AppSec is Eating Security PRESENTED BY Alex Stamos AppSec Cali | January 27, 2015

Upload: alex-stamos

Post on 14-Jul-2015


TRANSCRIPT

AppSec is Eating Security

Presented by Alex Stamos | AppSec Cali | January 27, 2015

2

Most enterprises are not safe

3

Most enterprises are not safe

“SECURE 100”
• Big Banks + other FIs
• Defense Industrial Base
• Oil and Gas
• Critical Infrastructure
• Big Tech
• Some Retail

“TOASTED 400”
• Everybody Else

What are they missing?
• Secure software engineering
• Engineering focused IR
• Ability to create, not buy, solutions

Almost no users are safe

4

5

Security hardware is becoming un-buyable

Arista 7508E: 1152 x 10GbE, 30Tbps backplane, 5kW

Palo Alto 7050: 120Gbps throughput, 2.4kW

6

5kW vs 600kW

[Figure: the 5kW Arista 7508E next to the firewalls it would take to inspect its 30Tbps backplane: 30Tbps ÷ 120Gbps = 250 Palo Alto 7050s at 2.4kW each, 600kW in total]

Containerization collapses the security perimeter

7

No:
• Virtual soundcard
• Guest OS patching
• VT-x enforcement
• Network controls
• Stable naming
• 1:1 service relationships

In the long run, this is a good thing! In the short term, it’s a mess to deal with!

Diagrams from docker.com

The Internet of Unpatchable Crap Things

8

store.idevices.com

What AppSec Needs to Accomplish

Apps have to be secure by default

10

How many developers understand the security risk they imported?

https://code.google.com/p/mustache-security/ by cure53.de
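The cure53 mustache-security project linked above documents the security pitfalls of JavaScript template engines and MVC frameworks; the point of the slide is that the escaping default of a library you import is a security decision you inherited. As an added example, not code from the talk or from the mustache-security project, here is a toy mustache-style renderer (a stand-in for a real engine such as mustache.js, which it does not use) that escapes `{{name}}` by default and emits `{{{name}}}` raw, plus a review helper that lists every raw tag so each one has to be justified. The template, the view data and the `escapeByDefault` switch are constructed for this demo.

```javascript
// Added example: a minimal mustache-style renderer (not the mustache.js
// library and not code from the talk) used to show why the escaping default
// of an imported template engine is a security decision.
const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '/': '&#x2F;' };

// HTML-escape a value before it is interpolated into markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'/]/g, (ch) => ESCAPE_MAP[ch]);
}

// Dotted-path lookup into the view object; a missing key renders as "".
function lookup(view, path) {
  return path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), view);
}

// {{name}} is escaped (when escapeByDefault is true); {{{name}}} is emitted raw.
const TAG_RE = /\{\{\{\s*([\w.]+)\s*\}\}\}|\{\{\s*([\w.]+)\s*\}\}/g;

function render(template, view, { escapeByDefault = true } = {}) {
  return template.replace(TAG_RE, (_match, rawName, escName) => {
    if (rawName !== undefined) return String(lookup(view, rawName) ?? '');
    const value = lookup(view, escName) ?? '';
    return escapeByDefault ? escapeHtml(value) : String(value);
  });
}

// Review helper: list every raw ({{{...}}}) interpolation in a template so a
// reviewer (or a CI check) can demand a justification for each one.
function findRawTags(template) {
  const names = [];
  for (const m of template.matchAll(TAG_RE)) {
    if (m[1] !== undefined) names.push(m[1]);
  }
  return names;
}

// Constructed input: a user-controlled display name carrying an XSS payload.
const CONSTRUCTED_VIEW = { user: { name: 'Ada <script>alert(document.cookie)</script>' } };

function demo() {
  const escapedTpl = '<p>Hello, {{user.name}}</p>';
  const rawTpl = '<p>Hello, {{{user.name}}}</p>';
  return {
    // the safe default: the payload is rendered as text
    safeDefault: render(escapedTpl, CONSTRUCTED_VIEW),
    // an explicit raw tag: the payload executes
    explicitRaw: render(rawTpl, CONSTRUCTED_VIEW),
    // an engine whose default is "no escaping" makes the innocent template unsafe
    unsafeDefault: render(escapedTpl, CONSTRUCTED_VIEW, { escapeByDefault: false }),
    // what the review helper flags in the raw template
    rawTagsInTemplate: findRawTags(rawTpl),
  };
}

console.log(demo());
```

The `unsafeDefault` case is the one the slide is about: the template author did nothing wrong, the imported engine did. Escaping at output time only covers the HTML text context; attribute, URL and script contexts still need their own encoders.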

App Sec doesn’t have to be realtime or inline

11

▪ 10Gb Ethernet = 67ns between frames
▪ 100Gb Ethernet = 6.7ns between frames

Is this actually necessary? No. Is it a good idea? Probably not.

12

by Flickr user Keith Allison CC-BY-SA
by Warren Sharp, www.sharpfootballanalysis.com

Bug bounty communities need to reform to grow

13

Accept that the browser is the new OS

14

I hate it when good points get twisted to prevent progress

Network security must be transparent to applications

15

▪ DNSSEC is dead. Several reasons why….
› Complexity:
› Not end-to-end. How much do you trust your DNS provider?
› Invisible to user applications!

dnsviz.net via @jpmens

Build apps that are safe, not just secure

16

▪ Way too little focus on user experience
▪ Classic difficult example is cert info (see APF tonight)

What is a safe app?

17

▪ Safest mode is the default
▪ Automatically fixes itself
▪ Fails gracefully instead of failing insecurely and immediately
  ▪ Including client-side failures
▪ Recognizes the difficulties its users face
▪ Takes into account the entire lifecycle of the user

Yes, I’m a security paternalist

Passwords are dead

18

Every big password dump has 10-20% matches

▪ SMS
› Lowest common denominator
› Surprisingly expensive
› Unreliable
› Insecure in many countries

▪ TOTP
› Bad user experience
› Many apps means no control over seeds

▪ Push notifications
› Much more secure
› Require more user interaction

None solve the account lifecycle management problem. This is the #1 issue for user safety

So…

19

Looks like we all have a lot of work to do to:
• Build apps with no L3 protections
• Patch in our CI/CD pipelines
• Provide end-to-end and transformable encryption
• Make browsers more trustworthy than the OS

• More work for AppSec, less for the rest of security
• Can we solve some of these problems without selling product

Shameless Pitch

20

At Yahoo, our security goal is for all users to be safe using any of our products from any country on any platform.

I’m currently looking for a Director of Product Security to reinvent how we build safe products and meet this goal for 1.3B users

Thank you

[email protected] @alexstamos