Holistic InfoSec For Web Developers

Holistic InfoSec For Web Developers

Write the wiki URL on the board:
https://github.com/binarymist/HolisticInfoSec-For-WebDevelopers/
http://bit.ly/1BaOPF1

##############################################################
Keep Calm
##############################################################

A security solution can not be automated.
Some small pieces can be once you've understood the specific landscape you're dealing with.

##############################################################
Cat and Mouse
##############################################################

The reason why security can't be automated is because it's a game of cat and mouse.
The attackers vs the protectors.

Smart human minds often working together vs the developer mind
which most of the time isn't even thinking about how their system can be broken.

It's like thinking that software architecture (which is one of the most complex activities known to man) can be automated.
That we can take the human element out of it entirely.

Yes we can try and automate small sections that are repeatable.

Machines can not be trusted to think like humans, because they're not.

##############################################################
Mouse with Red Helmet
##############################################################

Machines are best at performing mundane & repeatable jobs.
This is not where security fits into the picture.

##############################################################
Mouse Dropping in on cheese
##############################################################

The attackers are always dreaming up new and creative ways to exploit your systems and don't just think your software,
as it goes way beyond that to…

physical infrastructure (Network),
building security,
people security (AKA social engineering).

The builders are always going to be on the back foot. Which means you need to be extra diligent.

##############################################################
Mouse Trap with Thank you note
##############################################################

We'll concentrate on software security,
but at the same time I'll attempt to raise awareness around the other areas that are just as important in order to beat the attacker at his/her game.

If you really want to establish your value, take security seriously at all levels.

##############################################################
Defence in Depth
##############################################################

Multiple layers may seem redundant.
Think of each layer as the only layer.
Attempt to stop the attack as soon as possible.

Buildings and their physical components being compromised
People being social engineered
User Interface (Mark-up, JavaScript, CSS)
Client Server Comms
Server side (internet facing)
Network components (routers, DNS servers, file servers, etc)
Back end code
Data store
OS patching
Firmware

##############################################################
Security Thinking Up-front
##############################################################

Get your security thinking up-front in the process

Security Philosophy == Quality Philosophy

Everyone on the Team needs to be thinking about security. Especially developers. There are no testers in a Scrum Team.

##############################################################
Time Detected
##############################################################

Average cost of fixing defects based on when they're introduced vs when they're detected.
Putting the practises in the right order can reduce costs by up to 100 times.

Now remember to get your head out of the code.
The most exploited vulnerabilities are in people.
The fixes can also be the cheapest.

##############################################################
Phase in Which a Defect is Introduced
##############################################################

Detect faults at the stage where they are least time consuming and costly to correct.

##############################################################
Cost of Change - Traditional Pentesting
##############################################################

Traditionally penetration testing is performed at the end of the project. Unbelievably often once the solution is delivered.

##############################################################
Cost of Change - STDD
##############################################################

By converting that effort to something that can be used in parallel with development,
we significantly reduce the costs and lift the quality.

##############################################################
BinaryMist Design->Build->Break iterations
##############################################################

In Scrum, all of these activities are performed within the Sprint in parallel with the development.

That includes STDD.

Every iteration is potentially releasable. That means the quality is baked in… Every Sprint.
There is no Design Sprint,
no Security Sprint,
no Performance Sprint,
no Maintenance Sprint.

##############################################################
Bag of Money
##############################################################

So bringing these quality activities up front to run in parallel with the development is expensive right?

##############################################################
Coins
##############################################################

Not at all, in fact quite the opposite.
Because we’re greatly reducing the feedback cycle.

##############################################################
Test Condition Workshop
##############################################################

So, when you usually run your test condition workshop, when the developer pulls a PBI into WIP…

##############################################################
Given When Thens
##############################################################

And developers create test conditions...

##############################################################
Evil Given When Thens
##############################################################

They also create evil test conditions.

Just as an aside: In the last then, sslstrip can still tamper with the very first connection.
Unless you add your domain to the hstspreload list which browser vendors (even IE soon) use to hard code into the browser.

##############################################################
Low Hanging Fruit
##############################################################

We focus on the lowest hanging fruit first.
How do we know what the lowest hanging fruit is?

This is where threat modelling comes in.
I’ll go through how to do this soon.

##############################################################
Q/A $
##############################################################

For tips on getting the most out of your quality budget, check my blog post on
“How to optimise your testing effort”

##############################################################
Smash that Computer
##############################################################

As developers, we need to embrace the mindset of breaking our own systems.

##############################################################
BinaryMist Iteration focus on Break
##############################################################

Break your system before someone else does... and they will... if you don't.

##############################################################
Landscape
##############################################################

When surveying the security landscape, the first thing you need to do (rather than diving into the code) is step right back.

Why step back?

##############################################################
Ladder to High Fruit
##############################################################

So we make sure we're attacking the lowest hanging fruit first.
There is little point in diving into memory corruption faults if we're sending our credentials over plain HTTP.

Or even easier, a disgruntled employee that already has a lot of information
that just needs to elicit that last crucial piece via a phone call to carry out a now trivial attack.

##############################################################
Binoculars at 30'000
##############################################################

Lets start with the 30,000' view.

For each level, you can take the same process.

##############################################################
Sign Posts
##############################################################

I use Bruce Schneier's Sensible Security Model as the starting point.
Then for each area you zoom into, iterate on the same model I’ve defined.

I use the Sensible Security Model as a guideline or abstraction that encompasses the threat modelling approaches from organisations such as...

OWASP, MS, Intel,
plus adds some vital other elements often not considered in the other offerings.

##############################################################
Link to Wiki
##############################################################

You can work through the github wiki at your own pace, or follow through with me.
I’ll walk through the model I use now.

