hacker vs tools: which to choose?
Hacker vs. Tools
Geoffrey Vaughan
Security Engineer
@mrvaughan
Why this talk?
• Our goal is to build secure software
• What does an SDLC that considers security throughout look like?
• Where can you automate security controls in your SDLC?
• What are the implications of building 1 application vs. managing hundreds?
• Learn to think more like a hacker
Whoami
• Geoffrey Vaughan @MrVaughan
• Security Engineer @SecurityInnovation
• Appsec pentesting/advisory at all areas of SDLC
• Former High School/Prison/University Teacher
• Occasionally I’m let out of my basement
• Travelled from Toronto to be here with you today
Disclaimer
• Vendor/tool agnostic
• I provide services in all areas of SDLC
• Hacker Biased (I am one)
Qualities
Qualities of a Hacker
• Develops creative solutions to complex problems
• Researches and deeply understands the problem
• May leverage tools in the pursuit of a solution
Qualities of a (Security) Tool
• Helps solve problems fast
• Automates the mundane
• Can use signatures, behaviors, or analytics
• Great for high volume testing (large problems and large number of test cases)
Securing your SDLC
• At various points in your SDLC, you may want to use a hacker and/or a tool to help secure your product
• Hackers are great at thinking about problems from a different perspective
• Great for finding design flaws
• Tools can be very thorough at finding/preventing defined known issues
• Great for doing tedious things
Security Requirements
Have you thought of everything?
• How do you confidently know from an early stage that you have thought of every possible thing that could go wrong with your application?
• It is a lot cheaper && easier && faster to fix security issues in the Requirements phase than in Production
• Like 30 to 100X less expensive!
• (Depends who you ask)
Security Requirements
Have you thought of everything?
Hacker
• Probably will find things the tools miss
• Will think of some really interesting edge cases
• Might not think of everything
Tool
• Checklists
• Threat Modeling
• Processes
Design/Architecture
Most architecture designs consist of:
• Use cases
• User stories
• Data Flow Diagrams
• Server/Stack layouts
Design/Architecture
Hacker
• Hacker + Developer in a room with a flow diagram can often find many issues in a very short amount of time
• This approach doesn’t scale well when the application becomes very large or when there is a long list of applications to test
Tool
• Threat modeling
• There are not a lot of tools out there that provide meaningful value in this space
Development
Hacker
• Training
• Manual Code Review
• Can find more complex vulnerabilities
• Doesn’t scale well
• Peer Code reviews
Tool
• In IDE plugins (code assisted development)
• Static analysis tools
• Limited vulnerability classes detectable
• Lots of false positives (thousands)
• Good coverage for large applications
• Secure Coding Guidelines
What can you find with static analysis?
Good at finding
• Source Sink issues, tracking where malicious input is executed (XSS, SQLi, and URL Redirects)
• Security misconfigurations
• Insecure randomness
• Some session management issues
• False Positives!!!!
Not good at finding
• Authorization issues
• Some authentication issues (password resets, password brute force)
• Abuse of business rules
• Memory corruption issues (some)
• Design flaws
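The following is an added example, not code from the talk: a toy source-to-sink taint analysis over the Python AST, run against a constructed sample program. It shows concretely why static analysis is good at the first class of issues on the slide (input flowing into a query or redirect), why it produces false positives (it cannot see that a value was validated on an earlier branch), and why it is silent on the authorization flaw in the last function (no data flows from a source to a sink, so there is nothing for the rule to match). The framework names `request.args.get`, `cursor.execute` and `redirect`, and the set of sanitizers, are assumptions made for the sample.

```python
"""Toy source-to-sink taint analysis, added as an example for this deck (not the
speaker's code). It walks the Python AST of a constructed sample program: values
coming from a request-parameter source are tracked through assignments and string
concatenation until they reach a query/redirect sink. The web-framework names
(request.args.get, cursor.execute, redirect) are assumptions made for the sample."""
import ast

SOURCES = {"request.args.get", "request.form.get"}          # attacker-controlled input
SINKS = {"cursor.execute": "SQLi", "redirect": "URL redirect"}
SANITIZERS = {"int", "escape"}                                # calls assumed to neutralise taint


def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def is_tainted(node, tainted):
    """True if the expression `node` can carry data derived from a source."""
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.Call):
        name = dotted(node.func)
        if name in SOURCES:
            return True
        if name in SANITIZERS:
            return False                      # sanitizer breaks the chain
        return any(is_tainted(a, tainted) for a in node.args)
    if isinstance(node, ast.BinOp):           # "..." + uid
        return is_tainted(node.left, tainted) or is_tainted(node.right, tainted)
    if isinstance(node, ast.JoinedStr):       # f"...{uid}..."
        return any(is_tainted(v.value, tainted)
                   for v in node.values if isinstance(v, ast.FormattedValue))
    return False


def analyze(source_code):
    """Return [(line, vuln_class)] for every tainted value that reaches a sink."""
    findings = []
    for func in ast.walk(ast.parse(source_code)):
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = set()                       # per function; blind to if/else validation
        for stmt in func.body:
            if isinstance(stmt, ast.Assign):
                names = [t.id for t in stmt.targets if isinstance(t, ast.Name)]
                if is_tainted(stmt.value, tainted):
                    tainted.update(names)
                else:
                    tainted.difference_update(names)
            for call in ast.walk(stmt):
                if isinstance(call, ast.Call) and dotted(call.func) in SINKS:
                    if any(is_tainted(a, tainted) for a in call.args):
                        findings.append((call.lineno, SINKS[dotted(call.func)]))
    return findings


# Constructed sample program: one true SQLi, one sanitized call, one validated
# value the analyser still flags (false positive), one open redirect, and an
# authorization flaw that no source-to-sink rule can express.
SAMPLE = '''
def lookup(request, cursor):
    uid = request.args.get("id")
    cursor.execute("SELECT * FROM users WHERE id = " + uid)

def lookup_safe(request, cursor):
    uid = int(request.args.get("id"))
    cursor.execute("SELECT * FROM users WHERE id = " + str(uid))

def lookup_validated(request, cursor):
    uid = request.args.get("id")
    if not uid.isdigit():
        raise ValueError("bad id")
    cursor.execute("SELECT * FROM users WHERE id = " + uid)

def go(request):
    target = request.args.get("next")
    return redirect(target)

def admin_report(request, cursor, current_user):
    cursor.execute("SELECT * FROM salaries")
'''

if __name__ == "__main__":
    for line, vuln in analyze(SAMPLE):
        print(f"line {line}: {vuln}")
```

Running it reports lines 4, 14 and 18 of the sample. Line 14 is the false positive: the `isdigit()` check makes the concatenation safe, but a flow-insensitive taint rule has no model of that branch. `admin_report` never shows up at all, which is the "authorization issues" bullet above in one line of code.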
QA/Testing
• Ideally, it’s best to try to find issues as early in the SDLC as possible
• In QA, finding and fixing issues is more difficult
• More costly, could introduce delays, sometimes under strict time constraints
• Some issues could require redesign or architecture changes
• First chance to do runtime analysis
QA/Testing
Hacker
• Can consider the whole picture of the application
• Limited by time/best effort
• If combined with source code, can give best perspective into finding vulnerabilities
• Hard to cover all pages/parameters
Tool
• Fuzzing high volume of test cases
• Crawl/test large applications with good coverage
• Can do Authenticated vs. Unauthenticated testing
• Crash analysis, runtime debugging
• Still has trouble with business rules
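An added example, not from the talk, of the fuzzing and business-rule bullets side by side: a small mutation fuzzer drives a constructed binary message parser with thousands of generated inputs and records any crash. The parser has a deliberate length-trust bug that the fuzzer finds on its own; the transfer logic has a deliberate overdraft flaw that the fuzzer cannot see until a human writes the invariant down, because nothing crashes when a rule is broken. The wire format, the bug, the balance check and the seed input are all made up for the example.

```python
"""Mutation fuzzer against a toy message parser, added as an example for this deck
(not the speaker's code). It shows what the QA-stage tool is good at (thousands of
generated inputs, crash detection) and what it cannot see without help: a
business-rule violation that never crashes. The wire format, the parser bug and the
missing overdraft check are all constructed for the example."""
import random


def parse_message(data: bytes) -> dict:
    """Constructed format: [name_len][name bytes][amount, 2-byte big-endian]."""
    if len(data) < 3:
        raise ValueError("too short")                # graceful rejection
    name_len = data[0]
    name = data[1:1 + name_len].decode("ascii")       # UnicodeDecodeError is a ValueError
    # Deliberate bug: trusts name_len without checking the remaining length,
    # so a lying length byte indexes past the end (IndexError).
    amount = (data[1 + name_len] << 8) | data[2 + name_len]
    return {"name": name, "amount": amount}


def apply_transfer(balance: int, data: bytes) -> int:
    """Deliberate business-rule flaw: nothing stops an amount larger than balance."""
    msg = parse_message(data)
    return balance - msg["amount"]


def mutate(rng: random.Random, data: bytes) -> bytes:
    """One random byte-level mutation: overwrite, insert, delete or truncate."""
    buf = bytearray(data)
    op = rng.choice(("flip", "insert", "delete", "truncate"))
    if op == "flip" and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == "insert":
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == "delete" and buf:
        del buf[rng.randrange(len(buf))]
    elif op == "truncate" and buf:
        del buf[rng.randrange(len(buf)):]
    return bytes(buf)


def fuzz(target, seeds, iterations=2000, seed=1, invariant=None):
    """Run `target` on mutated seeds; return {failure_kind: first triggering input}.

    ValueError counts as a clean rejection.  Any other exception is a crash.
    `invariant`, if given, is a human-written predicate on the target's return
    value; a False result is recorded as "InvariantViolation".  The fuzzer has no
    way to discover such a rule on its own: it only knows about crashes."""
    rng = random.Random(seed)
    failures = {}
    for _ in range(iterations):
        case = mutate(rng, rng.choice(seeds))
        try:
            result = target(case)
        except ValueError:
            continue
        except Exception as exc:
            failures.setdefault(type(exc).__name__, case)
            continue
        if invariant is not None and not invariant(result):
            failures.setdefault("InvariantViolation", case)
    return failures


SEED = b"\x03bob\x00\x05"          # name "bob", amount 5: a valid message

if __name__ == "__main__":
    crash_only = fuzz(lambda d: apply_transfer(100, d), [SEED])
    print("crash oracle only:", crash_only)
    with_rule = fuzz(lambda d: apply_transfer(100, d), [SEED],
                     invariant=lambda new_balance: new_balance >= 0)
    print("with overdraft invariant:", with_rule)
```

The first run reports only an `IndexError` with the input that triggered it; the second run, with the one-line invariant supplied, also reports the overdraft. That is the whole gap between "tool finds crashes with good coverage" and "tool still has trouble with business rules": the rule has to come from someone who understands the application.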
Production
Hacker
• Can leverage external resources (Social Engineering, Social media, Google)
• Can leverage weak/vulnerable users
• May invest significant time/energy
Tool
• Signature based detection
• Heuristic threat intelligence
• Abnormality detection
• Continuous runtime scanning
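An added example, not from the talk, of two of the production-side techniques above running over the same constructed access log: signature detection (regexes for known-bad request patterns, applied after percent-decoding) and a simple abnormality check (a client whose request volume is far outside the rest of the population, flagged without any pattern at all). The log lines, IP addresses and paths are made up; the thresholds are choices made for the sample, not recommended values.

```python
"""Production-side detection over web-server access logs, added as an example for
this deck (not the speaker's code).  Two of the tool techniques from the slide are
shown side by side: signature matching (known-bad request patterns) and a simple
abnormality check (a client whose request volume is far outside the population).
Log lines are constructed for the example; the IPs and paths are made up."""
import re
import statistics
from collections import Counter
from urllib.parse import unquote

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Signature rules run against the percent-decoded path; they know only about
# attacks someone has already written a pattern for.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(\bunion\b.+\bselect\b|\bor\s+'?\d+'?\s*=\s*'?\d+)"),
    "traversal": re.compile(r"\.\./|\.\.\\"),
}


def parse(line):
    """Parse one combined-log style line into a dict, or None if it doesn't match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def signature_hits(lines):
    """Return [(rule, ip, decoded_path)] for every line a signature matches."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        path = unquote(rec["path"])
        for rule, pattern in SIGNATURES.items():
            if pattern.search(path):
                hits.append((rule, rec["ip"], path))
    return hits


def rate_anomalies(lines, factor=5, floor=10):
    """Flag clients whose request count exceeds `factor` x the median client and
    at least `floor` requests.  No pattern needed: it catches a noisy scanner
    even when every individual request looks benign."""
    counts = Counter(rec["ip"] for rec in map(parse, lines) if rec)
    if not counts:
        return []
    threshold = max(floor, factor * statistics.median(counts.values()))
    return sorted(ip for ip, n in counts.items() if n > threshold)


# Constructed sample log: three ordinary clients, one client sending textbook
# injection/traversal payloads, and one client walking the /item/ space.
NORMAL = [
    '10.0.0.1 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326',
    '10.0.0.1 - - [10/Oct/2023:13:55:40 +0000] "GET /static/app.js HTTP/1.1" 200 9120',
    '10.0.0.1 - - [10/Oct/2023:13:56:01 +0000] "POST /login HTTP/1.1" 302 0',
    '10.0.0.2 - - [10/Oct/2023:13:56:10 +0000] "GET /search?q=shoes HTTP/1.1" 200 5120',
    '10.0.0.2 - - [10/Oct/2023:13:56:12 +0000] "GET /item/42 HTTP/1.1" 200 3100',
    '10.0.0.3 - - [10/Oct/2023:13:57:00 +0000] "GET /index.html HTTP/1.1" 200 2326',
    '10.0.0.3 - - [10/Oct/2023:13:57:05 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
]
ATTACKS = [
    "10.0.0.7 - - [10/Oct/2023:13:58:00 +0000] \"GET /login?user=admin'%20OR%20'1'%3D'1 HTTP/1.1\" 200 512",
    "10.0.0.7 - - [10/Oct/2023:13:58:03 +0000] \"GET /search?q=1%20UNION%20SELECT%20password%20FROM%20users HTTP/1.1\" 500 0",
    "10.0.0.7 - - [10/Oct/2023:13:58:09 +0000] \"GET /static/..%2F..%2Fetc/passwd HTTP/1.1\" 404 0",
]
SCAN = [
    f'10.0.0.9 - - [10/Oct/2023:14:00:{i:02d} +0000] "GET /item/{i} HTTP/1.1" 404 0'
    for i in range(30)
]
LOG = NORMAL + ATTACKS + SCAN

if __name__ == "__main__":
    for rule, ip, path in signature_hits(LOG):
        print(f"signature {rule:<9} {ip:<10} {path}")
    for ip in rate_anomalies(LOG):
        print(f"anomaly   volume    {ip}")
```

The signature pass reports the three requests from 10.0.0.7 and nothing else; the volume check reports 10.0.0.9, whose thirty requests are each individually unremarkable. Each technique misses what the other catches: a novel payload with no signature is invisible to the first, and a single well-crafted request is invisible to the second, which is why the slide lists both alongside heuristic threat intelligence rather than picking one.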
So What About Agile?
Security Tasks:
1. Every Feature/Story Requirements
2. Every Sprint/Release Requirements
3. Regular Maintenance
With Every New Feature / User Story:
• Do the feature requirements consider the security implications of this feature?
• How will this feature affect the overall threat model
Every Sprint / New Release
• Ensure overall security requirements continue to apply across every new sprint (checklist?)
• Impact on application architecture
• Threat modelling for all new features
• Automated code review
• Manual/Peer code review
• Security Testing of new features
Regular Maintenance
• Periodic security testing and scanning to ensure no new issues arise. The result is a snapshot of your current security posture
• Regular security training for all members of the team
• Take a big-picture look at results from all security testing and look for areas where issues could have been prevented sooner
Secrets to Doing Agile Security Well
• It takes the whole team thinking about security all the time
• Perform regular checks to identify, address issues, and improve processes
• Systems and processes are necessary to implement security controls throughout.
Hacker vs. Tool?
• An informed hacker will know when to use each tool and when to rely on their hacker mindset/instincts
• Learn to think more like a hacker to…
• Make better tools
• Attack your application as a hacker might
• Learn the trade, not the tool
More Talks today:
I’m also presenting 2 other talks today on completely unrelated subjects:
Catching IMSI Catchers: Hunting the hunter, can you tell if your phone’s being captured by a rogue cell phone tower/ IMSI catcher/ Stingray?
Security Best Practices for Regular Users - What's in your personal threat model? What assets are you trying to protect? Learn how to improve your personal security and privacy online through best practices and security tips.
Thank you
Geoffrey Vaughan
@mrvaughan
@SecurityInnovation