Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Make It Fixable (Sikkert NOK 2017)

189 views

Published on

Trying to prepare your project or organisation to be able to receive vulnerability reports is a daunting task. And often far more complex and cross disciplinary than one first expects. This talk describes some of the most common challenges and how to counteract them.

Published in: Software
  • Be the first to comment

Make It Fixable (Sikkert NOK 2017)

  1. 1. @pati_gallardo
  2. 2. Make it Fixable Living with Risk Patricia Aas Sikkert NOK 2017 @pati_gallardo
  3. 3. Who am I? @pati_gallardo
  4. 4. Patricia Aas Programmer - mainly in C++ and Java Currently : Vivaldi Technologies Previously : Cisco Systems, Knowit, Opera Software Master in Computer Science Twitter : @pati_gallardo
  5. 5. Security is Hard @pati_gallardo
  6. 6. Just Remember : - You live in the real world - Take one step at a time - Make a Plan @pati_gallardo
  7. 7. You Need A Security “Hotline” security@example.com Symbiotic relationship Be polite Be grateful Be professional Be efficient and transparent @pati_gallardo
  8. 8. Everybody's An Expert @pati_gallardo
  9. 9. - They Are. Really. - @pati_gallardo
  10. 10. 1. Unable to Roll Out Fixes 2. No Control over Dependencies 3. The Team is Gone 4. It’s in Our Code 5. My Boss Made Me Do It 6. User Experience of Security Outline @pati_gallardo
  11. 11. Unable to Roll Out Fixes @pati_gallardo 1
  12. 12. Unable to Roll out Fixes - Relying on User Updates - Unable to Build - Unable to Deploy - Regression Fear - No Issue Tracking - No Release Tags - No Source - Issue in infrastructure @pati_gallardo
  13. 13. Internet of Things Toys: My Friend Cayla, i-Que Intelligent Robots, Hello Barbie Mirai: Botnets created with IOT devices, users don’t update “Shelfware” No Maintenance contract Abandonware Closed source - no way to fix/fork @pati_gallardo Unable to Roll Out Fixes.
  14. 14. Fix : Ship It! Holy Grail : Auto Update Code - Get the Code - Use Version Control - Keep Build Environment - Write Integration Tests Configuration Management - Have Security Contact - Track issues - Make a Deployment Plan - Control Infrastructure @pati_gallardo Unable to Roll Out Fixes.
  15. 15. Internet of Things - Auto-update - Different default passwords - Unboxing security “Shelfware” - Get maintenance contract - Change supplier - Do in-house - Use only Open Source Software Fix : Ship It! @pati_gallardoUnable to Roll Out Fixes.
  16. 16. No Control over Dependencies @pati_gallardo 2
  17. 17. No Control over Dependencies - Too Many Dependencies - Frameworks are Abandoned - Libraries Disappear - Insecure Platform APIs - Insecure Tooling - End-of-Life OS (Windows) - Licenses expire/change - Known Issues not Fixed - OS Not Updated (Android) @pati_gallardo
  18. 18. Stagefright Bugs in the multimedia library on Android Heartbleed Bug in openssl Left-Pad Developer unpublished a mini-Js library @pati_gallardo No Control over Dependencies
  19. 19. Fix: Control It! Goal : Dependency Control Be conservative - Is it needed? - Do you understand it? Be cautious - Audit your upstream - Avoid forking - Have an upgrade plan - Have someone responsible @pati_gallardo No Control over Dependencies
  20. 20. Stagefright Workaround in apps calling into stagefright Heartbleed Control over production environment Left-Pad Removing unnecessary dependency Fix: Control It! @pati_gallardoNo Control over Dependencies
  21. 21. The Team is Gone @pati_gallardo 3
  22. 22. The Team Is Gone - Team were consultants - They were downsized - The job was outsourced - “Bus factor” - “Binary blob” - Abandonware @pati_gallardo
  23. 23. “Public Sector” - Leaves the code with subcontractor - No build environment - Third-party access to production environment Abandoned frameworks - Framework interdependency - Unable to upgrade - Known bugs The Team is Gone @pati_gallardo
  24. 24. Fix : Own It! Goal : Regain Control Take it on yourselves - Build competence in-house - Fork, take control - “Barely Sufficient” Docs - Ship It and Control It Outsource - Maintenance Contract - Add Security Clause - Own deployment channel @pati_gallardo The Team Is Gone.
