Slide 1

SECURE APPLICATIONS, BY DESIGN
Craig Stuntz ∈ Improving
https://speakerdeck.com/craigstuntz

Slide 2

PREVIEW
• What does application security mean?
• Some “fixes” which don’t work
• Security from first principles
• Threat modeling
• Application design guided by principles and threat model

Slide 3

“I will remember that I do not treat a fever chart, a cancerous growth, but a sick human being, whose illness may affect the person’s family and economic stability.”
– Hippocratic Oath (1964 Louis Lasagna version)

Slide 4

No content

Slide 5

1. ummm… blockchain?
2. ???
3. profit!

Slide 6

http://www.independent.co.uk/travel/news-and-advice/air-safety-2017-best-year-safest-airline-passengers-worldwide-to70-civil-aviation-review-a8130796.html

Slide 7

WOULD YOU DESIGN SOFTWARE DIFFERENTLY IF HUMAN SAFETY WAS ALWAYS THE FIRST CONSIDERATION? HOW?
https://www.flickr.com/photos/wocintechchat/25900776992/

Slide 8

“A computing professional should contribute to society and to human well-being, acknowledging that all people are stakeholders in computing.”
– ACM Code of Ethics and Professional Conduct (proposed)

Slide 9

“I don't think humans are the problem, the problem is that humans are the target.”
– Allison Miller
https://www.scmagazineuk.com/news-feature-google-security-interview-human-solutions--the-way-to-go/article/701976/

Slide 10

WHAT IS SECURITY, REALLY?
https://commons.wikimedia.org/wiki/File:Airport_Frankfurt_-_Fraport_-_Flughafen_Frankfurt_-_barbed_wire_and_fence_-_Stacheldraht_und_Zaun_-_05.jpg
https://www.flickr.com/photos/captkodak/37054929956/

Slide 11

DOMAIN SPECIFIC QA

Slide 12

Behavior Specification

Slide 13

QA! Security!

Slide 14

QA: DOES THE SOFTWARE DO WHAT IT SHOULD?

Slide 15

SECURITY: DOES IT ALSO DO ANYTHING ELSE?

Slide 16

Do We Even Know What the Software Is Supposed to Do?

Slide 17

Myths

Slide 18

“Security is good guys vs. bad guys.”
https://pixabay.com/en/quietscheenten-devil-contrast-2816024/

Slide 19

“You must always choose between security and convenience.”

Slide 20

“The attacker just has to find one vulnerability — one unsecured avenue for attack — and gets to choose how and when to attack. It’s simply not a fair battle.”
– Bruce Schneier
http://nymag.com/selectall/2017/01/the-internet-of-things-dangerous-future-bruce-schneier.html

Slide 21

“In order to write secure applications, developers must take OWASP Top 10 training.”

Slide 22

“Nobody cares about my application’s data. It’s public anyway.”

Slide 23

“In order to write secure applications, developers must
• Take OWASP Top 10 training
• Use Veracode
• Have application pentested
• Use two factor authentication on source control and hosts
• Use off-the-shelf crypto libraries
• Monitor production
• Use memory-safe languages
• Do code review
• HTTPS everywhere!”

Slide 24

Truth
https://www.flickr.com/photos/library_of_congress/8470007173/

Slide 25

“Regularly rethink your threat model. Know your threat model and that of your family before making any security decision.”
– Lesley Carhart
https://twitter.com/hacks4pancakes/status/917952052667604993

Slide 26

“The underlying problem is folks think in terms of ‘secure’ versus ‘insecure.’ But in reality, it's ‘in/secure vs. X threat in Y threat model.’”
– Matt Tait
https://twitter.com/pwnallthethings/status/922009773352120320

Slide 27

“Bugs and exploits are not the main issue in most breaches, operational issues and technical debt are.”
– Jessica Payne, "Your attacker thinks like my attacker: A common threat model to create better defense"

Slide 28

“Your imagination is far more wonderful than any computer could ever be.” - Fred Rogers
http://www.neighborhoodarchive.com/mrn/episodes/1746/index.html

Slide 29

BUILD A RECIPE, NOT A GROCERY STORE

Slide 30

BY DESIGN
https://www.patternlanguage.com/gallery/houses.html

Slide 31

HUMAN CENTERED
https://www.flickr.com/photos/wocintechchat/25926671551/

Slide 32

LEARN YOUR DOMAIN
https://commons.wikimedia.org/wiki/File:Domain,_Atrium_(Hong_Kong).jpg

Slide 33

https://twitter.com/slatestarcodex/status/944739157988974592

Slide 34

https://www.pbs.org/newshour/science/amazon-recalls-potentially-hazardous-solar-eclipse-glasses

Slide 35

“You commented yesterday that your company’s goal is bringing people together. In this case, people were brought together to foment conflict, and Facebook enabled that event to happen.”
– Sen. Richard Burr
https://www.texastribune.org/2017/11/01/russian-facebook-page-organized-protest-texas-different-russian-page-l/

Slide 36

iTunes Money Laundering
https://www.thedailybeast.com/want-to-launder-bitcoins-how-crooks-are-hacking-itunes-and-getting-paid-by-apple

Slide 37

“I’m just a toaster. Nobody will ever try to hack me!”

Slide 38

THREAT MODELING

Slide 39

SIX DEGREES
Who is affected by the software you create?
https://www.flickr.com/photos/wocintechchat/25388897014/

Slide 40

Users
https://www.flickr.com/photos/wocintechchat/25703122741/

Slide 41

Customers
https://www.flickr.com/photos/wocintechchat/25703122741/
https://www.flickr.com/photos/wocintechchat/25926791491/

Slide 42

Your Team
https://www.flickr.com/photos/wocintechchat/25167741264/

Slide 43

Stakeholders
https://www.flickr.com/photos/wocintechchat/25388889234/

Slide 44

Partners
https://www.flickr.com/photos/wocintechchat/25388854424/

Slide 45

Your Community

Slide 46

WHAT DO YOU HAVE?

Slide 47

Infrastructure
• Servers
• Software
• Clients
• Gateways
• Third Parties

Slide 48

Data
• Databases
• Metadata
• Logs
• Credentials
• Files on client machines

Slide 49

Trust Boundaries
• Implicit
• Explicit

Slide 50

WHAT COULD GO WRONG?

Slide 51

DOMAIN-SPECIFIC RISKS

Slide 52

Take Care of People First
https://www.flickr.com/photos/wocintechchat/25926827581/

Slide 53

Learn from History
https://commons.wikimedia.org/wiki/File:Maginot_line_1.jpg

Slide 54

Existential Threats
http://money.cnn.com/2012/08/09/technology/knight-expensive-computer-bug/index.html

Slide 55

Regulatory

Slide 56

BACK TO BASICS

Slide 57

COMPREHENSIVITY
Security from First Principles
Am I covering all of my bases?
Craig Jackson, Scott Russell, and Susan Sons
https://upload.wikimedia.org/wikipedia/commons/7/72/Agoncillo_-_W%C3%BCrth_Rioja%2C_Museo_30_-_Christo.JPG

Slide 58

OPPORTUNITY
Security from First Principles
Am I taking advantage of my environment?
Craig Jackson, Scott Russell, and Susan Sons
https://commons.wikimedia.org/wiki/File:Amazing_Bhutan_Monastery.jpg

Slide 59

RIGOR
Security from First Principles
What is correct behavior, and how am I ensuring it?
Craig Jackson, Scott Russell, and Susan Sons
https://commons.wikimedia.org/wiki/File:Turnstile_state_machine_colored.svg

Slide 60

MINIMIZATION
Security from First Principles
Can this be a smaller target?
Craig Jackson, Scott Russell, and Susan Sons

Slide 61

COMPARTMENTALIZATION
Security from First Principles
Is this made of distinct parts with limited interactions?
Craig Jackson, Scott Russell, and Susan Sons
https://en.wikipedia.org/wiki/Bulkhead_(partition)#/media/File:Compartments_and_watertight_subdivision_of_a_ship%27s_hull_(Seaman%27s_Pocket-Book,_1943).jpg

Slide 62

FAULT TOLERANCE
Security from First Principles
What happens if this fails?
Craig Jackson, Scott Russell, and Susan Sons
https://commons.wikimedia.org/wiki/File:A_U.S._Soldier,_right,_looks_on_as_a_U.S._Army_Garrison_Ansbach_Junior_ROTC_cadet_negotiates_a_high_rope_obstacle_6.jpg

Slide 63

PROPORTIONALITY
Security from First Principles
Is this worth it?
Craig Jackson, Scott Russell, and Susan Sons
https://twitter.com/jwgoerlich/status/939268098699550720?s=09

Slide 64

THE BASIC PRINCIPLES IN ACTION

Slide 65

BUSINESS PROBLEM
• A hotel chain needs to capture credit card numbers for potential incidental charges when the cardholder will not be present at check in
• Example: A parent wants to authorize incidental charges for a traveling school sports team member
• Current process is a paper form. Company would like to automate

Slide 66

NAÏVE SOLUTION
“Type a quote here.”

Slide 67

NAÏVE SOLUTION, REVISITED
Comprehensivity
“Type a quote here.”

Slide 68

NAÏVE SOLUTION, RE-REVISITED
Comprehensivity
“Type a quote here.”

Slide 69

NAÏVE SOLUTION, RE-RE-REVISITED
Comprehensivity
“Type a quote here.”

Slide 70

DESIGNED INTO PROCESS
Comprehensivity
https://jeremylong.github.io/DependencyCheck/

Slide 71

TRAINING
Comprehensivity
https://twitter.com/chrisrohlf/status/925846092184477698

Slide 72

OPPORTUNITY

Slide 73

PATCH ALL OF THE THINGS
Opportunity
“Type a quote here.”

Slide 74

RIGOR

Slide 75

STATIC ANALYSIS
Rigor
“The most important thing I have done as a programmer in recent years is to aggressively pursue static code analysis. Even more valuable than the hundreds of serious bugs I have prevented with it is the change in mindset about the way I view software reliability and code quality.” - John Carmack
https://www.gamasutra.com/view/news/128836/InDepth_Static_Code_Analysis.php

Slide 76

No content

Slide 77

MINIMIZE ATTACK SURFACE (and everything else)
https://www.owasp.org/index.php/Attack_Surface_Analysis_Cheat_Sheet

Slide 78

STORE LESS
Minimization
“Limit cardholder data storage and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in your data retention policy. Purge unnecessary stored data at least quarterly.”
PCI-DSS § 3.1
https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_1.pdf

Slide 79

COMPARTMENTALIZE IT!

Slide 80

DOUBLE EDGED SWORD
Compartmentalization
“Your perimeter is not the boundary of your network, it’s the boundary of your telemetry.” - The Grugq
http://grugq.github.io/presentations/comae-blackhat-year-of-the-worm.pdf

Slide 81

LEAST PRIVILEGE
Compartmentalization

```yaml
EncryptionServiceIAMRole:
  Type: "AWS::IAM::Role"
  Properties:
    Path: "/"
    ManagedPolicyArns:
      - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Sid: "AllowLambdaServiceToAssumeRole"
          Effect: "Allow"
          Action:
            - "sts:AssumeRole"
          Principal:
            Service:
              - "lambda.amazonaws.com"
```
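As an added example, not part of the slides: a small least-privilege lint, in Python, over an IAM role written as a CloudFormation resource. LEAST_PRIVILEGE_ROLE mirrors the slide's EncryptionServiceIAMRole; OVERBROAD_ROLE, BROAD_POLICIES and lint_role are constructed here to show what such a check catches (any-principal trust, wildcard action, admin-level managed policy).

```python
# Added example: least-privilege lint for a CloudFormation IAM role.
# Standard library only; the resource is a Python dict rather than YAML so
# it runs without extra packages. Managed policies treated as "too broad"
# are an assumption for this example, not an AWS-defined list.
BROAD_POLICIES = ("AdministratorAccess", "PowerUserAccess")

# Mirrors the slide's role: only the Lambda service may assume it, and the
# only attached policy is the basic Lambda execution policy.
LEAST_PRIVILEGE_ROLE = {"Type": "AWS::IAM::Role", "Properties": {
    "Path": "/",
    "ManagedPolicyArns": [
        "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"],
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowLambdaServiceToAssumeRole", "Effect": "Allow",
        "Action": ["sts:AssumeRole"],
        "Principal": {"Service": ["lambda.amazonaws.com"]}}]}}}

# Constructed counter-example: any principal may assume it, and it is admin.
OVERBROAD_ROLE = {"Type": "AWS::IAM::Role", "Properties": {
    "ManagedPolicyArns": ["arn:aws:iam::aws:policy/AdministratorAccess"],
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:*", "Principal": "*"}]}}}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_role(role):
    """Return a list of findings; an empty list means no issue was found."""
    findings = []
    props = role.get("Properties", {})
    for arn in props.get("ManagedPolicyArns", []):
        if arn.rsplit("/", 1)[-1] in BROAD_POLICIES:
            findings.append(f"broad managed policy attached: {arn}")
    trust = props.get("AssumeRolePolicyDocument", {})
    for stmt in _as_list(trust.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # A bare "*" or {"AWS": "*"} both mean "anyone".
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in aws:
            findings.append("trust policy lets any principal assume the role")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"wildcard action in trust policy: {action}")
    return findings
```

Running lint_role over the slide's role returns no findings; over the constructed role it returns three.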

Slide 82

COMPARTMENTALIZE IT!
• Networks
  • Public ingress (CloudFront), WAF rules
  • Private ingress (Jump server)
• Roles for public, hotel staff, site admin, developer, ops
• Restrict data by property
• Archive old data to encrypted cold storage
• Use key management (KMS, HSM, etc.) for secrets

Slide 83

FAULT TOLERANCE
https://github.com/Xyl2k/TSA-Travel-Sentry-master-keys

Slide 84

FAULT TOLERANCE
• User safety
  • Stop the exfiltration
  • Assess the scope
  • Proactively prevent further damage to users
  • Listen
• Technical
  • Engage DF/IR professionals to assess how it happened and how to prevent
  • Design system for secure storage and rotation of secrets

Slide 85

PROPORTIONALITY

Slide 86

LATHER, RINSE, REPEAT
• Plan on enumerating the first principles at least twice in initial app design
• Following first principles does not mean “big design upfront”

Slide 87

FURTHER READING
• The Information Security Practice Principles, Center for Applied Cybersecurity Research, Indiana University
• Threat Modeling, Designing for Security, by Adam Shostack

Slide 88

CREDITS
• Some stock photography from wocintechchat.com, CC-BY 2.0
• Creative Commons photography credited on each slide

Slide 89

No content

Slide 90

CONTACT
[email protected]
@craigstuntz
http://paperswelove.org/chapter/columbus/
https://speakerdeck.com/craigstuntz