SecurityBSides London - Jedi mind tricks for building application security programs
DESCRIPTION
Presentation by David Rook and Chris Wysopal
TRANSCRIPT
David Rook
Jedi mind tricks for building application security programs
SecurityBSides, London
if (slide == introduction) System.out.println("I’m David Rook");
• Security Analyst, Realex Payments, Ireland
• CISSP, CISA, GCIH and many other acronyms
• Security Ninja (www.securityninja.co.uk)
• Speaker at international security conferences
• Nominated for multiple blog awards
• A mentor in the InfoSecMentors project
• Developed and released Agnitio
• Using Jedi mind tricks on your developers
• s/Application Security Alien/Business Language/i;
Agenda
Using Jedi mind tricks on developers
• Most developers actually want to write secure code
• You need to take ownership of the app sec problems with them
• Developers generally like producing quality code, use this!
• They want security knowledge with good practices and tools
Using Jedi mind tricks on developers
Jim Bird, blog comment:
“I’m a software guy. I don’t need a meme. I need practices and tools that work, that help me get software out the door, better software that is more reliable and more secure.”
http://securosis.com/blog/good-programming-practices-vs.-rugged-development
Using Jedi mind tricks on developers
• How can you help developers?
• Help them understand how to write secure code
• Own application security problems with them
• Don’t dictate! Speak, listen, learn and improve things
Application Security Alien
• We speak an alien language
• We talk of injections, jackings and pwnings
Application Security Alien
• We speak an alien language
• We talk of injections, jackings and pwnings
• We present findings in weird formats with a side order of FUD
Application Security Alien
• I will use CVSS as an example
• Let’s pretend we are analysing a SQL Injection vulnerability
Application Security Alien
CVSS base score equation
BaseScore = (0.6*Impact + 0.4*Exploitability - 1.5) * f(Impact)
Impact = 10.41 * (1 - (1-ConfImpact)*(1-IntegImpact)*(1-AvailImpact))
Exploitability = 20 * AccessComplexity * Authentication * AccessVector
f(Impact) = 0 if Impact = 0; 1.176 otherwise
Application Security Alien
CVSS Temporal Equation
TemporalScore = BaseScore * Exploitability * RemediationLevel * ReportConfidence
Application Security Alien
CVSS Environmental Equation
EnvironmentalScore = (AdjustedTemporal + (10 - AdjustedTemporal)*CollateralDamagePotential) * TargetDistribution
AdjustedTemporal = TemporalScore recomputed with the Impact sub-equation replaced with the following AdjustedImpact equation.
AdjustedImpact = Min(10, 10.41 * (1 - (1-ConfImpact*ConfReq)*(1-IntegImpact*IntegReq)*(1-AvailImpact*AvailReq)))
Application Security Alien
• We speak an alien language
• We talk of injections, jackings and pwnings
• We present findings in weird formats with a side order of FUD
• We feel security should just happen without having to justify it
The Business Language
• We need to speak the business language
• We need to talk about things the business cares about
• We need to present findings in a format that makes sense
The Business Language
• How does your business score risks?
• Let’s pretend we are analysing a SQL Injection vulnerability
The Business Language
A simple (common!) risk equation: Probability * Impact
Probability | Impact | Score
3           | 5      | 15
Appetite: 12
The Business Language
• We need to speak the business language
• We need to talk about things the business cares about
• Present findings in a format that makes sense to the business
• Application security is no exception when it comes to resourcing
Jedi mind tricks and alien translations
• Apply the KISS principle to everything you do
• Keep everything as simple as possible, complexity doesn’t help
• Understand what developers want and need to write secure code
• Work with the business and use their language and formats
www.securityninja.co.uk
@securityninja
QUESTIONS?
/realexninja
/securityninja
/realexninja
Chris Wysopal
CTO & Co-founder
Jedi mind tricks for building application security programs
The formative years… Padawan?
It was all about attack.
Early web app testing: Lotus Domino, Cold Fusion
Windows Security: Netcat for Windows, L0phtCrack
Early disclosure policies: RFPolicy, L0pht Advisories
Now with professional PR team…
Time to help the defensive side
Led @stake research team
@stake application security consultant
Published Art of Software Security Testing
Veracode CTO and Co-Founder
Why do we need executive buy in?
• Application security programs will require developer training
• Application security programs will require tools/services
• Application security programs will impact delivery schedules
• Application security cannot be “voluntary”
Authority
Speaking the language of executives
CEOs, CFOs, CIOs
If money is the language of execs what do they say?
How do I grow my top line?
How do I lower costs?
How do I mitigate risk?
Talk in terms of business risk and use monetary terms when possible. Then we can speak the same language.
Different types of risk
Legal risk – legal costs, settlement costs, fines
Compliance risk – fines, lost business
Brand risk – lost business
Security risk – ????
Translate technical risk to monetary risk
• What is the monetary risk from vulnerabilities in your application portfolio?
• Monetary risk is your expected loss, derived from your vulnerabilities, your breach cost and threat space data
(diagram: Your Vulnerabilities, Your Breach Cost, Threat Space Data)
Your Breach Cost
• Use cost analysis from your earlier breaches
• Use breach cost from public sources
– Example: April 2010 Ponemon Institute Report
Ponemon average and per-capita US breach cost (US Dollars)
(US Dollars) | Detection & Escalation | Notification | Ex-Post Response | Lost Business | Total
Average      | 264,208                | 500,321      | 1,514,819        | 4,472,030     | 6,751,451
Per-capita   | 8                      | 15           | 46               | 135           | 204
Ponemon per-capita data by US industry sector (US Dollars)
Communication   | 209
Consumer        | 159
Education       | 203
Energy          | 237
Financial       | 248
Healthcare      | 294
Hotel & Leisure | 153
Manufacturing   | 136
Media           | 149
Pharma          | 310
Research        | 266
Retail          | 133
Services        | 256
Technology      | 192
Transportation  | 121
Threat Space Data
40% of data breaches are due to hacking
Source: Verizon 2010 Data Breach Investigations Report
Top 7 application vulnerability categories
62% of organizations experienced breaches in critical applications in 12 month period
Source: Forrester 2009 Application Risk Management and Business Survey
How to Derive Your Expected Loss
Baseline expected loss for your organization due to SQL Injection*
*If your SQL Injection prevalence is similar to average SQL Injection prevalence, assumes 100,000 records
expected loss(vulnerability category) = f(% of orgs breached X breach cost X breach likelihood from vuln. category)
expected loss(SQL injection) = f(62% X $248 X 100,000 X 25%)
Monetary Risk Derived From Relative Prevalence
Vulnerability Category      | Breach Likelihood | Baseline Expected Loss | Average % of Apps Affected (1) | Your % of Apps Affected (2) | Your Monetary Risk
Backdoor/Control Channel    | 29%               | $4,459,040             | 8%                             | 15%                         | higher
SQL Injections              | 25%               | 3,844,000              | 24%                            | 10%                         | lower
Command Injection           | 14%               | 2,152,640              | 7%                             | 6%                          | same
XSS                         | 9%                | 1,383,840              | 34%                            | 5%                          | lower
Insufficient Authentication | 7%                | 1,076,320              | 5%                             | 2%                          | lower
Insufficient Authorization  | 7%                | 1,076,320              | 7%                             | 7%                          | same
Remote File Inclusion       | 2%                | 307,520                | <1%                            | <1%                         | same
Assume 100,000 customer records. For SQLi the expected loss is: 62% * $248 * 100,000 * 25% = $3,844,000
1. Veracode 2010 State of Software Security Report, Vol. 2
2. De-identified financial service company data from Veracode industry data
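Working the expected-loss formula and the relative-prevalence table through in code, as an added example that is not from the talk. The figures are the slide's (62% of orgs breached, $248 per record, 100,000 records, the per-category breach likelihoods and prevalences); the one-percentage-point tolerance for "same" and the proportional scaling of the baseline by your own prevalence are this example's assumptions, since the slide only labels the result higher, lower or same.

```python
# Added example, not from the talk: baseline expected loss per vulnerability
# category (the slide's formula) and how your prevalence moves it.
PCT_ORGS_BREACHED = 0.62   # Forrester 2009 survey figure quoted on the slide
PER_CAPITA_COST = 248      # Ponemon 2010 financial-sector cost per record, USD
RECORDS = 100_000          # customer records held (the slide's assumption)

# (category, breach likelihood, average % apps affected, your % apps affected)
# Remote File Inclusion is shown as "<1%" on the slide; 1 is used here.
CATEGORIES = [
    ("Backdoor/Control Channel", 0.29, 8, 15),
    ("SQL Injections", 0.25, 24, 10),
    ("Command Injection", 0.14, 7, 6),
    ("XSS", 0.09, 34, 5),
    ("Insufficient Authentication", 0.07, 5, 2),
    ("Insufficient Authorization", 0.07, 7, 7),
    ("Remote File Inclusion", 0.02, 1, 1),
]


def baseline_expected_loss(likelihood, pct_breached=PCT_ORGS_BREACHED,
                           per_capita=PER_CAPITA_COST, records=RECORDS):
    """% of orgs breached x breach cost x records x breach likelihood."""
    return round(pct_breached * per_capita * records * likelihood)


def relative_risk(avg_pct, your_pct, tolerance=1):
    """Label your exposure against the industry average. A gap of at most
    `tolerance` percentage points counts as 'same' (assumption)."""
    if abs(your_pct - avg_pct) <= tolerance:
        return "same"
    return "higher" if your_pct > avg_pct else "lower"


def monetary_risk_table():
    """One row per category: baseline loss, label, and the baseline scaled
    by your prevalence relative to the average (assumed scaling)."""
    rows = []
    for name, likelihood, avg_pct, your_pct in CATEGORIES:
        baseline = baseline_expected_loss(likelihood)
        yours = round(baseline * your_pct / avg_pct)
        rows.append((name, baseline, relative_risk(avg_pct, your_pct), yours))
    return rows


if __name__ == "__main__":
    for name, baseline, label, yours in monetary_risk_table():
        print(f"{name:28} baseline ${baseline:>10,}  yours {label:6} ${yours:>10,}")
```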
Executives want…
• An organization-wide view. Am I lowering overall application risk?
– Internal code
– Outsourced
– Vendor supplied
– Open source
• A program that has achievable objectives. What am I getting for the money I am spending?
• A program that is measurable: metrics and reporting. Am I marching toward the objectives?
– Which dev teams, outsourcers are performing well?
– How is my organization doing relative to my peers?
Tips to make the program successful
• The right people have to understand what is going to happen before you start
• Do a real world pen test or assessment of a project. Demonstrate relevant risk.
• Integrate into existing processes
– SDLC
– Procurement/legal
– M&A
Q&A
Speaker Contact Information: Chris Wysopal ([email protected]), Twitter: @WeldPond