Inconvenient Truth(s)
Dinis Cruz, SANS “What Works in Application Security”
Who am I?
- Director of Advanced Technologies, Ounce Labs
- Chief OWASP Evangelist
- Independent Consultant, various
- Skills:
  - Researcher on .NET Security
  - Reverse Engineering
  - Source Code Security Reviews
  - Development of Secure Architectures
  - Developer (from ASM to C#, from Amiga to x86)
  - Irreverent
Inconvenient Truth
- Software security is a mess!!!!!
- Not because the software industry creates exploitable vulnerabilities, but because it doesn’t understand what those vulnerabilities look like and doesn’t learn from past mistakes!
- The buyers/users have no visibility on the ‘real’ security status of our software world
- Software is everywhere (from cars, to websites, to medical appliances, to banking systems, to toys, to elevators, to weapons, to communication devices, to energy transportation systems, etc…)
  - Our society is currently very dependent on software and will become even more so in the future
- And nobody has a complete picture of how big this mess is, since its complexity has outgrown the human capacity to analyze it!
Inconvenient #1: There are no metrics!
- How can customers purchase secure solutions if they can’t measure security?
- I know more about the Orange Juice I buy from the local store than I know about the software I buy (WinZip, for example)
- My only decision is to accept (or not) the EULA
[Image from OWASP’s metrics project & Jeff Williams’ presentation (http://www.owasp.org/index.php/Types_of_application_security_metrics)]
Inconvenient #2: Global Warming ~ Software InSecurity
- Al Gore’s Global Warming
  - Should in fact be called “The impact of Mankind on Earth’s Ecosystem”
- Both are man-made
- Both are the results of Complex Systems and feedback loops whose consequences are not fully understood
- Both are actually an Accountancy and Economics problem
- Both ‘could’ have disastrous consequences
Inconvenient #3: Secure software doesn’t make business sense
‘Information security is not a technological problem. It is an economics problem. And the way to improve information security is to fix the economics problem. If this is done, companies will come up with the right technological solutions that vendors will happily implement. Fail to solve the economics problem, and vendors will not bother implementing or researching any security technologies, regardless of how effective they are.’ (Bruce Schneier)
- See John Viega’s (Vice President and Chief Security Architect of McAfee) BlackHat 2007 presentation: Building an Effective Application Security Practice on a Shoestring Budget
- This presentation makes the business case for not investing in Security!
“If I know that doing a security audit on product XYZ I will find (per Mloc) 90 serious vulnerabilities (30 Critical, 60 High), but in the past year only 1 of those vulnerabilities has been publicly disclosed, then it is cheaper to have a small and agile CERT than it is to find and patch those issues before shipping”. (John Viega)
Inconvenient #4: Secure software doesn’t make business sense
- Clients are not able to measure the ‘security’ of the products and services they are purchasing (or developing)
- The attackers are not exploiting the vulnerabilities created by insecure applications / solutions
- Governments don’t know what is going on (or what to do)
- Software companies (both traditional and Open Source) are rewarded (with sales or eyeballs) for delivering:
  - Features that (from the users’ point of view) either:
    - a) improve business operations
    - b) increase profitability
    - c) create new sources of revenue
  - Performance, Scalability, Reporting
  - Time to market
  - GUIs (ease of use)
- In 2007 Software Security is still a ‘damage control’ exercise and only short-term actions are implemented
  - Important note: this would not be a problem if the attacker’s business model wasn’t evolving
Inconvenient #5: Our systems are safe today!
- How many people in this room have suffered ‘severe’ losses (either economic or personal) due to criminal exploitation of vulnerabilities in Software?
- How many companies bankrupt?
- How many wars started? Or won?
- How many lives lost?
- How many dollars lost? (as a percentage of profits/losses)
Interesting statistic: In the UK, in the assessment of road building schemes, lives saved due to road safety improvements are valued at around £1 million per person. (http://news.bbc.co.uk/1/hi/world/europe/6597743.stm)
Inconvenient #6: Our systems are safe today!
- Apart from:
  - Kids
  - Criminals with simple malicious business models:
    - spamming, phishing, credit card fraud, software piracy
    - selling compromised accounts (& botnets)
    - blackmail
    - obvious (& easily detectable) stock market manipulation
  - A small number of elite criminals who know what they are doing and will never be caught
- We are pretty safe!
  - Which is good, because our defenses (AV, IDS, IPS, Operating Systems, Applications) are not able to contain targeted attacks by skillful and knowledgeable attackers
What is RISK?
- RISK = Vulnerability * Impact * Frequency
- Frequency = Number of Attacks / Time Period
- RISK = Vulnerability * Impact * (Number of Attacks / Time Period)
- At the moment (Aug 2007), we are in a LOW RISK DefCon mode:
  - the Vulnerabilities and Impact are very HIGH, but
  - the number of attacks (over the last years) is very LOW
Inconvenient #7: We will be doomed!
- If the business model of our attackers evolves!
- If these attackers are able to make money by exploiting our insecure software / web applications
- If the number of ‘profitable’ attackers reaches critical mass
- If we don’t change our current software development business model
- If we don’t change our understanding and visibility of the security implications of our interconnected systems
- If we are attacked directly!
Inconvenient #8: The attacker's business model is still immature
- Mainly still:
  - spamming, phishing, credit card fraud, software piracy
  - selling compromised accounts or botnets
  - blackmail
  - obvious (& easily detectable) stock market manipulation
- We will have a serious problem when the attackers are able to monetize digital access to companies’:
  - Content Management Systems
  - Backend Transaction Systems
  - Digital assets (Emails, Documents, VPNs)
  - Payment Systems
  - Business-related assets:
    - Capability to do business
    - Availability of Services
    - Confidentiality of information stored / processed
    - Data Integrity
‘Software enabled’ malicious business models
- Sell Business Intelligence (& victim’s assets)
  - From corporate espionage to selling airline tickets via a compromised ‘Air Miles’ system
- Stock Market Manipulation
  - What if 10% of all stock market transactions were not real?
- Accounting Scams
  - Enron via database manipulation, money ‘creation’, money laundering
- Control media agenda
  - Mind control, political agenda control, elections manipulation
- Serious blackmail / credit card fraud
  - James Bond style
- Destruction of a financial organization to hide bad investments
  - Think ‘Hedge fund gone bust’ with an interest in wiping Bank XYZ’s debt management system (which is only a database after all)
- Artificial ‘lack of energy resources’
  - or other consumer goods
- Digital Wars
- Etc… (ask DHS or Bruce Schneier for more movie plot stories)
Inconvenient #9: Physical Extremism doesn't scale (but Digital Extremism does)
- Extremism is part of our world
- Physical Extremism (from Islamic Terrorism, to Animal Rights campaigners, to Environmental activists) doesn't scale:
  - Good at delivering one-off hits
  - Hard at creating large numbers of attacks
    - High exposure when delivering an attack usually compromises the cell (and its connections)
    - Hard to do without strong grass-roots support (which protects the attackers)
  - Successful attacks can’t be easily replicated and executed in other locations
- Digital Extremism will scale, since it could bring our economy down (think: Stock market collapse, debt vanishing, etc…)
- The good news is that there is limited money generated by Extremist actions (and let's stay away from ‘conspiracy theories’ :)).
  - This is actually the most important point, because at the end of the day what matters is MONEY (which is why the business model of the attackers matters so much)
Inconvenient #10: We need better engineering
- Software engineering today is (in most cases) still a very immature process
- Just compare it with how Microchips are designed, tested and deployed
- Software’s ‘soft’ capabilities are its downfall
  - Hey, if there is a problem, we just issue a patch later! (the customer will never notice!)
- Even companies who were ‘forced’ to take security seriously (Microsoft) are still in a reactive mode (and are not learning from past mistakes)
Inconvenient #11: We need containment
- Where we are going in the right direction: [image]
Sandbox anybody? (or ‘Can I 0wn you please?’)
- And where we are NOT going in the right direction: [images]
Going mobile
- Who owns an iPhone? (can I 0wn you too?) [images]
Inconvenient #12: Open Source security is a myth
- ‘Many eyeballs’ is true, but the number of eyeballs with security knowledge looking at Open Source projects is very limited
- The fact that the code is available doesn’t mean that somebody will actually review it
- Non-existent Open Source culture and processes to perform regular manual and tool-based source code reviews
- There is no certification of ‘secure’ Open Source applications
- The Open Source community thinks it is secure
- Very few seem to understand the problems with user-land security (mainly due to the lack of attacks)
- The Open Source community doesn’t want Full Disclosure of Zero-days (their ‘responsible disclosure policy’ is very similar to Microsoft’s)
- Bottom Line: The fact that an application is Open Source doesn’t make it secure
- And since its users can’t measure the security of the Open Source tools they are using, several Open Source projects have shown the same disregard for end-users’ security as their ‘proprietary’ counterparts
Inconvenient #13: Most Source Code must be disclosed
All Source Code must be disclosed
- That said, we (the clients buying and using software) need access to the code in order to review and analyze its security
- Those that don’t have those reviewing capabilities in-house should be able to pay independent companies to do it
  - Even governments should be involved in these evaluations
- The days of selling ‘black boxes’ that nobody knows what is inside are numbered
- Note that this doesn't mean that all software will be Open Source (just that its code will be available for review)
Inconvenient #14: Most IT Security products have negative ROI
- Anybody want to challenge this item?
- Note that most ‘security products’ are developed with the same mind-set and priorities as normal software, which means that making them ‘secure’ is usually not on the ‘real’ agenda
  - Unfortunately, today, it doesn’t make business sense to create ‘secure’ Security Software
  - Note how many vulnerabilities exist in ‘Security Software’ (and appliances)
Inconvenient #15: The Long Tail of Attackers is saving us
- Will this shape continue?
- Most of those capable of exploiting seem to be employed by you, with no motive to go to the ‘dark side’
- Is our current ‘mess’ creating a new generation of attackers?
  - Currently making money by exploiting (for example):
    - online gambling
    - community websites
    - vulnerable eCommerce websites
[Chart: http://en.wikipedia.org/wiki/The_Long_Tail]
Inconvenient #15: The 'digital Armageddon' will never happen
- We are very close and it can be done (for 10 years at least)
- Super-Elite skills are not required (a large number of BlackHat / DefCon participants could do it)
- But it hasn’t happened so far!
- So, what should it?
- The important question: Can somebody make money with it?
  - What is the business model of a 'digital Armageddon'?
- Awareness of this global weakness and of the existence of large numbers of ‘single points of failure’ is (I think) very limited at C-Level and among Government executives
- Maybe the good guys should show that it can be done
Solution?
- Visibility
  - Understand the security implications
  - Understand the Risk
  - Understand the interconnections and interdependencies
  - Disclosure of Known vulnerabilities (metrics)
- Reward and Accountability
  - Business models that reward this visibility and the development of ‘secure’ applications
  - Procurement pressure will work (but needs to be backed up by law)
- Containment
  - Execute code in Sandboxed run-time environments where exploitation of vulnerabilities (or of malicious code) is:
    - a) not possible or
    - b) successfully contained
- Government, Laws, Privacy and Anonymity
Security Public Relations Excuse Bingo
- Would be funny if it wasn’t true
[Image from www.crypto.com/bingo/pr]
Thanks
- Any Questions?
- Feel free to contact me at: dinis.cruz@ouncelabs.com
GSBot Commands (Slack Bot used to access Jira data)Dinis Cruz
 
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6 (OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6 Dinis Cruz
 
OSBot - Data transformation workflow (from GSheet to Jupyter)
OSBot - Data transformation workflow (from GSheet to Jupyter)OSBot - Data transformation workflow (from GSheet to Jupyter)
OSBot - Data transformation workflow (from GSheet to Jupyter)Dinis Cruz
 
Jira schemas - Open Security Summit (Working Session 21th May 2019)
Jira schemas  - Open Security Summit (Working Session 21th May 2019)Jira schemas  - Open Security Summit (Working Session 21th May 2019)
Jira schemas - Open Security Summit (Working Session 21th May 2019)Dinis Cruz
 
Template for "Sharing anonymised risk theme dashboards v0.8"
Template for "Sharing anonymised risk theme dashboards v0.8"Template for "Sharing anonymised risk theme dashboards v0.8"
Template for "Sharing anonymised risk theme dashboards v0.8"Dinis Cruz
 
Owasp and summits (may 2019)
Owasp and summits (may 2019)Owasp and summits (may 2019)
Owasp and summits (may 2019)Dinis Cruz
 
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...Creating a graph based security organisation - Apr 2019 (OWASP London chapter...
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...Dinis Cruz
 
Open security summit 2019 owasp london 25th feb
Open security summit 2019   owasp london 25th febOpen security summit 2019   owasp london 25th feb
Open security summit 2019 owasp london 25th febDinis Cruz
 
Owasp summit 2019 - OWASP London 25th feb
Owasp summit 2019  - OWASP London 25th febOwasp summit 2019  - OWASP London 25th feb
Owasp summit 2019 - OWASP London 25th febDinis Cruz
 

Más de Dinis Cruz (20)

Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)
Map camp  - Why context is your crown jewels (Wardley Maps and Threat Modeling)Map camp  - Why context is your crown jewels (Wardley Maps and Threat Modeling)
Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)
 
Glasswall - Safety and Integrity Through Trusted Files
Glasswall - Safety and Integrity Through Trusted FilesGlasswall - Safety and Integrity Through Trusted Files
Glasswall - Safety and Integrity Through Trusted Files
 
Glasswall - How to Prevent, Detect and React to Ransomware incidents
Glasswall - How to Prevent, Detect and React to Ransomware incidentsGlasswall - How to Prevent, Detect and React to Ransomware incidents
Glasswall - How to Prevent, Detect and React to Ransomware incidents
 
The benefits of police and industry investigation - NPCC Conference
The benefits of police and industry investigation - NPCC ConferenceThe benefits of police and industry investigation - NPCC Conference
The benefits of police and industry investigation - NPCC Conference
 
Serverless Security Workflows - cyber talks - 19th nov 2019
Serverless  Security Workflows - cyber talks - 19th nov 2019Serverless  Security Workflows - cyber talks - 19th nov 2019
Serverless Security Workflows - cyber talks - 19th nov 2019
 
Modern security using graphs, automation and data science
Modern security using graphs, automation and data scienceModern security using graphs, automation and data science
Modern security using graphs, automation and data science
 
Using Wardley Maps to Understand Security's Landscape and Strategy
Using Wardley Maps to Understand Security's Landscape and StrategyUsing Wardley Maps to Understand Security's Landscape and Strategy
Using Wardley Maps to Understand Security's Landscape and Strategy
 
Dinis Cruz (CV) - CISO and Transformation Agent v1.2
Dinis Cruz (CV) - CISO and Transformation Agent v1.2Dinis Cruz (CV) - CISO and Transformation Agent v1.2
Dinis Cruz (CV) - CISO and Transformation Agent v1.2
 
Making fact based decisions and 4 board decisions (Oct 2019)
Making fact based decisions and 4 board decisions (Oct 2019)Making fact based decisions and 4 board decisions (Oct 2019)
Making fact based decisions and 4 board decisions (Oct 2019)
 
CISO Application presentation - Babylon health security
CISO Application presentation - Babylon health securityCISO Application presentation - Babylon health security
CISO Application presentation - Babylon health security
 
Using OWASP Security Bot (OSBot) to make Fact Based Security Decisions
Using OWASP Security Bot (OSBot) to make Fact Based Security DecisionsUsing OWASP Security Bot (OSBot) to make Fact Based Security Decisions
Using OWASP Security Bot (OSBot) to make Fact Based Security Decisions
 
GSBot Commands (Slack Bot used to access Jira data)
GSBot Commands (Slack Bot used to access Jira data)GSBot Commands (Slack Bot used to access Jira data)
GSBot Commands (Slack Bot used to access Jira data)
 
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6 (OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6
 
OSBot - Data transformation workflow (from GSheet to Jupyter)
OSBot - Data transformation workflow (from GSheet to Jupyter)OSBot - Data transformation workflow (from GSheet to Jupyter)
OSBot - Data transformation workflow (from GSheet to Jupyter)
 
Jira schemas - Open Security Summit (Working Session 21th May 2019)
Jira schemas  - Open Security Summit (Working Session 21th May 2019)Jira schemas  - Open Security Summit (Working Session 21th May 2019)
Jira schemas - Open Security Summit (Working Session 21th May 2019)
 
Template for "Sharing anonymised risk theme dashboards v0.8"
Template for "Sharing anonymised risk theme dashboards v0.8"Template for "Sharing anonymised risk theme dashboards v0.8"
Template for "Sharing anonymised risk theme dashboards v0.8"
 
Owasp and summits (may 2019)
Owasp and summits (may 2019)Owasp and summits (may 2019)
Owasp and summits (may 2019)
 
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...Creating a graph based security organisation - Apr 2019 (OWASP London chapter...
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...
 
Open security summit 2019 owasp london 25th feb
Open security summit 2019   owasp london 25th febOpen security summit 2019   owasp london 25th feb
Open security summit 2019 owasp london 25th feb
 
Owasp summit 2019 - OWASP London 25th feb
Owasp summit 2019  - OWASP London 25th febOwasp summit 2019  - OWASP London 25th feb
Owasp summit 2019 - OWASP London 25th feb
 

Inconvenient Truth(s) - On Application Security (from 2007)

7
Global Warming ~ Software InSecurity
• Al Gore’s Global Warming
  – Should in fact be called “The impact of Mankind on Earth’s Ecosystem”
• Both are man-made
• Both are the results of Complex Systems and feedback loops whose consequences are not fully understood
• Both are actually an Accountancy and Economics problem
• Both ‘could’ have disastrous consequences
8
Inconvenient #3
Secure software doesn’t make business sense
9
Secure software doesn’t make business sense
‘Information security is not a technological problem. It is an economics problem. And the way to improve information security is to fix the economics problem. If this is done, companies will come up with the right technological solutions that vendors will happily implement. Fail to solve the economics problem, and vendors will not bother implementing or researching any security technologies, regardless of how effective they are.’ – Bruce Schneier
• See John Viega’s (Vice President and Chief Security Architect of McAfee) BlackHat 2007 presentation: Building an Effective Application Security Practice on a Shoestring Budget
• This presentation makes the business case for not investing in Security!
“If I know that doing a security audit on product XYZ I will find (per Mloc) 90 serious vulnerabilities (30 Critical, 60 High), but in the past year only 1 of those vulnerabilities has been publicly disclosed, then it is cheaper to have a small and agile CERT than it is to find and patch those issues before shipping.” – John Viega
10
Inconvenient #4
Secure software doesn’t make business sense
11
Secure software doesn’t make business sense
• Clients are not able to measure the ‘security’ of the products and services they are purchasing (or developing)
• The attackers are not exploiting the vulnerabilities created by insecure applications / solutions
• Governments don’t know what is going on (or what to do)
• Software companies (both traditional and Open Source) are rewarded (with sales or eyeballs) for delivering:
  – Features that (from the users’ point of view):
    • a) improve business operations
    • b) increase profitability
    • c) create new sources of revenue
  – Performance, Scalability, Reporting
  – Time to market
  – GUIs (ease of use)
• In 2007 Software Security is still a ‘damage control’ exercise and only short-term actions are implemented
  – Important note: This would not be a problem if the attackers’ business model wasn’t evolving
13
Our systems are safe today!
• How many people in this room have suffered ‘severe’ losses (either economic or personal) due to criminal exploitation of vulnerabilities in Software?
• How many companies bankrupt?
• How many wars started? Or won?
• How many lives lost?
• How many dollars lost? (as a percentage of profits/losses)
Interesting statistic: In the UK, in the assessment of road-building schemes, lives saved due to road safety improvements are valued at around £1 million per person. http://news.bbc.co.uk/1/hi/world/europe/6597743.stm
15
Our systems are safe today!
• Apart from:
  – Kids
  – Criminals with simple malicious business models:
    • spamming, phishing, credit card fraud, software piracy
    • selling compromised accounts (& botnets)
    • blackmail
    • obvious (& easily detectable) stock market manipulation
  – A small number of elite criminals who know what they are doing and will never be caught
• We are pretty safe!
  – Which is good, because our defenses (AV, IDS, IPS, Operating Systems, Applications) are not able to contain targeted attacks by skillful and knowledgeable attackers
16
What is RISK?
• RISK = Vulnerability * Impact * Frequency
  Frequency = Number of Attacks / Time Period
  RISK = Vulnerability * Impact * (Number of Attacks / Time Period)
• At the moment (Aug 2007), we are in a LOW RISK DefCon mode:
  – the Vulnerabilities and Impact are very HIGH, but
  – the number of attacks (over the last years) is very LOW
18
We will be doomed!
• If the business model of our attackers evolves!
• If these attackers are able to make money by exploiting our insecure software / web applications
• If the number of ‘profitable’ attackers reaches critical mass
• If we don’t change our current software development business model
• If we don’t change our understanding and visibility of the security implications of our interconnected systems
• If we are attacked directly!
19
Inconvenient #8
The attacker’s business model is still immature
20
The attacker’s business model is still immature
• Mainly still:
  – spamming, phishing, credit card fraud, software piracy
  – selling compromised accounts or botnets
  – blackmail
  – obvious (& easily detectable) stock market manipulation
• We will have a serious problem when the attackers are able to monetize digital access to companies’:
  – Content Management Systems
  – Backend Transaction Systems
  – Digital assets (Emails, Documents, VPNs)
  – Payment Systems
  – Business-related assets:
    • Capability to do business
    • Availability of Services
    • Confidentiality of information stored / processed
    • Data Integrity
21
‘Software enabled’ malicious business models
• Sell Business Intelligence (& victims’ assets)
  – From corporate espionage to selling airline tickets via a compromised ‘Air Miles’ system
• Stock Market Manipulation
  – What if 10% of all stock market transactions were not real?
• Accounting Scams
  – Enron via database manipulation, money ‘creation’, money laundering
• Control the media agenda
  – Mind control, political agenda control, election manipulation
• Serious blackmail / credit card fraud
  – James Bond style
• Destruction of a financial organization to hide bad investments
  – Think ‘Hedge fund gone bust’ with an interest in wiping Bank XYZ’s debt management system (which is only a database after all)
• Artificial ‘lack of energy resources’
  – or other consumer goods
• Digital Wars
• Etc… (ask DHS or Bruce Schneier for more movie-plot stories)
22
Inconvenient #9
Physical Extremism doesn’t scale (but Digital Extremism does)
23
Physical Extremism doesn’t scale (but Digital Extremism does)
• Extremism is part of our world
• Physical Extremism (from Islamic Terrorism, to Animal Rights campaigners, to Environmental activists) doesn’t scale:
  – Good at delivering one-off hits
  – Hard to create large numbers of attacks
    • High exposure when delivering an attack usually compromises the cell (and its connections)
    • Hard to do without strong grass-roots support (which protects the attackers)
  – Successful attacks can’t be easily replicated and executed in other locations
• Digital Extremism will scale, since it could bring our economy down (think: Stock market collapse, debt vanishing, etc…)
• The good news is that there is limited money generated by Extremist actions (and let’s stay away from ‘conspiracy theories’ :)).
  – This is actually the most important point, because at the end of the day what matters is MONEY (which is why the business model of the attackers matters so much)
24
Inconvenient #10
We need better engineering
25
We need better engineering
• Software engineering today is (in most cases) still a very immature process
• Just compare it with how Microchips are designed, tested and deployed
• Software’s ‘soft’ capabilities are its downfall
  – Hey, if there is a problem, we just issue a patch later! (the customer will never notice!)
• Even companies who were ‘forced’ to take security seriously (Microsoft) are still in reactive mode (and are not learning from past mistakes)
27
We need containment
• Where we are going in the right direction:
(screenshot not reproduced in the transcript)
28
Sandbox anybody? (or ‘Can I 0wn you please?’)
• And where we are NOT going in the right direction:
(screenshots not reproduced in the transcript)
29
Going mobile
• Who owns an iPhone? (can I 0wn you too?)
(screenshots not reproduced in the transcript)
30
Inconvenient #12
Open Source security is a myth
31
Open Source security is a myth
• ‘Many eyeballs’ is true, but the number of eyeballs with security knowledge looking at Open Source projects is very limited
• The fact that the code is available doesn’t mean that somebody will actually review it
• Non-existent Open Source culture and processes to perform regular manual and tool-based source code reviews
• There is no certification of ‘secure’ Open Source applications
• The Open Source community thinks it is secure
• Very few seem to understand the problems with user-land security (mainly due to the lack of attacks)
• The Open Source community doesn’t want Full Disclosure of Zero-days (their ‘responsible disclosure policy’ is very similar to Microsoft’s)
• Bottom Line: The fact that an application is Open Source doesn’t make it secure
• And since its users can’t measure the security of the Open Source tools they are using, several Open Source projects have shown the same disregard for end-users’ security as their ‘proprietary’ counterparts
32
Inconvenient #13
Most Source Code must be disclosed
33
All Source Code must be disclosed
• That said, we (the clients buying and using software) need access to the code in order to review and analyze its security
• Those that don’t have those reviewing capabilities in-house should be able to pay independent companies to do it
  – Even governments should be involved in these evaluations
• The days of selling ‘black boxes’ that nobody knows what is inside are numbered
• Note that this doesn’t mean that all software will be Open Source (just that its code will be available for review)
34
Inconvenient #14
Most IT Security products have negative ROI
35
Most IT Security products have negative ROI
• Anybody want to challenge this item?
• Note that most ‘security products’ are developed with the same mind-set and priorities as normal software, which means that making them ‘secure’ is usually not on the ‘real’ agenda
  – Unfortunately, today, it doesn’t make business sense to create ‘secure’ Security Software
  – Note how many vulnerabilities exist in ‘Security Software’ (and appliances)
36
Inconvenient #15
The long tail of attackers is saving us
37
The Long Tail of Attackers is saving us
• Will this shape continue?
• Those most capable of exploiting seem to be employed by you, with no motive to go to the ‘dark side’
• Is our current ‘mess’ creating a new generation of attackers?
  – Currently making money by exploiting (for example):
    • online gambling
    • community websites
    • vulnerable eCommerce websites
http://en.wikipedia.org/wiki/The_Long_Tail
38
Inconvenient #15
The ‘digital Armageddon’ will never happen
39
The ‘digital Armageddon’ will never happen
• We are very close and it can be done (and has been doable for 10 years at least)
• Super-Elite skills are not required (a large number of BlackHat / DefCon participants could do it)
• But it hasn’t happened so far!
• So, what should it?
• The important question: Can somebody make money with it?
  – What is the business model of a ‘digital Armageddon’?
• Awareness of this global weakness and of the existence of large numbers of ‘single points of failure’ is (I think) very limited at C-Level and among Government executives
• Maybe the good guys should show that it can be done
40
Solution?
• Visibility
  – Understand the security implications
  – Understand the Risk
  – Understand the interconnections and interdependencies
  – Disclosure of Known vulnerabilities (metrics)
• Reward and Accountability
  – Business models that reward this visibility and the development of ‘secure’ applications
  – Procurement pressure will work (but needs to be backed up by law)
• Containment
  – Execute code in Sandboxed run-time environments where exploitation of vulnerabilities (or of malicious code) is
    • a) not possible or
    • b) successfully contained
• Government, Laws, Privacy and Anonymity
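The Containment bullet above names the goal (exploitation ‘successfully contained’) but the talk, being from 2007, shows no mechanism. What follows is an added example written for this page, not code from the talk, from Ounce Labs or from OWASP: a Linux seccomp-BPF filter (a mechanism that only arrived in Linux 3.5, in 2012) that makes the socket and connect system calls fail with EPERM while leaving every other call alone. The two denied syscalls stand in for whatever capability a contained application never legitimately needs, so a later memory-corruption or code-injection bug in that process cannot be turned into a reverse shell. The function names (install_network_denylist, try_open_socket, run_containment_demo), the choice of syscalls and the numeric return codes are this example’s own assumptions; it assumes Linux on x86_64 or aarch64 with kernel headers that provide linux/seccomp.h.

```c
/* Added example (not from the original talk): seccomp-BPF containment.
 * Once installed, the filter cannot be removed by the process itself, even
 * by injected code: that is the "successfully contained" property.
 * Function names, syscall choice and return codes are this example's own. */
#include <errno.h>
#include <stdio.h>

#ifdef __linux__
#include <stddef.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#define DEMO_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_ARCH AUDIT_ARCH_AARCH64
#else
#error "seccomp demo written for x86_64 and aarch64 only"
#endif

/* Fail the syscall with errno = EPERM without the kernel executing it. */
#define DENY_WITH_EPERM \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))

/* Install the deny-list filter. Returns 0 on success, -1 (errno set) when the
 * kernel or the container runtime refuses seccomp filters. */
int install_network_denylist(void)
{
    struct sock_filter filter[] = {
        /* Kill if run under a foreign ABI: syscall numbers would not match. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* Load the syscall number and compare it against the deny list. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 1),
        DENY_WITH_EPERM,
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_connect, 0, 1),
        DENY_WITH_EPERM,
        /* Everything else passes. A production policy would allow-list. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };
    /* Lets an unprivileged process install a filter and stops a later
     * setuid exec from gaining privileges the filter did not anticipate. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -1;
}

/* Try the denied operation. Returns the errno it failed with, 0 if it worked. */
int try_open_socket(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd >= 0) {
        close(fd);
        return 0;
    }
    return errno;
}
#endif /* __linux__ */

/* Demo driver. Returns:
 *   1  filter installed and socket() was refused with EPERM (contained)
 *   2  seccomp or networking unavailable on this host (nothing demonstrated)
 *   0  filter installed but the syscall still went through (demo broken) */
int run_containment_demo(void)
{
#ifdef __linux__
    if (try_open_socket() != 0)
        return 2;            /* no sockets even before the filter */
    if (install_network_denylist() != 0)
        return 2;
    return try_open_socket() == EPERM ? 1 : 0;
#else
    return 2;
#endif
}

int main(void)
{
    int r = run_containment_demo();
    printf("containment demo: %d (1 = contained, 2 = unavailable)\n", r);
    return r == 0 ? 1 : 0;
}
```

Two practitioner checks go with this. First, after the filter is installed, cat /proc/self/status from inside the process shows Seccomp: 2, which is the quickest way to confirm a sandboxed service really is running under a filter. Second, the arch check must stay, and must kill rather than allow: without it an attacker who can switch ABI (for example via the x32 or compat syscall table on x86_64) picks syscall numbers the deny list never mentions. The same reasoning is why the comment says a real policy should be an allow-list; the deny-list form is used here only because it keeps the demonstration short.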
41
Security Public Relations Excuse Bingo
• Would be funny if it wasn’t true
(bingo card image not reproduced in the transcript; from www.crypto.com/bingo/pr)
42
Thanks
• Any Questions?
• Feel free to contact me at: dinis.cruz@ouncelabs.com