So you can iterate on this model at a 30,000' view.
This will enable you to...

##############################################################
Sign Posts (Asset Identification)
##############################################################

1. Identify what you need to protect
2. work out what the risks are to what you're trying to protect
3. how to protect them
4. risks that may be introduced as part of your protection strategy
5. costs and trade-offs.

Once we’ve done the 30,000’ iteration, we’ll iterate on the same model at 10,000' for each area that the first iteration identifies.

##############################################################
Cart before Horse
##############################################################

No point coming up with security solutions without understanding what your trying to protect.

What are your assets?
What's actually important to you and/or your business?
This will be different for every business.

Data in datastore or file-system.
System resources.

For the purpose of this workshop, I’m going to take a generic approach,
but you should be thinking about how you can apply the steps to your specific domain.

##############################################################
Sign Posts (Identify Risks)
##############################################################

##############################################################
Blue Cloud
##############################################################

As part of identifying your risks, you need to establish who your threat agents / opponents are.

Other businesses, insiders? Opportunists or targeted attacks.

Adopting the mindsets of your opponents and attackers will help you to work out what they're after
and thus what your assets are.

##############################################################
Threat Agent Relationships
##############################################################

How might your threat agents gain access?

There is a lot of common ground between yourself and your adversaries.

You've got: Competing organisations, (X)employees, contractors, operational/maintenance personnel.

##############################################################
Threat Agent Factors
##############################################################

The OWASP Risk Rating Methodology and the Intel Threat Agent Library (TAL)...
are excellent resources for working out your risks.

How likely are particular exploits to be carried out?

How technically skilled is each group of threat agents?

How motivated is this group of threat agents to find and exploit this vulnerability?

What resources and opportunities are required for this group of threat agents to find and exploit this vulnerability?

What sort of access can they acquire?

How large is this group of threat agents?

##############################################################
Vulnerability Factors
##############################################################

What about factors related to the vulnerability involved like:

How easy is it for this group of threat agents to discover this vulnerability?

How easy is it for this group of threat agents to actually exploit this vulnerability?

How well known is this vulnerability to this group of threat agents?

How likely is an exploit to be detected?

##############################################################
Technical Factors
##############################################################

What's the impact likely to be if a particular exploit is executed

How much data could be disclosed and how sensitive is it?

How much data could be corrupted and how damaged is it?

Which services could be lost, how vital are they and how long could they be down for?

Would you be able to trace the threat agents actions to an individual?

##############################################################
Business Factors
##############################################################

What would the financial damage be to any given exploit?

Would the exploit result in reputation damage that would harm the business?

How much exposure does non-compliance introduce?

How much personally identifiable information could be disclosed?

##############################################################
Risk = Likelihood * Impact
##############################################################

Now that we know what we want protected (our assets)

We need to identify the risks to the things that matter to you and your organisation

by applying a rating to every risk that you identify.

##############################################################
Bob the Builder
##############################################################

What you decide to fix first will be determined by the highest scoring risks.

##############################################################
Sign Posts (Countermeasures)
##############################################################

Countermeasures and how well they mitigate the risks?

##############################################################
Incident Response Guide
##############################################################

Make sure your organisation has an incident Response Team.

There are guides on how to do this and what you'll need.

This is one of them.

Also Bruce Schneier's talk on Incident Response (Youtube).

##############################################################
Smash that Computer some more
##############################################################

Create Penetration Test plan -> execute -> Don't forget gorilla testing as it's very effective.

Report on findings and provide directions of how to mitigate.

##############################################################
Sign Posts (Risks that Solution Causes)
##############################################################

There will be new risks that the mitigation techniques introduce.
What are they?

##############################################################
Crypto Machine
##############################################################

Often commercial encryption software or services have backdoors for the likes of the NSA.
Especially from large vendors.

Use public-domain open source encryption software that has to be compatible with other implementations…
rather than proprietary implementations whose backdoors are far less likely to be discovered.

##############################################################
Scales
##############################################################

Are the new risks of a lesser weight than the mitigated risks?
Only you can decide.

Often you’ll have to provide extra code for the security solutions.
This code is extra code that can go wrong
& has to be tested.

##############################################################
Sign Posts (Costs and Trade-offs)
##############################################################

How much are you prepared to give up to get the job done?

##############################################################
Clock -> Fruit
##############################################################

You need to establish the value of your assets &
weigh the loss of, against cost of security implementation.

There is often a loss of convenience incurred.
You need to be able to measure & be prepared for this.

If it's a product you're trying to get to market, it may take you longer to get it there.
Even though once it's there it's more likely to stay there.
This is why you must have experienced people responsible for carrying out the work.

##############################################################
Crypto Machine again
##############################################################

Crypto and many other security solutions incur performance penalties.

##############################################################
Sign Posts
##############################################################

Now that we’ve done a theoretical 30,000’ iteration using the threat modeling procedure,
we should have a pretty good idea of:

1. What we’re trying to protect
2. The low hanging fruit that we need to provide countermeasures for
3. What the countermeasures look like
4. the additional risks that they cause
5. Costs and Trade-offs.

##############################################################
Binoculars at Physical
##############################################################

We would now iterate on the same model at 10,000' for each area that the first iteration identified.

Now lets walk through some of the lower level concerns

Starting with Physical

#### Work through Wiki

##############################################################
Staying on Top
##############################################################

Keeping a system secure is a never ending job.

Get educated.
There are many excellent resources available.

Get along to your OWASP meetups also.

##############################################################
Last Slide
##############################################################

For more details check out the links to my blog.

A397cb38965ab9f310e7148b8c3d1105?s=128

Kim Carter

May 27, 2015
Tweet