The document discusses whether "OK" is good enough for software security. It covers the current state of software security testing, including limitations of automated scanners. It analyzes justification models from other industries like earthquake building codes. Finally, it proposes some potential models for improving software security justifications, such as tailoring responses based on limited resources and prioritizing elimination of common vulnerabilities.

1. Software Security: Is OK Good
Enough?
Appsec USA 2011
September 22, 2011
John B. Dickson, CISSP
Denim Group, Ltd.
@johnbdickson
© Copyright 2011 Denim Group - All Rights Reserved

2. OWASP AppSec 2011
© Copyright 2011 Denim Group - All Rights Reserved 1

3. OWASP AppSec 2011
© Copyright 2011 Denim Group - All Rights Reserved 2

4. OWASP AppSec 2011
© Copyright 2011 Denim Group - All Rights Reserved 3

5. Personal Background
© Copyright 2011 Denim Group - All Rights Reserved 4

6. Personal Background
© Copyright 2011 Denim Group - All Rights Reserved 5

7. OWASP AppSec 2011
© Copyright 2011 Denim Group - All Rights Reserved 6

8. Software Security: Is OK Good Enough?
• Current State of Affairs in Software Security
• What we can Learn from Other Justification Models
• Potential Software Security Justification Models
• Questions and Answers
© Copyright 2011 Denim Group - All Rights Reserved 7

9. Current State of Affairs in Software Security
• Testing approaches differ wildly
• Incredible amount of energy focused on technical merits and demerits
of testing activities
– Existing application security scanners identify a subset of vulnerabilities in
applications
– 30-40% Coverage level is accepted norm
– SQL injection/XSS – yes
– Authorization & business logic – not so much
© Copyright 2011 Denim Group - All Rights Reserved 8

10. 1996 Network Security Question?
Firewall?
© Copyright 2011 Denim Group - All Rights Reserved

11. 2011 Application Security Question?
I’ve run my Automated SQL
Injection & XSS Application
Scanner?
© Copyright 2011 Denim Group - All Rights Reserved

12. © Copyright 2011 Denim Group - All Rights Reserved

13. Checkbox Culture
• Compliance culture and resource constraints have limited software
security coverage
• This cuts to the heart of “OK”
• Heartland Payments Systems breach and PCI test coverage
– Organizations try to limit PCI audit by design, even if many view PCI DSS as the
most rigorous application security compliance framework
© Copyright 2011 Denim Group - All Rights Reserved 12

14. © Copyright 2011 Denim Group - All Rights Reserved 13

15. (drawn to scale)
© Copyright 2011 Denim Group - All Rights Reserved 14

16. © Copyright 2011 Denim Group - All Rights Reserved 15

17. © Copyright 2011 Denim Group - All Rights Reserved 16

18. Going Concern: In accounting,
"going concern" refers to a
company's ability to continue
functioning as a business entity.
© Copyright 2011 Denim Group - All Rights Reserved 17

19. © Copyright 2011 Denim Group - All Rights Reserved 18

20. What do Street Vendor food and iTunes applications have in
common?
© Copyright 2011 Denim Group - All Rights Reserved 19

21. Introduction of malware into iTunes & Droid Apps stores
• Applications submitted to the Apple iTunes AppStore and the Google
Android store do not undergo rigorous security testing
• Both application stores do not do "white listing” per se
© Copyright 2011 Denim Group - All Rights Reserved 20

22. New York City
• 24,000 restaurants inspected/year
• Point-based rating scale
• 3 Categories of violations
• Public health hazard (7 points)
• Critical violation (5 points)
• General violation (2 points)
© Copyright 2011 Denim Group - All Rights Reserved 21

23. Venture a Guess?
• 3 Categories of violations
• Public health hazard (7 points)
• Critical violation (5 points)
• General violation (2 points)
© Copyright 2011 Denim Group - All Rights Reserved 22

24. Venture a Guess?
• 3 Categories of violations
• Public health hazard (7 points)
• Critical violation (5 points)
• General violation (2 points)
© Copyright 2011 Denim Group - All Rights Reserved 23

25. What we can Learn from Other Justification Models
– Earthquake Building Codes
Haiti vs. Chile
© Copyright 2011 Denim Group - All Rights Reserved 24

26. What we can Learn from Other Justification Models
• What we can learn from these two models?
• No model is based purely on industry-driven compliance
– Have no regulation is bad
• Starting point is a generally accepted need for regulation
– Buyers need to demand software “seatbelts”
– Political consensus in Chile & California to enforce more stringent building codes
• Must have Rule of Law present to enforce regulation
– Building codes were in place in both Chile & Haiti
• Misguided regulation may be more destructive than no regulation at all
– e.g., Sarbanes Oxley
© Copyright 2011 Denim Group - All Rights Reserved 25

27. So where do you go from here?
© Copyright 2011 Denim Group - All Rights Reserved 26

28. Software Security Justification Models in an “OK” World
What can be Done Globally?
© Copyright 2011 Denim Group - All Rights Reserved 27

29. We need more Earthquakes
© Copyright 2011 Denim Group - All Rights Reserved 28

30. We Need Better Mainstream Scary Stories
© Copyright 2011 Denim Group - All Rights Reserved 29

31. We Need Better Mainstream Scary Stories
© Copyright 2011 Denim Group - All Rights Reserved 30

32. We Need Smarter buyers
© Copyright 2011 Denim Group - All Rights Reserved 31

33. There’s an App for That!
© Copyright 2011 Denim Group - All Rights Reserved 32

34. Software Security Justification Models in an “OK” World
- In the World you Influence
© Copyright 2011 Denim Group - All Rights Reserved 33

35. Tailor Responses for Limited Resources
- ASVS “Applied” Case Study
• Financial Services firm services 2,000 + banks
• Before
• Reactive testing
• No repeatable or predictable
• Poor coverage
• After
• Acceptable level of security testing
• Applied 80/20 rule to clients
• Predictable results
• Mutually understood results
© Copyright 2011 Denim Group - All Rights Reserved 34

36. Tailor Responses for Limited Resources
- Open Software Security Maturity Model (OpenSAMM)
© Copyright 2011 Denim Group - All Rights Reserved 35

37. Tailor Responses for Limited Resources
Measure, Measure, Measure
© Copyright 2011 Denim Group - All Rights Reserved 36

38. Realize that Sales & Marketing is our #1 Job
© Copyright 2011 Denim Group - All Rights Reserved 37

39. We Need Better Developers
• Is it enough to say you are “Rugged”
• We need software developers to elevate their coding practices to
lower the number of obvious security vulnerabilities
• These developers need better tools
– Modern frameworks
– Static analysis baked into build
• Starting point – software engineers need to be further along out of
college
• Industry responses
– Carrot & stick models
© Copyright 2011 Denim Group - All Rights Reserved 38

40. The New Negligence:
Eliminate SQL Injections and XSS
© Copyright 2011 Denim Group - All Rights Reserved 39

41. The Negligence:
SQL Injections and XSS
XSS &
SQL Injections
© Copyright 2011 Denim Group - All Rights Reserved 40

42. We need better coverage of attack space
© Copyright 2011 Denim Group - All Rights Reserved 41

43. We need better coverage of attack space
© Copyright 2011 Denim Group - All Rights Reserved 42

44. We need better coverage of attack space
© Copyright 2011 Denim Group - All Rights Reserved 43

45. Questions, Answers, & Contact
John B. Dickson, CISSP
john@denimgroup.com
(210) 572-4400
www.denimgroup.com
blog.denimgroup.com
Twitter: @johnbdickson
© Copyright 2011 Denim Group - All Rights Reserved 44