Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Holistic InfoSec For Web Developers

Holistic InfoSec For Web Developers

Write the wiki URL on the board:
https://github.com/binarymist/HolisticInfoSec-For-WebDevelopers/
http://bit.ly/1BaOPF1

##############################################################
Keep Calm
##############################################################

A security solution can not be automated.
Some small pieces can be once you've understood the specific landscape you're dealing with.

##############################################################
Cat and Mouse
##############################################################

The reason why security can't be automated is because it's a game of cat and mouse.
The attackers vs the protectors.

Smart human minds often working together vs the developer mind
which most of the time isn't even thinking about how their system can be broken.

It's like thinking that software architecture (which is one of the most complex activities known to man) can be automated.
That we can take the human element out of it entirely.

Yes we can try and automate small sections that are repeatable.

Machines can not be trusted to think like humans, because they're not.

##############################################################
Mouse with Red Helmet
##############################################################

Machines are best at performing mundane & repeatable jobs.
This is not where security fits into the picture.

##############################################################
Mouse Dropping in on cheese
##############################################################

The attackers are always dreaming up new and creative ways to exploit your systems and don't just think your software,
as it goes way beyond that to…

physical infrastructure (Network),
building security,
people security (AKA social engineering).

The builders are always going to be on the back foot. Which means you need to be extra diligent.

##############################################################
Mouse Trap with Thank you note
##############################################################

We'll concentrate on software security,
but at the same time I'll attempt to raise awareness around the other areas that are just as important in order to beat the attacker at his/her game.

If you really want to establish your value, take security seriously at all levels.

##############################################################
Defence in Depth
##############################################################

Multiple layers may seem redundant.
Think of each layer as the only layer.
Attempt to stop the attack as soon as possible.

Buildings and their physical components being compromised
People being social engineered
User Interface (Mark-up, JavaScript, CSS)
Client <–> Server Comms
Server side (internet facing)
Network components (routers, DNS servers, file servers, etc)
Back end code
Data store
OS patching
Firmware

##############################################################
Security Thinking Up-front
##############################################################

Get your security thinking up-front in the process

Security Philosophy == Quality Philosophy

Everyone on the Team needs to be thinking about security. Especially developers. There are no testers in a Scrum Team.

##############################################################
Time Detected
##############################################################

Average cost of fixing defects based on when they're introduced vs when they're detected.
Putting the practises in the right order can reduce costs by up to 100 times.

Now remember to get your head out of the code.
The most exploited vulnerabilities are in people.
The fixes can also be the cheapest.

##############################################################
Phase in Which a Defect is Introduced
##############################################################

Detect faults at the stage where they are least time consuming and costly to correct.

##############################################################
Cost of Change - Traditional Pentesting
##############################################################

Traditionally penetration testing is performed at the end of the project. Unbelievably often once the solution is delivered.

##############################################################
Cost of Change - STDD
##############################################################

By converting that effort to something that can be used in parallel with development,
we significantly reduce the costs and lift the quality.

##############################################################
BinaryMist Design->Build->Break iterations
##############################################################

In Scrum, all of these activities are performed within the Sprint in parallel with the development.

That includes STDD.

Every iteration is potentially releasable. That means the quality is baked in… Every Sprint.
There is no Design Sprint,
no Security Sprint,
no Performance Sprint,
no Maintenance Sprint.

##############################################################
Bag of Money
##############################################################

So bringing these quality activities up front to run in parallel with the development is expensive right?

##############################################################
Coins
##############################################################

Not at all, in fact quite the opposite.
Because we’re greatly reducing the feedback cycle.

##############################################################
Test Condition Workshop
##############################################################

So, when you usually run your test condition workshop, when the developer pulls a PBI into WIP…

##############################################################
Given When Thens
##############################################################

And developers create test conditions...

##############################################################
Evil Given When Thens
##############################################################

They also create evil test conditions.

