Who Owns Software Security?

Transcript of the slide deck by Tim Buntel (@tbuntel)

Page 1

Who Owns Software Security?

Tim Buntel

@tbuntel

Page 2

(obligatory) About Me

Smarter in the City

Page 3

   2010                              2013
1  Injection                         Injection
2  Cross Site Scripting (XSS)        Broken Auth & Session Mgmt
3  Broken Auth & Session Mgmt        Cross Site Scripting (XSS)
4  Insecure Direct Obj References    Insecure Direct Obj References

http://starwars.wikia.com/

Page 4

Application Security Risks, Frozen in Time

OWASP Top 10 – 2010 (old)                                 OWASP Top 10 – 2013 (New)
2010-A1  – Injection                                      2013-A1  – Injection
2010-A2  – Cross Site Scripting (XSS)                     2013-A2  – Broken Authentication and Session Management
2010-A3  – Broken Authentication and Session Management   2013-A3  – Cross Site Scripting (XSS)
2010-A4  – Insecure Direct Object References              2013-A4  – Insecure Direct Object References
2010-A5  – Cross Site Request Forgery (CSRF)              2013-A5  – Security Misconfiguration
2010-A6  – Security Misconfiguration                      2013-A6  – Sensitive Data Exposure
2010-A7  – Insecure Cryptographic Storage                 2013-A7  – Missing Function Level Access Control
2010-A8  – Failure to Restrict URL Access                 2013-A8  – Cross-Site Request Forgery (CSRF)
2010-A9  – Insufficient Transport Layer Protection        2013-A9  – Using Known Vulnerable Components (NEW)
2010-A10 – Unvalidated Redirects and Forwards (NEW)       2013-A10 – Unvalidated Redirects and Forwards

3 Primary Changes:
§ Merged: 2010-A7 and 2010-A9 -> 2013-A6
§ Added New 2013-A9: Using Known Vulnerable Components
§ 2010-A8 broadened to 2013-A7

(slide arrow labels: "renamed", "combined")

Page 5

BIG PROBLEM?

At least 1 billion records of PII were leaked in 2014

Page 6

Still! Breaches by SQLi into 2015

3rd most common attack type (after DDoS and malware)

Page 7

Do you scan your apps for cybersecurity vulnerabilities before making them available?

No: 40%

How much do you budget towards securing mobile apps built for customers?

$0

Page 8

FIX THE DAMNED SOFTWARE!

Page 9

“It seems that application security is just not considered to be as important as network security, even though vulnerabilities in applications are consistently being exploited by hackers of all types in order to access network resources and data.”

Michael Cobb in SearchSecurity

Page 10

Why?

• Time to market
• Training
• Cost
• Tools
• Agile

Page 11

Time to Market

Duh.

Are You Under Pressure to Release New Applications Faster, and Why?

• Yes, Customer demand
• Yes, Competitive actions
• Yes, Revenue shortfalls
• No

Sorry, I was just f*&%ing with you, it’s YES

(chart values: 60%, 60%, 19%, 6%, 6%)

Page 12

Training? What Training?

No "secure development lifecycle" in the vast majority of universities' degree programs

How many years of software development experience do you have?

• >12 years: 34%
• 4-12 years: 30%

How much previous application security training have you received?

• None: 30%
• <1 day: 20%
• 1-3 days: 25%
• >3 days: 25%

Page 13

No Tools?

Page 14

Problematic Tools

$$

“Security Team” vs

Page 15

New Tools?

• Endpoint profiling
• Endpoint forensics
• Network forensics
• “Secure” platforms

Page 16

LOCK THE DAMNED DOOR!

Page 17

Agile?

http://www.expertprogrammanagement.com/

Pen Testing

DAST

Enterprise SAST

Network protection

Page 18

But I don’t have anything worth hacking!

PII

VC$

Consulting

Acquisition

Page 19

But enough about the problems…

The Quality Metaphor

Page 20

QA

Quality Then

Page 21

Quality Today

•  Patterns, frameworks, and good design

•  Do it early, do it often (and automate it)

•  High quality people make high quality software

•  It’s everyone’s responsibility

Doing it right is actually quicker in the end!

Page 22

GOOD SOFTWARE IS SECURE. SECURE SOFTWARE IS GOOD SOFTWARE.

Page 23

Your 4 Step Plan!

1. Study successes

2. Inventory yourself

3. Make it agile

4. Drive the culture

Page 24

1 Study Successes

BSIMM describes software security initiatives at 67 well-known companies

https://www.bsimm.com

Page 25

112 activities organized in twelve practices

(step 1)

Page 26

1 Study Successes

• Java
• Node
• Rails
• .NET

failures

Page 27

Know your stack!

Your Code

Frameworks

Languages

Third Party Services

OSS

“Technical debt”

(step 2)

Page 28

Know your app

• Store a password
• Login a user
• Upload a photo
• Display user contributed content
• Concatenate strings

• What’s secret? Credentials for DB access, machine accts, etc. – “Principle of Least Privilege”

What data is moving where?

(step 2)
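The operations on this slide are where most of the Top 10 risks from the earlier slides enter an application. As an added example, not from the talk and not Codiscope's code, here are three of them in a risky form beside a safer form: storing and checking a password (a random salt, a slow PBKDF2-HMAC hash and a constant-time comparison instead of a stored plaintext), concatenating strings into SQL (the root cause of the SQLi breaches mentioned earlier) beside a query with bound placeholders, and displaying user-contributed content with HTML escaping. Only the Python standard library is used; the table, its rows, the iteration count and the inputs are constructed for the demonstration.

```python
"""Added example, not from the talk: three of the slide's everyday operations,
each in a risky form next to a safer form. Standard library only; the table,
rows, iteration count and inputs are constructed for the demonstration."""
import hashlib
import hmac
import html
import os
import sqlite3

# --- Store a password / Login a user ----------------------------------------
# Risky: keep the plaintext and compare it.  Safer: store a random salt plus a
# slow, salted hash (PBKDF2-HMAC here; ITERATIONS is a tunable cost), and verify
# with a constant-time comparison so timing does not reveal how much matched.
ITERATIONS = 200_000  # constructed value; tune to your hardware's budget


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest). A fresh 16-byte random salt is used unless one is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare without short-circuiting."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


# --- Concatenate strings (how injection gets in) -----------------------------
SAMPLE_ROWS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]  # constructed


def open_db() -> sqlite3.Connection:
    """In-memory table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The input becomes part of the SQL text, so a quote in it rewrites the query."""
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Placeholder binding: the value travels separately and is never parsed as SQL."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


# --- Display user contributed content ----------------------------------------
def render_comment_unsafe(text: str) -> str:
    """Whatever markup the user typed is handed to the browser as markup (XSS)."""
    return "<p>" + text + "</p>"


def render_comment_safe(text: str) -> str:
    """Escape so the browser shows the characters instead of interpreting them."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")
    print("login ok:", verify_password("correct horse battery staple", salt, digest))
    print("login wrong:", verify_password("Tr0ub4dor&3", salt, digest))

    conn = open_db()
    tampered = "' OR '1'='1"  # constructed: makes the WHERE clause always true
    print("unsafe rows:", len(find_user_unsafe(conn, tampered)))  # every user comes back
    print("safe rows:", len(find_user_safe(conn, tampered)))      # nobody has that name

    print(render_comment_unsafe("<b>bold</b> & <i>more</i>"))
    print(render_comment_safe("<b>bold</b> & <i>more</i>"))
```

Each safe variant is the same length as its risky twin, which is the slide's point: doing it right costs nothing once the team knows which operations to look at. The "what's secret" bullet is the complement to this: the DB credentials behind `open_db` should belong to an account that can only read and write the tables this code needs.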

Page 29

Agile Quality == Agile Security

Add security to your “definition of done”

(step 3)

Page 30

Tools (help) scale the process

“Incorporate static analysis into the code review process in order to make code review more efficient and more consistent.”

(step 3)

IDEs with “checkers”: IntelliJ
“Near-real-time” tools: Klocwork, Codiscope, Coverity
Build tools: Brakeman
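One way to turn the "build tools" row of this slide into the "definition of done" from the previous one, as an added example that is neither the talk's code nor any of the products named: a small checker built on Python's standard-library `ast` module that fails the build when a DB-API `execute()`-style call receives SQL assembled by concatenation or formatting. The rule set, the name list and the source it scans are constructed for the demonstration, and the checker is deliberately flow-insensitive (the last assignment to a name wins); real static analyzers track data flow across functions and cover many more rule classes.

```python
"""Added example, not from the talk: a minimal build-step checker that flags
database execute() calls whose SQL text is assembled at runtime.
It is flow-insensitive (last assignment to a name wins) and Python-only;
the source it scans is constructed below for the demonstration."""
import ast
import sys

DB_CALLS = {"execute", "executemany", "executescript"}  # DB-API cursor methods


def _is_dynamic_string(node) -> bool:
    """True when the expression builds a string at runtime from pieces."""
    if isinstance(node, ast.JoinedStr):                         # f"... {x} ..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                             # "a" + x  or  "%s" % x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                       # "...{}".format(x)
    return False


def find_dynamic_sql(source: str, filename: str = "<memory>") -> list:
    """Return [(line, message), ...] for each DB call whose query is built dynamically."""
    tree = ast.parse(source, filename)

    # Pass 1: remember what each simple name was last assigned (flow-insensitive).
    assigned = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    assigned[target.id] = node.value

    # Pass 2: inspect the first argument of every cursor.execute(...)-style call.
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in DB_CALLS or not node.args:
            continue
        query = node.args[0]
        if isinstance(query, ast.Name):          # execute(query): look at its assignment
            query = assigned.get(query.id, query)
        if _is_dynamic_string(query):
            findings.append((node.lineno, node.func.attr
                             + "() receives dynamically built SQL; bind values with placeholders"))
    return sorted(findings)


# Constructed sample: two risky lookups and one that binds the value properly.
SAMPLE_SOURCE = '''\
def lookup(conn, name):
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()

def lookup_safe(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,)).fetchall()

def lookup_fmt(conn, name):
    return conn.execute(f"SELECT * FROM users WHERE name = '{name}'").fetchall()
'''


def main(argv) -> int:
    """Build-gate behaviour: scan the files given (or the sample); non-zero exit on findings."""
    sources = [(p, open(p).read()) for p in argv] or [("sample.py", SAMPLE_SOURCE)]
    total = 0
    for name, src in sources:
        for line, msg in find_dynamic_sql(src, name):
            print(f"{name}:{line}: {msg}")
            total += 1
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with no arguments it reports lines 3 and 9 of the constructed sample and exits 1, which is what makes it a "definition of done" item rather than a suggestion: wired into the build, a pull request with that pattern cannot merge. The same check surfaces as a "near-real-time" warning if an IDE runs it on save.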

Page 31

Culture; the toughest part

1. Even a little security is better than none. Don't wait for a “big initiative”
2. Don’t make security a “special event”
3. Get trained! Train Champions.
4. Have a plan for when something does go wrong

(step 4)

Page 32

GOOD SOFTWARE IS SECURE. SECURE SOFTWARE IS GOOD SOFTWARE.

Page 33

Thanks! [email protected] @tbuntel www.codiscope.com