Fail, Learn, Fix: Improving Security The Old-Fashioned Way

Bryan Payne
January 24, 2019

This talk was originally presented as a keynote at AppSec California 2019.

https://www.youtube.com/watch?v=bpA1l7nEIuA

Transcript

  1. Fail, Learn, Fix: Improving Security The Old-Fashioned Way
    Bryan Payne
    @bdpsecurity

  2. (no transcript text)

  3. (no transcript text)

  4. (no transcript text)

  5. [Chart] Electrocution Deaths in Construction (in US), by year, 2002 to 2015
    Data from The Center for Construction Research and Training

  6. (no transcript text)

  7. Fail, Learn, Fix in Computing

  8. symbolics.com

  9. Therac-25

  10. Therac-25
    software-controlled radiotherapy machine

  11. ; V[0], V[1] is the 64 bit input vector
    mov V_0H Y_HIGH
    mov V_0L Y_LOW
    mov V_1H Z_HIGH
    mov V_1L Z_LOW
    ; encode V[0], V[1]
    jsr r7 ENCODE
    ; CTX is the cipher text
    mov Y_HIGH CTX_0H
    mov Y_LOW CTX_0L
    mov Z_HIGH CTX_1H
    mov Z_LOW CTX_1L
    ; reverse the encryption
    jsr r7 DECODE
    ; PTX is the recovered plain text
    ; should be the same as V[0], V[1]
    mov Y_HIGH PTX_0H
    mov Y_LOW PTX_0L
    mov Z_HIGH PTX_1H
    mov Z_LOW PTX_1L
    halt
    Image created by Stefan Kögl

  12. Therac-25: Major Flaws
    • Lack of documentation
    • Insufficient testing
    • Cryptic / frequent error messages
    • Complicated software programmed in assembly language
    • Custom real time operating system
    • No fault tolerance / redundancy
    • Systemic failures — no hardware safeguards for software faults

  13. Therac-25: Learnings
    • Test properly and thoroughly
    • Software quality and assurance must be a design priority from the beginning
    • Safety and quality are system attributes, not code attributes
    • Interface usability is important
    • Safety critical systems should be created by qualified personnel

  14. Therac-25: 30 years later
    • Overconfidence in software
    • Confusing reliability with safety
    • Lack of defensive design
    • Unrealistic risk assessments
    • Inadequate investigation of incident
    • Inadequate software and system engineering practices
    • Software reuse
    • Safe vs “Friendly” User Interfaces
    • User and Government Oversight Standards
    https://www.computer.org/csdl/mags/co/2017/11/mco2017110008.html

  15. What would have happened if the Therac-25 failure didn’t occur?

  16. Fail, Learn, Fix in Security

  17. (no transcript text)

  18. “…security is expensive to set up and a
    nuisance to run… While we await a
    catastrophe, simpler setup is the most
    important step toward better security.”
    Butler Lampson, USENIX Security Keynote Address, 2005

  19. Image created by Johanna Pung for Wikimedia Deutschland

  20. [Chart] Top 5 Action Varieties in Incidents (2017): DoS, Loss, Phishing, Misdelivery, Ransomware
    Data from Verizon Data Breach Investigations Report, 2018

  21. [Chart] Largest DDoS (Approx), in Gbps, by year, 2002 to 2017
    Data from Worldwide Infrastructure Security Report, NETSCOUT Arbor

  22. [Chart] Top 5 Action Varieties in Breaches (2017): Stolen Creds, RAM Scraper, Phishing, Priv Abuse, Misdelivery
    Data from Verizon Data Breach Investigations Report, 2018

  23. [Chart] Data Breaches: Records Exposed (in Millions), by year, 2005 to 2017
    Data from statista.com

  24. Fail
    Learn
    Fix

  25. Fail
    Learn
    Fix
    A+

  26. Fail
    Learn
    Fix
    A+
    C

  27. Fail
    Learn
    Fix
    A+
    C
    F

  28. Paths to Success

  29. (no transcript text)

  30. Image from https://www.flickr.com/photos/stampinmom/

  31. Security Pattern Catalog
    http://www.munawarhafiz.com/securitypatterncatalog/

  32. Image from https://www.flickr.com/photos/slgc/

  33. [Diagram] Alice (TLS Endpoint) and Bob (TLS Client), each holding a Cert & Key

  34. [Diagram] Alice (TLS Endpoint) and Bob (TLS Client), each holding a Cert & Key, plus a Certificate Authority and an HSM

  35. [Diagram] Alice (TLS Endpoint) and Bob (TLS Client), each holding a Cert & Key, plus a Certificate Authority and an HSM; the open questions:
    • Cert lifetime?
    • Key size?
    • Key type (RSA, DSA, etc)?
    • Intermediate root certs?
    • DH params?
    • Trust in ID verification?
    • Deploy root certs?
    • Protect keys?
    • Client-side cert/key?
    • SSL/TLS versions?
    • Cipher suites?
    • HSTS?
    • SSL/TLS library?
    • Cert validation?
    • Client compatibility?
    • Perfect forward secrecy?

  36. ENDPOINT_SECURITY=enabled

  37. (no transcript text)

  38. Failing Better

  39. Learning Better
    • Align on how we talk about our systems and our failures
    • Share lessons across the industry
    • Identify trends
    • Connect trends to risk / impact

  40. Fixing Better
    • Security experts agree on proper patterns for fixing problems
    • Create real world implementations of the patterns
    • Ensure that it is trivial to use implementations correctly
    • Integrate security into computing ecosystem

  41. Success Stories

  42. (no transcript text)

  43. Graphs from https://arstechnica.com/information-technology/2013/10/internet-explorer-6-usage-drops-below-5-percent-in-september/

  44. [Chart] Percentage of Alexa 1M Sites With HTTPS, Aug 2015 to Aug 2018
    Data from https://scotthelme.co.uk/alexa-top-1-million-analysis-august-2018/

  45. Secure the system… for everyone!
    Fail
    Learn
    Fix

  46. Fail, Learn, Fix: Improving Security The Old-Fashioned Way
    Bryan Payne
    @bdpsecurity