Just as an aside: In the last then, sslstrip can still tamper with the very first connection.
Unless you add your domain to the hstspreload list which browser vendors (even IE soon) use to hard code into the browser.

##############################################################
Low Hanging Fruit
##############################################################

We focus on the lowest hanging fruit first.
How do we know what the lowest hanging fruit is?

This is where threat modelling comes in.
I’ll go through how to do this soon.

##############################################################
Q/A $
##############################################################

For tips on getting the most out of your quality budget, check my blog post on
“How to optimise your testing effort”

##############################################################
Smash that Computer
##############################################################

As developers, we need to embrace the mindset of breaking our own systems.

##############################################################
BinaryMist Iteration focus on Break
##############################################################

Break your system before someone else does... and they will... if you don't.

##############################################################
Landscape
##############################################################

When surveying the security landscape, the first thing you need to do (rather than diving into the code) is step right back.

Why step back?

##############################################################
Ladder to High Fruit
##############################################################

So we make sure we're attacking the lowest hanging fruit first.
There is little point in diving into memory corruption faults if we're sending our credentials over plain HTTP.

Or even easier, a disgruntled employee that already has a lot of information
that just needs to elicit that last crucial piece via a phone call to carry out a now trivial attack.

##############################################################
Binoculars at 30'000
##############################################################

Lets start with the 30,000' view.

For each level, you can take the same process.

##############################################################
Sign Posts
##############################################################

I use Bruce Schneier's Sensible Security Model as the starting point.
Then for each area you zoom into, iterate on the same model I’ve defined.

I use the Sensible Security Model as a guideline or abstraction that encompasses the threat modelling approaches from organisations such as...

OWASP, MS, Intel,
plus adds some vital other elements often not considered in the other offerings.

##############################################################
Link to Wiki
##############################################################

You can work through the github wiki at your own pace, or follow through with me.
I’ll walk through the model I use now.

So you can iterate on this model at a 30,000' view.
This will enable you to...

##############################################################
Sign Posts (Asset Identification)
##############################################################

1. Identify what you need to protect
2. work out what the risks are to what you're trying to protect
3. how to protect them
4. risks that may be introduced as part of your protection strategy
5. costs and trade-offs.

Once we’ve done the 30,000’ iteration, we’ll iterate on the same model at 10,000' for each area that the first iteration identifies.

##############################################################
Cart before Horse
##############################################################

No point coming up with security solutions without understanding what your trying to protect.

What are your assets?
What's actually important to you and/or your business?
This will be different for every business.

Data in datastore or file-system.
System resources.

For the purpose of this workshop, I’m going to take a generic approach,
but you should be thinking about how you can apply the steps to your specific domain.

##############################################################
Sign Posts (Identify Risks)
##############################################################

##############################################################
Blue Cloud
##############################################################

As part of identifying your risks, you need to establish who your threat agents / opponents are.

Other businesses, insiders? Opportunists or targeted attacks.

Adopting the mindsets of your opponents and attackers will help you to work out what they're after
and thus what your assets are.

##############################################################
Threat Agent Relationships
##############################################################

How might your threat agents gain access?

There is a lot of common ground between yourself and your adversaries.

You've got: Competing organisations, (X)employees, contractors, operational/maintenance personnel.

##############################################################
Threat Agent Factors
##############################################################

The OWASP Risk Rating Methodology and the Intel Threat Agent Library (TAL)...
are excellent resources for working out your risks.

How likely are particular exploits to be carried out?

How technically skilled is each group of threat agents?

How motivated is this group of threat agents to find and exploit this vulnerability?

What resources and opportunities are required for this group of threat agents to find and exploit this vulnerability?

What sort of access can they acquire?

How large is this group of threat agents?

##############################################################
Vulnerability Factors
##############################################################

What about factors related to the vulnerability involved like:

How easy is it for this group of threat agents to discover this vulnerability?

How easy is it for this group of threat agents to actually exploit this vulnerability?

How well known is this vulnerability to this group of threat agents?

How likely is an exploit to be detected?

