Secure Applications, by Design

As presented at Stir Trek 2018

There is a lot of good security advice in the world, but checklists like the OWASP Top 10 do not tell you how to design security into your application. Where should a developer even begin? How do you design security into applications based on next week's JavaScript framework, for which no "best practices" exist? The Information Security Practice Principles, developed by Indiana University's Center for Applied Cybersecurity Research, provide both a foundation for application security independent of specific technology decisions and a means of establishing a common language between designers and defenders. You'll leave this session with a process for building security in depth into your application architecture, using human-centered user experience design, threat modeling, partitioning, defense in depth, and static analysis in continuous integration. Rather than yet another checklist, you'll learn how to make security the foundation on which the rest of your application is built.

Craig Stuntz

May 04, 2018
Transcript

  1. SECURE APPLICATIONS, BY DESIGN
    Craig Stuntz ∈ Improving

  2. SECURE APPLICATIONS, BY DESIGN
    Craig Stuntz ∈ Improving
    https://speakerdeck.com/craigstuntz

  3. ASK QUESTIONS ON SLACK
    #2018—GREEN
    (DM: @craig.stuntz)

  4. PREVIEW
    • What does application security mean?
    • Some “fixes” which don’t work
    • Security from first principles
    • Threat modeling
    • Application design guided by principles and threat model

  5. – Hippocratic Oath (1964 Louis Lasagna version)
    “I will remember that I do not treat a fever chart, a cancerous growth, but a sick human being, whose illness may affect the person’s family and economic stability.”

  6. 1. ummm… blockchain?
    2. ???
    3. profit!

  7. http://www.independent.co.uk/travel/news-and-advice/air-safety-2017-best-year-safest-airline-passengers-worldwide-to70-civil-aviation-review-a8130796.html

  8. WOULD YOU DESIGN SOFTWARE DIFFERENTLY IF HUMAN SAFETY WAS ALWAYS THE FIRST CONSIDERATION? HOW?
    https://www.flickr.com/photos/wocintechchat/25900776992/

  9. – ACM Code of Ethics and Professional Conduct (proposed)
    “A computing professional should contribute to society and to human well-being, acknowledging that all people are stakeholders in computing.”

  10. – Allison Miller
    “I don't think humans are the problem, the problem is that humans are the target.”
    https://www.scmagazineuk.com/news-feature-google-security-interview-human-solutions--the-way-to-go/article/701976/

  11. WHAT IS SECURITY, REALLY?
    https://commons.wikimedia.org/wiki/File:Airport_Frankfurt_-_Fraport_-_Flughafen_Frankfurt_-_barbed_wire_and_fence_-_Stacheldraht_und_Zaun_-_05.jpg
    https://www.flickr.com/photos/captkodak/37054929956/

  12. DOMAIN-SPECIFIC QA

  13. Behavior
    Specification

  18. QA: DOES THE SOFTWARE DO WHAT IT SHOULD?

  19. SECURITY: DOES IT ALSO DO ANYTHING ELSE?

  20. Do We Even Know What the Software Is Supposed to Do?

  21. QA!
    Security!

  22. NIST 800-64
    Security Considerations in the System Development Life Cycle (2008)
    http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-64r2.pdf

  23. OWASP SDLC
    DRAFT
    https://www.owasp.org/index.php/OWASP_Secure_Software_Development_Lifecycle_Project

  24. MICROSOFT SDLC
    http://www.microsoft.com/en-us/SDL

  25. SECURITY IN AN AGILE PROCESS
    https://www.scrum.org/resources/scrum-framework-poster

  26. SECURITY IN AN AGILE PROCESS
    https://www.scrum.org/resources/scrum-framework-poster
    Fundamental Principles
    Threat Model
    Automated Analysis
    Manual Review

  27. “Security is good guys vs. bad guys.”
    https://pixabay.com/en/quietscheenten-devil-contrast-2816024/

  28. “You must always choose between security and convenience.”

  29. – Bruce Schneier
    “The attacker just has to find one vulnerability — one unsecured avenue for attack — and gets to choose how and when to attack. It’s simply not a fair battle.”
    http://nymag.com/selectall/2017/01/the-internet-of-things-dangerous-future-bruce-schneier.html

  30. “In order to write secure applications, developers must take OWASP Top 10 training.”

  31. “Nobody cares about my application’s data. It’s public anyway.”

  32. “In order to write secure applications, developers must
    • Take OWASP Top 10 training
    • Use Veracode
    • Have application pentested
    • Use two-factor authentication on source control and hosts
    • Use off-the-shelf crypto libraries
    • Monitor production
    • Use memory-safe languages
    • Do code review
    • HTTPS everywhere!

  33. Truth
    https://www.flickr.com/photos/library_of_congress/8470007173/

  34. – Lesley Carhart
    “Regularly rethink your threat model. Know your threat model and that of your family before making any security decision.”
    https://twitter.com/hacks4pancakes/status/917952052667604993

  35. – Matt Tait
    “The underlying problem is folks think in terms of ‘secure’ versus ‘insecure.’ But in reality, it's ‘in/secure vs. X threat in Y threat model.’”
    https://twitter.com/pwnallthethings/status/922009773352120320

  36. – Jessica Payne
    “Bugs and exploits are not the main issue in most breaches, operational issues and technical debt are.”
    "Your attacker thinks like my attacker: A common threat model to create better defense"

  37. “Your imagination is far more wonderful than any computer could ever be.”
    - Fred Rogers
    http://www.neighborhoodarchive.com/mrn/episodes/1746/index.html

  38. BUILD A RECIPE, NOT A GROCERY STORE

  39. BY DESIGN
    https://www.patternlanguage.com/gallery/houses.html

  40. HUMAN CENTERED
    https://www.flickr.com/photos/wocintechchat/25926671551/

  41. LEARN YOUR DOMAIN
    https://commons.wikimedia.org/wiki/File:Domain,_Atrium_(Hong_Kong).jpg

  42. https://twitter.com/slatestarcodex/status/944739157988974592

  44. https://www.pbs.org/newshour/science/amazon-recalls-potentially-hazardous-solar-eclipse-glasses

  45. – Sen. Richard Burr
    “You commented yesterday that your company’s goal is bringing people together. In this case, people were brought together to foment conflict, and Facebook enabled that event to happen.”
    https://www.texastribune.org/2017/11/01/russian-facebook-page-organized-protest-texas-different-russian-page-l/

  46. iTunes Money Laundering
    https://www.thedailybeast.com/want-to-launder-bitcoins-how-crooks-are-hacking-itunes-and-getting-paid-by-apple

  47. “I’m just a toaster. Nobody will ever try to hack me!”

  48. THREAT MODELING

  49. SIX DEGREES
    Who is affected by the software you create?
    https://www.flickr.com/photos/wocintechchat/25388897014/

  50. Users
    https://www.flickr.com/photos/wocintechchat/25703122741/

  51. Customers
    https://www.flickr.com/photos/wocintechchat/25703122741/
    https://www.flickr.com/photos/wocintechchat/25926791491/

  52. Your Team
    https://www.flickr.com/photos/wocintechchat/25167741264/

  53. Stakeholders
    https://www.flickr.com/photos/wocintechchat/25388889234/

  54. Partners
    https://www.flickr.com/photos/wocintechchat/25388854424/

  55. Your Community

  56. WHAT DO YOU HAVE?

  57. Infrastructure
    • Servers
    • Software
    • Clients
    • Gateways
    • Third Parties

  58. Data
    • Databases
    • Metadata
    • Logs
    • Credentials
    • Files on client machines

  59. Trust Boundaries
    • Implicit
    • Explicit

  60. WHAT COULD GO WRONG?

  61. DOMAIN-SPECIFIC RISKS

  62. Take Care of People First
    https://www.flickr.com/photos/wocintechchat/25926827581/

  63. Learn from History
    https://commons.wikimedia.org/wiki/File:Maginot_line_1.jpg

  64. Existential Threats
    http://money.cnn.com/2012/08/09/technology/knight-expensive-computer-bug/index.html

  65. Regulatory

  66. BACK TO BASICS

  67. COMPREHENSIVITY
    Security from First Principles
    Am I covering all of my bases?
    Craig Jackson, Scott Russell, and Susan Sons
    https://upload.wikimedia.org/wikipedia/commons/7/72/Agoncillo_-_W%C3%BCrth_Rioja%2C_Museo_30_-_Christo.JPG

  68. OPPORTUNITY
    Security from First Principles
    Am I taking advantage of my environment?
    https://commons.wikimedia.org/wiki/File:Amazing_Bhutan_Monastery.jpg
    Craig Jackson, Scott Russell, and Susan Sons

  69. RIGOR
    Security from First Principles
    What is correct behavior, and how am I ensuring it?
    https://commons.wikimedia.org/wiki/File:Turnstile_state_machine_colored.svg
    Craig Jackson, Scott Russell, and Susan Sons

  70. MINIMIZATION
    Security from First Principles
    Can this be a smaller target?
    Craig Jackson, Scott Russell, and Susan Sons

  71. COMPARTMENTALIZATION
    Security from First Principles
    Is this made of distinct parts with limited interactions?
    https://en.wikipedia.org/wiki/Bulkhead_(partition)#/media/File:Compartments_and_watertight_subdivision_of_a_ship%27s_hull_(Seaman%27s_Pocket-Book,_1943).jpg
    Craig Jackson, Scott Russell, and Susan Sons

  72. FAULT TOLERANCE
    Security from First Principles
    What happens if this fails?
    https://commons.wikimedia.org/wiki/File:A_U.S._Soldier,_right,_looks_on_as_a_U.S._Army_Garrison_Ansbach_Junior_ROTC_cadet_negotiates_a_high_rope_obstacle_6.jpg
    Craig Jackson, Scott Russell, and Susan Sons

  73. PROPORTIONALITY
    Security from First Principles
    Is this worth it?
    https://twitter.com/jwgoerlich/status/939268098699550720?s=09
    Craig Jackson, Scott Russell, and Susan Sons

  74. THE BASIC PRINCIPLES IN ACTION

  75. BUSINESS PROBLEM
    • A hotel chain needs to capture credit card numbers for potential incidental charges when the cardholder will not be present at check in
    • Example: A parent wants to authorize incidental charges for a traveling school sports team member
    • Current process is a paper form. Company would like to automate

  76. NAÏVE SOLUTION

  77. NAÏVE SOLUTION, REVISITED
    Comprehensivity

  78. NAÏVE SOLUTION, RE-REVISITED
    Comprehensivity

  81. NAÏVE SOLUTION, RE-RE-REVISITED
    Comprehensivity

  82. TRAINING
    Comprehensivity
    https://twitter.com/chrisrohlf/status/925846092184477698

  83. OPPORTUNITY

  88. PATCH ALL OF THE THINGS
    Opportunity

  89. STATIC ANALYSIS
    Rigor
    “The most important thing I have done as a programmer in recent years is to aggressively pursue static code analysis. Even more valuable than the hundreds of serious bugs I have prevented with it is the change in mindset about the way I view software reliability and code quality.”
    - John Carmack
    https://www.gamasutra.com/view/news/128836/InDepth_Static_Code_Analysis.php

  90. MINIMIZE ATTACK SURFACE (and everything else)
    https://www.owasp.org/index.php/Attack_Surface_Analysis_Cheat_Sheet

  91. STORE LESS
    Minimization
    “Limit cardholder data storage and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in your data retention policy. Purge unnecessary stored data at least quarterly.”
    PCI-DSS § 3.1
    https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_1.pdf

  92. COMPARTMENTALIZE IT!

  93. DOUBLE EDGED SWORD
    Compartmentalization
    “Your perimeter is not the boundary of your network, it’s the boundary of your telemetry.”
    - The Grugq
    http://grugq.github.io/presentations/comae-blackhat-year-of-the-worm.pdf

  94. LEAST PRIVILEGE
    Compartmentalization
    EncryptionServiceIAMRole:
      Type: "AWS::IAM::Role"
      Properties:
        Path: "/"
        ManagedPolicyArns:
          - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Sid: "AllowLambdaServiceToAssumeRole"
              Effect: "Allow"
              Action:
                - "sts:AssumeRole"
              Principal:
                Service:
                  - "lambda.amazonaws.com"

  95. COMPARTMENTALIZE IT!
    • Networks
      • Public ingress (CloudFront), WAF rules
      • Private ingress (jump server)
    • Roles for public, hotel staff, site admin, developer, ops
    • Restrict data by property
    • Archive old data to encrypted cold storage
    • Use key management (KMS, HSM, etc.) for secrets
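The "Least Privilege" slide shows only the trust policy of the Lambda role (who may assume it). The following added example, which is not from the deck, completes it with the permissions side for the hotel card-capture service and the KMS key the "Compartmentalize It!" slide calls for: the capture function may encrypt with one key and nothing else, and kms:Decrypt is granted to a separate hotel-staff role instead, so the path that collects card numbers cannot read them back. Resource names, the key policy and the Sid values are assumptions.

```yaml
# Added example (not from the deck). Assumed names: CardDataKey,
# EncryptionServiceIAMRole, EncryptCardDataOnly.
Resources:
  CardDataKey:
    Type: "AWS::KMS::Key"
    Properties:
      Description: "Key for captured card numbers (constructed example)"
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          # Account root administers the key; no application role gets kms:* here.
          - Sid: "AllowAccountAdministration"
            Effect: "Allow"
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: "kms:*"
            Resource: "*"
  EncryptionServiceIAMRole:
    Type: "AWS::IAM::Role"
    Properties:
      Path: "/"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
      # Trust policy: WHO may assume the role (same as the slide).
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: "AllowLambdaServiceToAssumeRole"
            Effect: "Allow"
            Action:
              - "sts:AssumeRole"
            Principal:
              Service:
                - "lambda.amazonaws.com"
      # Permissions policy: WHAT the role may do. Encrypt only, one key only.
      # kms:Decrypt is deliberately absent: a compromised capture function
      # still cannot read stored card numbers back.
      Policies:
        - PolicyName: "EncryptCardDataOnly"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: "AllowEncryptWithCardDataKeyOnly"
                Effect: "Allow"
                Action:
                  - "kms:Encrypt"
                  - "kms:GenerateDataKey"
                Resource: !GetAtt CardDataKey.Arn
```

A review check for this template: any role whose policy lists both kms:Encrypt and kms:Decrypt on CardDataKey collapses the compartment the two roles were meant to create.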

  96. FAULT TOLERANCE
    https://github.com/Xyl2k/TSA-Travel-Sentry-master-keys

  97. FAULT TOLERANCE
    • User safety
      • Stop the exfiltration
      • Assess the scope
      • Proactively prevent further damage to users
      • Listen
    • Technical
      • Engage DF/IR professionals to assess how it happened and how to prevent it
      • Design system for secure storage and rotation of secrets

  98. PROPORTIONALITY

  99. LATHER, RINSE, REPEAT
    • Plan on enumerating the first principles at least twice in initial app design
    • Following first principles does not mean “big design up front”

  100. FURTHER READING
    • The Information Security Practice Principles, Center for Applied Cybersecurity Research, Indiana University
    • Threat Modeling: Designing for Security, by Adam Shostack

  101. CREDITS
    • Some stock photography from wocintechchat.com, CC-BY 2.0
    • Creative Commons photography credited on each slide

  102. CONTACT
    [email protected]
    @craigstuntz
    http://paperswelove.org/chapter/columbus/
    https://speakerdeck.com/craigstuntz