The Internet is on fire – don't just stand there, grab a bucket!


DON’T JUST STAND THERE – GRAB A BUCKET

THE INTERNET IS ON FIRE

This needs to change, or there is no sustainable, digital future.

THE INTERNET IS ON FIRE AND EVERY

CONNECTED DEVICE IS AT RISK

I’m calling every developer to pick up the proverbial bucket.

And if you deploy any kind of code, that includes you.

Yes, you.

THIS IS A CALL TO ARMS

| WHERE ARE WE?

Our technology is not optional anymore.

| WHERE ARE WE?

In the wake of the digitalization of everything and our rapid and greedy

adoption of new technology, criminals and spies have followed.

The internet, all our technology and the digitalized society is under constant

attack from criminals, spies and in some cases even our own governments.

The Internet is “on fire”, and every connected device – and user – is at risk.

This is a reality. It’s not up for discussion anymore.

| WHERE ARE WE?

We don’t know how many security incidents go undetected,

but the very realistic fear is that it may be a vast majority of them.

Of the detected incidents only 30 % were

detected by the targeted organization themselves.

Of these 30 %, a whopping 90 % were detected during exfiltration.

The average time of detection of an espionage incident is over 200 days.

| WHERE ARE WE?

There are typically at least 10 errors or defects in every 1 000 lines of code.

This can typically be reduced to less than 1 error or defect in every 1 000 lines

of production code after rigorous testing.

Even then, typically 1 exploitable vulnerability per 1 000 000 lines of code remains.

Every year there are several severe and exploitable vulnerabilities in the

majority of popular software. The same seems to be true for hardware.

| WHERE ARE WE?

And yet, code now runs almost everything, everywhere.

There is hardly any aspect of life where we aren’t using modern IT technology.

To quote Melissa Hathaway: “We have put every critical system on the backbone

of the Internet, but the Internet wasn't ready for it.”

The proof is readily available. Every month you hear about major security

breaches with big consequences for people, companies and countries.

| WHERE ARE WE?

We’ve joined the party without proper protection.

| WHERE ARE WE?

The technological foundation of digitalized society is crumbling.

| HOW DID WE GET HERE?

By being lazy…

| HOW DID WE GET HERE?

By making wrongful assumptions…

| HOW DID WE GET HERE?

Conclusion: Only 3 % of all detected security incidents were detected

by the targeted organization themselves before it was too late.

Background: Badly written, badly deployed and badly configured code are

the enablers for a huge part of the avalanche of security

incidents we are currently experiencing.

Consequence: The vulnerabilities we introduce in code and IT infrastructure

are threatening our personal lives, our businesses, our

governments and in reality also our societies.

| WHERE ARE WE HEADING?

Towards the proverbial, digital cliff…?

| WHERE ARE WE HEADING?

You need to be aware of how terrible this technology is.

It is not protecting you.

This is not the safe version of the future you’ve seen on Star Trek.

This is the dirty ugly version of the future.

Everything is a bad neighborhood now.

– Dr. Paul Vixie

| WHERE ARE WE HEADING?

Possibly to a near future where we can’t trust our digital ground.

| HOW CAN WE AVOID THIS?

Customer demands.

Probably not until it’s “too late”…

Industry self-regulation and competition.

Few signs of that happening…

Laws and regulations.

Too little, too late – and probably not the way we’d want it…

| HOW CAN WE AVOID THIS?

But we can also do it bottom-up.

| HOW CAN WE AVOID THIS?

We can – and should – educate ourselves, and do better.

• Accept that your code will be deployed in ways you never imagined.

• Accept that absolutely all code you deploy will be attacked.

• Don’t assume that anyone else will mitigate vulnerabilities in your code.

• Don’t assume that exploiting your code will only affect your application.

• Accept that lives at some point will depend on the robustness of your code.

OUR SUSTAINABLE DIGITAL

FUTURE STARTS WITH YOU

DEPLOYING BETTER CODE

http://iamthecavalry.org/

@iamthecavalry

Go pick up a bucket

and say after me:

I’ll pitch in to fix it,

I am the Cavalry!

Be the Cavalry. Build more secure and robust systems even if no-one demands it.

We need a better and more sustainable digital future, and the

world needs your contribution

SECURITY IS ALL ABOUT

SUSTAINABILITY

/presenter$ whoami

• Name: Frode Hommedal

• Homepage: http://frodehommedal.no/

• Twitter: @FrodeHommedal

• LinkedIn: https://no.linkedin.com/in/hommedal