Slide 1

SECURE APPLICATIONS, BY DESIGN
Craig Stuntz ∈ Improving

Slide 2

SECURE APPLICATIONS, BY DESIGN
Craig Stuntz ∈ Improving
https://speakerdeck.com/craigstuntz

Slide 3

ASK QUESTIONS ON SLACK #2018—GREEN (DM: @craig.stuntz)

Slide 4

PREVIEW
• What does application security mean?
• Some “fixes” which don’t work
• Security from first principles
• Threat modeling
• Application design guided by principles and threat model

Slide 5

“I will remember that I do not treat a fever chart, a cancerous growth, but a sick human being, whose illness may affect the person’s family and economic stability.”
– Hippocratic Oath (1964 Louis Lasagna version)

Slide 6


Slide 7

1. ummm… blockchain?
2. ???
3. profit!

Slide 8

http://www.independent.co.uk/travel/news-and-advice/air-safety-2017-best-year-safest-airline-passengers-worldwide-to70-civil-aviation-review-a8130796.html

Slide 9

WOULD YOU DESIGN SOFTWARE DIFFERENTLY IF HUMAN SAFETY WAS ALWAYS THE FIRST CONSIDERATION? HOW?
https://www.flickr.com/photos/wocintechchat/25900776992/

Slide 10

“A computing professional should contribute to society and to human well-being, acknowledging that all people are stakeholders in computing.”
– ACM Code of Ethics and Professional Conduct (proposed)

Slide 11

“I don't think humans are the problem, the problem is that humans are the target.”
– Allison Miller
https://www.scmagazineuk.com/news-feature-google-security-interview-human-solutions--the-way-to-go/article/701976/

Slide 12

WHAT IS SECURITY, REALLY?
https://commons.wikimedia.org/wiki/File:Airport_Frankfurt_-_Fraport_-_Flughafen_Frankfurt_-_barbed_wire_and_fence_-_Stacheldraht_und_Zaun_-_05.jpg
https://www.flickr.com/photos/captkodak/37054929956/

Slide 13

DOMAIN SPECIFIC QA

Slide 14

Behavior

Slide 15

Behavior Specification

Slide 16

Behavior Specification

Slide 17

Behavior Specification

Slide 18

Behavior Specification

Slide 19

Behavior Specification

Slide 20

QA: DOES THE SOFTWARE DO WHAT IT SHOULD?

Slide 21

SECURITY: DOES IT ALSO DO ANYTHING ELSE?

Slide 22

Do We Even Know What the Software Is Supposed to Do?

Slide 23

QA! Security!

Slide 24

NIST 800-64
Security Considerations in the System Development Life Cycle (2008)
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-64r2.pdf

Slide 25

OWASP SDLC (DRAFT)
https://www.owasp.org/index.php/OWASP_Secure_Software_Development_Lifecycle_Project

Slide 26

MICROSOFT SDLC
http://www.microsoft.com/en-us/SDL

Slide 27

SECURITY IN AN AGILE PROCESS
https://www.scrum.org/resources/scrum-framework-poster

Slide 28

SECURITY IN AN AGILE PROCESS
https://www.scrum.org/resources/scrum-framework-poster
• Fundamental Principles
• Threat Model
• Automated Analysis
• Manual Review

Slide 29

Myths

Slide 30

“Security is good guys vs. bad guys.”
https://pixabay.com/en/quietscheenten-devil-contrast-2816024/

Slide 31

“You must always choose between security and convenience.”

Slide 32

“The attacker just has to find one vulnerability — one unsecured avenue for attack — and gets to choose how and when to attack. It’s simply not a fair battle.”
– Bruce Schneier
http://nymag.com/selectall/2017/01/the-internet-of-things-dangerous-future-bruce-schneier.html

Slide 33

“In order to write secure applications, developers must take OWASP Top 10 training.”

Slide 34

“Nobody cares about my application’s data. It’s public anyway.”

Slide 35

“In order to write secure applications, developers must
• Take OWASP Top 10 training
• Use Veracode
• Have application pentested
• Use two factor authentication on source control and hosts
• Use off-the-shelf crypto libraries
• Monitor production
• Use memory-safe languages
• Do code review
• HTTPS everywhere!”

Slide 36

Truth
https://www.flickr.com/photos/library_of_congress/8470007173/

Slide 37

“Regularly rethink your threat model. Know your threat model and that of your family before making any security decision.”
– Lesley Carhart
https://twitter.com/hacks4pancakes/status/917952052667604993

Slide 38

“The underlying problem is folks think in terms of ‘secure’ versus ‘insecure.’ But in reality, it's ‘in/secure vs. X threat in Y threat model.’”
– Matt Tait
https://twitter.com/pwnallthethings/status/922009773352120320

Slide 39

“Bugs and exploits are not the main issue in most breaches, operational issues and technical debt are.”
– Jessica Payne, "Your attacker thinks like my attacker: A common threat model to create better defense"

Slide 40

“Your imagination is far more wonderful than any computer could ever be.”
– Fred Rogers
http://www.neighborhoodarchive.com/mrn/episodes/1746/index.html

Slide 41

BUILD A RECIPE, NOT A GROCERY STORE

Slide 42

BY DESIGN
https://www.patternlanguage.com/gallery/houses.html

Slide 43

HUMAN CENTERED
https://www.flickr.com/photos/wocintechchat/25926671551/

Slide 44

LEARN YOUR DOMAIN
https://commons.wikimedia.org/wiki/File:Domain,_Atrium_(Hong_Kong).jpg

Slide 45

https://twitter.com/slatestarcodex/status/944739157988974592

Slide 46

https://twitter.com/slatestarcodex/status/944739157988974592

Slide 47

https://www.pbs.org/newshour/science/amazon-recalls-potentially-hazardous-solar-eclipse-glasses

Slide 48

“You commented yesterday that your company’s goal is bringing people together. In this case, people were brought together to foment conflict, and Facebook enabled that event to happen.”
– Sen. Richard Burr
https://www.texastribune.org/2017/11/01/russian-facebook-page-organized-protest-texas-different-russian-page-l/

Slide 49

iTunes Money Laundering
https://www.thedailybeast.com/want-to-launder-bitcoins-how-crooks-are-hacking-itunes-and-getting-paid-by-apple

Slide 50

“I’m just a toaster. Nobody will ever try to hack me!”

Slide 51

THREAT MODELING

Slide 52

SIX DEGREES
Who is affected by the software you create?
https://www.flickr.com/photos/wocintechchat/25388897014/

Slide 53

Users
https://www.flickr.com/photos/wocintechchat/25703122741/

Slide 54

Customers
https://www.flickr.com/photos/wocintechchat/25703122741/
https://www.flickr.com/photos/wocintechchat/25926791491/

Slide 55

Your Team
https://www.flickr.com/photos/wocintechchat/25167741264/

Slide 56

Stakeholders
https://www.flickr.com/photos/wocintechchat/25388889234/

Slide 57

Partners
https://www.flickr.com/photos/wocintechchat/25388854424/

Slide 58

Your Community

Slide 59

WHAT DO YOU HAVE?

Slide 60

Infrastructure
• Servers
• Software
• Clients
• Gateways
• Third Parties

Slide 61

Data
• Databases
• Metadata
• Logs
• Credentials
• Files on client machines

Slide 62

Trust Boundaries
• Implicit
• Explicit

Slide 63

WHAT COULD GO WRONG?

Slide 64

DOMAIN-SPECIFIC RISKS

Slide 65

Take Care of People First
https://www.flickr.com/photos/wocintechchat/25926827581/

Slide 66

Learn from History
https://commons.wikimedia.org/wiki/File:Maginot_line_1.jpg

Slide 67

Existential Threats
http://money.cnn.com/2012/08/09/technology/knight-expensive-computer-bug/index.html

Slide 68

Regulatory

Slide 69

BACK TO BASICS

Slide 70

COMPREHENSIVITY
Security from First Principles
Am I covering all of my bases?
Craig Jackson, Scott Russell, and Susan Sons
https://upload.wikimedia.org/wikipedia/commons/7/72/Agoncillo_-_W%C3%BCrth_Rioja%2C_Museo_30_-_Christo.JPG

Slide 71

OPPORTUNITY
Security from First Principles
Am I taking advantage of my environment?
Craig Jackson, Scott Russell, and Susan Sons
https://commons.wikimedia.org/wiki/File:Amazing_Bhutan_Monastery.jpg

Slide 72

RIGOR
Security from First Principles
What is correct behavior, and how am I ensuring it?
Craig Jackson, Scott Russell, and Susan Sons
https://commons.wikimedia.org/wiki/File:Turnstile_state_machine_colored.svg

Slide 73

MINIMIZATION
Security from First Principles
Can this be a smaller target?
Craig Jackson, Scott Russell, and Susan Sons

Slide 74

COMPARTMENTALIZATION
Security from First Principles
Is this made of distinct parts with limited interactions?
Craig Jackson, Scott Russell, and Susan Sons
https://en.wikipedia.org/wiki/Bulkhead_(partition)#/media/File:Compartments_and_watertight_subdivision_of_a_ship%27s_hull_(Seaman%27s_Pocket-Book,_1943).jpg

Slide 75

FAULT TOLERANCE
Security from First Principles
What happens if this fails?
Craig Jackson, Scott Russell, and Susan Sons
https://commons.wikimedia.org/wiki/File:A_U.S._Soldier,_right,_looks_on_as_a_U.S._Army_Garrison_Ansbach_Junior_ROTC_cadet_negotiates_a_high_rope_obstacle_6.jpg

Slide 76

PROPORTIONALITY
Security from First Principles
Is this worth it?
Craig Jackson, Scott Russell, and Susan Sons
https://twitter.com/jwgoerlich/status/939268098699550720?s=09

Slide 77

THE BASIC PRINCIPLES IN ACTION

Slide 78

BUSINESS PROBLEM
• A hotel chain needs to capture credit card numbers for potential incidental charges when the cardholder will not be present at check in
• Example: A parent wants to authorize incidental charges for a traveling school sports team member
• Current process is a paper form. Company would like to automate

Slide 79

NAÏVE SOLUTION

Slide 80

NAÏVE SOLUTION, REVISITED
Comprehensivity

Slide 81

NAÏVE SOLUTION, RE-REVISITED
Comprehensivity

Slide 82

NAÏVE SOLUTION, RE-REVISITED
Comprehensivity

Slide 83

NAÏVE SOLUTION, RE-REVISITED
Comprehensivity

Slide 84

NAÏVE SOLUTION, RE-RE-REVISITED
Comprehensivity

Slide 85

TRAINING
Comprehensivity
https://twitter.com/chrisrohlf/status/925846092184477698

Slide 86

OPPORTUNITY

Slide 87

OPPORTUNITY

Slide 88

OPPORTUNITY

Slide 89

OPPORTUNITY

Slide 90

OPPORTUNITY

Slide 91

PATCH ALL OF THE THINGS
Opportunity

Slide 92

RIGOR

Slide 93

STATIC ANALYSIS
Rigor
“The most important thing I have done as a programmer in recent years is to aggressively pursue static code analysis. Even more valuable than the hundreds of serious bugs I have prevented with it is the change in mindset about the way I view software reliability and code quality.”
– John Carmack
https://www.gamasutra.com/view/news/128836/InDepth_Static_Code_Analysis.php

Slide 94


Slide 95

MINIMIZE ATTACK SURFACE (and everything else)
https://www.owasp.org/index.php/Attack_Surface_Analysis_Cheat_Sheet

Slide 96

STORE LESS
Minimization
“Limit cardholder data storage and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in your data retention policy. Purge unnecessary stored data at least quarterly.”
– PCI-DSS § 3.1
https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_1.pdf
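Applying "store less" to the deck's hotel incidental-charge problem, as an added example that is not part of the talk: the card number is validated in memory and exchanged for a processor token, only the token, the last four digits and a purge date are kept, and a scheduled job enforces the retention window. The `tokenize` callable, the field names and the 90-day retention period are hypothetical.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, List

RETENTION_DAYS = 90  # hypothetical policy: authorizations are purged within a quarter


def luhn_valid(pan: str) -> bool:
    """Check the PAN's Luhn digit in memory before tokenizing it.
    The PAN itself is never written to storage or logs."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class StoredAuthorization:
    """Everything the hotel keeps: a processor token instead of the PAN, the
    last four digits (which PCI-DSS allows in the clear) and a purge date."""
    reservation_id: str
    processor_token: str
    last4: str
    purge_after: date


def capture(reservation_id: str, pan: str,
            tokenize: Callable[[str], str], today: date) -> StoredAuthorization:
    """Exchange the PAN for a processor token (hypothetical injected callable)
    and keep only the fields the authorization process needs."""
    if not luhn_valid(pan):
        raise ValueError("card number failed Luhn check")
    pan_digits = "".join(c for c in pan if c.isdigit())
    return StoredAuthorization(
        reservation_id=reservation_id,
        processor_token=tokenize(pan_digits),
        last4=pan_digits[-4:],
        purge_after=today + timedelta(days=RETENTION_DAYS),
    )


def purge_expired(records: List[StoredAuthorization], today: date) -> List[StoredAuthorization]:
    """Scheduled job implementing 'purge unnecessary stored data'."""
    return [r for r in records if r.purge_after > today]
```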

Slide 97

COMPARTMENTALIZE IT!

Slide 98

DOUBLE EDGED SWORD
Compartmentalization
“Your perimeter is not the boundary of your network, it’s the boundary of your telemetry.”
– The Grugq
http://grugq.github.io/presentations/comae-blackhat-year-of-the-worm.pdf

Slide 99

LEAST PRIVILEGE
Compartmentalization

```yaml
# CloudFormation resource for the role the encryption service Lambda runs under:
# only the Lambda service may assume it, and it carries only the basic
# execution policy (permission to write its own CloudWatch logs).
EncryptionServiceIAMRole:
  Type: "AWS::IAM::Role"
  Properties:
    Path: "/"
    ManagedPolicyArns:
      - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Sid: "AllowLambdaServiceToAssumeRole"
          Effect: "Allow"
          Action:
            - "sts:AssumeRole"
          Principal:
            Service:
              - "lambda.amazonaws.com"   # no other principal can assume this role
```
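A least-privilege lint for IAM policy documents like the trust policy above, as an added example (not code from the talk): it flags Allow statements with wildcard actions, resources or principals, and NotAction/NotResource grants, which are the usual ways a role ends up broader than its job. The policy dicts are the parsed JSON/YAML; the permissive counter-example is constructed for illustration.

```python
def _as_list(value):
    """IAM allows a single string or a list in most positions; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _has_wildcard(values):
    """'*' or a service-wide 'svc:*' action grants far more than one operation."""
    return any(v == "*" or (isinstance(v, str) and v.endswith(":*")) for v in values)


def lint_policy(doc):
    """Return (Sid, message) findings for Allow statements broader than least privilege."""
    findings = []
    for st in _as_list(doc.get("Statement")):
        sid = st.get("Sid", "<no Sid>")
        if st.get("Effect") != "Allow":
            continue                      # Deny statements only narrow access
        if "NotAction" in st or "NotResource" in st:
            findings.append((sid, "NotAction/NotResource grants everything not listed"))
        if _has_wildcard(_as_list(st.get("Action"))):
            findings.append((sid, "wildcard Action"))
        if _has_wildcard(_as_list(st.get("Resource"))):
            findings.append((sid, "wildcard Resource"))
        principal = st.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            findings.append((sid, "wildcard Principal"))
    return findings


# The deck's trust policy: only the Lambda service may assume the role.
LAMBDA_ASSUME_ROLE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowLambdaServiceToAssumeRole",
        "Effect": "Allow",
        "Action": ["sts:AssumeRole"],
        "Principal": {"Service": ["lambda.amazonaws.com"]},
    }],
}

# Constructed counter-example: the shape of statement the lint should catch.
TOO_BROAD = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Oops", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}
```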

Slide 100

COMPARTMENTALIZE IT!
• Networks
  • Public ingress (CloudFront), WAF rules
  • Private ingress (Jump server)
• Roles for public, hotel staff, site admin, developer, ops
• Restrict data by property
• Archive old data to encrypted cold storage
• Use key management (KMS, HSM, etc.) for secrets

Slide 101

FAULT TOLERANCE
https://github.com/Xyl2k/TSA-Travel-Sentry-master-keys

Slide 102

FAULT TOLERANCE
• User safety
  • Stop the exfiltration
  • Assess the scope
  • Proactively prevent further damage to users
  • Listen
• Technical
  • Engage DF/IR professionals to assess how it happened and how to prevent
  • Design system for secure storage and rotation of secrets

Slide 103

PROPORTIONALITY

Slide 104

LATHER, RINSE, REPEAT
• Plan on enumerating the first principles at least twice in initial app design
• Following first principles does not mean “big design upfront”

Slide 105

FURTHER READING
• The Information Security Practice Principles, Center for Applied Cybersecurity Research, Indiana University
• Threat Modeling: Designing for Security, by Adam Shostack

Slide 106

CREDITS
• Some stock photography from wocintechchat.com, CC-BY 2.0
• Creative Commons photography credited on each slide

Slide 107

CONTACT
[email protected]
@craigstuntz
http://paperswelove.org/chapter/columbus/
https://speakerdeck.com/craigstuntz