SIMPLE SECURITY DEFENSE… TO THWART AN ARMY OF CYBER NINJA WARRIORS
Ryan Elkins
DerbyCon 2012
Twitter: the_ryan_elkins
ABOUT ME
•   Information Security Engineer
     • Specialized Experience:
           • Application Security
           • Database Security
           • Penetration Testing
           • Secure Programming
•   Master’s degree in Information Security
•   One of the DerbyCon CTF creators
•   Twitter: the_ryan_elkins
BUT WHY… HOW CAN SECURITY BE SIMPLE?
•   Hackers use the same tactics over and over to get in.
•   If the same tactics could not be used over and over, there would be no script kiddies
     • Probably a lot less information on Pastebin from SQL Injection database dumps
•   Automated tools would not be so prevalent
•   Hacking methodologies would not be as successful
     • www.pentest-standard.org - Excellent resource site for all skill levels.
BUILDING AN EFFECTIVE SECURITY PROGRAM
•   Let’s deep dive into the necessary components of a successful and effective program.
•   Your company’s security posture is like a puzzle…
     • All of the pieces have an important part in the big picture.
     • All of the pieces need to be in place for a strong security posture.
YOU DON’T NEED BOTTOMLESS POCKETS
•   Security does not have to be a major cost center for your company.
•   Implementing a strong foundation will offer unlimited potential for future investments.
•   The good thing is: a security foundation is not expensive!
     • But it is necessary.
IT IS NOT EXPENSIVE!

•   However:
     • It requires passionate people.
     • It requires planning.
     • You cannot buy security.
LET’S BEGIN BUILDING A PROGRAM
BUT WAIT, I HAVE A ZERO DAY…. NOW WHAT!?
•   You don’t have to be “one zero-day away from compromise”
     • Imagine your CSO or CISO telling the CEO that the company is “one zero-day away
       from compromise”
     • I would not base my job security on this viewpoint
•   There is no comfort in security without layers.
LET’S START WITH AN EXPLOIT

•   What is a common attack vector that always seems to be vulnerable?
LET’S CALL THIS EXPLOIT: CURIOSITY_1337
•   Is anyone familiar with Java vulnerabilities or recent Internet Explorer vulnerabilities?
•   It makes sense to utilize the Social Engineering attack vector. If you are persistent
    enough, it almost always succeeds.
TYPICAL SOCIAL ENGINEERING/PHISHING ATTACK
•   Let’s attempt to exploit a system with the latest Java vulnerability available in SET.
AND HERE IS OUR SHELL
ANALYZE THE ATTACK
•   What layers did we have to breach for a maximum impact attack:
     • User account privileges (local admin, privileged domain account, restrictive account)
     • Firewall rules allowing the reverse shell port directly out
     • Antivirus detection
     • User awareness
SECURITY DEFENSES TO IMPLEMENT
•   User Awareness Training
•   End-Point System Protection
•   Network Protection
•   Application Security
•   Database Security
•   Vulnerability Management
•   Incident Response
•   Governance, Compliance, and Policies
USER AWARENESS
•   People will always be an inherent risk to the security posture of an organization.
     • Most likely the biggest vulnerability.
•   The cool thing is, people also have the potential to be the most valuable security asset.
     • How great would it be to tell others that your security team is the size of the entire
       associate population!
MAKE SECURITY THE TREND
•   Make it cool.
•   Ingrain security everywhere.
•   Teach your associates to have a security mindset.
•   Awareness and training are an invaluable investment.
     • Security articles integrated with corporate communications.
     • Awareness weeks
     • Newsletters
     • Posters, bulletins, screen savers
GAME TIME
WHAT DO YOU SEE?
HACKER ANSWER
•   I see a way to bypass your company’s physical security perimeter attack dogs.
•   This guy should have had a hot dog with him.
PROTECT YOUR USERS
•   Ensure standard user accounts are least-privileged.
•   Deny local administrative access when possible.
•   Create separate administrative level accounts.
•   Provide ongoing user awareness throughout the year.
END-POINT SYSTEM PROTECTION
•   Install antivirus software.
     • Sure, a good attacker will test their payload at www.virustotal.com, but this will
       combat against known viruses and malicious signatures.
•   Apply security patches as soon as they are available.
     • Patch management
     • Vulnerability mitigation
     • Uninstall unused programs
•   Ensure that all systems are on the domain.
•   Require full disk encryption on user devices.
UTILIZE CENTRALIZED MANAGEMENT
•   Active directory is a huge asset for security.
•   Group policy objects.
     • Password Policies
     • Enforce security baselines – we will discuss later
     • Provision administrative security groups
     • Map users to their provisioned file shares so they do not keep all of their company
       data on the laptops
NETWORK PROTECTION
(Image caption: Don’t Allow This!)
•   Restrict direct outbound (egress) connections
•   Utilize whitelist approach for all direct connections outbound.
•   Force web (80, 443) traffic through a proxy server.
APPLICATION SECURITY
•   Applications are essential to every aspect of the business.
•   The doorways and portals to intellectual property, consumer data, financials, access
    controls, databases, and your product.
HOW WELL DO YOU KNOW YOUR APPS
•   Application security is vital for the security posture of your organization.
•   Do you have control over the applications being used?
•   Do you have an inventory?
•   Are you using third-party developed applications?
APPLICATION REVIEWS
•   Review ALL applications.
•   Types of Reviews:
     • Source code manual/automated
     • Dynamic manual/automated
     • Due Diligence
•   Train your developers in secure programming practices.
SECURE SOFTWARE DEVELOPMENT LIFE CYCLE
•   Begin from conception of development idea/planning or 3rd party software procurement
•   Continue throughout development cycles
•   Perform assessment before application is released
•   Perform assessment for major revisions or new releases
•   Perform periodic assessments to identify new exposures
BUT I DON’T KNOW CODE…
•   You don’t have to be a security code ninja to perform an effective application review.
     • Obviously:
           • the better you are at programming
           • the better you are at pentesting
           • the better you are at understanding security principles
           • the better you are at understanding compliance requirements
     • Will make you a better reviewer, but you have to start somewhere…
START WITH A CHECKLIST FOR DEVELOPERS
•   We provide a checklist to developers that highlight the primary concerns that we have for
    every application.
•   Developers don’t have time to read and understand every page or article from:
     • OSSTMM – Open Source Security Testing Methodology Manual
     • OWASP – Open Web Application Security Project
     • ASVS – OWASP Application Security Verification Standard
     • BSIMM – Building Security In Maturity Model
     • PCI DSS – Payment Card Industry Data Security Standard
     • FIPS – Federal Information Processing Standards
     • NIST – National Institute of Standards and Technology
     • And there are plenty more
APPLICATION RISKS
•   Proper protections surrounding every input and output control within an application will
    remediate the risk of most vulnerabilities.
•   Minimize the surface area for attack
LET’S TAKE A LOOK AT THE REVIEW CHECKLIST
•   I like to refer to it as a cheat sheet because it makes developers feel like they are able to
    pass the reviews by only following these requirements.
•   The best part is:
     • Proper development surrounding these requirements will remediate nearly all
       vulnerabilities.
•   Have your security person focused on application security learn and understand the
    proper controls surrounding each cheat sheet item.
PASSING A SECURITY REVIEW
•   The CHEAT SHEET Categories:
     • Passwords
     • Accounts/Roles
     • Cookies
     • Databases
     • Input Validation
     • Output Encoding
     • Transport Layer Security
     • Web.Config
     • Encryption
     • Logging and Alerts
     • C/C++ Development
PASSWORDS
(Image caption: My Online Banking!!!)
•   Minimum length of 9 characters
•   Complexity (upper, lower, numbers, special chars)
•   Lockout functionality
•   Change password functionality
•   Logout ability from all sites
•   Expiration
ACCOUNTS/ROLES
•   Generate random password on creation
•   Utilize role based security (at least user/administrator levels)
COOKIES
•   No sensitive data in cookies
•   Secure Attribute
•   HTTP Only Attribute
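As an added example (not from the slides), here is what the two attributes look like on the wire, plus a small audit function a reviewer can run over Set-Cookie headers captured in a proxy. The cookie name, the sample headers and the SameSite attribute are assumptions beyond what the slide states.

```python
# Added example (not from the slides): build a session cookie that carries only an
# opaque random id with the Secure and HttpOnly attributes set, and audit existing
# Set-Cookie header values for missing attributes. Sample headers are constructed.
import secrets

REQUIRED_FLAGS = ("secure", "httponly")


def session_cookie_header(name="session"):
    """Set-Cookie value for a session cookie.

    The value is a random identifier; role, email and account data stay
    server-side, keyed by that id, so "no sensitive data in cookies" holds.
    SameSite=Lax is an extra attribute beyond the slide's two, assumed here.
    """
    token = secrets.token_urlsafe(32)
    return f"{name}={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


def audit_set_cookie(header):
    """Return a list of findings for one Set-Cookie value (empty list = clean)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    # Attribute names are case-insensitive; compare the lowercased name only.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    findings = []
    for flag in REQUIRED_FLAGS:
        if flag not in attrs:
            findings.append(f"{name}: missing {flag} attribute")
    return findings


# Constructed responses of the kind a reviewer sees in an intercepting proxy.
SAMPLE_HEADERS = [
    "session=abc123; Path=/",                    # readable by script, sent in clear
    "session=abc123; Path=/; Secure",            # still readable by script
    "session=abc123; Path=/; Secure; HttpOnly",  # clean
]

if __name__ == "__main__":
    print(session_cookie_header())
    for h in SAMPLE_HEADERS:
        print(h, "->", audit_set_cookie(h) or "OK")
```

Run it over every Set-Cookie seen during a dynamic review; anything that comes back with findings goes straight onto the report.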
DATABASES
•   Use parameterized or prepared statements for all SQL queries using variable values
•   Use least privileged accounts in connection strings (never use SA)
•   Use limited accounts for SQL services themselves
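An added example, not from the slides, showing why the first bullet matters. It uses Python's built-in sqlite3 with a constructed users table; the table layout, the accounts and the injection string are assumptions. Passwords are stored in plaintext only to keep the injection demo short; the Cryptographic Storage slide covers how they should actually be stored.

```python
# Added example (not from the slides): a login query built by string concatenation
# beside the same query with placeholders, run against an in-memory SQLite database
# so it works offline. The table, accounts and attacker input are all constructed.
import sqlite3


def make_db():
    """Throwaway users table with two constructed accounts (plaintext for the demo only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "user"), ("admin", "s3cret!", "administrator")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The anti-pattern: user input is pasted into the SQL text and becomes syntax."""
    sql = (
        "SELECT username, role FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """The fix: placeholders keep the input as data; the driver never re-parses it."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Classic payload: closes the string literal and comments out the password check,
# so the concatenated query becomes  ... WHERE username = 'admin' -- ' AND ...
INJECTION = "admin' -- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:    ", login_vulnerable(db, INJECTION, "anything"))
    print("parameterized: ", login_parameterized(db, INJECTION, "anything"))
```

The parameterized version returns nothing for the payload because the driver looks for a user literally named `admin' -- `; the concatenated version logs the attacker in as the administrator without a password. The same placeholder syntax (`?`, `@p1`, `:name`, depending on the driver) is what the checklist means by "parameterized or prepared statements".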
INPUT VALIDATION
•   Validate all external input for length, content, and type using regular expressions
•   Don’t rely on type conversions (casts/parsing) as your validation
•   Use a whitelist approach – no blacklists
•   Validate server side; client-side validation can be bypassed
OUTPUT ENCODING
•   Use HTML encoding for any untrusted data that is displayed in literal controls (labels,
    tables) on a page
•   Use URL encoding for any untrusted parameters in a URL
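One added example, not from the slides, serving both the Input Validation and the Output Encoding slides: anchored whitelist rules per field, and context-specific encoding of untrusted data before it reaches HTML or a URL. The field names, the patterns and the sample inputs are assumptions.

```python
# Added example (not from the slides): server-side whitelist validation with
# anchored regular expressions, then HTML and URL encoding of untrusted data.
# The field rules and sample inputs are constructed for illustration.
import html
import re
from urllib.parse import quote

# Whitelist rules say what is allowed; nothing tries to enumerate bad characters.
# re.fullmatch anchors both ends, unlike "$", which would still accept a trailing newline.
FIELD_RULES = {
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),
    "zip_code": re.compile(r"[0-9]{5}"),
    "order_id": re.compile(r"ORD-[0-9]{6}"),
}


def validate(field, value, max_len=64):
    """Return value only if it passes the type, length and content checks.

    Raises ValueError on any failure so a caller cannot silently carry on;
    an unknown field fails closed rather than being waved through.
    """
    if not isinstance(value, str):
        raise ValueError(f"{field}: expected a string")
    if len(value) > max_len:
        raise ValueError(f"{field}: longer than {max_len} characters")
    rule = FIELD_RULES.get(field)
    if rule is None:
        raise ValueError(f"{field}: no validation rule defined")
    if rule.fullmatch(value) is None:
        raise ValueError(f"{field}: does not match the allowed pattern")
    return value


def render_greeting(display_name):
    """HTML-encode untrusted data before it is placed in page markup (label/table text)."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


def build_search_url(term):
    """URL-encode untrusted data before it is placed in a query string."""
    return "/search?q=" + quote(term, safe="")


if __name__ == "__main__":
    print(validate("username", "alice_01"))
    try:
        validate("username", "alice<script>")
    except ValueError as err:
        print("rejected:", err)
    print(render_greeting('<img src=x onerror="alert(1)">'))
    print(build_search_url("a&b=c d"))
```

Validation decides whether data is accepted at all; encoding decides how accepted data is written into a particular output context. Both are needed: a valid display name can still contain characters that are harmless in the database and dangerous in HTML.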
TRANSPORT LAYER SECURITY
•   SSL/TLS for logins and any sensitive information
•   Disable insecure ciphers
•   No certificate mismatches, untrusted CA’s, revoked certs, or self-signed certs
•   Disable deprecated/insecure protocol versions
WEB.CONFIG
•   Encrypt any sensitive sections of the config files (connection strings, keys, passwords)
•   Configure customErrors
•   Compilation debug is turned off
•   ValidateRequest is on
•   Encrypt Viewstate
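A hardened web.config fragment as an added example (not from the slides). The application path /MyApp, the server name db01 and the error page name are placeholders; each comment names the weak value the setting replaces, and the connection string uses integrated authentication as the Database Security slides recommend.

```xml
<configuration>
  <connectionStrings>
    <!-- Keep this section out of plaintext on the server:
           aspnet_regiis -pe "connectionStrings" -app "/MyApp"
         stores it encrypted (DPAPI or RSA provider); the app decrypts it transparently. -->
    <add name="AppDb"
         connectionString="Server=db01;Database=App;Integrated Security=SSPI;"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <!-- Weak value: debug="true" ships debug symbols and verbose failure pages. -->
    <compilation debug="false" targetFramework="4.0" />
    <!-- Weak value: mode="Off" shows stack traces and source paths to remote users.
         RemoteOnly keeps detail for localhost and sends everyone else a generic page. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
    <!-- Request validation on; ViewState integrity-checked and encrypted so it cannot
         be read or tampered with on the client. -->
    <pages validateRequest="true"
           enableViewStateMac="true"
           viewStateEncryptionMode="Always" />
    <!-- The two cookie attributes from the Cookies slide, applied framework-wide. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <trace enabled="false" />
  </system.web>
</configuration>
```

During a review, diff the deployed web.config against a fragment like this one; the debug, customErrors and trace settings are the ones most often left at their development values in production.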
CRYPTOGRAPHIC STORAGE
(Slide callout: I’ve found these hard-coded values from Obviex used so many times!!!)

•   No hard-coded encryption keys
•   Use secure hashing algorithms like SHA-256 or SHA-512
•   Generate a unique salt when hashing a password
     • You salt your potatoes, you salt your french fries, you salt your hash.
•   Use strong encryption algorithms like AES-256
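An added example (not from the slides) covering random password generation from the Accounts/Roles slide together with the salted-hash points here. One caveat a practitioner would add to the slide: a single SHA-256 or SHA-512 pass, even salted, is fast enough to brute-force offline, so the example uses PBKDF2-HMAC-SHA256 with an iteration count stored beside the salt. The iteration count, record format and password alphabet are assumptions.

```python
# Added example (not from the slides): random initial passwords, and password storage
# with a fresh random salt per record and an iterated hash (PBKDF2-HMAC-SHA256) rather
# than one unsalted SHA pass. Nothing is hard-coded: salt and iteration count are
# generated/stored per record, so verification needs no secret constant in the code.
import hashlib
import hmac
import secrets
import string

PBKDF2_ITERATIONS = 200_000  # assumed value; raise it as hardware gets faster


def generate_initial_password(length=16):
    """Random password for account creation, from a CSPRNG (secrets), not random()."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex' for storage."""
    salt = secrets.token_bytes(16)  # unique per password; never a shared constant
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    pw = generate_initial_password()
    first, second = hash_password(pw), hash_password(pw)
    print(first)
    print("same password, different records:", first != second)
    print("verify correct:", verify_password(pw, first))
    print("verify wrong:  ", verify_password(pw + "x", first))
```

Two users with the same password get different stored values, which is the whole point of the per-record salt: a precomputed table or a single cracking run cannot be reused across accounts. Storing the iteration count in the record lets you raise it later without invalidating existing hashes.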
LOGGING AND ALERTS
•   Log all security type events (login, logout, add/remove users, uploads, errors)
•   No sensitive info in logs
•   Provide generic error messages to users and log the details
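An added example, not from the slides, of the three bullets working together: security events written through a formatter that redacts sensitive fields, and a failure handler that gives the user a generic message with a reference id while the log keeps the detail. The event names, the list of sensitive keys and the sample request body are assumptions.

```python
# Added example (not from the slides): security-event logging with redaction of
# sensitive key=value pairs, and generic user-facing errors tied to the log entry
# by a reference id. Event names and sample inputs are constructed.
import logging
import re
import uuid

SENSITIVE_KEYS = ("password", "passwd", "token", "ssn", "card")
_KV = re.compile(r"\b(" + "|".join(SENSITIVE_KEYS) + r")=([^\s&;,]+)", re.IGNORECASE)


def redact(text):
    """Mask the value of any sensitive key=value pair before it reaches a log line."""
    return _KV.sub(lambda m: f"{m.group(1)}=[REDACTED]", text)


class RedactingFormatter(logging.Formatter):
    """Redacts every record, so no individual code path can log a secret by accident."""

    def format(self, record):
        return redact(super().format(record))


def security_logger():
    logger = logging.getLogger("security")
    if not logger.handlers:
        handler = logging.StreamHandler()
        handler.setFormatter(RedactingFormatter("%(asctime)s %(levelname)s %(message)s"))
        logger.addHandler(handler)
        logger.setLevel(logging.INFO)
    return logger


def log_event(event, user, source_ip, detail=""):
    """Record a security event (login, logout, user add/remove, upload, error).

    Returns the reference id so it can be shown to the user or a support desk.
    """
    ref = uuid.uuid4().hex[:12]
    security_logger().info("event=%s user=%s ip=%s ref=%s %s", event, user, source_ip, ref, detail)
    return ref


def handle_failure(user, source_ip, exc):
    """User sees generic text plus a reference id; the log holds the exception detail."""
    ref = log_event("error", user, source_ip, f"exc={type(exc).__name__}: {exc}")
    return f"Something went wrong. Please contact support and quote reference {ref}."


if __name__ == "__main__":
    log_event("login_failed", "alice", "203.0.113.7", "body=user=alice&password=hunter2")
    try:
        raise PermissionError("upload path /data/finance denied")
    except PermissionError as e:
        print(handle_failure("alice", "203.0.113.7", e))
```

The redaction lives in the formatter rather than at each call site so that a developer who logs a whole request body under pressure still cannot leak a password into the log; the reference id is what lets support correlate the user's generic message with the detailed entry.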
C/C++ DEVELOPMENT
•   Utilize the secure alternatives for functions when available (include banned.h)
•   Validate all buffers before adding data
3RD PARTY APPLICATIONS
WHAT TO DO ABOUT 3RD PARTY APPLICATIONS
•   You will not always have 3rd party code to review.
•   I always ask for the code and say that we require a code review before it can be used in
    the organization.
•   Under NDA, they often are willing to provide the code.
     • Worst case: they say no
•   Makes sense because it is usually a full ASVS review of their application for free.
•   Could count as an audit checkmark for a third party code review.
3RD PARTY REVIEW WITHOUT CODE
•   Very hesitant to allow third party applications on the external perimeter without a full
    code review.
•   Utilize tools like:
     • .NET Reflector to decompile .NET binaries
     • JD-GUI to decompile Java binaries
     • IDA Pro to search strings in native binaries
•   Look closely at authentication mechanisms for hard-coded values and backdoors
•   Search for hard-coded cryptographic information (encryption keys, IVs, Salt values)
•   Perform a due-diligence review of the vendor.
     • Questionnaire regarding security programming process, developer training
     • Internet research regarding the company (past vulnerabilities, breaches)
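An added example, not from the slides, of the "search for hard-coded cryptographic information" step: a small strings-style scan that pulls printable runs out of a binary and flags the ones shaped like embedded keys, IVs or salts. The sample bytes are constructed here (the values are made up, not a real product's constants); on a review you would feed it the vendor's DLL, JAR or executable.

```python
# Added example (not from the slides): extract printable strings from a binary blob
# and flag likely hard-coded crypto material: hex or base64 blobs with high entropy,
# or a key/iv/salt/password keyword with an assigned value. Sample blob is constructed.
import math
import re

PRINTABLE = re.compile(rb"[\x20-\x7e]{16,}")          # runs of >= 16 printable bytes
HEX_BLOB = re.compile(r"^[0-9a-fA-F]{32,}$")           # 128-bit or longer, as hex
B64_BLOB = re.compile(r"^[A-Za-z0-9+/]{22,}={0,2}$")   # 16+ bytes, as base64
KEYWORDS = ("key", "iv", "salt", "secret", "password", "passphrase")


def shannon_entropy(s):
    """Bits per character: prose is around 4, random hex just under 4, random base64 near 6."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def extract_strings(blob):
    """Equivalent of `strings -n 16`: ASCII runs long enough to hold key material."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(blob)]


def find_crypto_candidates(blob):
    """Return (string, reason) pairs that deserve a closer look in the decompiler."""
    hits = []
    for s in extract_strings(blob):
        low = s.lower()
        if HEX_BLOB.match(s) and shannon_entropy(s) > 3.5:
            hits.append((s, "hex blob, high entropy"))
        elif B64_BLOB.match(s) and shannon_entropy(s) > 4.5:
            hits.append((s, "base64 blob, high entropy"))
        elif any(k in low for k in KEYWORDS) and "=" in s:
            hits.append((s, "keyword with assigned value"))
    return hits


# Constructed stand-in for a vendor binary: a little header, some benign text and
# three planted items of the kind the slide warns about. Values are invented.
SAMPLE_BINARY = (
    b"\x00\x01MZ\x90\x00" + b"\x00" * 8
    + b"Copyright (c) 2012 Example Vendor\x00"               # benign text
    + b"passPhrase=Pas5pr@se_ChangeMe\x00"                   # keyword with value
    + b"3f7c9a1d5e2b8046a9c3d1e7f5b2a4c8\x00"                # 128-bit hex key
    + b"\x00" * 4
    + b"zX9qL2mN7vB4kP8wR1tY6uE3sA5dF0gH+jC/oQ2iW7eK\x00"    # base64 blob
    + b"System.Security.Cryptography.RijndaelManaged\x00"   # benign class name
)

if __name__ == "__main__":
    for s, reason in find_crypto_candidates(SAMPLE_BINARY):
        print(f"{reason:28s} {s}")
```

Every hit still has to be confirmed in .NET Reflector, JD-GUI or IDA Pro by finding the code that reads it: a high-entropy blob might be a resource hash rather than a key. The point is that the scan takes seconds and narrows a large binary to a handful of strings worth tracing.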
APPLICATION REVIEW RESULTS
•   Since the application program has been deployed globally
     • Findings in internally developed applications have decreased tremendously
     • Developers are eager to learn and implement security
           • The key is teaching, sharing, and patience. They are not reading about security
             24/7 like us.
     • Internally developed applications have a much stronger security posture than 3rd
       party developed applications
•   Require source code reviews for all externally facing applications.
DATABASE SECURITY
•   Leverage your application security program as a window into your databases.
•   The majority of databases that I have seen have an application communicating with it.
QUICK DATABASE SECURITY WINS
•   Utilize integrated authentication and disable local database accounts when applicable.
     • This centralizes account and password policies to Active Directory
•   Ensure that application connection strings utilize least privileges (never SA)
•   Keep database servers separate from web and application servers
•   Utilize network segmentation and DMZs for externally facing DBs or DBs with
    sensitive/confidential information
•   Separation of duties between administrators and developers.
VULNERABILITY MANAGEMENT
•   Patching processes (operating systems, applications, hardware)
•   Timelines for applying updates based on criticality
•   Maintain a list of approved and supported applications
•   Restrict users from installing applications
•   Scheduled vulnerability scans and device discovery
•   Integrate application and database review findings into tracking/remediation processes
DATA LOSS PREVENTION – CLOUD STORAGE
•   Do you know how much of your data is going to the cloud?
•   Are your users backing up their computers to the cloud?
•   Provide corporate shares for your users to minimize business information on personal
    devices.
CENTRALIZATION IS KEY TO EFFECTIVENESS
•   Centralize the management of everything you can
     • Standard computer and server images
     • Connect everything to the domain for Group Policy management
     • Know and understand the architecture of every application
     • Ensure that all network segments are included in vulnerability scans
     • Maintain a list of all external websites
     • Track and remediate all vulnerabilities discovered
SO WHERE DO I BEGIN?
•   Even if you implement everything so far, your program will not be successful without
    several core components:
     • Policies
     • Baselines
     • Risk Acceptance Model


•   Yes, these are the most boring components, but are absolutely vital for building a
    successful program.
POLICIES
•   Without a policy, enforcement and accountability cannot occur
•   These are the laws of the organization
     • If they did not exist, associates could not be held accountable for breaking them
•   Types of policies/categories:
     • Acceptable Use
     • Data Classification
     • Application Security
     • Network Security
     • Database Security
•   Some of these could be wrapped in an Information Security Policy
BASELINES
•   These are the technical details
•   Baselines should be created for all supported technologies:
     • Operating Systems
     • Databases
     • Network Devices
     • Applications
RISK ACCEPTANCE
•   The security team will not always be willing to sign-off on everything.
•   At times, you have to advise, identify risks, and the business may decide it is worth the
    risk.
•   Utilize a risk acceptance model where an executive or business manager must sign-off
    and accept the risks identified by the security team.
•   The risk acceptance documents can then be reviewed periodically by internal audit teams
•   Require a remediation plan and timeline to mitigate accepted risks
TIME TO BUILD
•   Once you have these foundational security defenses in place, you are ready to begin
    investing in additional security technologies to advance your security posture.
•   How many of you already have all of this in place?
•   It is a daily process as the organization changes (technology, processes, associates)
(Image caption: Don’t let your security program look like this!)
CLOSING THOUGHTS
•   You have to be passionate about what you do to be successful.
•   Be the positive change the world needs.
•   Bring out the best in others.
•   Use the hard times to grow and become a better person. You may be able to use your
    experiences to help others through their hardships.
•   All of these are vital for being happy in your career, even when you are doing something
    you love.
•   Never stop learning.
FIND TIME TO ENJOY THE BEAUTY OF LIFE

 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 

Recently uploaded (20)

Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 

Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors

8. BUT WAIT, I HAVE A ZERO DAY…. NOW WHAT!?
•   You don’t have to be “one zero-day away from compromise”
     • Imagine your CSO or CISO telling the CEO that the company is “one zero-day away from compromise”
     • I would not base my job security on this viewpoint
•   There is no comfort in security without layers.
9. LET’S START WITH AN EXPLOIT
•   What is a common attack vector that always seems to be vulnerable?

10. LET’S CALL THIS EXPLOIT: CURIOSITY_1337
•   Is anyone familiar with Java vulnerabilities or recent Internet Explorer vulnerabilities?
•   It makes sense to utilize the social engineering attack vector. If you are persistent enough, it almost always succeeds.

11. TYPICAL SOCIAL ENGINEERING/PHISHING ATTACK
•   Let’s attempt to exploit a system with the latest Java vulnerability available in SET (the Social-Engineer Toolkit).

12. AND HERE IS OUR SHELL
13. ANALYZE THE ATTACK
•   What layers did we have to breach for a maximum impact attack?
     • User account privileges (local admin, privileged domain account, restrictive account)
     • Firewall rules allowing the reverse shell port directly out
     • Antivirus detection
     • User awareness

14. SECURITY DEFENSES TO IMPLEMENT
•   User Awareness Training
•   End-Point System Protection
•   Network Protection
•   Application Security
•   Database Security
•   Vulnerability Management
•   Incident Response
•   Governance, Compliance, and Policies

15. USER AWARENESS
•   People will always be an inherent risk to the security posture of an organization.
     • Most likely the biggest vulnerability.
•   The cool thing is, people also have the potential to be the most valuable security asset.
     • How great would it be to tell others that your security team is the size of the entire associate population!

16. MAKE SECURITY THE TREND
•   Make it cool.
•   Ingrain security everywhere.
•   Teach your associates to have a security mindset.
•   Awareness and training are an invaluable investment.
     • Security articles integrated with corporate communications.
     • Awareness weeks
     • Newsletters
     • Posters, bulletins, screen savers

18. WHAT DO YOU SEE?

19. HACKER ANSWER
•   I see a way to bypass your company’s physical security perimeter attack dogs.
•   This guy should have had a hot dog with him.

20. PROTECT YOUR USERS
•   Ensure standard user accounts are least-privileged.
•   Deny local administrative access when possible.
•   Create separate administrative-level accounts.
•   Provide ongoing user awareness throughout the year.

21. END-POINT SYSTEM PROTECTION
•   Install antivirus software.
     • Sure, a good attacker will test their payload at www.virustotal.com first, but antivirus still stops known malware and signatures.
•   Apply security patches as soon as they are available.
     • Patch management
     • Vulnerability mitigation
•   Uninstall unused programs
•   Ensure that all systems are on the domain.
•   Require full disk encryption on user devices.

22. UTILIZE CENTRALIZED MANAGEMENT
•   Active Directory is a huge asset for security.
•   Group Policy Objects:
     • Password policies
     • Enforce security baselines (we will discuss later)
     • Provision administrative security groups
     • Map users to their provisioned file shares so they do not keep all of their company data on their laptops

23. NETWORK PROTECTION
Don’t allow this!
•   Restrict direct outbound (egress) connections
•   Utilize a whitelist approach for all direct connections outbound.
•   Force web (80, 443) traffic through a proxy server.
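As an added example (not from the talk), here is the egress whitelist from slide 23 written as a policy function and replayed over a constructed firewall log, to show which connections a permissive firewall let out that a deny-by-default ruleset would have blocked, including the reverse shell port from slide 13. The addresses, subnets, proxy port and log format are assumptions for illustration:

```python
import ipaddress
from collections import namedtuple

# Constructed sample of what a permissive firewall allowed outbound (not real traffic).
# Fields: timestamp source destination dst_port action
SAMPLE_LOG = """\
2012-09-29T12:00:01 10.10.5.23 10.10.1.10 3128 ALLOW
2012-09-29T12:00:02 10.10.5.23 198.51.100.7 443 ALLOW
2012-09-29T12:00:03 10.10.5.41 203.0.113.9 4444 ALLOW
2012-09-29T12:00:04 10.10.1.10 198.51.100.7 443 ALLOW
2012-09-29T12:00:05 10.10.5.41 10.10.1.5 53 ALLOW
2012-09-29T12:00:06 10.10.5.77 192.0.2.55 80 ALLOW
"""

# Assumed network layout (hypothetical addresses): workstations live in 10.10.5.0/24,
# everything in 10.10.0.0/16 is internal, and 10.10.1.10 is the web proxy on 3128.
WORKSTATIONS = ipaddress.ip_network("10.10.5.0/24")
INTERNAL = ipaddress.ip_network("10.10.0.0/16")
# The direct-out whitelist: the only external (address, port) pairs a workstation may
# reach without going through the proxy. Often empty; one approved partner here.
DIRECT_EGRESS_WHITELIST = {("198.51.100.7", 443)}

Finding = namedtuple("Finding", "ts src dst port reason")


def egress_allowed(src, dst, port):
    """Whitelist policy: workstations reach the outside only via the proxy or a listed pair."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in WORKSTATIONS:
        return True              # servers and the proxy itself have their own rule set
    if dst_ip in INTERNAL:
        return True              # internal traffic is not egress; the proxy on 3128 lands here
    return (str(dst_ip), port) in DIRECT_EGRESS_WHITELIST


def should_have_been_denied(log_text):
    """Replay allowed connections against the policy; each hit is a rule the firewall lacks."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        port = int(port)
        if action != "ALLOW" or egress_allowed(src, dst, port):
            continue
        if port in (80, 443):
            reason = "web port bypassing the proxy"
        else:
            reason = "non-web port direct out (reverse shell path)"
        findings.append(Finding(ts, src, dst, port, reason))
    return findings


if __name__ == "__main__":
    for f in should_have_been_denied(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.port}  {f.reason}")
```

Run against the sample, the replay flags the workstation talking to 203.0.113.9 on 4444 (the shell from slide 12 would have used exactly this kind of hole) and the one reaching a web server on port 80 without the proxy; the connection to the approved partner and the proxy's own outbound traffic pass.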
24. APPLICATION SECURITY
•   Applications are essential to every aspect of the business.
•   They are the doorways and portals to intellectual property, consumer data, financials, access controls, databases, and your product.

25. HOW WELL DO YOU KNOW YOUR APPS?
•   Application security is vital for the security posture of your organization.
•   Do you have control over the applications being used?
•   Do you have an inventory?
•   Are you using third-party developed applications?

26. APPLICATION REVIEWS
•   Review ALL applications.
•   Types of reviews:
     • Source code, manual/automated
     • Dynamic, manual/automated
     • Due diligence
•   Train your developers in secure programming practices.

27. SECURE SOFTWARE DEVELOPMENT LIFE CYCLE
•   Begin at the conception of the development idea/planning, or at 3rd party software procurement
•   Continue throughout development cycles
•   Perform an assessment before the application is released
•   Perform an assessment for major revisions or new releases
•   Perform periodic assessments to identify new exposures

28. BUT I DON’T KNOW CODE…
•   You don’t have to be a security code ninja to perform an effective application review.
•   Obviously, the better you are at:
     • programming
     • pentesting
     • understanding security principles
     • understanding compliance requirements
•   the better a reviewer you will be, but you have to start somewhere…

29. START WITH A CHECKLIST FOR DEVELOPERS
•   We provide a checklist to developers that highlights the primary concerns we have for every application.
•   Developers don’t have time to read and understand every page or article from:
     • OSSTMM – Open Source Security Testing Methodology Manual
     • OWASP – Open Web Application Security Project
     • ASVS – Application Security Verification Standard
     • BSIMM – The Building Security In Maturity Model
     • PCI – Payment Card Industry
     • FIPS – Federal Information Processing Standards
     • NIST – National Institute of Standards and Technology
     • And there are plenty more

30. APPLICATION RISKS
•   Proper protections surrounding every input and output control within an application will remediate the risk of most vulnerabilities.
•   Minimize the surface area for attack

31. LET’S TAKE A LOOK AT THE REVIEW CHECKLIST
•   I like to refer to it as a cheat sheet because it makes developers feel like they are able to pass the reviews by only following these requirements.
•   The best part is:
     • Proper development surrounding these requirements will remediate nearly all of the vulnerabilities we find in practice.
•   Have your security person focused on application security learn and understand the proper controls surrounding each cheat sheet item.

32. PASSING A SECURITY REVIEW
•   The CHEAT SHEET categories:
     • Passwords
     • Accounts/Roles
     • Cookies
     • Databases
     • Input Validation
     • Output Encoding
     • Transport Layer Security
     • Web.Config
     • Encryption
     • Logging and Alerts
     • C/C++ Development

33. PASSWORDS
My Online Banking!!!
•   Minimum 9 character passwords
•   Complexity (upper, lower, numbers, special chars)
•   Lockout functionality
•   Change password functionality
•   Logout ability from all sites
•   Expiration

34. ACCOUNTS/ROLES
•   Generate a random password on creation
•   Utilize role-based security (at least user/administrator levels)
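An added example, not from the talk, of the password and account rules on slides 33 and 34 in Python: a whitelist-style policy check (length plus four character classes), a random initial password for account creation drawn from the `secrets` module, and a lockout counter. The threshold of 5 failures and the 15-minute window are assumptions. One caveat worth attaching to the lockout bullet: a permanent lockout on an internet-facing login lets an attacker lock your users out by guessing wrong on purpose, so the lockout here expires on its own.

```python
import re
import secrets
import string
import time

MIN_LENGTH = 9  # the cheat sheet's 9-character minimum
# One regex per required character class: lower, upper, digit, special.
CHARACTER_CLASSES = [re.compile(p) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")]


def password_policy_violations(password):
    """Return the cheat-sheet rules a candidate password fails (empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = sum(1 for cls in CHARACTER_CLASSES if not cls.search(password))
    if missing:
        problems.append(f"missing {missing} of 4 character classes")
    return problems


def generate_initial_password(length=16):
    """Random password for account creation (slide 34); never a fixed or predictable default."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"
    while True:  # redraw until the random candidate also satisfies the complexity rules
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_policy_violations(candidate):
            return candidate


class LockoutTracker:
    """Count failed logins per account and lock the account for a limited time.

    Threshold and window are assumptions for illustration. The lock expires by itself,
    so an attacker cannot permanently lock users out by deliberately guessing wrong.
    """

    def __init__(self, threshold=5, lockout_seconds=900, clock=time.time):
        self.threshold = threshold
        self.lockout_seconds = lockout_seconds
        self.clock = clock           # injectable so the expiry can be tested
        self.failures = {}           # account -> consecutive failure count
        self.locked_until = {}       # account -> unlock timestamp

    def is_locked(self, account):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:    # lockout expired: reset and let them try again
            del self.locked_until[account]
            self.failures.pop(account, None)
            return False
        return True

    def record_failure(self, account):
        """Call on every failed login; returns True once the account is locked."""
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if count >= self.threshold:
            self.locked_until[account] = self.clock() + self.lockout_seconds
        return self.is_locked(account)

    def record_success(self, account):
        """A successful login (while not locked) clears the failure count."""
        self.failures.pop(account, None)
```

The policy check returns the list of failed rules rather than a bare boolean so the application can tell the user exactly which requirement to fix, without ever echoing the password itself.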
35. COOKIES
•   No sensitive data in cookies
•   Secure attribute
•   HttpOnly attribute

36. DATABASES
•   Use parameterized or prepared statements for all SQL queries that use variable values
•   Use least-privileged accounts in connection strings (never use SA)
•   Use limited accounts for the SQL services themselves
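An added example, not part of the original deck, showing why the first database rule is on the cheat sheet. It uses Python's built-in `sqlite3` with a constructed two-row table; the same pattern applies to any driver that supports placeholders (`@name` parameters in ADO.NET, `?` or `%s` elsewhere). The least-privilege connection-string rule has no SQLite equivalent, since SQLite has no accounts.

```python
import sqlite3


def build_db():
    """In-memory database with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", "user"), ("bob", "hash-b", "administrator")],
    )
    return conn


def find_user_unsafe(conn, username):
    """The pattern the checklist forbids: attacker-controlled text spliced into the SQL."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Parameterized statement: the value travels separately from the SQL text,
    so quote characters in it can never change the query's structure."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"
    print("unsafe:", find_user_unsafe(db, payload))   # every row comes back
    print("safe:  ", find_user_safe(db, payload))     # nothing is named that
```

With the classic `' OR '1'='1` payload the concatenated query becomes `WHERE username = '' OR '1'='1'` and returns the whole table, administrator row included; the parameterized version looks for a user whose name is literally that string and returns nothing.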
37. INPUT VALIDATION
•   Validate all external input for length, content, and type using regular expressions
•   Don’t use conversions to validate input
•   Use a whitelist approach, not blacklists
•   Server-side validation only: client-side validation can be bypassed

38. OUTPUT ENCODING
•   Use HTML encoding for any untrusted data that is displayed in literal controls (labels, tables) on a page
•   Use URL encoding for any untrusted parameters in a URL
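An added example (not from the talk) that ties slides 37 and 38 together: server-side whitelist validation with regular expressions, a case where a type conversion would have accepted input the whitelist rejects, and context-specific encoding of untrusted values on the way out. The field rules are assumptions chosen for illustration.

```python
import html
import re
from urllib.parse import quote

# Whitelist patterns. Each one spells out exactly which characters, length and shape a
# field accepts; anything else is rejected. The field rules below are assumptions.
FIELD_RULES = {
    "username": re.compile(r"^[a-z][a-z0-9_]{2,31}$"),   # 3-32 chars, starts with a letter
    "zip": re.compile(r"^\d{5}(-\d{4})?$"),               # 12345 or 12345-6789
    "quantity": re.compile(r"^\d{1,4}$"),                 # plain digits only, max 9999
}


def validate(field, value):
    """Server-side whitelist validation: return the value if accepted, else raise ValueError."""
    if not isinstance(value, str):
        raise ValueError(f"{field}: expected a string")
    if FIELD_RULES[field].fullmatch(value) is None:
        raise ValueError(f"{field}: rejected by whitelist")
    return value


def is_rejected(field, value):
    """True when the whitelist turns the value away."""
    try:
        validate(field, value)
    except ValueError:
        return True
    return False


def conversion_would_accept(value):
    """The 'don't validate by conversion' point: int() tolerates whitespace and
    underscores, so it accepts strings the digit whitelist refuses."""
    try:
        int(value)
        return True
    except ValueError:
        return False


def render_search_link(term, label):
    """Untrusted text on the way out, encoded for each context it lands in: URL-encoded
    inside the query string, then HTML-encoded inside the attribute and the element body."""
    url = "/search?q=" + quote(term, safe="")
    return (f'<a href="{html.escape(url, quote=True)}">'
            f"{html.escape(label, quote=True)}</a>")


def render_table_cell(value):
    """A literal control such as a label or table cell: HTML-encode, never insert raw."""
    return f"<td>{html.escape(value, quote=True)}</td>"
```

Note that the search link is encoded twice on purpose: once because the term is going into a URL, and again because that URL is going into an HTML attribute. Each encoding belongs to the context the data is entering, which is why the rule is "encode output", not "strip input".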
39. TRANSPORT LAYER SECURITY
•   SSL/TLS for logins and sensitive information
•   Disable insecure ciphers
•   No certificate mismatches, untrusted CAs, revoked certs, or self-signed certs
•   Disable deprecated/insecure protocol versions

40. WEB.CONFIG
•   Encrypt any sensitive sections of the config files (connection strings, keys, passwords)
•   Configure customErrors
•   Compilation debug is turned off
•   ValidateRequest is on
•   Encrypt ViewState

41. CRYPTOGRAPHIC STORAGE
I’ve found these hard-coded values from Obviex used so many times!!!
•   No hard-coded encryption keys
•   Use secure hashing algorithms like SHA-256 or SHA-512
•   Generate a unique salt when hashing a password
     • You salt your potatoes, you salt your french fries, you salt your hash.
•   Use strong encryption algorithms like AES-256
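An added example, not from the talk, of salted password hashing using only Python's standard library. One caveat on the slide: a single salted SHA-256 is fast, which makes offline guessing fast too, so the example iterates the SHA-256 the slide names through PBKDF2-HMAC-SHA256. The iteration count is an assumption. The `static_salt_sha256` function shows the anti-pattern the speaker's notes warn about, where a fixed or missing salt gives every user with the same password the same stored value.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256: the checklist's SHA-256, iterated so each guess costs the attacker
# as much work as it costs you. The count is an assumption; tune it so a login takes a
# noticeable fraction of a second on your hardware.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password, iterations=ITERATIONS):
    """Hash with a fresh random salt; returns a self-describing string for storage."""
    salt = os.urandom(SALT_BYTES)                      # unique per password, never reused
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def static_salt_sha256(password, salt=b"s@1t"):
    """The anti-pattern: a hard-coded (or absent) salt means two users with the same
    password store the same value, and one precomputed table cracks all of them."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    stored = hash_password("correct horse battery")
    print(stored)
    print(verify_password("correct horse battery", stored))   # True
    print(verify_password("wrong guess", stored))             # False
```

Storing the algorithm name and iteration count alongside the salt and digest is what lets you raise the work factor later: verify with the old parameters, then re-hash with the new ones on the next successful login.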
42. LOGGING AND ALERTS
•   Log all security-type events (login, logout, add/remove users, uploads, errors)
•   No sensitive info in logs
•   Provide generic error messages to users and log the details
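An added example, not part of the original slides, of the three logging rules in Python's `logging` module: a filter that redacts secret-looking key/value pairs before any handler writes them, and a login handler that gives the user a generic message with a reference id while the details go to the log. The key names, log format and constructed error string are assumptions.

```python
import logging
import re
import uuid
from io import StringIO

# Key names treated as secrets. Assumed list; extend it with your own field names.
SENSITIVE_KEYS = ("password", "passwd", "pwd", "ssn", "card", "token", "secret")
# Matches key=value, key: value, or "key": "value" pairs whose key starts with a
# sensitive name, so password_confirm= and "token": are caught as well.
REDACT_RE = re.compile(
    r"(?i)\b(" + "|".join(SENSITIVE_KEYS) + r")(\w*)([\"']?\s*[=:]\s*[\"']?)([^\s,&\"']+)"
)


def redact(text):
    """Replace the value half of any secret-looking key/value pair."""
    return REDACT_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}{m.group(3)}[REDACTED]", text)


class RedactingFilter(logging.Filter):
    """Scrub the fully rendered message before any handler writes it anywhere."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def build_security_logger(stream=None):
    """Logger that writes security events to `stream` (a StringIO when None) via the filter."""
    buf = stream if stream is not None else StringIO()
    logger = logging.getLogger("appsec-example")
    logger.handlers.clear()
    logger.filters.clear()
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    logger.propagate = False
    return logger, buf


def handle_login(logger, username, form_body, db_error=None):
    """Log the security event with details; hand the user only a generic message and a reference."""
    if db_error is not None:
        ref = uuid.uuid4().hex[:12]   # correlation id the user can quote to the help desk
        # Frameworks often dump the raw form body on error; the filter scrubs password= out of it.
        logger.error("login failure ref=%s user=%s form=%s detail=%s",
                     ref, username, form_body, db_error)
        return {"ok": False, "message": f"Login failed. Reference {ref}."}
    logger.info("login success user=%s", username)
    return {"ok": True, "message": "Welcome"}


if __name__ == "__main__":
    log, out = build_security_logger()
    print(handle_login(log, "alice", "user=alice&password=hunter2&remember=1",
                       db_error="ORA-01017: invalid username/password; logon denied"))
    print(out.getvalue())
```

The filter sits on the logger, not on one handler, so a second handler (syslog, a SIEM forwarder) added later gets the scrubbed record too; the reference id is what lets support find the detailed entry without the error text ever reaching the browser.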
43. C/C++ DEVELOPMENT
•   Utilize the secure alternatives for functions when available (include banned.h from the Microsoft SDL)
•   Validate all buffers before adding data

45. WHAT TO DO ABOUT 3RD PARTY APPLICATIONS
•   You will not always have 3rd party code to review.
•   I always ask for the code and say that we require a code review before it can be used in the organization.
     • Under NDA, they are often willing to provide the code.
     • Worst case: they say no
•   Makes sense, because it is usually a full ASVS review of their application for free.
     • Could count as an audit checkmark for a third-party code review.

46. 3RD PARTY REVIEW WITHOUT CODE
•   Very hesitant to allow third-party applications on the external perimeter without a full code review.
•   Utilize tools like:
     • .NET Reflector to open the binaries of .NET applications
     • JD-GUI for opening Java binaries
     • IDA Pro to search strings
•   Look closely at authentication mechanisms for hard-coded values and backdoors
•   Search for hard-coded cryptographic information (encryption keys, IVs, salt values)
•   Perform a due-diligence review of the vendor.
     • Questionnaire regarding secure programming process, developer training
     • Internet research regarding the company (past vulnerabilities, breaches)

47. APPLICATION REVIEW RESULTS
•   Since the application program has been deployed globally:
     • Findings in internally developed applications have decreased tremendously
     • Developers are eager to learn and implement security
     • The key is teaching, sharing, and patience. They are not reading about security 24/7 like us.
     • Internally developed applications have a much stronger security posture than 3rd party developed applications
•   Require source code reviews for all externally facing applications.

48. DATABASE SECURITY
•   Leverage your application security program as a window into your databases.
•   The majority of databases that I have seen have an application communicating with them.

49. QUICK DATABASE SECURITY WINS
•   Utilize integrated authentication and disable local database accounts when applicable.
     • This centralizes account and password policies in Active Directory
•   Ensure that application connection strings utilize least privileges (never SA)
•   Keep database servers separate from web and application servers
•   Utilize network segmentation and DMZs for externally facing DBs or DBs with sensitive/confidential information
•   Separation of duties between administrators and developers.

50. VULNERABILITY MANAGEMENT
•   Patching processes (operating systems, applications, hardware)
     • Timelines for applying updates based on criticality
•   Maintain a list of approved and supported applications
     • Restrict users from installing applications
•   Scheduled vulnerability scans and device discovery
•   Integrate application and database review findings into tracking/remediation processes

51. DATA LOSS PREVENTION – CLOUD STORAGE
•   Do you know how much of your data is going to the cloud?
•   Are your users backing up their computers to the cloud?
•   Provide corporate shares for your users to minimize business information on personal devices.

52. CENTRALIZATION IS KEY TO EFFECTIVENESS
•   Centralize the management of everything you can
•   Standard computer and server images
•   Connect everything to the domain for Group Policy management
•   Know and understand the architecture of every application
•   Ensure that all network segments are included in vulnerability scans
•   Maintain a list of all external websites
•   Track and remediate all vulnerabilities discovered

53. SO WHERE DO I BEGIN?
•   Even if you implement everything so far, your program will not be successful without several core components:
     • Policies
     • Baselines
     • Risk Acceptance Model
•   Yes, these are the most boring components, but they are absolutely vital for building a successful program.

54. POLICIES
•   Without a policy, enforcement and accountability cannot occur
•   These are the laws of the organization
     • If they did not exist, associates could not be held accountable for breaking them
•   Types of policies/categories:
     • Acceptable Use
     • Data Classification
     • Application Security
     • Network Security
     • Database Security
•   Some of these could be wrapped into an Information Security Policy

55. BASELINES
•   These are the technical details
•   Baselines should be created for all supported technologies:
     • Operating Systems
     • Databases
     • Network Devices
     • Applications

56. RISK ACCEPTANCE
•   The security team will not always be willing to sign off on everything.
•   At times, you have to advise and identify risks, and the business may decide it is worth the risk.
•   Utilize a risk acceptance model where an executive or business manager must sign off and accept the risks identified by the security team.
     • The risk acceptance documents can then be reviewed periodically by internal audit teams
     • Require a remediation plan and timeline to mitigate accepted risks

57. TIME TO BUILD
•   Once you have these foundational security defenses in place, you are ready to begin investing in additional security technologies to advance your security posture.
•   How many of you already have all of this in place?
•   It is a daily process as the organization changes (technology, processes, associates)
Don’t let your security program look like this!

58. CLOSING THOUGHTS
•   You have to be passionate about what you do to be successful.
•   Be the positive change the world needs.
•   Bring out the best in others.
•   Use the hard times to grow and become a better person. You may be able to use your experiences to help others through their hardships.
•   All of these are vital for being happy in your career, even when you are doing something you love.
•   Never stop learning.

59. FIND TIME TO ENJOY THE BEAUTY OF LIFE

Editor's Notes

  1. Thank you for coming to listen. Focus on building a solid foundation for a security program.
  2. Same tactics over and over; a lot less info on Pastebin; automated tools less prevalent; hacking methodologies less successful.
  7. The key is to have layers of security to defend and protect.
  11. None are rocket science to implement; it goes back to planning and project management.
  14. I know some of you are thinking, I hope this is not one of the replacement refs. Made sure to get an official NFL ref; don’t worry, this is not a replacement.
  19. Configuration database is for the company; huge proponent of Group Policy.
  20. Packet inspection.
  21. My favorite topic. Which cave do your company’s applications resemble?
  22. Application sprawl.
  23. Cannot always compile code for automated scans.
  25. Also, if you are an encryption/hashing expert, you probably immediately recognize that they also either are unsalted or have a static salt.
  26. Online tools to perform all checks for you: SSL Labs, SSL Shopper.
  27. Or other configuration files; protect with ACLs. ViewState shouldn’t have sensitive data, but encrypt it in case, as a layer.
  28. Value a developer that truly understands how to implement cryptographic storage properly.
  29. Emails, links.
  30. I’ve found many unknown databases from reviewing applications.
  32. Program service security review.