Secure Applications, by Design

S E C U R E A P P L I C A T I O N S ,
B Y D E S I G N
Craig Stuntz ∈ Improving
https://speakerdeck.com/craigstuntz

View Slide

P R E V I E W
• What does application security mean?
• Some “f ixes” which don’t work
• Security f rom f irst principles
• Threat modeling
• Application design guided by principles and threat
model

View Slide

– H i p p o c r a t i c O a t h ( 1 9 6 4 L o u i s L a s a g n a v e r s i o n )
“I will remember that I do not treat a fever chart, a
cancerous growth, but a sick human being, whose
illness may affect the person’s family and economic
stability.”

View Slide

View Slide

1. ummm… blockchain?
2. ???
3. prof it!

View Slide

http://www.independent.co.uk/travel/news-and-advice/air-safety-2017-best-year-safest-airline-passengers-worldwide-to70-civil-aviation-review-
a8130796.html

View Slide

W O U L D Y O U D E S I G N S O F T W A R E D I F F E R E N T LY I F H U M A N
S A F E T Y W A S A LW A Y S T H E F I R S T C O N S I D E R A T I O N ?
H O W ?
https://www.flickr.com/photos/wocintechchat/25900776992/

View Slide

– A C M C o d e o f E t h i c s a n d P r o f e s s i o n a l C o n d u c t ( p r o p o s e d )
“A computing professional should contribute to
society and to human well-being, acknowledging
that all people are stakeholders in computing.”

View Slide

– A l l i s o n M i l l e r
“I don't think humans are the problem, the problem
is that humans are the target.”
https://www.scmagazineuk.com/news-feature-google-security-interview-human-solutions--the-way-to-go/article/701976/

View Slide

W H A T I S S E C U R I T Y , R E A L LY ?
https://commons.wikimedia.org/wiki/File:Airport_Frankfurt_-_Fraport_-_Flughafen_Frankfurt_-_barbed_wire_and_fence_-_Stacheldraht_und_Zaun_-_05.jpg
https://www.flickr.com/photos/captkodak/37054929956/

View Slide

D O M A I N S P E C I F I C Q A

View Slide

Behavior
Speciﬁcation

View Slide

QA!
Security!

View Slide

Q A : D O E S T H E S O F T W A R E D O W H A T I T
S H O U L D ?

View Slide

S E C U R I T Y : D O E S I T A L S O D O A N Y T H I N G
E L S E ?

View Slide

D o We E v e n
K n o w W h a t t h e
S o f t w a r e I s
S u p p o s e d t o D o ?

View Slide

M y t h s

View Slide

“Security is good guys vs. bad guys.”
https://pixabay.com/en/quietscheenten-devil-contrast-2816024/

View Slide

“You must always choose between security and
convenience.”

View Slide

– B r u c e S c h n e i e r
“The attacker just has to f ind one vulnerability — one
unsecured avenue for attack — and gets to choose
how and when to attack. It’s simply not a fair battle.”
http://nymag.com/selectall/2017/01/the-internet-of-things-dangerous-future-bruce-schneier.html

View Slide

“In order to write secure applications, developers
must take OWASP Top 10 training.”

View Slide

“Nobody cares about my application’s data. It’s public
anyway.”

View Slide

“In order to write secure applications, developers
must
• Take OWASP Top 10 training
• Use Veracode
• Have application pentested
• Use two factor authentication on source control
and hosts
• Use off-the-shelf crypto libraries
• Monitor production
• Use memory-safe languages
• Do code review
• HTTPS everywhere!

View Slide

T r u t h
https://www.flickr.com/photos/library_of_congress/8470007173/

View Slide

– L e s l e y C a r h a r t
“Regularly rethink your threat model. Know your
threat model and that of your family before making
any security decision.”
https://twitter.com/hacks4pancakes/status/917952052667604993

View Slide

– M a t t Ta i t
“The underlying problem is folks think in terms of
‘secure’ versus ‘insecure.’ But in reality, it's ‘in/secure
vs. X threat in Y threat model.’”
https://twitter.com/pwnallthethings/status/922009773352120320

View Slide

– J e s s i c a P a y n e
“Bugs and exploits are not the main issue in most
breeches, operational issues and technical debt are.”
"Your attacker thinks like my attacker: A common threat model to create better defense"

View Slide

“ Yo u r i m a g i n a t i o n
i s f a r m o r e
w o n d e r f u l t h a n
a n y c o m p u t e r
c o u l d e v e r b e . ”
- Fred Rogers
http://www.neighborhoodarchive.com/mrn/episodes/1746/index.html

