Fail, Learn, Fix: Improving Security The Old-Fashioned Way

Bryan Payne
January 24, 2019


This talk was originally presented as a keynote at AppSec California 2019.

https://www.youtube.com/watch?v=bpA1l7nEIuA


Transcript

  1. Fail, Learn, Fix: Improving Security The Old-Fashioned Way Bryan Payne

    @bdpsecurity
  2. None
  3. None
  4. None
  5. Electrocution Deaths in Construction (in US), 2002 to 2015 (chart, y-axis 0 to 150; data from The Center for Construction Research and Training)
  6. None
  7. Fail, Learn, Fix in Computing

  8. symbolics.com

  9. Therac-25

  10. Therac-25 software controlled radiotherapy machine

  11. ; V[0], V[1] is the 64 bit input vector
      mov V_0H Y_HIGH
      mov V_0L Y_LOW
      mov V_1H Z_HIGH
      mov V_1L Z_LOW
      ; encode V[0], V[1]
      jsr r7 ENCODE
      ; CTX is the cipher text
      mov Y_HIGH CTX_0H
      mov Y_LOW CTX_0L
      mov Z_HIGH CTX_1H
      mov Z_LOW CTX_1L
      ; reverse the encryption
      jsr r7 DECODE
      ; PTX is the recovered plain text
      ; should be the same as V[0], V[1]
      mov Y_HIGH PTX_0H
      mov Y_LOW PTX_0L
      mov Z_HIGH PTX_1H
      mov Z_LOW PTX_1L
      halt
      Image created by Stefan Kögl
  12. Therac-25: Major Flaws
      • Lack of documentation
      • Insufficient testing
      • Cryptic / frequent error messages
      • Complicated software programmed in assembly language
      • Custom real time operating system
      • No fault tolerance / redundancy
      • Systemic failures — no hardware safeguards for software faults
  13. Therac-25: Learnings
      • Test properly and thoroughly
      • Software quality and assurance must be a design priority from the beginning
      • Safety and quality are system attributes, not code attributes
      • Interface usability is important
      • Safety critical systems should be created by qualified personnel
  14. Therac-25: 30 years later
      • Overconfidence in software
      • Confusing reliability with safety
      • Lack of defensive design
      • Unrealistic risk assessments
      • Inadequate investigation of incident
      • Inadequate software and system engineering practices
      • Software reuse
      • Safe vs “Friendly” User Interfaces
      • User and Government Oversight Standards
      https://www.computer.org/csdl/mags/co/2017/11/mco2017110008.html
  15. What would have happened if the Therac-25 failure didn’t occur?

  16. Fail, Learn, Fix in Security

  17. None
  18. “…security is expensive to set up and a nuisance to run… While we await a catastrophe, simpler setup is the most important step toward better security.”
      Butler Lampson, USENIX Security Keynote Address, 2005
  19. Image created by Johanna Pung for Wikimedia Deutschland

  20. Top 5 Action Varieties in Incidents (2017): DoS, Loss, Phishing, Misdelivery, Ransomware (chart, x-axis 0 to 30000; data from Verizon Data Breach Investigations Report, 2018)
  21. Largest DDoS (Approx) in Gbps, 2002 to 2017 (chart, y-axis 0 to 800 Gbps; data from Worldwide Infrastructure Security Report, NETSCOUT Arbor)
  22. Top 5 Action Varieties in Breaches (2017): Stolen Creds, RAM Scraper, Phishing, Priv Abuse, Misdelivery (chart, x-axis 0 to 400; data from Verizon Data Breach Investigations Report, 2018)
  23. Data Breaches: Records Exposed (in Millions), 2005 to 2017 (chart, y-axis 0 to 1600; data from statista.com)
  24. Fail Learn Fix

  25. Fail Learn Fix A+

  26. Fail Learn Fix A+ C

  27. Fail Learn Fix A+ C F

  28. Paths to Success

  29. None
  30. Image from https://www.flickr.com/photos/stampinmom/

  31. Security Pattern Catalog http://www.munawarhafiz.com/securitypatterncatalog/

  32. Image from https://www.flickr.com/photos/slgc/

  33. (diagram) Alice (TLS Endpoint): Cert & Key. Bob (TLS Client): Cert & Key.
  34. (diagram) Alice (TLS Endpoint): Cert & Key. Bob (TLS Client): Cert & Key. Certificate Authority with HSM.
  35. (diagram) Alice (TLS Endpoint): Cert & Key. Bob (TLS Client): Cert & Key. Certificate Authority with HSM.
      • Cert lifetime?
      • Key size?
      • Key type (RSA, DSA, etc)?
      • Intermediate root certs?
      • DHparms?
      • Trust in ID verification?
      • Deploy root certs?
      • Protect keys?
      • Client-side cert/key?
      • SSL/TLS versions?
      • Cipher suites?
      • HSTS?
      • SSL/TLS library?
      • Cert validation?
      • Client compatibility?
      • Perfect forward secrecy?
  36. ENDPOINT_SECURITY=enabled

  37. None
  38. Failing Better

  39. Learning Better
      • Align on how we talk about our systems and our failures
      • Share lessons across the industry
      • Identify trends
      • Connect trends to risk / impact
  40. Fixing Better
      • Security experts agree on proper patterns for fixing problems
      • Create real world implementations of the patterns
      • Ensure that it is trivial to use implementations correctly
      • Integrate security into computing ecosystem
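An added example, not part of the talk or its slides, showing what the "trivial to use correctly" point of slide 40 looks like against the TLS checklist of slide 35: a hand-rolled Python ssl context (the developer answers every question with "whatever makes it connect") beside the library's secure-default context, with a small audit that reads the answers to the checklist questions that an SSLContext object can actually report. The function names, the WEAK_CIPHER_MARKERS deny-list and the two example contexts are assumptions constructed for this illustration; the checks use only the standard-library ssl API and make no network connection.

```python
"""Audit a Python ssl.SSLContext against the TLS checklist from the talk.

Added example, not code from the talk. Runs offline; nothing connects anywhere.
"""
import ssl

# Cipher-name fragments a practitioner would not expect in a modern suite list.
# Constructed deny-list for illustration, not an exhaustive one.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")


def audit_tls_context(ctx: ssl.SSLContext,
                      purpose: ssl.Purpose = ssl.Purpose.SERVER_AUTH) -> list[str]:
    """Return findings for the checklist questions that can be read straight
    off an SSLContext. An empty list means every check implemented here passed."""
    findings = []

    # "SSL/TLS versions?": nothing below TLS 1.2 should be negotiable.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2")

    # "Cert validation?" / "Trust in ID verification?": a client that does not
    # verify the peer certificate and its hostname can be impersonated.
    if purpose is ssl.Purpose.SERVER_AUTH:
        if ctx.verify_mode == ssl.CERT_NONE:
            findings.append("peer certificate is not verified (CERT_NONE)")
        if not ctx.check_hostname:
            findings.append("hostname verification is disabled")

    # "Cipher suites?": flag anything on the constructed marker list.
    for cipher in ctx.get_ciphers():
        if any(marker in cipher["name"] for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher enabled: {cipher['name']}")

    # TLS-level compression should be off (CRIME-style attacks).
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression is not disabled")

    return findings


def hand_rolled_client_context() -> ssl.SSLContext:
    """A context configured the way it is often done in a hurry: every
    checklist question answered with 'whatever makes the connection succeed'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_default_client_context() -> ssl.SSLContext:
    """The 'ENDPOINT_SECURITY=enabled' version: the library's secure defaults,
    plus an explicit protocol floor so the choice does not depend on the
    Python build."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for label, ctx in (("hand-rolled", hand_rolled_client_context()),
                       ("secure-default", secure_default_client_context())):
        print(label, audit_tls_context(ctx) or ["no findings"])
```

The audit only covers questions an SSLContext can answer about itself (versions, validation, cipher list, compression); the remaining items on the slide (certificate lifetime, key protection, HSTS, client compatibility) live in the deployment, not the library call, which is the talk's point about where the hard choices still sit.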
  41. Success Stories

  42. None
  43. Graphs from https://arstechnica.com/information-technology/2013/10/internet-explorer-6-usage-drops-below-5-percent-in-september/

  44. Percentage of Alexa 1M Sites With HTTPS, Aug 2015 to Aug 2018 (chart, y-axis 0 to 100; data from https://scotthelme.co.uk/alexa-top-1-million-analysis-august-2018/)
  45. Secure the system… for everyone! Fail Learn Fix

  46. Fail, Learn, Fix: Improving Security The Old-Fashioned Way Bryan Payne

    @bdpsecurity