bsides london jedi mind tricks combined
TRANSCRIPT
8/6/2019 Bsides London Jedi Mind Tricks Combined
http://slidepdf.com/reader/full/bsides-london-jedi-mind-tricks-combined 1/39
David Rook
Jedi mind tricks for building application
security programs
SecurityBSides, London
if (slide == introduction)
    System.out.println("I'm David Rook");
• Security Analyst, Realex Payments, Ireland
• CISSP, CISA, GCIH and many other acronyms
• Security Ninja (www.securityninja.co.uk)
• Speaker at international security conferences
• Nominated for multiple blog awards
• A mentor in the InfoSecMentors project
• Developed and released Agnitio
Agenda
• Using Jedi mind tricks on your developers
• s/Application Security Alien/Business Language/i;
Using Jedi mind tricks on developers
• Most developers actually want to write secure code
• You need to take ownership of the app sec problems with them
• Developers generally like producing quality code, use this!
• They want security knowledge with good practices and tools
Using Jedi mind tricks on developers
Jim Bird, blog comment:
“I’m a software guy. I don’t need a meme. I need practices and tools that work, that help me get software out the door, better software that is more reliable and more secure.”
http://securosis.com/blog/good-programming-practices-vs.-rugged-development
Using Jedi mind tricks on developers
• How can you help developers?
• Help them understand how to write secure code
• Own application security problems with them
• Don’t dictate! Speak, listen, learn and improve things
Application Security Alien
• We speak an alien language
• We talk of injections, jackings and pwnings
Application Security Alien
• We speak an alien language
• We talk of injections, jackings and pwnings
• We present findings in weird formats with a side order of FUD
Application Security Alien
• I will use CVSS as an example
• Let’s pretend we are analysing a SQL Injection vulnerability
Application Security Alien
CVSS base score equation
BaseScore = (0.6*Impact + 0.4*Exploitability - 1.5) * f(Impact)
Impact = 10.41 * (1 - (1-ConfImpact) * (1-IntegImpact) * (1-AvailImpact))
Exploitability = 20 * AccessComplexity * Authentication * AccessVector
f(Impact) = 0 if Impact = 0; 1.176 otherwise
Application Security Alien
CVSS Temporal Equation
TemporalScore = BaseScore * Exploitability * RemediationLevel * ReportConfidence
Application Security Alien
CVSS Environmental Equation
EnvironmentalScore = (AdjustedTemporal + (10 - AdjustedTemporal) * CollateralDamagePotential) * TargetDistribution
AdjustedTemporal = TemporalScore recomputed with the Impact sub-equation replaced with the following AdjustedImpact equation.
AdjustedImpact = Min(10, 10.41 * (1 - (1-ConfImpact*ConfReq) * (1-IntegImpact*IntegReq) * (1-AvailImpact*AvailReq)))
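The three CVSS v2 equations on the preceding slides, carried through for the hypothetical SQL injection the deck uses as its case. This is an added example, not code from the deck; the metric weights are the published CVSS v2 constants, and the base vector, temporal and environmental metric choices are assumptions.

```python
# Added example (not from the slides): CVSS v2 base, temporal and environmental
# scores for the hypothetical SQL injection the deck uses as its case. Metric
# weights are the published CVSS v2 constants; the vector choices are assumptions.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}                          # Access Vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}                           # Access Complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}                          # Authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}                         # Conf/Integ/Avail impact
E = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}     # Exploitability (temporal)
RL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}   # Remediation Level
RC = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}              # Report Confidence
CDP = {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0}  # Collateral Damage Potential
TD = {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0}      # Target Distribution
REQ = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}                # Conf/Integ/Avail requirement

def impact(c, i, a, creq="ND", ireq="ND", areq="ND"):
    """Impact sub-equation; with requirements set it is AdjustedImpact, capped at 10."""
    raw = 10.41 * (1 - (1 - CIA[c] * REQ[creq])
                     * (1 - CIA[i] * REQ[ireq])
                     * (1 - CIA[a] * REQ[areq]))
    return min(10.0, raw)

def base_score(av, ac, au, c, i, a, creq="ND", ireq="ND", areq="ND"):
    imp = impact(c, i, a, creq, ireq, areq)
    expl = 20 * AV[av] * AC[ac] * AU[au]
    f_imp = 0.0 if imp == 0 else 1.176
    return round((0.6 * imp + 0.4 * expl - 1.5) * f_imp, 1)

def temporal_score(base, e, rl, rc):
    return round(base * E[e] * RL[rl] * RC[rc], 1)

def environmental_score(av, ac, au, c, i, a, e, rl, rc, cdp, td, creq, ireq, areq):
    # AdjustedTemporal = temporal score recomputed from the AdjustedImpact base score.
    adj_temporal = temporal_score(base_score(av, ac, au, c, i, a, creq, ireq, areq), e, rl, rc)
    return round((adj_temporal + (10 - adj_temporal) * CDP[cdp]) * TD[td], 1)

# Hypothetical SQLi: network reachable, low complexity, no auth, partial C/I/A.
SQLI = dict(av="N", ac="L", au="N", c="P", i="P", a="P")
TEMPORAL = dict(e="F", rl="OF", rc="C")   # functional exploit, official fix, confirmed
ENV = dict(cdp="LM", td="H", creq="H", ireq="M", areq="L")  # assumed environment

if __name__ == "__main__":
    b = base_score(**SQLI)
    t = temporal_score(b, **TEMPORAL)
    print(f"AV:N/AC:L/Au:N/C:P/I:P/A:P base={b} temporal={t} "
          f"environmental={environmental_score(**SQLI, **TEMPORAL, **ENV)}")
```

The base vector alone gives 7.5; the temporal and environmental scores then move it down to 6.2 and back up to 7.4, which is exactly the kind of arithmetic the deck says the business will never follow.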
Application Security Alien
• We speak an alien language
• We talk of injections, jackings and pwnings
• We present findings in weird formats with a side order of FUD
• We feel security should just happen without having to justify it
The Business Language
• We need to speak the business language
• We need to talk about things the business cares about
• We need to present findings in a format that makes sense
The Business Language
• How does your business score risks?
• Let’s pretend we are analysing a SQL Injection vulnerability
The Business Language
A simple (common!) risk equation: Probability * Impact
Probability   Impact   Score
3             5        15
Risk appetite: 12
The Business Language
• We need to speak the business language
• We need to talk about things the business cares about
• Present findings in a format that makes sense to the business
• Application security is no exception when it comes to resourcing
Jedi mind tricks and alien translations
• Apply the KISS principle to everything you do
• Keep everything as simple as possible, complexity doesn’t help
• Understand what developers want and need to write secure code
• Work with the business and use their language and formats
www.securityninja.co.uk
@securityninja
QUESTIONS?
/realexninja
/securityninja
/realexninja
Chris Wysopal
CTO & Co-founder
Jedi mind tricks for building application security programs
The formative years Padawan?
It was all about attack.
Early web app testing: Lotus Domino, Cold Fusion
Windows Security: Netcat for Windows, L0phtCrack
Early disclosure policies: RFPolicy, L0pht Advisories
Now with professional PR team
Time to help the defensive side
Led @stake research team
@stake application security consultant
Published Art of Software Security Testing
Veracode CTO and Co-Founder
Why do we need executive buy in?
Application security programs will require
developer training
Application security programs will require
tools/services
Application security programs will impact delivery schedules
Application security cannot be “voluntary”
Authority
Speaking the language of executives
CEOs
CFOs
CIOs
If money is the language of execs, what do they say?
How do I grow my top line?
How do I lower costs?
How do I mitigate risk?
Talk in terms of business risk and
use monetary terms when
possible.
Then we can speak the same language.
Different types of risk
Legal risk – legal costs, settlement costs, fines
Compliance risk – fines, lost business
Brand risk – lost business
Security risk - ????
Translate technical risk to monetary risk
What is the monetary risk from vulnerabilities in your application portfolio?
Monetary risk is your expected loss, derived from your vulnerabilities, your breach cost and threat space data.
[Diagram: three overlapping inputs – Your Vulnerabilities, Your Breach Cost, Threat Space Data]
Your Breach Cost
Use cost analysis from your earlier breaches
Use breach cost from public sources
– Example: April 2010 Ponemon Institute Report (US Dollars)

Ponemon average and per-capita US breach cost (US Dollars)
              Detection & Escalation   Notification   Ex-Post Response   Lost Business   Total
Average       264,208                  500,321        1,514,819          4,472,030       6,751,451
Per-capita    8                        15             46                 135             204

Ponemon per-capita data by US industry sector (US Dollars)
Communication     209
Consumer          159
Education         203
Energy            237
Financial         248
Healthcare        294
Hotel & Leisure   153
Manufacturing     136
Media             149
Pharma            310
Research          266
Retail            133
Services          256
Technology        192
Transportation    121
Threat Space Data
40% of data breaches are due to hacking
Source: Verizon 2010 Data Breach Investigations Report
[Chart: share of breaches by attack type – Malware, Hacking, Social, Misuse, Physical, Error]
[Chart: hacking root cause (vulnerability category) – Backdoor/Control Channel, SQL Injection, Command Injection, XSS, Insufficient Authentication, Insufficient Authorization, Remote File Inclusion]
Top 7 application vulnerability categories
62% of organizations experienced breaches in critical applications in a 12 month period
Source: Forrester 2009 Application Risk Management and Business Survey
How to Derive Your Expected Loss
Baseline expected loss for your organization due to SQL Injection*
*If your SQL Injection prevalence is similar to average SQL Injection prevalence; assumes 100,000 records
expected loss(vulnerability category) = f( % of orgs breached X breach cost X breach likelihood from vuln. category )
expected loss(SQL injection) = f( 62% X $248 X 100,000 X 25% )
Monetary Risk Derived From Relative Prevalence
Vulnerability Category        Breach Likelihood   Baseline Expected Loss   Average % of Apps Affected(1)   Your % of Apps Affected(2)   Your Monetary Risk
Backdoor/Control Channel      29%                 $4,459,040               8%                              15%                          higher
SQL Injections                25%                 $3,844,000               24%                             10%                          lower
Command Injection             14%                 $2,152,640               7%                              6%                           same
XSS                           9%                  $1,383,840               34%                             5%                           lower
Insufficient Authentication   7%                  $1,076,320               5%                              2%                           lower
Insufficient Authorization    7%                  $1,076,320               7%                              7%                           same
Remote File Inclusion         2%                  $307,520                 <1%                             <1%                          same
Assume 100,000 customer records. For SQLi the expected loss is: 62% * $248 * 100,000 * 25% = $3,844,000
1. Veracode 2010 State of Software Security Report, Vol. 2
2. De-identified financial service company data from Veracode industry data
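The expected-loss model from the "How to Derive Your Expected Loss" and "Monetary Risk Derived From Relative Prevalence" slides, carried through for all seven categories. This is an added example, not the deck's own code; the one-point tolerance behind "same", the scaling of the baseline by your prevalence relative to the average, and the 0.5% stand-in for the "<1%" cells are assumptions.

```python
# Added example (not from the slides): baseline expected loss per vulnerability
# category and a comparison against your own prevalence, as the deck's table does.
ORGS_BREACHED = 0.62     # Forrester 2009 figure quoted on the slides
COST_PER_RECORD = 248    # Ponemon 2010 per-capita cost, financial sector (USD)
RECORDS = 100_000        # record count assumed on the slides

# (breach likelihood, average % of apps affected, your % of apps affected), as on
# the slide; 0.5 is a constructed stand-in for the "<1%" cells.
CATEGORIES = {
    "Backdoor/Control Channel": (0.29, 8, 15),
    "SQL Injection": (0.25, 24, 10),
    "Command Injection": (0.14, 7, 6),
    "XSS": (0.09, 34, 5),
    "Insufficient Authentication": (0.07, 5, 2),
    "Insufficient Authorization": (0.07, 7, 7),
    "Remote File Inclusion": (0.02, 0.5, 0.5),
}

def baseline_expected_loss(likelihood, orgs_breached=ORGS_BREACHED,
                           cost=COST_PER_RECORD, records=RECORDS):
    """% of orgs breached x cost per record x records x breach likelihood."""
    return round(orgs_breached * cost * records * likelihood)

def relative_risk(avg_pct, your_pct, tolerance=1.0):
    """Assumed rule: within `tolerance` points of the average counts as 'same'."""
    if abs(your_pct - avg_pct) <= tolerance:
        return "same"
    return "higher" if your_pct > avg_pct else "lower"

def risk_table():
    rows = []
    for name, (likelihood, avg_pct, your_pct) in CATEGORIES.items():
        baseline = baseline_expected_loss(likelihood)
        # Assumed scaling (not stated on the slides): scale the baseline by your
        # prevalence relative to the industry average to get a monetary figure.
        scaled = round(baseline * your_pct / avg_pct)
        rows.append((name, baseline, relative_risk(avg_pct, your_pct), scaled))
    return rows

if __name__ == "__main__":
    for name, baseline, rel, scaled in risk_table():
        print(f"{name:28} baseline ${baseline:>10,}  yours: {rel:6} (~${scaled:,})")
```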
Executives want
An organization-wide view. Am I lowering overall application risk?
– Internal code
– Outsourced
– Vendor supplied
– Open source
A program that has achievable objectives. What am I getting for the money I am spending?
A program that is measurable: metrics and reporting. Am I marching toward the objectives?
– Which dev teams, outsourcers are performing well?
– How is my organization doing relative to my peers?
Tips to make the program successful
The right people have to understand what is going to happen before you start
Do a real world pen test or assessment of a project. Demonstrate relevant risk.
Integrate into existing processes:
– SDLC
– Procurement/legal
– M&A
Q&A
Speaker Contact Information:
Chris Wysopal ([email protected]) Twitter: @WeldPond
@securityninja
/realexninja
/securityninja
/realexninja
www.securityninja.co.uk
David Rook