View Slide

B U I L D A R E C I P E ,
N O T A G R O C E R Y S T O R E

View Slide

B Y D E S I G N
https://www.patternlanguage.com/gallery/houses.html

View Slide

H U M A N C E N T E R E D

View Slide

L E A R N Y O U R D O M A I N
https://commons.wikimedia.org/wiki/File:Domain,_Atrium_(Hong_Kong).jpg

View Slide

https://twitter.com/slatestarcodex/status/944739157988974592

View Slide

https://www.pbs.org/newshour/science/amazon-recalls-potentially-hazardous-solar-eclipse-glasses

View Slide

– S e n . R i c h a r d B u r r
“You commented yesterday that
your company’s goal is bringing
people together. In this case,
people were brought together to
foment conflict, and Facebook
enabled that event to happen.”
https://www.texastribune.org/2017/11/01/russian-facebook-page-organized-protest-texas-different-russian-page-l/

View Slide

iT u n e s M o n e y
L a u n d e r i n g
https://www.thedailybeast.com/want-to-launder-bitcoins-how-crooks-are-hacking-itunes-and-getting-paid-by-apple

View Slide

“ I ’ m j u s t a
t o a s t e r . N o b o d y
w i l l e v e r t r y t o
h a c k m e ! ”

View Slide

T H R E A T M O D E L I N G

View Slide

S I X D E G R E E S
Who is affected by the software you create?

View Slide

U s e r s

View Slide

C u s t o m e r s

View Slide

Yo u r Te a m

View Slide

S t a k e h o l d e r s

View Slide

P a r t n e r s

View Slide

Yo u r
C o m m u n i t y

View Slide

W H A T D O Y O U H A V E ?

View Slide

I n f r a s t r u c t u r e
• Servers
• Software
• Clients
• Gateways
• Third Parties

View Slide

D a t a
• Databases
• Metadata
• Logs
• Credentials
• Files on client
machines

View Slide

T r u s t
B o u n d a r i e s
• Implicit
• Explicit

View Slide

W H A T C O U L D G O W R O N G ?

View Slide

D O M A I N - S P E C I F I C
R I S K S

View Slide

T a k e C a r e o f
P e o p l e F i r s t

View Slide

L e a r n f r o m
H i s t o r y
https://commons.wikimedia.org/wiki/File:Maginot_line_1.jpg

View Slide

E x i s t e n t i a l
T h r e a t s
http://money.cnn.com/2012/08/09/technology/knight-expensive-computer-bug/index.html

View Slide

R e g u l a t o r y

View Slide

B A C K T O
B A S I C S

View Slide

C O M P R E H E N S I V I T Y
Security f rom First Principles
Am I covering all of my bases?
Craig Jackson, Scott Russell, and Susan Sons
https://upload.wikimedia.org/wikipedia/commons/7/72/Agoncillo_-
_W%C3%BCrth_Rioja%2C_Museo_30_-_Christo.JPG

View Slide

O P P O R T U N I T Y
Am I taking advantage of my environment?
https://commons.wikimedia.org/wiki/File:Amazing_Bhutan_Monastery.jpg Craig Jackson, Scott Russell, and Susan Sons

View Slide

R I G O R
What is correct behavior, and how am I ensuring it?
https://commons.wikimedia.org/wiki/File:Turnstile_state_machine_colored.svg Craig Jackson, Scott Russell, and Susan Sons

View Slide

M I N I M I Z A T I O N
Can this be a smaller target?

View Slide

C O M P A R T M E N T A L I Z A T I O N
Is this made of distinct parts with limited
interactions?
https://en.wikipedia.org/wiki/Bulkhead_(partition)#/media/
File:Compartments_and_watertight_subdivision_of_a_ship%27s_hull_(Seaman%27s_Pocket-
Book,_1943).jpg

View Slide

F A U LT T O L E R A N C E
What happens if this fails?
https://commons.wikimedia.org/wiki/
File:A_U.S._Soldier,_right,_looks_on_as_a_U.S._Army_Garrison_Ansbach_Junior_ROTC_cadet_negotia
tes_a_high_rope_obstacle_6.jpg Craig Jackson, Scott Russell, and Susan Sons

View Slide

P R O P O R T I O N A L I T Y
Is this worth it?
https://twitter.com/jwgoerlich/status/939268098699550720?s=09 Craig Jackson, Scott Russell, and Susan Sons

View Slide

T H E B A S I C P R I N C I P L E S I N A C T I O N

View Slide

B U S I N E S S P R O B L E M
• A hotel chain needs to capture credit card numbers for
potential incidental charges when the cardholder will
not be present at check in
• Example: A parent wants to authorize incidental
charges for a traveling school sports team member
• Current process is a paper form. Company would like to
automate

View Slide

N A Ï V E S O L U T I O N
“Type a quote here.”

