
AppSec is Eating Security


This is my keynote for AppSec California 2015. In it I discuss how application security is taking over all areas of security and how we need to change how we build and deploy security tools as a result.

Here is the video of me giving the talk:
https://www.youtube.com/watch?v=-1kZMn1RueI



  1. AppSec is Eating Security. Presented by Alex Stamos, AppSec Cali | January 27, 2015
  2. (image slide)
  3. Most enterprises are not safe
     "SECURE 100": Big Banks + other FIs; Defense Industrial Base; Oil and Gas; Critical Infrastructure; Big Tech; Some Retail
     "TOASTED 400": Everybody Else
     What are they missing?
       • Secure software engineering
       • Engineering-focused IR
       • Ability to create, not buy, solutions
  4. Almost no users are safe
  5. Security hardware is becoming un-buyable
       • Arista 7508E: 1152 x 10GbE, 30Tbps backplane, 5kW
       • Palo Alto 7050: 120Gbps throughput, 2.4kW
  6. 5kW 600kW (image slide)
  7. Containerization collapses the security perimeter (diagrams from docker.com)
     No:
       • Virtual soundcard
       • Guest OS patching
       • VT-x enforcement
       • Network controls
       • Stable naming
       • 1:1 service relationships
     In the long run, this is a good thing! In the short term, it's a mess to deal with!
  8. The Internet of Unpatchable Crap Things (store.idevices.com)
  9. What AppSec Needs to Accomplish
  10. Apps have to be secure by default (https://code.google.com/p/mustache-security/ by cure53.de)
      How many developers understand the security risk they imported?
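The "secure by default" point is easiest to see with a template renderer in hand. What follows is an added example, not code from the talk, not the Mustache.js library and not part of the mustache-security project: a deliberately tiny Mustache-style interpolator whose double-brace form HTML-escapes by default and whose triple-brace form emits raw markup, followed by a demonstration of what goes wrong when untrusted input is concatenated into the template instead of being bound as data. The function names, the sample payload and the `apiToken` context value are all constructed for this example.

```javascript
// Added example (not from the talk, not Mustache.js): a minimal Mustache-style
// interpolator used to show the difference between escape-by-default output,
// opt-in raw output, and template injection.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Dotted lookup into the data context; a missing key renders as "".
function lookup(data, path) {
  const v = path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), data);
  return v == null ? '' : v;
}

// {{name}}   -> value HTML-escaped (the default, and the only form untrusted data should hit)
// {{{name}}} -> value emitted raw (opt-in, for markup the application produced itself)
// Both forms are matched in a single pass, so a raw value that happens to contain
// "{{...}}" is not re-interpreted as a tag on a second pass.
const TAG = /\{\{\{\s*([\w.]+)\s*\}\}\}|\{\{\s*([\w.]+)\s*\}\}/g;

function render(template, data) {
  return template.replace(TAG, (_, rawKey, escKey) =>
    rawKey !== undefined ? String(lookup(data, rawKey)) : escapeHtml(lookup(data, escKey)));
}

// Constructed attacker-controlled value, as it might arrive from a profile form.
const USER_INPUT = '<img src=x onerror=alert(document.cookie)>';

// 1. Untrusted data bound through the escaping form: inert text in the page.
function safeGreeting(name) {
  return render('<p>Hello {{name}}</p>', { name });
}

// 2. The raw form: correct for markup the app built itself, an XSS when `name` is user data.
function rawGreeting(name) {
  return render('<p>Hello {{{name}}}</p>', { name });
}

// 3. Template injection: the user string is concatenated into the TEMPLATE, so the
// user chooses which context values are read and whether they are escaped.
// `apiToken` is a constructed stand-in for anything else living in the context.
function injectedGreeting(userFragment) {
  const context = { name: 'anyone', apiToken: 'secret-token-123' };
  return render('<p>Hello ' + userFragment + '</p>', context);
}

console.log(safeGreeting(USER_INPUT));          // escaped, harmless
console.log(rawGreeting(USER_INPUT));           // live <img onerror=...>
console.log(injectedGreeting('{{{apiToken}}}')); // context value exfiltrated
```

The two rules the example encodes are the ones a developer importing a template engine needs to know: the escaping form must be the one that takes no effort, and user input must only ever enter through the data argument, never through the template string.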
  11. App Sec doesn't have to be realtime or inline
       ▪ 10Gb Ethernet = 67ns between frames
       ▪ 100Gb Ethernet = 6.7ns between frames
       (A minimum-size frame is 64 bytes plus an 8-byte preamble and a 12-byte inter-frame gap, 672 bits in all, which takes 67.2ns at 10Gb/s and 6.72ns at 100Gb/s: that is the per-packet budget an inline device gets.)
       Is this actually necessary? No. Is it a good idea? Probably not.
  12. (image slide; photo by Flickr user Keith Allison, CC-BY-SA; chart by Warren Sharp, www.sharpfootballanalysis.com)
  13. Bug bounty communities need to reform to grow
  14. Accept that the browser is the new OS
      I hate it when good points get twisted to prevent progress
  15. Network security must be transparent to applications
       ▪ DNSSEC is dead. Several reasons why....
         › Complexity (dnsviz.net via @jpmens)
         › Not end-to-end. How much do you trust your DNS provider?
         › Invisible to user applications!
  16. Build apps that are safe, not just secure
       ▪ Way too little focus on user experience
       ▪ Classic difficult example is cert info (see APF tonight)
  17. What is a safe app?
       ▪ Safest mode is the default
       ▪ Automatically fixes itself
       ▪ Fails gracefully instead of failing insecurely and immediately
         › Including client-side failures
       ▪ Recognizes the difficulties its users face
       ▪ Takes into account the entire lifecycle of the user
      Yes, I'm a security paternalist
  18. Passwords are dead
      Every big password dump has 10-20% matches
       ▪ SMS
         › Lowest common denominator
         › Surprisingly expensive
         › Unreliable
         › Insecure in many countries
       ▪ TOTP
         › Bad user experience
         › Many apps means no control over seeds
       ▪ Push notifications
         › Much more secure
         › Require more user interaction
      None solve the account lifecycle management problem. This is the #1 issue for user safety.
  19. So... Looks like we all have a lot of work to do to:
       • Build apps with no L3 protections
       • Patch in our CI/CD pipelines
       • Provide end-to-end and transformable encryption
       • Make browsers more trustworthy than the OS
       • More work for AppSec, less for the rest of security
       • Can we solve some of these problems without selling product?
  20. Shameless Pitch
      At Yahoo, our security goal is for all users to be safe using any of our products from any country on any platform. I'm currently looking for a Director of Product Security to reinvent how we build safe products and meet this goal for 1.3B users.
  21. Thank you. stamos@yahoo-inc.com, @alexstamos
