Bsides London Jedi Mind Tricks Combined

David Rook, Jedi mind tricks for building application security programs, SecurityBSides, London

Upload: jcowper

Post on 07-Apr-2018

TRANSCRIPT

Page 1: Bsides London Jedi Mind Tricks Combined

8/6/2019 Bsides London Jedi Mind Tricks Combined

http://slidepdf.com/reader/full/bsides-london-jedi-mind-tricks-combined 1/39

David Rook

Jedi mind tricks for building application security programs

SecurityBSides, London

Page 2: Bsides London Jedi Mind Tricks Combined

if (slide == introduction)
    System.out.println("I'm David Rook");

• Security Analyst, Realex Payments, Ireland

• CISSP, CISA, GCIH and many other acronyms

• Security Ninja (www.securityninja.co.uk)

• Speaker at international security conferences

• Nominated for multiple blog awards

• A mentor in the InfoSecMentors project

• Developed and released Agnitio

Page 3: Bsides London Jedi Mind Tricks Combined

Agenda

• Using Jedi mind tricks on your developers

• s/Application Security Alien/Business Language/i;

Page 4: Bsides London Jedi Mind Tricks Combined

Using Jedi mind tricks on developers

• Most developers actually want to write secure code

• You need to take ownership of the app sec problems with them

• Developers generally like producing quality code, use this!

• They want security knowledge with good practices and tools

Page 5: Bsides London Jedi Mind Tricks Combined

Using Jedi mind tricks on developers

Jim Bird, blog comment:

“I’m a software guy. I don’t need a meme. I need practices and tools that work, that help me get software out the door, better software that is more reliable and more secure.”

http://securosis.com/blog/good-programming-practices-vs.-rugged-development

Page 6: Bsides London Jedi Mind Tricks Combined

Using Jedi mind tricks on developers

• How can you help developers?

• Help them understand how to write secure code

• Own application security problems with them

• Don’t dictate! Speak, listen, learn and improve things

Page 7: Bsides London Jedi Mind Tricks Combined

Application Security Alien

• We speak an alien language

• We talk of injections, jackings and pwnings

Pages 8 to 10: Bsides London Jedi Mind Tricks Combined (image-only slides, no text)

Page 11: Bsides London Jedi Mind Tricks Combined

Application Security Alien

• We speak an alien language

• We talk of injections, jackings and pwnings

• We present findings in weird formats with a side order of FUD

Page 12: Bsides London Jedi Mind Tricks Combined

Application Security Alien

• I will use CVSS as an example

• Let’s pretend we are analysing a SQL Injection vulnerability

Page 13: Bsides London Jedi Mind Tricks Combined (image-only slide, no text)

Page 14: Bsides London Jedi Mind Tricks Combined

Application Security Alien

CVSS base score equation

BaseScore = (0.6*Impact + 0.4*Exploitability - 1.5)*f(Impact)

Impact = 10.41*(1 - (1-ConfImpact)*(1-IntegImpact)*(1-AvailImpact))

Exploitability = 20*AccessComplexity*Authentication*AccessVector

f(Impact) = 0 if Impact = 0; 1.176 otherwise

Page 15: Bsides London Jedi Mind Tricks Combined

Application Security Alien

CVSS Temporal Equation

TemporalScore=BaseScore*Exploitability*RemediationLevel*ReportConfidence

Page 16: Bsides London Jedi Mind Tricks Combined

Application Security Alien

CVSS Environmental Equation

EnvironmentalScore = (AdjustedTemporal + (10 - AdjustedTemporal)*CollateralDamagePotential)*TargetDistribution

AdjustedTemporal = TemporalScore recomputed with the Impact sub-equation replaced with the following AdjustedImpact equation.

AdjustedImpact = Min(10, 10.41*(1 - (1-ConfImpact*ConfReq)*(1-IntegImpact*IntegReq)*(1-AvailImpact*AvailReq)))

Page 17: Bsides London Jedi Mind Tricks Combined (image-only slide, no text)

Page 18: Bsides London Jedi Mind Tricks Combined

Application Security Alien

• We speak an alien language

• We talk of injections, jackings and pwnings

• We present findings in weird formats with a side order of FUD

• We feel security should just happen without having to justify it

Page 19: Bsides London Jedi Mind Tricks Combined

The Business Language

• We need to speak the business language

• We need to talk about things the business cares about

• We need to present findings in a format that makes sense

Page 20: Bsides London Jedi Mind Tricks Combined

The Business Language

• How does your business score risks?

• Let’s pretend we are analysing a SQL Injection vulnerability

Page 21: Bsides London Jedi Mind Tricks Combined

The Business Language

A simple (common!) risk equation: Probability * Impact

Probability   Impact   Score   Appetite
3             5        15      12
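The deck's point is the contrast between the CVSS base equation quoted on page 14 and the Probability * Impact table on page 21. The following is an added example, not code from the slides: it scores the same hypothetical SQL Injection finding both ways. The CVSS v2 metric weights are taken from the CVSS v2 specification and the sample vector is constructed; the probability, impact and appetite values are the ones on the slide.

```python
# Added example: score one finding with the page-14 CVSS v2 base equation and
# with the page-21 Probability * Impact rule.  Metric weights below come from
# the CVSS v2 specification, not from the slides.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}


def cvss2_base_score(vector: str) -> float:
    """CVSS v2 base score for a vector such as 'AV:N/AC:L/Au:N/C:P/I:P/A:P',
    computed with the BaseScore / Impact / Exploitability / f(Impact)
    equations shown on the slide and rounded to one decimal as CVSS does."""
    m = dict(part.split(":") for part in vector.split("/"))
    conf, integ, avail = (IMPACT[m[k]] for k in ("C", "I", "A"))
    impact = 10.41 * (1 - (1 - conf) * (1 - integ) * (1 - avail))
    exploitability = (20 * ACCESS_COMPLEXITY[m["AC"]]
                      * AUTHENTICATION[m["Au"]] * ACCESS_VECTOR[m["AV"]])
    f_impact = 0 if impact == 0 else 1.176      # f(Impact) from the slide
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


def business_risk(probability: int, impact: int, appetite: int) -> dict:
    """The slide's Probability * Impact score, compared with the stated
    risk appetite so the business sees a yes/no, not a formula."""
    score = probability * impact
    return {"score": score, "over_appetite": score > appetite}


if __name__ == "__main__":
    # Constructed vector: SQL injection reachable over the network with no
    # authentication and partial confidentiality/integrity/availability impact.
    sqli = "AV:N/AC:L/Au:N/C:P/I:P/A:P"
    print("CVSS v2 base score:", cvss2_base_score(sqli))   # 7.5
    print("Business risk:", business_risk(3, 5, 12))       # 15, over appetite
```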

Page 22: Bsides London Jedi Mind Tricks Combined

The Business Language

• We need to speak the business language

• We need to talk about things the business cares about

• Present findings in a format that makes sense to the business

• Application security is no exception when it comes to resourcing

Page 23: Bsides London Jedi Mind Tricks Combined

Jedi mind tricks and alien translations

• Apply the KISS principle to everything you do

• Keep everything as simple as possible, complexity doesn’t help

• Understand what developers want and need to write secure code

• Work with the business and use their language and formats

Page 24: Bsides London Jedi Mind Tricks Combined

QUESTIONS?

www.securityninja.co.uk
@securityninja
/realexninja
/securityninja
/realexninja

Page 25: Bsides London Jedi Mind Tricks Combined

Chris Wysopal

CTO & Co-founder

Jedi mind tricks for building application security programs

Page 26: Bsides London Jedi Mind Tricks Combined

The formative years Padawan?

It was all about attack.

Early web app testing: Lotus Domino, Cold Fusion

Windows Security: Netcat for Windows, L0phtCrack

Early disclosure policies: RFPolicy, L0pht Advisories

Page 27: Bsides London Jedi Mind Tricks Combined

Now with professional PR team

Time to help the defensive side

Led @stake research team

@stake application security consultant

Published Art of Software Security Testing

Veracode CTO and Co-Founder

Page 28: Bsides London Jedi Mind Tricks Combined

Why do we need executive buy in?

Application security programs will require developer training

Application security programs will require tools/services

Application security programs will impact delivery schedules

Application security cannot be “voluntary”

Authority

Page 29: Bsides London Jedi Mind Tricks Combined

Speaking the language of executives

CEOs

CFOs

CIOs

Page 30: Bsides London Jedi Mind Tricks Combined

If money is the language of execs, what do they say?

How do I grow my top line?

How do I lower costs?

How do I mitigate risk?

Talk in terms of business risk and use monetary terms when possible. Then we can speak the same language.

Page 31: Bsides London Jedi Mind Tricks Combined

Different types of risk

Legal risk – Legal costs, settlement costs, fines

Compliance risk – fines, lost business

Brand risk – lost business

Security risk – ????

Page 32: Bsides London Jedi Mind Tricks Combined

Translate technical risk to monetary risk

What is the monetary risk from vulnerabilities in your application portfolio?

Monetary risk is your expected loss; derived from your vulnerabilities, your breach cost, threat space data

[Diagram: Your Vulnerabilities, Your Breach Cost, Threat Space Data]

Page 33: Bsides London Jedi Mind Tricks Combined

Your Breach Cost

Use cost analysis from your earlier breaches

Use breach cost from public sources

 – Example: April 2010 Ponemon Institute Report (US Dollars)

Ponemon average and per-capita US breach cost (US Dollars)

              Detection &   Notification   Ex-Post     Lost        Total
              Escalation                   Response    Business
Average       264,208       500,321        1,514,819   4,472,030   6,751,451
Per-capita    8             15             46          135         204

Ponemon per-capita data by US industry sector (US Dollars)

Communication 209, Consumer 159, Education 203, Energy 237, Financial 248, Healthcare 294, Hotel & Leisure 153, Manufacturing 136, Media 149, Pharma 310, Research 266, Retail 133, Services 256, Technology 192, Transportation 121

Page 34: Bsides London Jedi Mind Tricks Combined

Threat Space Data

40% of data breaches are due to hacking

Source: Verizon 2010 Data Breach Investigations Report

[Chart: share of breaches by attack type (0% to 60%): Malware, Hacking, Social, Misuse, Physical, Error]

[Chart: hacking root cause by vulnerability category (0% to 40%): Backdoor/Control Channel, SQL Injection, Command Injection, XSS, Insufficient Authentication, Insufficient Authorization, Remote File Inclusion]

Top 7 application vulnerability categories

62% of organizations experienced breaches in critical applications in a 12 month period

Source: Forrester 2009 Application Risk Management and Business Survey

Page 35: Bsides London Jedi Mind Tricks Combined

How to Derive Your Expected Loss

Baseline expected loss for your organization due to SQL Injection*

*If your SQL Injection prevalence is similar to average SQL Injection prevalence; assumes 100,000 records

expected loss(vulnerability category) = f( % of orgs breached X breach cost X breach likelihood from vuln. category )

expected loss(SQL injection) = f( 62% X $248 X 100,000 X 25% )

Page 36: Bsides London Jedi Mind Tricks Combined

Monetary Risk Derived From Relative Prevalence

Vulnerability Category        Breach       Baseline         Average % of       Your % of          Your Monetary
                              Likelihood   Expected Loss    Apps Affected(1)   Apps Affected(2)   Risk
Backdoor/Control Channel      29%          $4,459,040       8%                 15%                higher
SQL Injection                 25%          3,844,000        24%                10%                lower
Command Injection             14%          2,152,640        7%                 6%                 same
XSS                           9%           1,383,840        34%                5%                 lower
Insufficient Authentication   7%           1,076,320        5%                 2%                 lower
Insufficient Authorization    7%           1,076,320        7%                 7%                 same
Remote File Inclusion         2%           307,520          <1%                <1%                same

Assume 100,000 customer records. For SQLi the expected loss is: 62% * $248 * 100,000 * 25% = $3,844,000

1. Veracode 2010 State of Software Security Report, Vol. 2
2. De-identified financial service company data from Veracode industry data
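The expected-loss derivation on page 35 and the relative-prevalence table on page 36 can be reproduced from the deck's own inputs (62% of organizations breached, $248 per record for the financial sector, 100,000 records). This is an added example, not the speaker's code; the one-percentage-point tolerance used to call two prevalences "same" is an assumption chosen to match the slide's labels, and "<1%" is represented as 0.5.

```python
# Added example: rebuild the page-36 monetary-risk table from the page-35
# formula.  Inputs are the deck's figures; all percentages are in percent.
ORGS_BREACHED_PCT = 62            # Forrester 2009 (slide 34)
BREACH_COST_PER_RECORD = 248      # Ponemon 2010, financial sector, US$ (slide 33)
RECORDS = 100_000                 # assumption stated on slides 35 and 36
SAME_TOLERANCE_PCT = 1            # assumption: within 1 point counts as "same"

# (category, breach likelihood %, average % of apps affected, your % affected);
# "<1%" on the slide is represented as 0.5 (assumption).
CATEGORIES = [
    ("Backdoor/Control Channel",    29, 8,   15),
    ("SQL Injection",               25, 24,  10),
    ("Command Injection",           14, 7,   6),
    ("XSS",                         9,  34,  5),
    ("Insufficient Authentication", 7,  5,   2),
    ("Insufficient Authorization",  7,  7,   7),
    ("Remote File Inclusion",       2,  0.5, 0.5),
]


def baseline_expected_loss(likelihood_pct, orgs_breached_pct=ORGS_BREACHED_PCT,
                           cost_per_record=BREACH_COST_PER_RECORD, records=RECORDS):
    """Slide 35: % orgs breached X breach cost X records X breach likelihood,
    rounded to whole dollars."""
    return round(orgs_breached_pct / 100 * cost_per_record * records
                 * likelihood_pct / 100)


def relative_risk(your_pct, average_pct, tolerance=SAME_TOLERANCE_PCT):
    """'higher', 'lower' or 'same': your prevalence vs. the industry average."""
    if abs(your_pct - average_pct) <= tolerance:
        return "same"
    return "higher" if your_pct > average_pct else "lower"


def monetary_risk_table(categories=CATEGORIES):
    """{category: (baseline expected loss in US$, relative risk label)}."""
    return {name: (baseline_expected_loss(like), relative_risk(you, avg))
            for name, like, avg, you in categories}


if __name__ == "__main__":
    for name, (loss, rel) in monetary_risk_table().items():
        print(f"{name:28s} ${loss:>10,}  {rel}")
```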

Page 37: Bsides London Jedi Mind Tricks Combined

Executives want

An organization-wide view. Am I lowering overall application risk?

 – Internal code
 – Outsourced
 – Vendor supplied
 – Open source

A program that has achievable objectives. What am I getting for the money I am spending?

A program that is measurable: metrics and reporting. Am I marching toward the objectives?

 – Which dev teams, outsourcers are performing well?
 – How is my organization doing relative to my peers?

Page 38: Bsides London Jedi Mind Tricks Combined

Tips to make the program successful

The right people have to understand what is going to happen before you start

Do a real world pen test or assessment of a project. Demonstrate relevant risk.

Integrate into existing processes

 – SDLC
 – Procurement/legal
 – M&A

Page 39: Bsides London Jedi Mind Tricks Combined

Q&A

Speaker Contact Information:

Chris Wysopal ([email protected]) Twitter: @WeldPond

David Rook
www.securityninja.co.uk
@securityninja
/realexninja
/securityninja
/realexninja