with money
  42. Fix: Be Trustworthy. Only store what you have to. Back up everything. Use third party payment. Be loyal to your end user
  43. Ship It, Control It, Own It, Live It & Protect It. Design For It
  44. Patricia Aas, T S @pati_gallardo
  45. @pati_gallardo T S
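Slides 16 to 19 argue that dependency control starts with an inventory that includes transitive dependencies and is audited continuously. As an added illustration (not code from the talk or from any project it mentions), the script below walks a constructed dependency graph from a root package, matches every reachable package against a constructed advisory feed, and reports each vulnerable package together with the chain that pulled it in; all package names, versions and advisories are made-up placeholders.

```python
from collections import deque

# Constructed sample inventory: package -> (installed version, direct dependencies).
# Names and versions are illustrative placeholders, not data from the talk.
INVENTORY = {
    "webapp":          ("1.0.0",  ["web-framework", "json-parser"]),
    "web-framework":   ("2.3.1",  ["template-engine", "http-client"]),
    "http-client":     ("4.1.0",  ["tls-lib"]),
    "tls-lib":         ("1.0.1f", []),
    "template-engine": ("0.9.0",  []),
    "json-parser":     ("1.2.0",  []),
}

# Constructed advisory feed: package -> (set of affected versions, first fixed version).
ADVISORIES = {
    "tls-lib":     ({"1.0.1e", "1.0.1f"}, "1.0.1g"),
    "json-parser": ({"1.2.0"}, "1.2.1"),
}


def transitive_dependencies(root, inventory):
    """Breadth-first walk from root; returns {package: path from root} for every
    package reachable through the dependency graph, not only the direct ones."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        pkg = queue.popleft()
        for dep in inventory.get(pkg, ("unknown", []))[1]:
            if dep not in paths:          # first visit gives the shortest path
                paths[dep] = paths[pkg] + [dep]
                queue.append(dep)
    return paths


def audit(root, inventory, advisories):
    """Match every reachable package against the advisory feed. Each finding is
    (package, installed version, fixed version, path) so the direct dependency
    that pulled the vulnerable package in can be identified and updated."""
    findings = []
    for pkg, path in transitive_dependencies(root, inventory).items():
        version = inventory.get(pkg, ("unknown", []))[0]
        if pkg in advisories and version in advisories[pkg][0]:
            findings.append((pkg, version, advisories[pkg][1], " -> ".join(path)))
    return sorted(findings)


if __name__ == "__main__":
    for pkg, version, fixed, path in audit("webapp", INVENTORY, ADVISORIES):
        print(f"{pkg} {version}: vulnerable, fixed in {fixed}; pulled in via {path}")
```

A direct-dependency-only check would miss `tls-lib` here, since it is three hops below the application; that gap is the slide's "remember transitive dependencies" point.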