##############################################################
Technical Factors
##############################################################

What's the impact likely to be if a particular exploit is executed

How much data could be disclosed and how sensitive is it?

How much data could be corrupted and how damaged is it?

Which services could be lost, how vital are they and how long could they be down for?

Would you be able to trace the threat agents actions to an individual?

##############################################################
Business Factors
##############################################################

What would the financial damage be to any given exploit?

Would the exploit result in reputation damage that would harm the business?

How much exposure does non-compliance introduce?

How much personally identifiable information could be disclosed?

##############################################################
Risk = Likelihood * Impact
##############################################################

Now that we know what we want protected (our assets)

We need to identify the risks to the things that matter to you and your organisation

by applying a rating to every risk that you identify.

##############################################################
Bob the Builder
##############################################################

What you decide to fix first will be determined by the highest scoring risks.

##############################################################
Sign Posts (Countermeasures)
##############################################################

Countermeasures and how well they mitigate the risks?

##############################################################
Incident Response Guide
##############################################################

Make sure your organisation has an incident Response Team.

There are guides on how to do this and what you'll need.

This is one of them.

Also Bruce Schneier's talk on Incident Response (Youtube).

##############################################################
Smash that Computer some more
##############################################################

Create Penetration Test plan -> execute -> Don't forget gorilla testing as it's very effective.

Report on findings and provide directions of how to mitigate.

##############################################################
Sign Posts (Risks that Solution Causes)
##############################################################

There will be new risks that the mitigation techniques introduce.
What are they?

##############################################################
Crypto Machine
##############################################################

Often commercial encryption software or services have backdoors for the likes of the NSA.
Especially from large vendors.

Use public-domain open source encryption software that has to be compatible with other implementations…
rather than proprietary implementations whose backdoors are far less likely to be discovered.

##############################################################
Scales
##############################################################

Are the new risks of a lesser weight than the mitigated risks?
Only you can decide.

Often you’ll have to provide extra code for the security solutions.
This code is extra code that can go wrong
& has to be tested.

##############################################################
Sign Posts (Costs and Trade-offs)
##############################################################

How much are you prepared to give up to get the job done?

##############################################################
Clock -> Fruit
##############################################################

You need to establish the value of your assets &
weigh the loss of, against cost of security implementation.

There is often a loss of convenience incurred.
You need to be able to measure & be prepared for this.

If it's a product you're trying to get to market, it may take you longer to get it there.
Even though once it's there it's more likely to stay there.
This is why you must have experienced people responsible for carrying out the work.

##############################################################
Crypto Machine again
##############################################################

Crypto and many other security solutions incur performance penalties.

##############################################################
Sign Posts
##############################################################

Now that we’ve done a theoretical 30,000’ iteration using the threat modeling procedure,
we should have a pretty good idea of:

1. What we’re trying to protect
2. The low hanging fruit that we need to provide countermeasures for
3. What the countermeasures look like
4. the additional risks that they cause
5. Costs and Trade-offs.

##############################################################
Binoculars at Physical
##############################################################

We would now iterate on the same model at 10,000' for each area that the first iteration identified.

Now lets walk through some of the lower level concerns

Starting with Physical

#### Work through Wiki

##############################################################
Staying on Top
##############################################################

Keeping a system secure is a never ending job.

Get educated.
There are many excellent resources available.

Get along to your OWASP meetups also.

##############################################################
Last Slide
##############################################################

For more details check out the links to my blog.

Kim Carter

May 27, 2015
Tweet

More Decks by Kim Carter

Other Decks in Technology

Transcript

  1. Holistic InfoSec
    IoT
    Physical People
    Mobile Cloud VPS Network Web App
    Web App
    for Web Developers

    View Slide

  2. View Slide

  3. 5: Identify Risks?

    View Slide

  4. 5: Identify Risks?

    View Slide

  5. 5: Identify Risks?

    View Slide

  6. 5: Identify Risks?