  25. 25. Fix : Own It! “Public Sector” - Backsourcing - Bring back work previously outsourced Abandoned frameworks - Replace with equivalent (OSS) - Remove dependency - Fork if you don’t have a choice @pati_gallardoThe Team Is Gone.
  26. 26. Use It! @pati_gallardo
  27. 27. It’s in Our Code @pati_gallardo 4
  28. 28. It’s in Our Code - Injection - Exploited crash etc - Debug code in production - Server compromised - Outdated platform - Intercepted traffic - Mined local data - Good old fashioned BUG @pati_gallardo
  29. 29. REMA 1000 Æ App - Reporter: Hallvard Nygård (@hallny) - All user data could be retrieved - Badly handled report - “Bug” (Lack of security) in App BEST CASE SCENARIO @pati_gallardo It’s In Our Code
  30. 30. Fix : Live It! Goal : Prevent & Cure Prevent - Sanitize your input - Send crash reports - Code review + tests - Review server security - Encrypt all traffic - Review local storage - Sign and check Cure - Ship it! @pati_gallardo It’s In Our Code
  31. 31. Browsers are very experienced - And therefore boring ;) gitlab.com - “rm -rf” - Sysadmin maintenance - Cascading errors as backups fail - All logged Publicly in real time Transparency Fix : Live It! @pati_gallardo It’s In Our Code
  32. 32. My Boss Made Me Do It @pati_gallardo 5
  33. 33. My Boss Made Me Do It The Feature is the Bug How? - Security Problem - Privacy Problem - Unethical - Illegal @pati_gallardo
  34. 34. Capcom's Street Fighter V - Installed a driver - “anti-crack solution” “...disables supervisor-mode execution protection and then runs the arbitrary code passed in through the ioctl buffer with kernel permissions..” - Reddit user extrwi My Boss Made Me Do It @pati_gallardo
  35. 35. Fix : Protect It! Goal : Protect your user Prevent : Protect your team - Workers rights - Build trust Cure : Protect your company - Find a Powerful Ally - Do Risk Analysis : Brand Reputation, Trust - Use the Law LAST RESORT : Whistleblowing & Quitting @pati_gallardo My Boss Made Me Do It
  36. 36. Statoil - Internal reports of security incidents after outsourcing - Only public after serious IRL incidents Nødnett - Transitive outsourcing - National Security These are often the Unsung Heros (Last Resort : Edward Snowden) Fix : Protect It! @pati_gallardo My Boss Made Me Do It
  37. 37. Ship It, Control It, Own It, Live It Protect It @pati_gallardo
  38. 38. - You need a Security Hotline - You Have to Ship - You Can’t do This Alone Recap @pati_gallardo
  39. 39. Designing the User Experience of Security @pati_gallardo 6
  40. 40. The Users Won’t Read Error blindness - Most users will mentally erase permanent error notifiers - they won’t read “Just click next” - Most users will accept the defaults - they won’t read “Make it go away” - The user will try to make the error dialog go away - they won’t read @pati_gallardo
  41. 41. Fix : Less is More Don’t leave it to the user - Just do the right thing, you don’t have to ask Have good defaults - Make sure that clicking next will leave the user in a good place Be very explicit when needed - If the user is in a “dangerous” situation - design carefully and if you have to explain : use language the user can understand @pati_gallardo
  42. 42. They Trust You With Personal information - They trust you to protect them from both hackers and governments With Data - They trust you to protect their pictures, documents, email … With Money - They trust you to protect their payment information and passwords @pati_gallardo
  43. 43. Fix : Be Trustworthy Only store what you have to - Try to use end-to-end encryption, so that even you don’t have access. Encrypt as much as you can Back up everything - Your users can’t afford to lose their baby pictures Use third party payment - Avoid having responsibility for their money @pati_gallardo
  44. 44. Everyone Is An Expert @pati_gallardo
  45. 45. 1. Unable to Roll Out Fixes 2. No Control over Dependencies 3. The Team is Gone 4. It’s in Our Code 5. My Boss Made Me Do It 6. User Experience of Security Challenges @pati_gallardo
  46. 46. Protect Your User - Be a Force For Good @pati_gallardo
  47. 47. The Spaces We Create Online Are REAL @pati_gallardo
  48. 48. Make Everyone Feel Safe To Be Themselves @pati_gallardo
  49. 49. Make it Fixable Living with Risk Patricia Aas, Vivaldi Technologies @pati_gallardo Photos from pixabay.com - CC0 Creative Commons License
  50. 50. Some Vivaldi Swag! @pati_gallardo

×