Security in an Interconnected and
Complex World of Software
Michael Coates
@_mwc
michael.coates@owasp.org
Speaker notes
  • Sources:
    http://www.hpenterprisesecurity.com/ponemon-2013-cost-of-cyber-crime-study-reports
    https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf
    http://www.symantec.com/about/news/release/article.jsp?prid=20131001_01
  • Datalossdb.org – 48% from hacking, 8% fraud, 7% stolen laptop; Verizon DBR – 52% involved hacking
  • 28% of all web threats detected by Sophos and 91% by AVG are due to this exploit kit
  • $2,200 – base price; booby-traps hacked and malicious Web sites so that they foist drive-by downloads
    http://krebsonsecurity.com/2013/04/phoenix-exploit-kit-author-arrested-in-russia/

Slide 1: Security in an Interconnected and Complex World of Software
Michael Coates – @_mwc – michael.coates@owasp.org

Slide 2: About
• Chairman OWASP Board
• Shape Security – Director of Product Security
• Mozilla – Director of Security Assurance
• 2012 SC Magazine Influential Security Mind

Slide 3: Billion Dollar Cybercrime
~US $350 Billion – Global Drug Trafficking Estimates
US $170 Billion – Apple Annual Revenue 2013
US $263 Billion – Hong Kong 2012 Gross Domestic Product (GDP)
US $469 Billion – Walmart Annual Revenue 2013
US $95 Billion – Morocco 2012 Gross Domestic Product (GDP)
US $112 Billion – Hewlett-Packard Annual Revenue 2013
US $104 Billion – Honda Annual Revenue 2012

Slide 4: Billion Dollar Cybercrime
Same comparison figures as slide 3, plus:
US $113 Billion – Global price tag of consumer cybercrime
Source: 2013 Norton Report by Symantec

Slide 5: Cost of Security
• Cybercrime cost to companies – 26% increase 2012 to 2013
• Cybercrime cost to individual – 50% increase 2012 to 2013
• Cost per breached record to company – Average US $136 / JPY ¥13,923

Slide 6: Hacking Becomes Leading Cause of Data Breaches (headlines)
• "Another Day, Another Retailer in a Massive Credit Card Breach"
• "Secret Service investigating possible data breach at Sears"
• "Report: Verizon Uncovers Two More Retail Breaches …"
• "Adobe Breach Impacted At Least 38 Million Users"

Slide 7: Largest Single Culprit: Hacking
• datalossdb.org, 2013 Incidents by Breach Type – 48% from Hacking
• Verizon Data Breach Report 2013 – 52% involved Hacking

Slide 8: THE ENEMY

Slide 9: Enemy
• Script Kiddies – Scanners & generic tools
• Organized Crime – Exploit kits
• Targeted & Specialized – Precise, 0-day, determined

Slide 10: Opportunistic Scanners
• Scan web for common vulnerabilities
• Highly leverage automation
• Often untargeted
75% of attacks opportunistic – Verizon Data Breach Report 2013

Slide 11: Organized Cybercrime
• Financial motivation
• Business groups of attackers
• Evolved systems for exploitation

Slides 12–14: Blackhole, CrimePack, Phoenix (exploit kit examples)

Slide 15: Account Takeover – Web Brute Force

Slide 16: Underground Market Prices (2013 Dell SecureWorks)
Item                                   USD      JPY
Visa, American Express, Discover       $4-$8    ¥409 - ¥818
Credit Card with track 1 and 2 data    $12      ¥1227
Full user information                  $25      ¥2557
1,000 Infected Computers               $20      ¥2046
DDOS Attacks (per hour)                $3-$5    ¥306 - ¥511

Slide 17: .onion TLD via Tor

Slides 18–19: Underground Financial Services

Slide 20: Underground Marketplace
• Stolen Account Balance – US $700-$4100 / JP ¥760,00 – ¥420,000
• Underground Price – US $90-$322 / JP ¥9,200 - ¥33,000

Slide 21: Marketplace For Credit Card Fraud – List of vulnerable sites for "carding"

Slide 22: COMPLEXITY – The future is more complex

Slide 23: 180 Million Active Sites

Slide 24: Cloud

Slide 25: Internet of Things
techcrunch.com/2013/05/25/making-sense-of-the-internet-of-things/

Slide 26: REALITY CHECK – Security & Elements of Consideration

Slides 27–29: Secure Code vs. Secure Software
Fixing a single security bug – Easy (generally)
• While moving fast
• With minimal impact to developers
• Within an agile or constant deployment model
• Across thousands of developers, multiple sites and services, and numerous new lines of code
Ensuring no critical bugs are introduced to software – Hard

Slide 30: Question the Models
• Industry Drivers – PCI, Sarbanes-Oxley, HIPAA, Self Regulation
• Business Drivers – Innovation, fail fast, time to market, competitive disadvantage
• Development Practices – Code Reuse, Libraries, Patching

Slide 31: Standards Based Security is Failing
• Motivates for compliance over security
• Complex & unrealistic in many scenarios
• Retroactive removal of certification

Slide 32: Business Motivation
• Security sometimes viewed as tax
• Tradeoff of time to market
• Put off by aggressive security requirements
  – An overly secure system used by no one provides no security

Slide 33: ORGANIZING FOR SECURITY – Company Structure is Critical

Slides 34–35: Humans Don't Scale Well

Slide 36: Hiring More Security Isn't Realistic
Security Professionals
– Expensive
– Hard to find
– Competition for employment

Slide 37: Centralized Security Organization
• Accountability & leadership
• Increases communication
• Enables security vision & forward planning
• Cohesive vision across security disciplines
(Diagram: Application Security, Network Ops Security, Corporate Security, Information Security)

Slide 38: Centralized Security Organization
• Build bridges throughout company
• Become partners with groups
• Increase communication & support
(Diagram: Security connected to Dev, QA, Product, PR, IT, Legal)

Slide 39: Influence instead of Dictate
• Teach security approaches throughout org
• Build tools & guidance
• Avoid processes that require security staff involvement
Avoid security choke point – Influence without blocking

Slide 40: Embedding Approach
• Embedding security inside dev team
  – team effort to deliver product
  – real time collaboration
  – eliminates "us" vs "them"
  – build alliance
(Diagram: Security Team spanning the Developer Teams)

Slide 41: Organizational Strategy
• Scaling via Security Champions
• Primary Role: Developer, Secondary: Security
• Scales Effectively
• Liaison to security team
(Diagram: a Security Champion inside each Developer Team)

Slide 42: Security Throughout SDLC

Slide 43: Development
• Developer Training
• Coding Guidelines
  – Cheat Sheets
  – Concise, Usable
owasp.org/index.php/Cheat_Sheets

Slide 44: Development
• Security Libraries & Services
  – Abstract away internals of security code
  – Standardized security libraries
• OWASP ESAPI – an example of what you should build within your organization
• Engineered web services for security

Slide 45: Safety Proof & Shift Burden
Current
• Developer must remember to enable security
• Ability to build anything – for better or worse
Necessary
• Security fully enabled, opt-out of security with caution
• Pre-packaged code widgets
  – Appeal to masses
  – Limited customization
  – Safe for beginners

Slide 46: Smart Automation
• Dynamic security analysis built for developers
  – Report what can be found with >95% accuracy
  – Skip issues where accuracy is low
  – Accurate Tool > Tool which requires security team
wiki.mozilla.org/Security/Projects/Minion

Slide 47: Automation
Static / Dynamic Analysis
– Can scale if homogeneous environment
– Careful of human involvement
Security X as a Service – Yes! The Future!

Slide 48: Quality Assurance
• Security validation within QA
• Functional testing of forms + basic sec tests
• Follow patterns of current QA
  – Pass / Fail
  – Self contained testing – no need for security evaluation
Example test input: "><script>alert('problem')</script>
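The following is an added example, not code from the deck or from OWASP: it ties slide 45 (security on by default, explicit opt-out) to slide 48 (a self-contained pass/fail security test QA can run on any form). The renderer, the `Trusted` opt-out wrapper, the two constructed form handlers and the check function are all hypothetical; the test input is the one shown on slide 48.

```python
# Added example (not from the deck). Secure-by-default rendering (slide 45)
# plus a QA-style pass/fail reflection check (slide 48). Names are hypothetical.
import html
import re


class Trusted(str):
    """Explicit opt-out: wrap only markup the application built itself, never user input."""


def render(template: str, **values) -> str:
    """Fill {name} placeholders; every value is HTML-escaped unless wrapped in Trusted."""
    def substitute(match):
        value = values[match.group(1)]
        if isinstance(value, Trusted):
            return str(value)               # developer chose to opt out, deliberately
        return html.escape(str(value), quote=True)
    return re.sub(r"\{(\w+)\}", substitute, template)


# The canary from slide 48: it closes an attribute and opens a script tag
# if the application echoes it back unencoded.
CANARY = "\"><script>alert('problem')</script>"


def legacy_search_page(query: str) -> str:
    """Constructed 'current' handler (slide 45): developer had to remember to escape, and did not."""
    return f'<input name="q" value="{query}"><p>Results for {query}</p>'


def search_page(query: str) -> str:
    """Constructed 'necessary' handler: same page built on the escape-by-default renderer."""
    return render('<input name="q" value="{q}"><p>Results for {q}</p>', q=query)


def reflection_check(handler) -> dict:
    """QA pass/fail test: submit the canary to a form handler and inspect what comes back.

    No security judgement is needed by the tester: the raw canary (or a raw
    script tag) in the response means FAIL, otherwise PASS.
    """
    body = handler(CANARY)
    raw = CANARY in body or "<script>" in body.lower()
    return {"status": "FAIL" if raw else "PASS", "body": body}


if __name__ == "__main__":
    for name, handler in (("legacy_search_page", legacy_search_page), ("search_page", search_page)):
        print(name, reflection_check(handler)["status"])
```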
Slide 49: Post Release – Bounty Programs! Engage Security Community

Slide 50: Post Release – Defend The App
• Detect and repel common attacks
  – Web Application Firewall
• Detect and repel custom attacks at business layer
  – Integrated application defense
  – OWASP AppSensor
• Disable ability for automated attacks
owasp.org/index.php/OWASP_AppSensor_Project

Slide 51: Post Release – Defend at Scale
• Design for Scale
  – Automated attack blocking & deflection
  – No human analysis in critical path
• Human interaction
  – Slow
  – Ineffective against distributed attacks
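The following is an added example, not code from the deck or from the OWASP AppSensor project: it shows the shape of the business-layer defense described on slides 50 and 51, where the application reports the detection points it observes and a policy chooses the response automatically, with no human analysis in the critical path. The class, the detection point names, the thresholds and the responses are all hypothetical, not AppSensor identifiers.

```python
# Added example (not from the deck or AppSensor): an in-application detector
# with automated responses (slides 50-51). Names and thresholds are constructed.
from collections import defaultdict, deque
from typing import Optional


class AppDefense:
    # detection point -> (events allowed inside the window, automated response)
    POLICY = {
        "login_failure": (5, "lock_account"),
        "tampered_hidden_field": (1, "block_actor"),   # never legitimate: respond at once
        "unexpected_parameter": (3, "block_actor"),
        "request_rate": (30, "throttle"),
    }

    def __init__(self, window_seconds: int = 300):
        self.window = window_seconds
        self.events = defaultdict(deque)   # (actor, point) -> timestamps inside the window
        self.responses = {}                # actor -> response currently applied

    def report(self, actor: str, point: str, now: float) -> Optional[str]:
        """Record one business-layer detection point; return the response applied, if any.

        The application calls this from the code that already knows the event
        is suspicious (a failed login, a hidden field that changed value, ...).
        """
        if point not in self.POLICY:
            raise ValueError(f"unknown detection point: {point}")
        seen = self.events[(actor, point)]
        seen.append(now)
        while seen and now - seen[0] > self.window:   # slide the window forward
            seen.popleft()
        threshold, response = self.POLICY[point]
        if len(seen) >= threshold:
            self.responses[actor] = response          # applied immediately, no ticket, no analyst
            return response
        return None

    def is_blocked(self, actor: str) -> bool:
        """Gate at the front of request handling: refuse actors under a blocking response."""
        return self.responses.get(actor) in ("block_actor", "lock_account")


if __name__ == "__main__":
    defense = AppDefense(window_seconds=60)
    for t in range(5):
        print("login_failure", t, defense.report("user-1", "login_failure", t))
    print("user-1 blocked:", defense.is_blocked("user-1"))
```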
Slide 52: Key Points
Adversary is motivated and talented
– Organized criminal attackers
– Resourced and focused

Slide 53: Key Points
Satisfying security standards is a false sense of security
– Focus on activities bringing value
– Meet required standards & understand lack of value

Slide 54: Key Points
Complex systems require comprehensive security
– Integrate security in every step of software development
– Build to scale with business needs & development speed

Slide 55: Thanks! @_mwc – michael.coates@owasp.org