    View Slide

  7. 5: Identify Risks?
    Defence in Depth

    View Slide

  8. 5: Identify Risks?
    Security Thinking Up-front

    View Slide

  9. 5: Identify Risks?

    View Slide

  10. 5: Identify Risks?

    View Slide

  11. Requirements or design defect found via
    Product Backlog Item (PBI) collaboration
    Length of Feedback Cycle
    Cost
    Requirements or design defect
    found in Test Conditions Workshop
    Programming or design defect
    found via Pair Programming
    Programming defect found
    via Continuous Integration
    Programming or design defect found via
    Test Driven Development (T(B)DD)
    Requirements or design defect
    found via Stakeholder Participation
    Defect found via pair
    Developer Testing
    Defect found via
    Independent Review
    Requirements defect found via
    traditional Acceptance Testing
    Programming or design defect
    found via Pair Review
    Design defect found via
    traditional System Testing
    Programming defect found via
    traditional System Testing
    Security defect found via
    traditional external Penetration Testing

    View Slide

  12. Requirements or design defect found via
    Product Backlog Item (PBI) collaboration
    Length of Feedback Cycle
    Cost
    Requirements or design defect
    found in Test Conditions Workshop
    Programming or design defect
    found via Pair Programming
    Programming defect found
    via Continuous Integration
    Programming or design defect found via
    Test Driven Development (T(B)DD)
    Requirements or design defect
    found via Stakeholder Participation
    Defect found via pair
    Developer Testing
    Defect found via
    Independent Review
    Requirements defect found via
    traditional Acceptance Testing
    Programming or design defect
    found via Pair Review
    Design defect found via
    traditional System Testing
    Programming defect found via
    traditional System Testing
    Security defect found via Security
    Test Driven Development (STDD)

    View Slide

  13. 5: Identify Risks?

    View Slide

  14. 5: Identify Risks?
    But increasing quality has
    to be expensive right?

    View Slide

  15. 5: Identify Risks?
    Nope!

    View Slide

  16. 5: Identify Risks?
    Test condition workshop...

    View Slide

  17. 5: Identify Risks?
    Test condition workshop...
    Given When Then
    There are no items in
    the shopping cart
    Customer clicks
    “Purchase” button for a
    book which is in stock
    1 x book is added to
    shopping cart. Book is
    held - preventing
    selling it twice.
    “ Customer clicks
    “Purchase” button for a
    book which is not in
    stock
    Dialog with “Out of
    stock” message is
    displayed and offering
    customer option of
    putting book on back
    order.

    View Slide

  18. 5: Identify Risks?
    Given When Then
    There are no items in
    the shopping cart
    User tries to
    downgrade TLS and the
    HSTS header is not sent
    by the server
    User should be
    redirected (response
    301 status code) to the
    HTTPS site from the
    server
    “ User tries to
    downgrade TLS and the
    HSTS header is sent by
    the server
    User should be
    redirected to the HTTPS
    site from the browser
    (no HTTP traffic for
    sslstrip to tamper with)
    Test condition workshop...

    View Slide

  19. 5: Identify Risks?
    Injection
    TLS
    Downgrade
    D-DOS?
    Easy to execute.
    Tricky to mitigate
    People in
    need of
    education

    View Slide

  20. 5: Identify Risks?
    Q/A $

    View Slide

  21. 5: Identify Risks?

    View Slide

  22. 5: Identify Risks?

