securitybsides london - jedi mind tricks for building application security programs

David Rook Jedi mind tricks for building application security programs SecurityBSides, London


DESCRIPTION

Presentation by David Rook and Chris Wysopal

TRANSCRIPT

Page 1: SecurityBSides London - Jedi mind tricks for building application security programs

David Rook

Jedi mind tricks for building application security programs

SecurityBSides, London

Page 2: SecurityBSides London - Jedi mind tricks for building application security programs

if (slide == introduction) System.out.println("I'm David Rook");

• Security Analyst, Realex Payments, Ireland

• CISSP, CISA, GCIH and many other acronyms

• Security Ninja (www.securityninja.co.uk)

• Speaker at international security conferences

• Nominated for multiple blog awards

• A mentor in the InfoSecMentors project

• Developed and released Agnitio

Page 3: SecurityBSides London - Jedi mind tricks for building application security programs

• Using Jedi mind tricks on your developers

• s/Application Security Alien/Business Language/i;

Agenda

Page 4: SecurityBSides London - Jedi mind tricks for building application security programs

Using Jedi mind tricks on developers

• Most developers actually want to write secure code

• You need to take ownership of the app sec problems with them

• Developers generally like producing quality code, use this!

• They want security knowledge with good practices and tools

Page 5: SecurityBSides London - Jedi mind tricks for building application security programs

Using Jedi mind tricks on developers

Jim Bird, blog comment:

“I’m a software guy. I don’t need a meme. I need practices and tools that work, that help me get software out the door, better software that is more reliable and more secure.”

http://securosis.com/blog/good-programming-practices-vs.-rugged-development

Page 6: SecurityBSides London - Jedi mind tricks for building application security programs

Using Jedi mind tricks on developers

• How can you help developers?

• Help them understand how to write secure code

• Own application security problems with them

• Don’t dictate! Speak, listen, learn and improve things

Page 7: SecurityBSides London - Jedi mind tricks for building application security programs

Application Security Alien

• We speak an alien language

• We talk of injections, jackings and pwnings

Pages 8 to 10: no transcribed text
Page 11: SecurityBSides London - Jedi mind tricks for building application security programs

Application Security Alien

• We speak an alien language

• We talk of injections, jackings and pwnings

• We present findings in weird formats with a side order of FUD

Page 12: SecurityBSides London - Jedi mind tricks for building application security programs

Application Security Alien

• I will use CVSS as an example

• Let’s pretend we are analysing a SQL Injection vulnerability

Page 13: no transcribed text
Page 14: SecurityBSides London - Jedi mind tricks for building application security programs

Application Security Alien

CVSS base score equation

BaseScore = (0.6 * Impact + 0.4 * Exploitability - 1.5) * f(Impact)

Impact = 10.41 * (1 - (1 - ConfImpact) * (1 - IntegImpact) * (1 - AvailImpact))

Exploitability = 20 * AccessComplexity * Authentication * AccessVector

f(Impact) = 0 if Impact = 0; 1.176 otherwise

Page 15: SecurityBSides London - Jedi mind tricks for building application security programs

Application Security Alien

CVSS Temporal Equation

TemporalScore = BaseScore * Exploitability * RemediationLevel * ReportConfidence

Page 16: SecurityBSides London - Jedi mind tricks for building application security programs

Application Security Alien

CVSS Environmental Equation

EnvironmentalScore = (AdjustedTemporal + (10 - AdjustedTemporal) * CollateralDamagePotential) * TargetDistribution

AdjustedTemporal = TemporalScore recomputed with the Impact sub-equation replaced with the following AdjustedImpact equation.

AdjustedImpact = Min(10, 10.41 * (1 - (1 - ConfImpact * ConfReq) * (1 - IntegImpact * IntegReq) * (1 - AvailImpact * AvailReq)))

Page 17: no transcribed text
Page 18: SecurityBSides London - Jedi mind tricks for building application security programs

Application Security Alien

• We speak an alien language

• We talk of injections, jackings and pwnings

• We present findings in weird formats with a side order of FUD

• We feel security should just happen without having to justify it

Page 19: SecurityBSides London - Jedi mind tricks for building application security programs

The Business Language

• We need to speak the business language

• We need to talk about things the business cares about

• We need to present findings in a format that makes sense

Page 20: SecurityBSides London - Jedi mind tricks for building application security programs

The Business Language

• How does your business score risks?

• Let’s pretend we are analysing a SQL Injection vulnerability

Page 21: SecurityBSides London - Jedi mind tricks for building application security programs

The Business Language

A simple (common!) risk equation: Probability × Impact

Probability   Impact   Score   Appetite
3             5        15      12

Page 22: SecurityBSides London - Jedi mind tricks for building application security programs

The Business Language

• We need to speak the business language

• We need to talk about things the business cares about

• Present findings in a format that makes sense to the business

• Application security is no exception when it comes to resourcing

Page 23: SecurityBSides London - Jedi mind tricks for building application security programs

Jedi mind tricks and alien translations

• Apply the KISS principle to everything you do

• Keep everything as simple as possible, complexity doesn’t help

• Understand what developers want and need to write secure code

• Work with the business and use their language and formats

Page 24: SecurityBSides London - Jedi mind tricks for building application security programs

www.securityninja.co.uk

@securityninja

QUESTIONS?

/realexninja

/securityninja

/realexninja

Page 25: SecurityBSides London - Jedi mind tricks for building application security programs

Chris Wysopal

CTO & Co-founder

Jedi mind tricks for building application security programs

Page 26: SecurityBSides London - Jedi mind tricks for building application security programs

The formative years… Padawan?

It was all about attack.

Early web app testing: Lotus Domino, Cold Fusion

Windows Security: Netcat for Windows, L0phtCrack

Early disclosure policies: RFPolicy, L0pht Advisories

Page 27: SecurityBSides London - Jedi mind tricks for building application security programs

Now with professional PR team…

Time to help the defensive side

Led @stake research team

@stake application security consultant

Published Art of Software Security Testing

Veracode CTO and Co-Founder

Page 28: SecurityBSides London - Jedi mind tricks for building application security programs

Why do we need executive buy in?

• Application security programs will require developer training

• Application security programs will require tools/services

• Application security programs will impact delivery schedules

• Application security cannot be “voluntary”

Authority

Page 29: SecurityBSides London - Jedi mind tricks for building application security programs

Speaking the language of executives

CEOs, CFOs, CIOs

Page 30: SecurityBSides London - Jedi mind tricks for building application security programs

If money is the language of execs what do they say?

How do I grow my top line?

How do I lower costs?

How do I mitigate risk?

Talk in terms of business risk and use monetary terms when possible. Then we can speak the same language.

Page 31: SecurityBSides London - Jedi mind tricks for building application security programs

Different types of risk

Legal risk – legal costs, settlement costs, fines

Compliance risk – fines, lost business

Brand risk – lost business

Security risk – ????

Page 32: SecurityBSides London - Jedi mind tricks for building application security programs

Translate technical risk to monetary risk

• What is the monetary risk from vulnerabilities in your application portfolio?

• Monetary risk is your expected loss; derived from your vulnerabilities, your breach cost and threat space data

Diagram: Your Vulnerabilities, Your Breach Cost, Threat Space Data

Page 33: SecurityBSides London - Jedi mind tricks for building application security programs

Your Breach Cost


• Use cost analysis from your earlier breaches

• Use breach cost from public sources

– Example: April 2010 Ponemon Institute Report

Ponemon average and per-capita US breach cost (US Dollars)

(US Dollars)   Detection & Escalation   Notification   Ex-Post Response   Lost Business   Total
Average        264,208                  500,321        1,514,819          4,472,030       6,751,451
Per-capita     8                        15             46                 135             204

Ponemon per-capita data by US industry sector (US Dollars)

Communication     209
Consumer          159
Education         203
Energy            237
Financial         248
Healthcare        294
Hotel & Leisure   153
Manufacturing     136
Media             149
Pharma            310
Research          266
Retail            133
Services          256
Technology        192
Transportation    121

Page 34: SecurityBSides London - Jedi mind tricks for building application security programs

Threat Space Data


40% of data breaches are due to hacking

Source: Verizon 2010 Data Breach Investigations Report

Top 7 application vulnerability categories

62% of organizations experienced breaches in critical applications in a 12-month period

Source: Forrester 2009 Application Risk Management and Business Survey

Page 35: SecurityBSides London - Jedi mind tricks for building application security programs

How to Derive Your Expected Loss


Baseline expected loss for your organization due to SQL Injection*

*If your SQL Injection prevalence is similar to average SQL Injection prevalence; assumes 100,000 records

expected loss (vulnerability category) = f(% of orgs breached × breach cost × breach likelihood from vuln. category)

expected loss (SQL injection) = f(62% × $248 × 100,000 × 25%)

Page 36: SecurityBSides London - Jedi mind tricks for building application security programs

Monetary Risk Derived From Relative Prevalence

Vulnerability Category        Breach Likelihood   Baseline Expected Loss   Average % of Apps Affected (1)   Your % of Apps Affected (2)   Your Monetary Risk
Backdoor/Control Channel      29%                 $4,459,040               8%                               15%                           higher
SQL Injections                25%                 $3,844,000               24%                              10%                           lower
Command Injection             14%                 $2,152,640               7%                               6%                            same
XSS                           9%                  $1,383,840               34%                              5%                            lower
Insufficient Authentication   7%                  $1,076,320               5%                               2%                            lower
Insufficient Authorization    7%                  $1,076,320               7%                               7%                            same
Remote File Inclusion         2%                  $307,520                 <1%                              <1%                           same

Assume 100,000 customer records. For SQLi the expected loss is: 62% * $248 * 100,000 * 25% = $3,844,000

1. Veracode 2010 State of Software Security Report, Vol. 2

2. De-identified financial service company data from Veracode industry data
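The expected-loss arithmetic of slides 35 and 36 as a small model, so the table can be recomputed for a different record count or breach cost. This is an added example in Python, not the speaker's code: the 62% (Forrester), the $248 per-record cost (Ponemon, US financial sector), the 100,000 records and the per-category breach likelihoods and prevalence percentages are the slide's figures; treating "<1%" as 0 and the one-percentage-point tolerance used to label a category "same" are my assumptions, since the slide gives only the labels.

```python
"""Expected-loss model from slides 35 and 36.

Added example, not the speaker's code. Figures are the slide's; the tolerance used for
"same" and the treatment of "<1%" as 0 are assumptions.
"""

PCT_ORGS_BREACHED = 62      # Forrester 2009: orgs breached through critical applications, in %
COST_PER_RECORD = 248       # Ponemon 2010 per-capita breach cost, US financial sector, in USD
RECORDS = 100_000           # customer records assumed on the slide

# Breach likelihood per vulnerability category (slide 36), in %.
BREACH_LIKELIHOOD = {
    "Backdoor/Control Channel": 29,
    "SQL Injections": 25,
    "Command Injection": 14,
    "XSS": 9,
    "Insufficient Authentication": 7,
    "Insufficient Authorization": 7,
    "Remote File Inclusion": 2,
}

# Slide 36 prevalence columns, in % of applications affected ("<1%" taken as 0).
AVERAGE_PCT_APPS = {"Backdoor/Control Channel": 8, "SQL Injections": 24, "Command Injection": 7,
                    "XSS": 34, "Insufficient Authentication": 5, "Insufficient Authorization": 7,
                    "Remote File Inclusion": 0}
YOUR_PCT_APPS = {"Backdoor/Control Channel": 15, "SQL Injections": 10, "Command Injection": 6,
                 "XSS": 5, "Insufficient Authentication": 2, "Insufficient Authorization": 7,
                 "Remote File Inclusion": 0}


def baseline_expected_loss(likelihood_pct, pct_orgs=PCT_ORGS_BREACHED,
                           cost_per_record=COST_PER_RECORD, records=RECORDS):
    """% of orgs breached x breach cost per record x records x breach likelihood, in whole USD.

    Percentages are kept as integers so the slide's figures reproduce exactly.
    """
    return round(pct_orgs * cost_per_record * records * likelihood_pct / 10_000)


def relative_risk(your_pct, average_pct, tolerance_pct=1):
    """'higher', 'lower' or 'same' relative to the industry average (tolerance is an assumption)."""
    if your_pct > average_pct + tolerance_pct:
        return "higher"
    if your_pct < average_pct - tolerance_pct:
        return "lower"
    return "same"


def risk_table(your_pct_apps=YOUR_PCT_APPS, average_pct_apps=AVERAGE_PCT_APPS):
    """Rebuild slide 36: baseline loss and relative monetary risk per category."""
    return [
        {
            "category": category,
            "breach_likelihood_pct": likelihood,
            "baseline_expected_loss": baseline_expected_loss(likelihood),
            "your_monetary_risk": relative_risk(your_pct_apps[category], average_pct_apps[category]),
        }
        for category, likelihood in BREACH_LIKELIHOOD.items()
    ]


if __name__ == "__main__":
    for row in risk_table():
        print(f"{row['category']:<28} {row['breach_likelihood_pct']:>3}%  "
              f"${row['baseline_expected_loss']:>9,}  {row['your_monetary_risk']}")
```

Swapping in your own per-record cost (from an earlier breach, per slide 33) or record count changes only the baseline column; the relative column depends solely on how your prevalence compares with the industry figure.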

Page 37: SecurityBSides London - Jedi mind tricks for building application security programs

Executives want…

• An organization-wide view. Am I lowering overall application risk?

– Internal code

– Outsourced

– Vendor supplied

– Open source

• A program that has achievable objectives. What am I getting for the money I am spending?

• A program that is measurable: metrics and reporting. Am I marching toward the objectives?

– Which dev teams, outsourcers are performing well?

– How is my organization doing relative to my peers?

Page 38: SecurityBSides London - Jedi mind tricks for building application security programs

Tips to make the program successful

• The right people have to understand what is going to happen before you start

• Do a real world pen test or assessment of a project. Demonstrate relevant risk.

• Integrate into existing processes

– SDLC

– Procurement/legal

– M&A

Page 39: SecurityBSides London - Jedi mind tricks for building application security programs

Q&A

Speaker Contact Information:

Chris Wysopal ([email protected])

Twitter: @WeldPond

@securityninja

/realexninja

/securityninja

/realexninja

www.securityninja.co.uk

David Rook