Slide 1

SHIFTING APPLICATION SECURITY LEFT
Craig Stuntz ∈ Improving
https://speakerdeck.com/craigstuntz

Slide 2

2012

Slide 3

2017

Slide 4

2017

Slide 5

2018

Slide 6

PREVIEW
• What does application security mean?
• Developer checklists don’t work
• Threat modeling & security from first principles
• Security as a first class part of the software design & development lifecycle

Slide 7

– Hippocratic Oath (1964 Louis Lasagna version)
“I will remember that I do not treat a fever chart, a cancerous growth, but a sick human being, whose illness may affect the person’s family and economic stability.”

Slide 8

No content

Slide 9

1. ummm… blockchain?
2. ???
3. profit!

Slide 10

http://www.independent.co.uk/travel/news-and-advice/air-safety-2017-best-year-safest-airline-passengers-worldwide-to70-civil-aviation-review-a8130796.html

Slide 11

WHAT WOULD SOFTWARE DEVELOPMENT LOOK LIKE IF HUMAN SAFETY WAS ALWAYS THE FIRST CONSIDERATION?
https://www.flickr.com/photos/wocintechchat/25900776992/

Slide 12

– ACM Code of Ethics and Professional Conduct
“A computing professional should contribute to society and to human well-being, acknowledging that all people are stakeholders in computing.”

Slide 13

– Allison Miller
“I don't think humans are the problem, the problem is that humans are the target.”
https://www.scmagazineuk.com/news-feature-google-security-interview-human-solutions--the-way-to-go/article/701976/

Slide 14

WHAT IS SECURITY, REALLY?
https://commons.wikimedia.org/wiki/File:Airport_Frankfurt_-_Fraport_-_Flughafen_Frankfurt_-_barbed_wire_and_fence_-_Stacheldraht_und_Zaun_-_05.jpg
https://www.flickr.com/photos/captkodak/37054929956/

Slide 15

DOMAIN SPECIFIC QA

Slide 16

Behavior Specification

Slide 17

QA: DOES THE SOFTWARE DO WHAT IT SHOULD?

Slide 18

SECURITY: DOES IT ALSO DO ANYTHING ELSE?

Slide 19

Do We Even Know What the Software Is Supposed to Do?

Slide 20

“In order to write secure applications, developers must
• Take OWASP Top 10 training
• Use Veracode
• Have application pentested
• Use two factor authentication on source control and hosts
• Use off-the-shelf crypto libraries
• Monitor production
• Use memory-safe languages
• Do code review
• HTTPS everywhere!

Slide 21

BUILD A RECIPE, NOT A GROCERY STORE

Slide 22

LEARN YOUR DOMAIN
https://commons.wikimedia.org/wiki/File:Domain,_Atrium_(Hong_Kong).jpg

Slide 23

– Matt Tait
“The underlying problem is folks think in terms of ‘secure’ versus ‘insecure.’ But in reality, it's ‘in/secure vs. X threat in Y threat model.’”
https://twitter.com/pwnallthethings/status/922009773352120320

Slide 24

https://www.pbs.org/newshour/science/amazon-recalls-potentially-hazardous-solar-eclipse-glasses

Slide 25

https://twitter.com/slatestarcodex/status/944739157988974592

Slide 26

iTunes Money Laundering
https://www.thedailybeast.com/want-to-launder-bitcoins-how-crooks-are-hacking-itunes-and-getting-paid-by-apple

Slide 27

“I’m just a toaster. Nobody will ever try to hack me!”

Slide 28

– Sen. Richard Burr
“You commented yesterday that your company’s goal is bringing people together. In this case, people were brought together to foment conflict, and Facebook enabled that event to happen.”
https://www.texastribune.org/2017/11/01/russian-facebook-page-organized-protest-texas-different-russian-page-l/

Slide 29

QA! Security!

Slide 30

FOUNDATIONS
Secure Design
Secure Lifecycle
Empowered Developers
Threat Model
Security Fundamentals
Human Safety Priority
Domain Knowledge
Safer Applications and Infrastructure

Slide 31

Define Design Develop QA Security Deploy

Slide 32

NIST 800-64
Security Considerations in the System Development Life Cycle (2008)
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-64r2.pdf

Slide 33

CISCO SECURE DEVELOPMENT LIFECYCLE
https://www.cisco.com/c/dam/en_us/about/doing_business/trust-center/docs/building-trustworthy-systems-with-CSDL.pdf

Slide 34

MICROSOFT SDLC
http://www.microsoft.com/en-us/SDL

Slide 35

OWASP OPEN SAMM
https://www.opensamm.org/

Slide 36

No content

Slide 37

https://twitter.com/petecheslock/status/595617204273618944?lang=en

Slide 38

GREAT IDEAS… ON THE RIGHT
Bug Bounties
Canaries
Full Packet Capture
Fuzzing
Asset Identification
Attack Simulation

Slide 39

SLACK GOSDL
https://www.youtube.com/watch?v=eBwluaTaenI

Slide 40

SLACK GOSDL
https://github.com/slackhq/goSDL

Slide 41

No content

Slide 42

SECURITY IN AN AGILE PROCESS
https://www.scrum.org/resources/scrum-framework-poster
Fundamental Principles
Threat Model
Automated Analysis
Manual Review

Slide 43

THREAT MODELING

Slide 44

SIX DEGREES
Who is affected by the software you create?
https://www.flickr.com/photos/wocintechchat/25388897014/

Slide 45

Users
https://www.flickr.com/photos/wocintechchat/25703122741/

Slide 46

Customers
https://www.flickr.com/photos/wocintechchat/25703122741/
https://www.flickr.com/photos/wocintechchat/25926791491/

Slide 47

Your Team
https://www.flickr.com/photos/wocintechchat/25167741264/

Slide 48

Stakeholders
https://www.flickr.com/photos/wocintechchat/25388889234/

Slide 49

Partners
https://www.flickr.com/photos/wocintechchat/25388854424/

Slide 50

Your Community

Slide 51

WHAT DO YOU HAVE?

Slide 52

Infrastructure
• Servers
• Software
• Clients
• Gateways
• Third Parties

Slide 53

Data
• Databases
• Metadata
• Logs
• Credentials
• Files on client machines

Slide 54

Trust Boundaries
• Implicit
• Explicit

Slide 55

WHAT COULD GO WRONG?

Slide 56

DOMAIN-SPECIFIC RISKS

Slide 57

Take Care of People First
https://www.flickr.com/photos/wocintechchat/25926827581/

Slide 58

Learn from History
https://commons.wikimedia.org/wiki/File:Maginot_line_1.jpg

Slide 59

Existential Threats
http://money.cnn.com/2012/08/09/technology/knight-expensive-computer-bug/index.html

Slide 60

Regulatory

Slide 61

BACK TO BASICS

Slide 62

COMPREHENSIVITY
Security from First Principles
Am I covering all of my bases?
Craig Jackson, Scott Russell, and Susan Sons
https://upload.wikimedia.org/wikipedia/commons/7/72/Agoncillo_-_W%C3%BCrth_Rioja%2C_Museo_30_-_Christo.JPG

Slide 63

OPPORTUNITY
Security from First Principles
Am I taking advantage of my environment?
https://commons.wikimedia.org/wiki/File:Amazing_Bhutan_Monastery.jpg
Craig Jackson, Scott Russell, and Susan Sons

Slide 64

RIGOR
Security from First Principles
What is correct behavior, and how am I ensuring it?
https://commons.wikimedia.org/wiki/File:Turnstile_state_machine_colored.svg
Craig Jackson, Scott Russell, and Susan Sons

Slide 65

MINIMIZATION
Security from First Principles
Can this be a smaller target?
Craig Jackson, Scott Russell, and Susan Sons

Slide 66

COMPARTMENTALIZATION
Security from First Principles
Is this made of distinct parts with limited interactions?
https://en.wikipedia.org/wiki/Bulkhead_(partition)#/media/File:Compartments_and_watertight_subdivision_of_a_ship%27s_hull_(Seaman%27s_Pocket-Book,_1943).jpg
Craig Jackson, Scott Russell, and Susan Sons

Slide 67

FAULT TOLERANCE
Security from First Principles
What happens if this fails?
https://commons.wikimedia.org/wiki/File:A_U.S._Soldier,_right,_looks_on_as_a_U.S._Army_Garrison_Ansbach_Junior_ROTC_cadet_negotiates_a_high_rope_obstacle_6.jpg
Craig Jackson, Scott Russell, and Susan Sons

Slide 68

PROPORTIONALITY
Security from First Principles
Is this worth it?
https://twitter.com/jwgoerlich/status/939268098699550720?s=09
Craig Jackson, Scott Russell, and Susan Sons

Slide 69

THE BASIC PRINCIPLES IN ACTION

Slide 70

BUSINESS PROBLEM
• A hotel chain needs to capture credit card numbers for potential incidental charges when the cardholder will not be present at check in
• Example: A parent wants to authorize incidental charges for a traveling school sports team member
• Current process is a paper form. Company would like to automate

Slide 71

NAÏVE SOLUTION
“Type a quote here.”

Slide 72

NAÏVE SOLUTION, REVISITED
Comprehensivity
“Type a quote here.”

Slide 73

NAÏVE SOLUTION, RE-REVISITED
Comprehensivity
“Type a quote here.”

Slide 74

NAÏVE SOLUTION, RE-RE-REVISITED
Comprehensivity
“Type a quote here.”

Slide 75

DESIGNED INTO PROCESS
Comprehensivity
https://jeremylong.github.io/DependencyCheck/

Slide 76

TRAINING
Comprehensivity
https://twitter.com/chrisrohlf/status/925846092184477698

Slide 77

OPPORTUNITY

Slide 78

CENTRALIZE SECRETS
Opportunity
https://safenet.gemalto.com/data-encryption/enterprise-key-management/key-secure/

Slide 79

PATCH ALL OF THE THINGS
Opportunity
“Type a quote here.”

Slide 80

RIGOR

Slide 81

STATIC ANALYSIS
Rigor
“The most important thing I have done as a programmer in recent years is to aggressively pursue static code analysis. Even more valuable than the hundreds of serious bugs I have prevented with it is the change in mindset about the way I view software reliability and code quality.”
- John Carmack
https://www.gamasutra.com/view/news/128836/InDepth_Static_Code_Analysis.php

Slide 82

No content

Slide 83

MINIMIZE ATTACK SURFACE (and everything else)
https://www.owasp.org/index.php/Attack_Surface_Analysis_Cheat_Sheet

Slide 84

STORE LESS
Minimization
“Limit cardholder data storage and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in your data retention policy. Purge unnecessary stored data at least quarterly.”
PCI-DSS § 3.1
https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_1.pdf
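The retention rule quoted on this slide is easy to state and easy to let slip, so here is an added example (not part of the deck) of what "store less" looks like as code: a purge selector that applies a documented retention period to stored cardholder authorizations, plus a check that the quarterly purge itself is not overdue. The record fields, the 30-day retention period and the sample records are constructed assumptions for the hotel scenario.

```python
"""Data-retention check for stored cardholder data.

Added example (not from the deck): it models the PCI-DSS 3.1 rule quoted on
the slide: keep cardholder data only as long as the documented retention
policy requires, and purge unneeded data at least quarterly. Field names, the
30-day retention period and the sample records are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

RETENTION_DAYS = 30   # assumed policy: incidental-charge authorizations live 30 days
QUARTER_DAYS = 90     # "at least quarterly": longest allowed gap between purge runs


@dataclass(frozen=True)
class StoredCard:
    record_id: str
    stored_on: date
    purpose: str        # documented business reason for holding the data
    still_needed: bool  # whether that reason is still open (e.g. charge not yet settled)


def records_to_purge(records, today, retention_days=RETENTION_DAYS):
    """Return the ids of records the retention policy no longer justifies keeping.

    A record is purged when its business purpose has closed, or when it is older
    than the retention period regardless of purpose: staleness is never a reason
    to keep cardholder data around.
    """
    cutoff = today - timedelta(days=retention_days)
    return sorted(
        r.record_id for r in records
        if not r.still_needed or r.stored_on < cutoff
    )


def purge_overdue(last_purge, today):
    """True when more than a quarter has passed since the last purge run."""
    return (today - last_purge).days > QUARTER_DAYS


# Constructed sample data; "today" is fixed so the result is reproducible.
TODAY = date(2018, 4, 1)
LAST_PURGE = date(2017, 12, 15)
SAMPLE_RECORDS = [
    StoredCard("r1", date(2018, 3, 20), "pending_incidental_charge", True),   # fresh, keep
    StoredCard("r2", date(2018, 1, 5), "pending_incidental_charge", True),    # older than 30 days
    StoredCard("r3", date(2018, 3, 25), "pending_incidental_charge", False),  # charge settled
    StoredCard("r4", date(2018, 3, 2), "pending_incidental_charge", True),    # exactly at cutoff, keep
]

if __name__ == "__main__":
    print("purge:", records_to_purge(SAMPLE_RECORDS, TODAY))            # ['r2', 'r3']
    print("quarterly purge overdue:", purge_overdue(LAST_PURGE, TODAY))  # True
```

Wiring `records_to_purge` into a scheduled job and alerting on `purge_overdue` turns the policy document into something the system enforces rather than something an auditor checks once a year.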

Slide 85

COMPARTMENTALIZE IT!

Slide 86

DOUBLE EDGED SWORD
Compartmentalization
“Your perimeter is not the boundary of your network it’s the boundary of your telemetry.”
- The Grugq
http://grugq.github.io/presentations/comae-blackhat-year-of-the-worm.pdf

Slide 87

LEAST PRIVILEGE
Compartmentalization

EncryptionServiceIAMRole:
  Type: "AWS::IAM::Role"
  Properties:
    Path: "/"
    ManagedPolicyArns:
      - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Sid: "AllowLambdaServiceToAssumeRole"
          Effect: "Allow"
          Action:
            - "sts:AssumeRole"
          Principal:
            Service:
              - "lambda.amazonaws.com"
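The role above is least privilege because it grants nothing beyond the basic Lambda execution policy and can only be assumed by the Lambda service. The static analysis slide 81 argues for can keep it that way: the following added example (not from the deck and not an AWS tool) is a small linter over IAM policy documents that flags wildcard actions, wildcard resources, `NotAction` grants and anonymous principals. Both sample policies are constructed; the first is the JSON form of the slide's trust policy, the second is a deliberately over-broad counterexample.

```python
"""Least-privilege linter for IAM policy documents.

Added example, not from the deck or from AWS tooling: a static check of the
kind slide 81 argues for, applied to the IAM policies a CloudFormation template
like the one on slide 87 carries. Statement fields follow the IAM JSON policy
grammar; both sample policies are constructed (the first mirrors the slide's
trust policy, the second is a deliberately broad counterexample).
"""


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (Sid, finding) pairs for Allow statements that are broader than needed."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only remove access; nothing to flag
        if "NotAction" in stmt:
            findings.append((sid, "Allow with NotAction grants every action not listed"))
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append((sid, "Action '*' grants every action"))
            elif action.endswith(":*"):
                findings.append((sid, f"Action '{action}' grants a whole service"))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((sid, "Resource '*' is not scoped to specific resources"))
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws_principals:
            findings.append((sid, "Principal '*' lets any AWS account use this statement"))
    return findings


# JSON form of the slide's AssumeRolePolicyDocument (constructed for this example).
LAMBDA_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowLambdaServiceToAssumeRole",
        "Effect": "Allow",
        "Action": ["sts:AssumeRole"],
        "Principal": {"Service": ["lambda.amazonaws.com"]},
    }],
}

# Constructed counterexample: the inline policy that grows when a function
# "just needs to read one bucket" and nobody scopes it down afterwards.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "TooBroad",
        "Effect": "Allow",
        "Action": ["s3:*", "kms:Decrypt"],
        "Resource": "*",
    }],
}

if __name__ == "__main__":
    for name, policy in (("trust", LAMBDA_TRUST_POLICY), ("broad", BROAD_POLICY)):
        print(name, lint_policy(policy) or "clean")
```

Run it against every policy document in the template at CI time and fail the build on findings; a role that starts out as tight as the one on the slide then stays tight as the template evolves.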

Slide 88

COMPARTMENTALIZE IT!
• Networks
• Public ingress (CloudFront), WAF rules
• Private ingress (Jump server)
• Roles for public, hotel staff, site admin, developer, ops
• Restrict data by property
• Archive old data to encrypted cold storage
• Use key management (KMS, HSM, etc.) for secrets
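Two items on this list, the role set and "restrict data by property", are application-level compartments rather than infrastructure ones, and they are the ones developers own. The following added example (not the deck's code) shows the authorization check for the hotel scenario: deny by default, site admins see every property, hotel staff see only the properties they work at, and the public, developer and ops roles never read cardholder records at all. The record fields, the property ids and that last rule are constructed assumptions.

```python
"""Role- and property-scoped access to cardholder authorizations.

Added example, not the deck's code: it implements two items from slide 88,
roles for public / hotel staff / site admin / developer / ops, and "restrict
data by property". Record fields, property ids and the rule that developers and
ops never read cardholder records are constructed assumptions for the hotel
example.
"""
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    PUBLIC = "public"
    HOTEL_STAFF = "hotel_staff"
    SITE_ADMIN = "site_admin"
    DEVELOPER = "developer"
    OPS = "ops"


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: Role
    properties: frozenset = frozenset()  # property ids a staff member works at


@dataclass(frozen=True)
class CardAuthorization:
    record_id: str
    property_id: str   # the hotel the incidental-charge authorization was made for
    card_last4: str    # minimization: the app keeps only the last four digits here


def can_read(principal, record):
    """Deny by default: site admins see everything, staff see only their own property."""
    if principal.role is Role.SITE_ADMIN:
        return True
    if principal.role is Role.HOTEL_STAFF:
        return record.property_id in principal.properties
    return False  # public, developer and ops roles never read cardholder records


def visible_records(principal, records):
    """Filter a result set so a caller only receives what they are allowed to read."""
    return [r.record_id for r in records if can_read(principal, r)]


# Constructed sample data.
RECORDS = [
    CardAuthorization("a1", "ATL-01", "4242"),
    CardAuthorization("a2", "ATL-01", "1881"),
    CardAuthorization("a3", "BOS-02", "0005"),
]
FRONT_DESK_ATL = Principal("staff-17", Role.HOTEL_STAFF, frozenset({"ATL-01"}))
SITE_ADMIN = Principal("admin-1", Role.SITE_ADMIN)
PARENT = Principal("parent-9", Role.PUBLIC)
ON_CALL_OPS = Principal("ops-3", Role.OPS)

if __name__ == "__main__":
    for who in (FRONT_DESK_ATL, SITE_ADMIN, PARENT, ON_CALL_OPS):
        print(who.user_id, who.role.value, visible_records(who, RECORDS))
```

Applying the filter in one place, on every read path, is what makes the compartment real: a bug in a Boston-facing screen then cannot leak Atlanta's records, and a compromised front-desk account is bounded to one property.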

Slide 89

FAULT TOLERANCE
https://github.com/Xyl2k/TSA-Travel-Sentry-master-keys

Slide 90

FAULT TOLERANCE
• User safety
  • Stop the exfiltration
  • Assess the scope
  • Proactively prevent further damage to users
  • Listen
• Technical
  • Engage DF/IR professionals to assess how it happened and how to prevent
  • Design system for secure storage and rotation of secrets

Slide 91

PROPORTIONALITY

Slide 92

LATHER, RINSE, REPEAT
• Plan on enumerating the first principles at least twice in initial app design
• Enumerate again in sprint planning for each sprint
• Following first principles does not mean “big design upfront”

Slide 93

CONTINUOUS SECURITY
Initially
• Human safety review
• Review principles at least twice
• Begin threat modeling
• Security controls in CI
Periodically
• Pentest
• Regulatory review
• Incident response plan
Continuously
• Use principles in backlog grooming
• Update threat model
• Usability testing
• Static/dynamic analysis
• Training
• Patch All of the Things

Slide 94

WHAT’S OMITTED?
• Testing — does it work?
• Incompetence / fat fingering vs. malicious insiders
• Decrease reaction times
• Automation and zero touch
• Have human supervision over automated processes
• Breakglass escapes for emergencies

Slide 95

FURTHER READING

Slide 96

FURTHER READING
• The Information Security Practice Principles, Center for Applied Cybersecurity Research, Indiana University
• Threat Modeling, Designing for Security, by Adam Shostack

Slide 97

CREDITS
• Some stock photography from wocintechchat.com, CC-BY 2.0
• Creative Commons photography credited on each slide

Slide 98

NEXT UP
22 April “Team Leadership for Beginners” - Tim Rayburn
24 April “Remote Scrum Mastery - How?” - Ty Crockett

Slide 99

CONTACT
[email protected]
@craigstuntz
http://paperswelove.org/chapter/columbus/
https://speakerdeck.com/craigstuntz