    View Slide

  23. 5: Identify Risks?
    People
    App
    IoT
    Mobile
    VPS
    Network
    Cloud
    Physical

    View Slide

  24. 5: Identify Risks?
    Injection
    TLS
    Downgrade
    D-DOS?
    Easy to execute.
    Tricky to mitigate
    People in
    need of
    education
    Buffer
    Overflows

    View Slide

  25. 5: Identify Risks?
    IoT
    Physical People
    Mobile Cloud VPS Network Web App

    View Slide

  26. 1: Asset Identification
    2: Identify Risks
    3: Countermeasures
    4: What risks does solution cause?
    5: Costs and Trade-offs

    View Slide

  27. 5: Identify Risks?
    https://github.com/binarymist/
    HolisticInfoSec-For-WebDevelopers/
    wiki

    View Slide

  28. 1: Asset Identification
    2: Identify Risks
    3: Countermeasures
    4: What risks does solution cause?
    5: Costs and Trade-offs

    View Slide

  29. 5: Identify Risks?
    1: Asset Identification

    View Slide

  30. 1: Asset Identification
    2: Identify Risks
    3: Countermeasures
    4: What risks does solution cause?
    5: Costs and Trade-offs

    View Slide

  31. 5: Identify Risks?
    2: Identify Risks

    View Slide

  32. 5: Identify Risks?
    2: Identify Risks
    Dependency

    View Slide

  33. 5: Identify Risks?
    2: Identify Risks
    Likelihood
    Threat Agent Factors

    Skill level

    Motive

    Opportunity

    Size

    View Slide

  34. 5: Identify Risks?
    2: Identify Risks
    Likelihood
    Vulnerability Factors

    Ease of discovery

    Ease of exploit

    Awareness

    Intrusion detection

    View Slide

  35. 5: Identify Risks?
    2: Identify Risks
    Impact
    Technical Factors

    Loss of confidentiality

    Loss of integrity

    Loss of availability

    Loss of accountability

    View Slide

  36. 5: Identify Risks?
    2: Identify Risks
    Impact
    Business Factors

    Financial damage

    Reputation damage

    Non-compliance

    Privacy violation

    View Slide

  37. 5: Identify Risks?
    2: Identify Risks
    Risk = Likelihood * Impact

    View Slide

  38. 2: Identify Risks

    View Slide

  39. 1: Asset Identification
    2: Identify Risks
    3: Countermeasures
    4: What risks does solution cause?
    5: Costs and Trade-offs

    View Slide

  40. View Slide

  41. 3: Countermeasures
    Break Your System

    View Slide

  42. 1: Asset Identification
    2: Identify Risks
    3: Countermeasures
    4: What risks does solution cause?
    5: Costs and Trade-offs

    View Slide


  43. Avoid Commercial

    Use Public-Domain
    4: Risks that solution causes

    View Slide

  44. 4: Risks that solution causes
    New Mitigated

    View Slide

  45. 1: Asset Identification
    2: Identify Risks
    3: Countermeasures
    4: What risks does solution cause?
    5: Costs and Trade-offs

    View Slide

  46. 5: Costs and Trade-offs
    Establish Value
    Loss of Convenience

    View Slide

  47. 5: Costs and Trade-offs

    View Slide

  48. 1: Asset Identification
    2: Identify Risks
    3: Countermeasures
    4: What risks does solution cause?
    5: Costs and Trade-offs

    View Slide

  49. 5: Identify Risks?
    IoT
    Physical People
    Mobile Cloud VPS Network Web App

    View Slide

  50. 5: Identify Risks?
    IoT
    Physical People
    Mobile Cloud VPS Network Web App

    View Slide

  51. 5: Identify Risks?
    IoT
    Physical People
    Mobile Cloud VPS Network Web App

    View Slide

  52. 5: Identify Risks?
    IoT
    Physical People
    Mobile Cloud VPS Network Web App

    View Slide

  53. 5: Identify Risks?
    IoT
    Physical People
    Mobile Cloud VPS Network Web App

    View Slide

  54. 5: Identify Risks?
    IoT
    Physical People
    Mobile Cloud VPS Network Web App

    View Slide

  55. 5: Identify Risks?
    IoT
    Physical People
    Mobile Cloud VPS Network Web App

    View Slide

  56. 5: Identify Risks?
    IoT
    Physical People
    Mobile Cloud VPS Network Web App

    View Slide

  57. Staying on Top
    5: Costs and Trade-offs

    View Slide

  58. View Slide