Software Security: Is OK Good Enough?
AppSec EU 2011, John B. Dickson, CISSP, Denim Group, Ltd.
1. Software Security: Is OK Good Enough? AppSec EU 2011. John B. Dickson, CISSP, Denim Group, Ltd. john@denimgroup.com © Copyright 2011 Denim Group - All Rights Reserved
2. Software Security: Is OK Good Enough?
   • Current State of Affairs in Software Security
   • What we can Learn from Other Justification Models
   • Potential Software Security Justification Models
   • Questions and Answers
3. Personal Background
4. Personal Background
5. Denim Group Background
   – Professional services firm that builds & secures enterprise applications
   – Secure development services:
     • Secure .NET and Java application development
     • Post-assessment remediation
6. Current State of Affairs in Software Security
   • Focus on OWASP Top 10 List
   • Testing approaches differ greatly
   • Existing application security scanners identify a subset of vulnerabilities in applications
     – 30-40% coverage level is the accepted norm
     – SQL injection/XSS – yes
     – Authorization & business logic – not so much
7. 1996 Network Security Question? Firewall?
8. 2011 Application Security Question? I’ve run my Automated SQL Injection & XSS Application Scanner?
9. (image only)
10. Checkbox Culture
   • Compliance culture and resource constraints have limited software security coverage
   • This cuts to the heart of “OK”
   • Heartland Payment Systems breach and PCI test coverage
     – Organizations try to limit the PCI audit by design, even though many view PCI DSS as the most rigorous application security compliance framework
11. How Many Angels Can Sit On The Head Of A Pin?
12. (image only)
13. (drawn to scale)
14. (image only)
15. (image only)
16. Going Concern: In accounting, "going concern" refers to a company's ability to continue functioning as a business entity.
17. (image only)
18. What do Street Vendor food and iTunes applications have in common?
19. Introduction of malware into iTunes & Droid Apps stores
   • Applications submitted to the Apple iTunes AppStore and the Google Android store do not undergo rigorous security testing
   • Neither application store does "white listing" per se
20. What we can Learn from Other Justification Models – Earthquake Building Codes: Haiti vs. Chile
21. What we can Learn from Other Justification Models – Earthquake Building Codes
   • Shared understanding for need
   • Establish compliance regimes
   • Rule of law for enforcement
22. New York City
   • 24,000 restaurants inspected/year
   • Point-based rating scale
   • 3 categories of violations
     • Public health hazard (7 points)
     • Critical violation (5 points)
     • General violation (2 points)
23. Venture a Guess?
   • 3 categories of violations
     • Public health hazard (7 points)
     • Critical violation (5 points)
     • General violation (2 points)
24. Venture a Guess?
   • 3 categories of violations
     • Public health hazard (7 points)
     • Critical violation (5 points)
     • General violation (2 points)
25. What we can Learn from Other Justification Models
   • What can we learn from these two models?
   • No model is based purely on industry-driven compliance
     – Having no regulation is bad
   • Starting point is a generally accepted need for regulation
     – Buyers need to demand software “seatbelts”
     – Political consensus in Chile & California to enforce more stringent building codes
   • Must have rule of law present to enforce regulation
     – Building codes were in place in both Chile & Haiti
   • Misguided regulation may be more destructive than no regulation at all
     – e.g., Sarbanes-Oxley
26. So where do you go from here?
27. We need more Earthquakes
28. We Need Better Mainstream Scary Stories
29. We Need Better Mainstream Scary Stories
30. We Need Smarter Buyers
31. There’s an App for That!
32. Potential Software Security Justification Models
33. Realize that Sales & Marketing is our #1 Job
34. We Need Better Developers
   • Is it enough to say you are “Rugged”?
   • We need software developers to elevate their coding practices to lower the number of obvious security vulnerabilities
   • These developers need better tools
     – Modern frameworks
     – Static analysis baked into the build
   • Starting point – software engineers need to be further along out of college
   • Industry responses – carrot & stick models
35. The New Negligence: Eliminate SQL Injections and XSS
36. The Negligence: SQL Injections and XSS
37. We need better coverage of attack space
38. We need better coverage of attack space
39. We need better coverage of attack space
40. Tailor Responses for Limited Resources
   • OWASP 1-2 Punch
     • ASVS
     • Open SAMM
   • Measure, Measure, Measure
41. Questions, Answers, & Contact: John B. Dickson, CISSP, john@denimgroup.com, (210) 572-4400, www.denimgroup.com, blog.denimgroup.com, Twitter: @johnbdickson
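Two of the deck's points are worth seeing side by side in code: slide 6 says scanners reliably find SQL injection and XSS but not authorization and business-logic flaws, and slides 34 to 36 argue that the "obvious" classes, SQL injection and XSS, are what developers should eliminate outright with modern frameworks and parameterised APIs. The following Python example is added here and is not code from the talk or from Denim Group. It uses an in-memory SQLite table with constructed sample rows and hypothetical function names; it shows a string-built query next to its parameterised replacement, unescaped HTML output next to escaped output, and then a parameterised lookup that is still wrong because it never checks who is asking, which is exactly the kind of defect slide 6 says a pattern-based scanner will not report.

```python
import html
import sqlite3


def make_db():
    """Constructed sample data for this example (not from the talk)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")],
    )
    return conn


# --- SQL injection: the class a scanner flags and a framework removes ---------

def find_user_vulnerable(conn, name):
    # Input is spliced into the SQL text, so any quote in it changes the query.
    query = "SELECT id, name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    # Bound parameter: the driver passes the value as data, never as SQL.
    return conn.execute(
        "SELECT id, name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def concatenation_fails(conn, name):
    """True if the string-built query cannot even be parsed for this input.

    A plain surname with an apostrophe is enough to break it, which is the
    same mechanism an injection relies on; the parameterised version handles
    the same name correctly.
    """
    try:
        find_user_vulnerable(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


# --- XSS: encode on output, regardless of what the input looked like ---------

def render_greeting_vulnerable(name):
    # Untrusted text is placed straight into HTML markup.
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name):
    # html.escape turns markup characters into entities before insertion.
    return "<p>Hello, " + html.escape(name) + "</p>"


# --- Authorization: correct SQL, missing business rule -----------------------

def get_record_no_authz(conn, requester_id, target_id):
    # Parameterised, so there is no injection for a scanner to flag,
    # yet any caller can read any user's record.
    return conn.execute(
        "SELECT id, name, role FROM users WHERE id = ?", (target_id,)
    ).fetchone()


def get_record_with_authz(conn, requester_id, target_id):
    # Hypothetical rule for this example: users read only their own record;
    # admins read any record. Nothing in the query text reveals this check.
    requester = conn.execute(
        "SELECT role FROM users WHERE id = ?", (requester_id,)
    ).fetchone()
    if requester is None:
        return None
    if requester[0] != "admin" and requester_id != target_id:
        return None  # deny
    return conn.execute(
        "SELECT id, name, role FROM users WHERE id = ?", (target_id,)
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    print("concatenated query breaks on O'Brien:", concatenation_fails(db, "O'Brien"))
    print("parameterised query:", find_user_safe(db, "O'Brien"))
    print("unescaped:", render_greeting_vulnerable("<b>bob</b>"))
    print("escaped:  ", render_greeting_safe("<b>bob</b>"))
    print("bob reads alice without authz:", get_record_no_authz(db, 2, 1))
    print("bob reads alice with authz:   ", get_record_with_authz(db, 2, 1))
```

The first two pairs are the "new negligence" classes: a framework that only exposes bound parameters and auto-escaping templates removes them wholesale, and a static analyser can confirm their absence in the build as slide 34 suggests. The third pair is the coverage gap from slide 6: `get_record_no_authz` and `get_record_with_authz` issue the same parameterised SQL, and only a reviewer or test who knows the intended access rule can tell that the first one is a vulnerability.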