
Make it Fixable, Living with Risk (Paranoia 2017)

Coming into a code base can be overwhelming. Taking responsibility for the security of a project can be truly terrifying. This talk will describe a set of common scenarios for a project, and how to counteract them. Hopefully, this will help to move your codebase and project to a state where you will be more prepared to handle incoming vulnerability reports. They are down-to-earth everyday scenarios, illustrated by real world software projects and security incidents. Some of the stories are well known, some are anonymized to protect the innocent.

  1. @pati_gallardo
  2. Make it Fixable: Living with Risk. Patricia Aas. Paranoia by Watchcom, 2017.
  3. Who am I?
  4. Patricia Aas. Programmer, mainly in C++ and Java. Currently: Vivaldi Technologies. Previously: Cisco Systems, Knowit, Opera Software. Master in Computer Science. Twitter: @pati_gallardo
  5. Security is Hard
  6. Just Remember:
     - You live in the real world
     - Take one step at a time
     - Make a Plan
  7. You Need A Security "Hotline": security@company.com
     - Symbiotic relationship
     - Be polite
     - Be grateful
     - Be professional
     - Be efficient and transparent
  8. Risk Management - Make it Fixable
     - Unable to Roll Out Fixes
     - No Control over Dependencies
     - The Team is Gone
     - It's in Our Code
     - My Boss Made Me Do It
  9. Unable to Roll Out Fixes
  10. Unable to Roll Out Fixes
     ● Relying on User Updates
     ● Unable to Build
     ● Unable to Deploy
     ● Regression Fear
     ● No Issue Tracking
     ● No Release Tags
     ● No Source
     ● Issue in infrastructure
  11. Unable to Roll Out Fixes
     Internet of Things toys: My Friend Cayla, i-Que Intelligent Robots, Hello Barbie
     Mirai: botnets created from IoT devices; users don't update
     "Shelfware": no maintenance contract; abandonware; closed source, so no way to fix or fork
  12. Fix: Ship It! (Holy Grail: Auto Update)
     Code
     ● Get the Code
     ● Use Version Control
     ● Keep Build Environment
     ● Write Integration Tests
     Configuration Management
     ● Have Security Contact
     ● Track issues
     ● Make a Deployment Plan
     ● Control Infrastructure
  13. Fix: Ship It!
     Internet of Things
     - Auto-update
     - Different default passwords per device
     - Unboxing security
     "Shelfware"
     - Get maintenance contract
     - Change supplier
     - Do in-house
     - Use only Open Source Software
  14. No Control over Dependencies
  15. No Control over Dependencies
     ● Too Many Dependencies
     ● Frameworks are Abandoned
     ● Libraries Disappear
     ● Insecure Platform APIs
     ● Insecure Tooling
     ● End-of-Life OS (Windows)
     ● Licenses expire/change
     ● Known Issues not Fixed
     ● OS Not Updated (Android)
  16. No Control over Dependencies
     Stagefright: bugs in the multimedia library on Android
     Heartbleed: bug in OpenSSL
     Left-Pad: developer unpublished a tiny JS library
  17. Fix: Control It! (Goal: Dependency Control)
     Be conservative
     ● Is it needed?
     ● Do you understand it?
     Be cautious
     ● Audit your upstream
     ● Avoid forking
     ● Have an upgrade plan
     ● Have someone responsible
  18. Fix: Control It!
     Stagefright - workaround in apps calling into Stagefright
     Heartbleed - control over production environment
     Left-Pad - removing an unnecessary dependency
  19. The Team is Gone
  20. The Team Is Gone
     ● Team were consultants
     ● They were downsized
     ● The job was outsourced
     ● "Bus factor"
     ● "Binary blob"
     ● Abandonware
  21. The Team is Gone
     "Public Sector"
     - Leaves the code with the subcontractor
     - No build environment
     - Third-party access to the production environment
     Abandoned frameworks
     - Framework interdependency
     - Unable to upgrade
     - Known bugs
  22. Fix: Own It! (Goal: Regain Control)
     Take it on yourselves
     ● Build competence in-house
     ● Fork, take control
     ● "Barely Sufficient" Docs
     ● Ship It and Control It
     Outsource
     ● Maintenance Contract
     ● Add Security Clause
     ● Own deployment channel
  23. Fix: Own It!
     "Public Sector"
     - Backsourcing: bring back work previously outsourced
     Abandoned frameworks
     - Replace with equivalent (OSS)
     - Remove dependency
     - Fork
  24. It's in Our Code
  25. It's in Our Code
     ● Injection
     ● Exploited crash, etc.
     ● Debug code in production
     ● Server compromised
     ● Outdated platform
     ● Intercepted traffic
     ● Mined local data
     ● Good old fashioned BUG
  26. It's in Our Code: REMA 1000 Æ app (best case scenario)
     - Reporter: Hallvard Nygård (@hallny)
     - All user data could be retrieved
     - Badly handled report
     - "Bug" (lack of security) in the app
  27. Fix: Live It! (Goal: Prevent & Cure)
     Prevent
     ● Sanitize your input
     ● Send crash reports
     ● Code review + tests
     ● Review server security
     ● Encrypt all traffic
     ● Review local storage
     ● Work around old platform
     ● Sign and check
     Cure
     ● Ship it!
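Slide 12's "Holy Grail: Auto Update" and slide 27's "Sign and check" belong together: an update channel only delivers fixes if the device can tell a genuine update from a replaced or replayed one, which is exactly what the unpatched Mirai-era devices on slide 11 could not do. The Go program below is an added example for this page, not code from the talk or from any product it mentions. On the release side it signs an update manifest with Ed25519; on the device side it checks the signature before parsing anything, refuses versions that are not strictly newer than the installed one (so an attacker cannot replay an old, validly signed but vulnerable release), and checks the downloaded payload against the hash the manifest commits to. The manifest layout, the key handling and the sample payload are assumptions constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is what the update server publishes: the version on offer and the
// SHA-256 of the payload the device will fetch. Signing the manifest, not only
// the payload, is what lets the device refuse downgrades. (Assumed layout.)
type Manifest struct {
	Version    uint64 `json:"version"`
	PayloadSHA string `json:"payload_sha256"`
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrRollback     = errors.New("offered version is not newer than the installed one")
	ErrBadPayload   = errors.New("payload hash does not match the signed manifest")
)

// SignManifest runs on the release machine. The signature covers the exact
// bytes shipped, so no canonical JSON is needed: the device verifies those
// bytes before it parses them.
func SignManifest(m Manifest, priv ed25519.PrivateKey) (body, sig []byte, err error) {
	body, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return body, ed25519.Sign(priv, body), nil
}

// VerifyUpdate runs on the device with the release public key pinned in
// firmware. Order matters: signature first (nothing unverified reaches the
// JSON decoder), then strictly-newer version (anti-rollback), then payload hash.
func VerifyUpdate(pub ed25519.PublicKey, body, sig []byte, installed uint64, payload []byte) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pub, body, sig) {
		return m, ErrBadSignature
	}
	if err := json.Unmarshal(body, &m); err != nil {
		return m, err
	}
	if m.Version <= installed {
		return m, ErrRollback
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.PayloadSHA {
		return m, ErrBadPayload
	}
	return m, nil
}

// Outcome holds the device's verdict on four constructed deliveries.
type Outcome struct {
	Genuine  error // version-2 manifest and matching payload
	Forged   error // manifest bytes edited after signing
	Tampered error // genuine manifest, payload swapped in transit
	Rollback error // old version-1 manifest, validly signed, replayed
}

// Scenario generates a throwaway release key and plays the four deliveries
// against a device that already runs version 1.
func Scenario() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	payload := []byte("firmware image v2 (constructed sample)")
	sum := sha256.Sum256(payload)
	digest := hex.EncodeToString(sum[:])
	body2, sig2, err := SignManifest(Manifest{Version: 2, PayloadSHA: digest}, priv)
	if err != nil {
		return Outcome{}, err
	}
	body1, sig1, err := SignManifest(Manifest{Version: 1, PayloadSHA: digest}, priv)
	if err != nil {
		return Outcome{}, err
	}
	// An attacker without the key edits the manifest to claim a higher version.
	forged := bytes.Replace(body2, []byte(`"version":2`), []byte(`"version":9`), 1)

	const installed = 1
	var o Outcome
	_, o.Genuine = VerifyUpdate(pub, body2, sig2, installed, payload)
	_, o.Forged = VerifyUpdate(pub, forged, sig2, installed, payload)
	_, o.Tampered = VerifyUpdate(pub, body2, sig2, installed, []byte("backdoored image"))
	_, o.Rollback = VerifyUpdate(pub, body1, sig1, installed, payload)
	return o, nil
}

func main() {
	o, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v forged=%v tampered=%v rollback=%v\n", o.Genuine, o.Forged, o.Tampered, o.Rollback)
}
```

In a real deployment the public key is baked into the firmware or kept in a write-protected region, the private key never leaves the release infrastructure, and the installed version counter lives somewhere the update code can trust, since an attacker who can reset it defeats the rollback check. The payload hash check also means the payload itself can be served from any mirror or CDN without extending trust to it.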
  28. Fix: Live It! (Transparency)
     Browsers are very experienced - but boring ;)
     gitlab.com
     - "rm -rf"
     - Sysadmin maintenance
     - Cascading errors as backups fail
     - All logged publicly in real time
  29. My Boss Made Me Do It
  30. My Boss Made Me Do It: The Feature is the Bug. How?
     ● Security Problem
     ● Privacy Problem
     ● Unethical
     ● Illegal
  31. My Boss Made Me Do It: Capcom's Street Fighter V
     - Installed a driver, an "anti-crack solution"
     - "...disables supervisor-mode execution protection and then runs the arbitrary code passed in through the ioctl buffer with kernel permissions.." - Reddit user extrwi
  32. Fix: Protect It! (Goal: Protect your user)
     Prevent: Protect your team
     ● Workers' rights
     ● Build trust
     Cure: Protect your company
     ● Find a Powerful Ally
     ● Do Risk Analysis: Brand, Reputation, Trust
     ● Use the Law
     LAST RESORT: Whistleblowing & Quitting
  33. Fix: Protect It!
     Statoil
     - Internal reports of security incidents after outsourcing
     - Only public after serious IRL incidents
     Nødnett
     - Transitive outsourcing
     - National security
     These are often the unsung heroes (Last Resort: Edward Snowden)
  34. Ship It, Control It, Own It, Live It, Protect It
  35. Security is Hard. Protect Your User.
  36. Make it Fixable: Living with Risk. Patricia Aas, Vivaldi Technologies. Photos from pixabay.com
  37. Designing the User Experience of Security
  38. The Users Won't Read
     Error blindness: most users will mentally erase permanent error notifiers - they won't read
     "Just click next": most users will accept the defaults - they won't read
     "Make it go away": the user will try to make the error dialog go away - they won't read
  39. Fix: Less is More
     Don't leave it to the user: just do the right thing, you don't have to ask
     Have good defaults: make sure that clicking next will leave the user in a good place
     Be very explicit when needed: if the user is in a "dangerous" situation, design carefully, and if you have to explain, use language the user can understand
  40. They Trust You
     With personal information: they trust you to protect them from both hackers and governments
     With data: they trust you to protect their pictures, documents, email ...
     With money: they trust you to protect their payment information and passwords
  41. Fix: Be Trustworthy
     Only store what you have to: try to use end-to-end encryption, so that even you don't have access; otherwise, encrypt as much as you can
     Back up everything: your users can't afford to lose their baby pictures
     Use third-party payment: avoid having responsibility for their money
  42. The Spaces We Create Online Are REAL
  43. Protect Your User - Be a Force For Good
  44. Make it Fixable: Living with Risk. Patricia Aas, Vivaldi Technologies.
