The document discusses how to properly invest in software security. It argues that fully securing software is impossible and unnecessary, and that the optimal approach is to find and fix bugs through practices like threat modeling, developer training, security testing, and bug bounties. The key is to train developers to write code that minimizes bugs and to have skilled hackers find and help remediate any issues.

1. Human is an amateur; the monkey is an expert.
How to stop trying to secure your software.
Vlad Styran
OSCP CISSP CISA

2. # whoami
15 years in security
10 years in appsec
5 years cofounder
Running cons for 10 years
Podcasting for 9 years
Marathons finisher
Father of two

3. Today I will show you
1. that there is no way to fully
secure our software
2. that there is no good reason to
try to do that
3. what we should do instead
4. how we should do it*
____
* Spoiler: we should train the monkey

4. There is no way
to fully secure our software

5. Bad news:
it is literally economically impossible
0,00%
10,00%
20,00%
30,00%
40,00%
50,00%
60,00%
70,00%
80,00%
90,00%
100,00%
0 10 20 30 40 50 60 70 80 90 100
SecurityEfficiency
Security Investment, 1000 USD

6. Good news:
There is no reason
to try to do it

7. Good news:
There is no reason to try to do it
0,00%
10,00%
20,00%
30,00%
40,00%
50,00%
60,00%
70,00%
80,00%
90,00%
100,00%
0 10 20 30 40 50 60 70 80 90 100
Probability
Security Loss, 1000 USD

8. This is what we should do instead:
Find optimal investment options
0,00%
10,00%
20,00%
30,00%
40,00%
50,00%
60,00%
70,00%
80,00%
90,00%
100,00%
0 10 20 30 40 50 60 70 80 90 100

9. Gordon-Loeb model
(just in case you are interested)
Information security investment
against a certain threat scenario
should not exceed 37% of expected loss.
Cyber Security Economics, © Delft University of Technology
Wikipedia, the free encyclopedia

10. So, this is what we do
Asset value:
$1,000,000
Attack occurrence probability:
1,3%
Attack success probability:
17%
Our optimal investment =
$1,000,000 * 0.013 * 0.17 * 0.37 =
$817.70

11. How to invest in
software security

12. How to invest
into software
security
Buy a firewall and put all sensitive stuff behind it
Buy a WAF (Web Application Firewall)
Buy Static & Dynamic Application Security Testing tool
Deploy to AWS/GCP/Azure
Use military-grade encryption
Pay lawyers to carefully design EULA
Use a distributed ledger for transaction data storage

13. Wrong! It’s all about the root cause
Put it all behind a firewall, it will be secure
WAF will stop all attacks, it will be secure
NG Super-Duper Security Scanner 3000 will find all bugs, it will be secure
Put it into “the cloud”, it will be secure
Encrypt all the data, it will be secure
Threaten to put all hackers to jail, it will be secure
Use the Blockchain (which is secure), it will be secure
Write code in a way that there are no bugs
Find and fix all the bugs

14. But let’s be honest with ourselves
Put it all behind a firewall, it will be secure
WAF will stop all attacks, it will be secure
NG Super-Duper Security Scanner 3000 will find all bugs, it will be secure
Put it into “the cloud”, it will be secure
Encrypt all the data, it will be secure
Threaten to put all hackers to jail, it will be secure
Use the Blockchain (which is secure), it will be secure
Write code in a way that there are no fewer bugs
Find and fix all the as many bugs as you can

15. How to secure our software
1. WRITE CODE IN A WAY THAT
THERE ARE FEWER BUGS
2. FIND AND FIX AS MANY
BUGS AS YOU CAN

16. How to achieve
software security

17. Compliance
Apply one of the credible security standards:
• ISO/IEC 27002
• PCI DSS
• SOC2
• SOX
• HIPAA
• GDPR
• NIST

18. Wrong!
Compliance is security against liability.

19. Best practice
Apply generally accepted
methodologies:
• MS SDL
• BSIMM
• NIST SP800-64
• OWASP: ASVS, xSTG,
SAMM etc.

20. Wrong!
Best practice is not for everyone.

21. Real security
KNOW WHAT YOU
PROTECT
KNOW WHAT CAN
GO WRONG
KNOW WHAT YOU
WILL DO ABOUT IT
KNOW HOW TO
TEST IF YOU DID IT

22. 1. Develop more securely
• Threat Modeling
• Developer Awareness Training
• Security Requirements
• Secure Architecture & Design
• Supply Chain Security
• Incident Response
Lots of boring yet important stuff (another time)

23. 2. Find and kill fix bugs
•Security Testing
•Security Code Review
•Application Penetration Testing
•Security Bug Bounty

24. Human-Monkey dualism

25. Amos Tversky
& Daniel
Kahneman,
late 1970’

28. Realistic Development Lifecycle

29. Agile security

30. What can we do about it?

31. Hard lessons from 40
years on earth
1. We move brain activities from System2 to
System1 ASAP
2. True expertise = professional skill +
deliberate practice
3. Expert intuition exists and it’s in your
System1
Monkey knows the answer
when human doesn’t know why.

32. Wicked vs Kind learning domains
1. Patterns repeat
2. Feedback accurate and rapid
3. Rules of game well-defined
Classical music, aviation pilots,
emergency room nurse, fire fighter…
Security Testing
1. Patterns not obvious or repeating
2. Feedback delayed and inaccurate
3. Rules unclear and incomplete
Improvisational jazz, surgeon, radiologist,
financial & political analyst…
Secure Development

33. Hard lessons from 10 years in
appsec
1. We cannot slow down the DEVs
2. We cannot prevent all bugs
3. We cannot automate efficient security testing

34. Bright side of things
1. With enough skilled hackers, we can move as fast as DEVs
2. With enough practice, we can find and fix most severe bugs
3. With enough expertise, we can train to do it automatically

35. Hopes for the
future
One day we can
automate bug
hunting properly
One day the DEVs’
monkey will learn to
make fewer bugs

36. What we can do right now
Web Application Hacker’s Handbook PortSwigger Web Security Academy

37. OWASP Kyiv

38. OWASP Ukraine

39. NoNameCon

40. Start hacking legally today: Bug Bounties

42. How you find me
@arunninghacker
fb.me/arunninghacker
berezhasecurity.com