View Slide

N A Ï V E S O L U T I O N , R E V I S I T E D
Comprehensivity

View Slide

N A Ï V E S O L U T I O N , R E - R E V I S I T E D
Comprehensivity

View Slide

N A Ï V E S O L U T I O N , R E - R E - R E V I S I T E D
Comprehensivity

View Slide

D E S I G N E D I N T O P R O C E S S
Comprehensivity
https://jeremylong.github.io/DependencyCheck/

View Slide

T R A I N I N G
Comprehensivity
https://twitter.com/chrisrohlf/status/925846092184477698

View Slide

O P P O R T U N I T Y

View Slide

P A T C H A L L O F T H E T H I N G S
Opportunity

View Slide

R I G O R

View Slide

S T A T I C A N A LY S I S
Rigor
“The most important thing I have done as a
programmer in recent years is to aggressively pursue
static code analysis. Even more valuable than the
hundreds of serious bugs I have prevented with it is
the change in mindset about the way I view software
reliability and code quality.”
- J o h n C a r m a c k
https://www.gamasutra.com/view/news/128836/InDepth_Static_Code_Analysis.php

View Slide

View Slide

M I N I M I Z E A T T A C K S U R F A C E
( a n d e v e r y t h i n g e l s e )
https://www.owasp.org/index.php/Attack_Surface_Analysis_Cheat_Sheet

View Slide

S T O R E L E S S
Minimization
“Limit cardholder data storage and retention time to that
which is required for business, legal, and/ or regulatory
purposes, as documented in your data retention policy.
Purge unnecessary stored data at least quarterly.”
P C I - D S S § 3 . 1
https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_1.pdf

View Slide

C O M P A R T M E N T A L I Z E I T !

View Slide

D O U B L E E D G E D S W O R D
Compartmentalization
““Your perimeter is not the boundary of your network
it’s the boundary of your telemetry.”
http://grugq.github.io/presentations/comae-blackhat-year-of-the-worm.pdf
- T h e G r u g q

View Slide

L E A S T P R I V I L E G E
Compartmentalization
EncryptionServiceIAMRole:
Type: "AWS::IAM::Role"
Properties:
Path: "/"
ManagedPolicyArns:
- "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
-
Sid: "AllowLambdaServiceToAssumeRole"
Effect: "Allow"
Action:
- "sts:AssumeRole"
Principal:
Service:
- "lambda.amazonaws.com"

View Slide

C O M P A R T M E N T A L I Z E I T !
• Networks
• Public ingress (CloudFront), WAF rules
• Private ingress (Jump server)
• Roles for public, hotel staff, site admin, developer, ops
• Restrict data by property
• Archive old data to encrypted cold storage
• Use key management (KMS, HSM, etc.) for secrets

View Slide

https://github.com/Xyl2k/TSA-Travel-Sentry-master-keys

View Slide

• User safety
• Stop the exf iltration
• Assess the scope
• Proactively prevent further damage to users
• Listen
• Technical
• Engage DF/IR professionals to assess how it happened and how to
prevent
• Design system for secure storage and rotation of secrets

View Slide

P R O P O R T I O N A L I T Y

View Slide

L A T H E R , R I N S E , R E P E A T
• Plan on enumerating the f irst principles at least twice
in initial app design
• Following f irst principles does not mean “big design
upf ront”

View Slide

F U R T H E R R E A D I N G
• The Information Security Practice Principles, Center for
Applied Cybersecurity Research, Indiana University
• Threat Modeling, Designing for Security, by Adam
Shostack

View Slide

C R E D I T S
• Some stock photography f rom wocintechchat.com, CC-
BY 2.0
• Creative Commons photography credited on each slide

View Slide

View Slide

C O N T A C T
[email protected]
@craigstuntz
http://paperswelove.org/chapter/columbus/
https://speakerdeck.com/craigstuntz

View Slide

Secure Applications, by Design

Secure Applications, by Design

Craig Stuntz

More Decks by Craig Stuntz

Other Decks in Programming

Featured

Transcript