milton smith 2013
TRANSCRIPT
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public 1
Keeping the Future Secure with Java
Milton Smith, Sr. Principal Security PM
Email: [email protected]
Blog: http://spoofzu.blogspot.com/
Twitter: @spoofzu
Notice
"THE FOLLOWING IS INTENDED TO OUTLINE OUR GENERAL PRODUCT DIRECTION. IT IS INTENDED FOR INFORMATION PURPOSES ONLY, AND MAY NOT BE INCORPORATED INTO ANY CONTRACT. IT IS NOT A COMMITMENT TO DELIVER ANY MATERIAL, CODE, OR FUNCTIONALITY, AND SHOULD NOT BE RELIED UPON IN MAKING PURCHASING DECISIONS. THE DEVELOPMENT, RELEASE, AND TIMING OF ANY FEATURES OR FUNCTIONALITY DESCRIBED FOR ORACLE'S PRODUCTS REMAINS AT THE SOLE DISCRETION OF ORACLE."
Who Am I?
Milton Smith
§ Responsible for Java platform security: vision/features, internal/external communications – everything Java except EE.
§ 20+ years of programming and specializing in security.
§ Former employer was Yahoo! where I managed security for the User Data Analytics property.
Program Agenda
§ Security Industry Challenges
§ Risk Choices & Methodologies
§ Security at Oracle
§ Ongoing Security Improvements
§ Security in Development Communities
§ Call to Action
Security Industry & Challenges
Java Ecosystem Facts
Desktops
§ Java deployed on 97 percent of desktops
Devices
§ Java deployed on 80 percent of mobile platforms
§ Java deployed on 125 million television sets
Community
§ 1 billion Java downloads per year
§ 9 million developers worldwide
Level of Security Challenge…
Ref: http://www.oracle.com/us/corporate/press/1843546
Security Threat Landscape
A lot has changed since 1995 when Java started…
That was Then… individual pranksters.
This is Now… well funded and organized:
• State or Terrorist Cyber Warfare
• Intellectual Property Theft
• Data Destruction
• Denial of Service
• Hacktivism
Why is Java a Favored Target for Attack?
§ Java is deployed widely across homes and business computers.
§ Multi-platform features of Java allow attackers to indiscriminately target Windows, Mac, and even Linux versions.
§ Compared with data centers, the physical and logical security controls on home systems are far less sophisticated.
What Uses of Java are Highest Risk?
Highest Risk…
§ Java Applets and Java Web Start applications launched from the browser.
Why…
§ Java users have valuable information (e.g., credit cards, license keys, etc.)
§ Java desktop security controls are either missing or poorly configured
Strong Security is the Expectation…
§ Security concerns across industry are elevated
§ Strong vs. poor security is difficult for users to evaluate
Challenges across entire industry…
Risk Choices & Methodologies
Risk vs. Reward
We make choices based upon risk every day; this is how humans function.
Everyday Risk Choices
Do animals drink at the water hole? Animals with big teeth may be present.
– Answer = Depends on how thirsty they are.
Everyday Risk Choices
Everyone treated by a doctor has died or will die. The success rate is precisely zero. Do we continue to visit doctors?
– Answer = Yes!
Everyday Risk Choices
Life is risky. Do we visit the doctor every day for a check-up?
– Answer = No!
Risk Based Security Methodology
§ Many of us today use informal risk based approaches.
§ Some don’t take the next step – formalizing how we think about risk and how it governs our behavior.
§ A risk methodology helps drive security decisions
Security Risk Applied to a Web Application Example
§ A few simple considerations…
– How important is the application to the business? Dollar loss, compliance requirements, inconvenience?
– Internet facing application interfaces (web, web data services)?
– Any unauthenticated application interfaces (no logon)?
– and many more factors…
§ Platforms have different concerns but the approach is similar
Security at Oracle
Why is Security Important to Oracle?
Java is at the center of our applications: vendor apps, your apps and Oracle apps all sit on the Java Platform.
Overview – Larger Security Policy Areas
Development Lifecycle
§ Architecture Review
§ Peer Review
§ Security Testing
§ Post Mortems
Remediation
§ CPU
§ Security Alerts
Communications
§ SA/CPU RSS Feeds
§ Security Blog
§ eBlasts
§ Java.com Security
Security Policies - Communications
§ Security news & alerts are communicated via several channels
– Security Alerts (RSS feed)
– Critical Patch Update Advisories
– eBlasts
– Blogs (like blogs.oracle.com/security)
§ Policy: http://www.oracle.com/us/support/assurance/fixing-policies/index.html
Security Policies - Communications
Why we don’t respond to published reports of alleged security vulnerabilities in Oracle products…
§ Correcting and corroborating articles provides more information to attackers
§ Many reports don’t provide the engineering details required for proper verification. Technical details like pre-conditions, impacts and remediation/mitigation details are light or non-existent.
§ Responding to individual reports forces communities to track vulnerabilities in social media sites – not good.
Security Policies - Communications
Why we don’t respond to published reports of alleged security vulnerabilities in Oracle products…
§ The information Oracle releases is precise, actionable, and everyone receives it at the same time.
§ Policy: http://www.oracle.com/us/support/assurance/disclosure-policies/index.html
Security Throughout the Development Lifecycle
Non-specific lifecycle methodology: Concept → Analysis → Coding → Testing → Delivery (Java.com)
Risk Factors: less scrutiny for lower-risk changes, more scrutiny for higher-risk changes
Project Review: architecture, compliance
Peer Review: manual, automated
Security Tests: static analysis, fuzzing
Policy: http://www.oracle.com/us/support/assurance/development/index.html
Outside the Development Lifecycle
Throughout the development cycle:
• GPS
• Ethical Hacking
• Security Training
• Tech Talks
…and more.
Security Policies - Remediation
§ Common Vulnerability Scoring System (CVSS)
§ Each vulnerability is reviewed and assigned a CVSS score
§ Remediation priority is strongly influenced by the CVSS score
Policy: http://www.oracle.com/us/support/assurance/fixing-policies/index.html#scoring
Security Policies - Remediation
§ Critical Patch Updates (CPU) - Security patches
– October, February, June for the Java Platform Group
– The Java Platform Group schedule is different from the Oracle CPU schedule
– Emergency releases are infrequent but do happen
§ Policy: http://www.oracle.com/technetwork/topics/security/alerts-086861.html
Java CPU
[Timeline figure: Java 7 releases from 7 GA through 7u1, 7u2, 7u3, 7u4, 7u5, 7u6, 7u7 (Security Alert*) and the planned 7u9, alternating between CPU and non-CPU releases, with a CPU every 4 months]
Rules for Java CPUs
§ Main release for security vulnerabilities
§ Covers all families (7, 6, 5.0, 1.4.2)
§ CPU release triggers Auto-update
§ Dates published 12 months in advance
§ Security Alerts are released as necessary
§ Based off the previous (non-CPU) release
§ Released simultaneously on java.com and OTN
Securing Platforms vs. Securing Applications
§ Different tools for securing platforms and applications
– Platform development often precedes tool features
§ Platforms support a wider range of use cases
§ Different techniques for securing platforms and applications
Ongoing Security Improvements
Theme, Preventing Drive-By Exploitation
§ Defense against phishing attacks
§ “Best used before” date for JRE security
– The largest number of exploits are against out-of-date software
Theme, Preventing Drive-By Exploitation
§ Easier to disable Java in Browser (Applet/JNLP)
§ Encourage users to uninstall older JREs
– First step, as an applet
– Next step, component of the installer
Theme, JRE Security Hardening
§ Configurable IT security policy
§ More frequent security feeds (blacklists, security baseline updates)
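The two hardening themes above, a "best used before" date on each JRE and a security baseline that is pushed out more often, both come down to one check on the endpoint: is the installed JRE at or above the current baseline for its family, and is the baseline itself still fresh? The following is an added example of that check and is not Oracle's deployment code; the baseline versions and expiry dates in it are constructed for illustration, and the real mechanism that distributes them is not described on this page. The one detail worth seeing in code is that Java 5–8 version strings must be compared numerically: a string comparison ranks "1.7.0_9" above "1.7.0_21" and would wave an old JRE through.

```python
import re
from datetime import date

# JDK 5-8 version string: 1.<minor>.<micro>[_<update>][-<build tag>], e.g. 1.7.0_21-b11
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-.*)?$")


def parse_java_version(text):
    """Return (major, minor, micro, update) for strings like '1.7.0_21' or '1.6.0_45-b06'.

    Tuples compare numerically, so 1.7.0_9 < 1.7.0_21, unlike a plain string compare.
    The '-bNN' build tag carries no security meaning and is dropped.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Java version string: %r" % text)
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def family(version):
    return version[:2]          # (1, 7) for Java 7, (1, 6) for Java 6


# Constructed sample baseline data (illustrative, not Oracle's published values):
# the lowest acceptable update per family, and the date after which this baseline
# record itself is stale and must be refreshed before it is trusted.
BASELINES = {
    (1, 7): parse_java_version("1.7.0_21"),
    (1, 6): parse_java_version("1.6.0_45"),
}
BASELINE_EXPIRY = {
    (1, 7): date(2013, 7, 18),
    (1, 6): date(2013, 7, 18),
}


def assess_jre(version_string, today, baselines=BASELINES, expiry=BASELINE_EXPIRY):
    """Classify an installed JRE as 'current', 'below-baseline', 'expired' or 'unknown-family'.

    below-baseline: known fixed vulnerabilities are missing; block browser use of this JRE.
    expired:        the JRE meets the last baseline we know of, but that baseline is past
                    its best-used-before date, so a newer CPU has probably shipped.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    version = parse_java_version(version_string)
    fam = family(version)
    if fam not in baselines:
        return "unknown-family"
    if version < baselines[fam]:
        return "below-baseline"
    if today > expiry[fam]:
        return "expired"
    return "current"


if __name__ == "__main__":
    today = date(2013, 5, 1)
    for v in ("1.7.0_9", "1.7.0_21-b11", "1.6.0_45", "1.5.0_22"):
        print("%-14s %s" % (v, assess_jre(v, today)))
    print("1.7.0_25 on 2013-08-01:", assess_jre("1.7.0_25-b15", date(2013, 8, 1)))
```

A deployment that wires this into the plug-in can block the "below-baseline" case outright and treat "expired" as a prompt to fetch the baseline again rather than as proof the JRE is safe, which is the behaviour the best-used-before date is meant to force on machines that never see the auto-update.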
Security in Development Communities
What is the Impact of Security Incidents?
Schedule
§ Security firefighting derails the release train
Morale
§ Security firefighting hits home when your staff burns nights and weekends
Confidence
§ Too many incidents, or incidents that are too severe, shake confidence
Mitigating Security Impacts
Before an Incident (otherwise known as Prevention)
§ The best incident is the one you can avoid
§ Ensure security investments are commensurate with risk
§ What should they be? Depends, based upon security maturity
During an Incident
§ Have an emergency action plan. Relevant leadership? Responsibilities? Process? Actions? Expected outcomes?
After an Incident
§ Questions may linger for months after an incident
§ Have a communications policy and a plan of execution
Open Source Projects
§ Millions of eyeballs does not mean they are trained on security
§ Communities focus on what is important to them - features
§ If you manage a developer community - set code quality standards
§ Ensure the quality standards include security (e.g., OWASP)
Restoring Confidence
Product Improvement
§ Understand your vulnerabilities and get them fixed
§ Make new security feature improvements as necessary
§ Make it happen
Communication
§ Code cannot fix a confidence problem
§ Likewise, communication without action is meaningless
§ Make improvements and then communicate your progress
The currency of confidence is “hard work”, and it is slowly won.
Call to Action
Vulnerability Reporting & Security Feature Suggestions
§ Report Vulnerabilities
– Support Customers: My Oracle Support
– Others: [email protected]
– Policy: http://www.oracle.com/us/support/assurance/reporting/index.html
§ Suggest New Features
– http://bugreport.sun.com/bugreport/
Upcoming CPUs
§ April 16, 2013
§ June 18, 2013
§ October 15, 2013 (transition to the Oracle CPU schedule)
§ January 14, 2014
§ CPUs: http://www.oracle.com/technetwork/topics/security/alerts-086861.html
Java Platform Support
§ I receive many questions on support programs and to answer a few…
§ 3 Options
– Premier, 5 years from GA
– Extended, Premier + 3 years
– Sustaining, “as long as you own your Oracle products”
Disclaimer: No, I don’t receive a commission. ;o)
Ref: http://www.oracle.com/us/support/library/lifetime-support-middleware-069163.pdf
Java Root Certificate Program
§ Like browsers, Java ships with root certificates.
§ Our roots establish intrinsic “trust” for Java users.
§ Of course, users are always free to include their own certificates.
§ Program rules apply, see the following link.
Ref: http://www.oracle.com/technetwork/java/javase/javasecarootcertsprogram-1876540.html
Help Us Keep You Secure
§ To end users…
– Keep your JREs updated (auto-update on)
– Practice defense-in-depth: virus scanner, firewall
§ To developers…
– Support current JREs so end users can upgrade
– Sign your applications (and timestamp the signature, so it still verifies after the signing certificate expires)
– Validate untrusted data (input/output validation)
– Follow the Open Web Application Security Project, https://www.owasp.org/
§ All
– Attend the new security track at JavaOne 2013 in San Francisco, CA, USA
oracle.com/javajobs