Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
Application Security Debt & Application Interest Rates
Chris Wysopal, CTO & Co-founder, Veracode
AppSecUSA
My Background
Veracode’s CTO and Co-Founder
@stake, VP Research & Development
BBN, Sr. IT Security Analyst
L0pht Heavy Industries, L0phtCrack, Netcat for Windows
Lead author of “The Art of Software Security Testing”, published by Addison-Wesley.
Intro
This is a thought experiment to find new ways of thinking about the cost of application risk
We need much better data on breach cost and root causes
Developers and managers understand technical debt
Technical Debt
“Shipping first time code is like going into debt. A little debt speeds development so long as it is paid back promptly with a rewrite. The danger occurs when the debt is not repaid. Every minute spent on not-quite-right code counts as interest on that debt.” -Ward Cunningham, the programmer who developed the first wiki program
Technical debt sounds a lot like security weaknesses: invisible to users, but with negative value.
This diagram was part of a presentation on technical debt by Philippe Kruchten
Application Security Debt
The latent vulnerabilities in a piece of software are the application security debt.
Security debt accumulates over time as more code is written without performing security processes during the development life cycle.
Design Phase: A project takes on a lot of debt during the design phase if no threat modeling or architecture risk analysis is performed. This will translate into costly redesign work at a later date.
Coding Phase: If code is written without using static analysis or following secure coding guidelines, then security bugs are going to get into the final application and will eventually need to be eliminated at a higher cost.
Debt is Good!
There are obviously good business reasons for accumulating security debt because we see it everywhere in successful companies.
However, there is a point in the lifetime of a lot of software projects where the debt gets too high and needs to be paid off by redesigning and rewriting a lot of code.
If it isn’t paid off the security debt risks impacting the bottom line.
Application Interest Rates
Application interest rates have breach cost and breach likelihood as factors.
These factors are out of your control just like an adjustable interest rate is on financial debt.
Breach cost can change over time due to changing compliance requirements and fines or increased brand damage.
Breach likelihood changes as the threat space changes. If cost and likelihood go up, your debt goes up.
Likelihood
When your application was first written, your application’s adjustable interest rate might be low:
Attackers just aren’t interested in your application
No good tools to find vulnerabilities on the OS or platform you developed on
Can’t monetize attacks
Your application may not be popular
Your brand damage is low because you have no users
Example Debt Repayments
In January 2002, Bill Gates sent out the famous Trustworthy Computing memo.
Microsoft had accumulated too much security debt in all their products & their application interest rate was at an all time high.
How this debt was paid down differed by product.
IIS 6.0 was a complete rewrite (cost ??)
From 2000-2002, OSVDB recorded 85 vulnerabilities in IIS alone
In 2003, IIS 6.0 was only impacted by one disclosed vulnerability
Successful Startup Scenario
Build cool new app as fast and cheap as possible and iterate, iterate, iterate.
Nothing is done to make sure their application is secure, and they start building up security debt.
The company hits it big and starts attracting millions of users. A vulnerability is found. It hits the news. They fix it but then another is found. More press. Their interest rate keeps rising.
A decision is made to hire some application security people, add security processes, and do some major security re-architecting and coding.
Paying down the security debt now is more expensive than doing it securely the first time but security debt gave the company the flexibility to launch quicker and iterate faster.
We can think of security debt as principal + interest.
Principal is the cost to remediate. Interest is the variable cost out of your control.
Denim Group Remediation Cost Data
Source: http://www.slideshare.net/denimgroup/real-cost-of-software-remediation
Calculate Remediation Cost
Remediation Cost = Overhead Cost + Sum per flaw category (Flaws * Remediation Time * Developer Cost)
Interest rates are tricky
We will use the example of a company writing their own custom app AND operating that app.
They bear the breach burden of the code they write.
Not sure what to do with vendors, as they shift the burden of their debt principal to their customers.
Monetary risk due to variable interest rate
Question: What is the monetary risk from vulnerabilities in your application portfolio?
Useless Answer: Monetary risk is expected loss; average breach cost multiplied by average probability of breach.
Useful Answer: Monetary risk is your expected loss; derived from your vulnerabilities, your breach cost, and threat space data.
Your Vulnerabilities
Your Breach Cost
Threat Space Data
Vulnerabilities in Your Application Portfolio
Your Breach Cost
Use cost analysis from your earlier breaches
Use breach cost from public sources. Example: April 2010 Ponemon Institute Report
Ponemon average and per-capita US breach cost (US Dollars)
              Detection & Escalation   Notification   Ex-Post Response   Lost Business   Total
Average       264,208                  500,321        1,514,819          4,472,030       6,751,451
Per-capita    8                        15             46                 135             204
Ponemon per-capita data by US industry sector (US Dollars)
Communication       209
Consumer            159
Education           203
Energy              237
Financial           248
Healthcare          294
Hotel & Leisure     153
Manufacturing       136
Media               149
Pharma              310
Research            266
Retail              133
Services            256
Technology          192
Transportation      121
Threat Space Data
40% of data breaches are due to hacking. Source: Verizon 2010 Data Breach Investigations Report
Top 7 application vulnerability categories
62% of organizations experienced breaches in critical applications in 12 month period
Source: Forrester 2009 Application Risk Management and Business Survey
How to Derive Your Expected Loss
Baseline expected loss for your organization due to SQL Injection*
*If your SQL Injection prevalence is similar to average SQL Injection prevalence; assumes 100,000 records
expected loss (vulnerability category) = f(% of orgs breached * breach cost * breach likelihood from vuln. category)
expected loss (SQL injection) = f(62% * $248 * 100,000 * 25%)
Monetary Risk Derived From Relative Prevalence
Vulnerability Category          Breach Likelihood   Baseline Expected Loss   Average % of Apps Affected (1)   Your % of Apps Affected (2)   Your Monetary Risk
Backdoor/Control Channel        29%                 $4,459,040               8%                               15%                           higher
SQL Injection                   25%                 $3,844,000               24%                              10%                           lower
Command Injection               14%                 $2,152,640               7%                               6%                            same
XSS                             9%                  $1,383,840               34%                              5%                            lower
Insufficient Authentication     7%                  $1,076,320               5%                               2%                            lower
Insufficient Authorization      7%                  $1,076,320               7%                               7%                            same
Remote File Inclusion           2%                  $307,520                 <1%                              <1%                           same
Assume 100,000 customer records. For SQLi the expected loss is: 62% * $248 * 100,000 * 25% = $3,844,000
1. Veracode 2010 State of Software Security Report, Vol. 2
2. De-identified financial service company data from Veracode industry data
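The deck's two cost formulas carried through in code, added here as an example (this is not code from the original slides): the remediation-cost formula (principal) from the "Calculate Remediation Cost" slide and the per-category expected-loss formula (interest) behind the relative-prevalence table. The 62%, $248, 100,000-record and breach-likelihood figures are the slides' own; the flaw counts and remediation hours are constructed, because the Denim Group remediation-time data is not reproduced on the page, and summing interest across categories is an assumption the slides do not state.

```python
# Added example (not from the slides). Figures: 62% of orgs breached
# (Forrester 2009), $248 per-capita breach cost (Ponemon 2010, financial
# sector), 100,000 records, per-category breach likelihoods from the table.

# "Breach Likelihood" column of the relative-prevalence table.
BREACH_LIKELIHOOD = {
    "Backdoor/Control Channel": 0.29,
    "SQL Injection": 0.25,
    "Command Injection": 0.14,
    "XSS": 0.09,
    "Insufficient Authentication": 0.07,
    "Insufficient Authorization": 0.07,
    "Remote File Inclusion": 0.02,
}


def baseline_expected_loss(category, pct_orgs_breached=0.62,
                           per_record_cost=248.0, records=100_000):
    """Interest: % of orgs breached * breach cost * likelihood for the category."""
    return round(pct_orgs_breached * per_record_cost * records
                 * BREACH_LIKELIHOOD[category])


def relative_risk(your_pct, avg_pct):
    """The table's qualitative 'Your Monetary Risk' column: your prevalence vs. average."""
    if your_pct > avg_pct:
        return "higher"
    if your_pct < avg_pct:
        return "lower"
    return "same"


def remediation_cost(flaws_by_category, hours_by_category, developer_hourly_cost,
                     overhead_cost):
    """Principal: Overhead Cost + sum per category (Flaws * Remediation Time * Developer Cost).

    flaws_by_category / hours_by_category are constructed inputs; the slides
    point to Denim Group data for real per-flaw remediation times."""
    total = overhead_cost
    for category, flaws in flaws_by_category.items():
        total += flaws * hours_by_category[category] * developer_hourly_cost
    return total


def security_debt(principal, categories_present):
    """Security debt = principal + interest. Summing baseline expected loss over
    the categories present in the portfolio is an assumption, not the slides'."""
    return principal + sum(baseline_expected_loss(c) for c in categories_present)
```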
Summary
With good breach cost & likelihood data we can calculate expected loss from latent vulnerabilities
We can calculate remediation cost
Can model when it makes sense to remediate