Fail, Learn, Fix: Improving Security The Old-Fashioned Way

Bryan Payne
January 24, 2019

This talk was originally presented as a keynote at AppSec California 2019.

https://www.youtube.com/watch?v=bpA1l7nEIuA

Transcript

  1. 2.
  2. 3.
  3. 4.
  4. 5.

    [Chart: Electrocution Deaths in Construction (in US), by year, 2002 to 2015. Data from The Center for Construction Research and Training]
  5. 6.
  6. 11.

    ; V[0], V[1] is the 64 bit input vector
    mov V_0H Y_HIGH
    mov V_0L Y_LOW
    mov V_1H Z_HIGH
    mov V_1L Z_LOW
    ; encode V[0], V[1]
    jsr r7 ENCODE
    ; CTX is the cipher text
    mov Y_HIGH CTX_0H
    mov Y_LOW CTX_0L
    mov Z_HIGH CTX_1H
    mov Z_LOW CTX_1L
    ; reverse the encryption
    jsr r7 DECODE
    ; PTX is the recovered plain text
    ; should be the same as V[0], V[1]
    mov Y_HIGH PTX_0H
    mov Y_LOW PTX_0L
    mov Z_HIGH PTX_1H
    mov Z_LOW PTX_1L
    halt

    Image created by Stefan Kögl
  7. 12.

    Therac-25: Major Flaws
    • Lack of documentation
    • Insufficient testing
    • Cryptic / frequent error messages
    • Complicated software programmed in assembly language
    • Custom real time operating system
    • No fault tolerance / redundancy
    • Systemic failures — no hardware safeguards for software faults
  8. 13.

    Therac-25: Learnings
    • Test properly and thoroughly
    • Software quality and assurance must be a design priority from the beginning
    • Safety and quality are system attributes, not code attributes
    • Interface usability is important
    • Safety critical systems should be created by qualified personnel
  9. 14.

    Therac-25: 30 years later
    • Overconfidence in software
    • Confusing reliability with safety
    • Lack of defensive design
    • Unrealistic risk assessments
    • Inadequate investigation of incident
    • Inadequate software and system engineering practices
    • Software reuse
    • Safe vs “Friendly” User Interfaces
    • User and Government Oversight Standards
    https://www.computer.org/csdl/mags/co/2017/11/mco2017110008.html
  10. 17.
  11. 18.

    “…security is expensive to set up and a nuisance to run… While we await a catastrophe, simpler setup is the most important step toward better security.”
    Butler Lampson, USENIX Security Keynote Address, 2005
  12. 20.

    [Chart: Top 5 Action Varieties in Incidents (2017): DoS, Loss, Phishing, Misdelivery, Ransomware. Data from Verizon Data Breach Investigations Report, 2018]
  13. 21.

    [Chart: Largest DDoS (Approx), in Gbps, by year, 2002 to 2017. Data from Worldwide Infrastructure Security Report, NETSCOUT Arbor]
  14. 22.

    [Chart: Top 5 Action Varieties in Breaches (2017): Stolen Creds, RAM Scraper, Phishing, Priv Abuse, Misdelivery. Data from Verizon Data Breach Investigations Report, 2018]
  15. 23.

    [Chart: Data Breaches, Records Exposed (in Millions), by year, 2005 to 2017. Data from statista.com]
  16. 29.
  17. 34.
  18. 35.

    [Diagram: Alice (TLS Endpoint) and Bob (TLS Client), each with Cert & Key; Certificate Authority; HSM]
    • Cert lifetime?
    • Key size?
    • Key type (RSA, DSA, etc)?
    • Intermediate root certs?
    • DH params?
    • Trust in ID verification?
    • Deploy root certs?
    • Protect keys?
    • Client-side cert/key?
    • SSL/TLS versions?
    • Cipher suites?
    • HSTS?
    • SSL/TLS library?
    • Cert validation?
    • Client compatibility?
    • Perfect forward secrecy?
  19. 37.
  20. 39.

    Learning Better
    • Align on how we talk about our systems and our failures
    • Share lessons across the industry
    • Identify trends
    • Connect trends to risk / impact
  21. 40.

    Fixing Better
    • Security experts agree on proper patterns for fixing problems
    • Create real world implementations of the patterns
    • Ensure that it is trivial to use implementations correctly
    • Integrate security into computing ecosystem
  22. 42.
  23. 44.

    [Chart: Percentage of Alexa 1M Sites With HTTPS, Aug 2015 to Aug 2018. Data from https://scotthelme.co.uk/alexa-top-1-million-analysis-august-2018/]