Metro Atlanta ISSA: Defending Against Data Breaches, as part of a Custom Software Development Process

Metro Atlanta ISSA: Defending Against Data Breaches, as part of a Custom Software Development Process

http://gaissa.org/gaissa_conference_bios_abstracts.html#f_rietta

Understanding & Defending Against Data Breaches, as part of a Custom Software Development Process

Security incidents that lead to data breaches have been happening a lot, from the latest Anthem Blue Cross breach, to Target, to Home Depot, to breaches including the MongoHQ incident that lead to the BufferApp compromise. Waiting until a software project is complete and bolting security on through the use of security software or network security countermeasures is not effective enough. To have a chance to build a secure system, a team requires the active support of developers and for the organization to adopt a written information security policy that influences business model decisions and the requirements gathering process.

Frank Rietta, with over 16 years of career experience, he is specialized in working with startups, new Internet businesses, and in developing with the Ruby on Rails platform to build scalable businesses. He is a computer scientist with a Masters in Information Security from the College of Computing at the Georgia Institute of Technology. He regularly speaks about security topics and is a contributor to the security chapter of the 7th edition of the "Fundamentals of Database Systems" textbook published by Addison-Wesley.

Ab03678bbcfaa5425274e4d3905ae7b8?s=128

Frank Rietta

November 11, 2015
Tweet

Transcript

  1. Frank S. Rietta, 
 M.S. Information Security rietta.com/blog @frankrietta on

    Twitter November 11, 2015 Defending Against Data Breaches, as part of a Custom Software Development Process © 2015 Rietta Inc.
  2. Slides on Speaker Deck 
 And the Paper At http://bit.ly/1iPQm0S

  3. Security is not an On/Off switch

  4. How a Custom Software App Comes to Be

  5. How Apps Start Bob the Entrepreneur Wouldn’t in be great

    if…
  6. Hire a designer Bob the Entrepreneur Designer (Freelancer)

  7. Custom code needs a coder Bob the Entrepreneur Backend Developer

    Designer (Freelancer)
  8. Bigger team, means funding (or revenue is needed) Bob the

    Entrepreneur Backend Developer Front-end Dev Designer (Freelancer) Bob’s Funders… Wouldn’t in be great if…
  9. So now we have a small team, and if we’re

    really lucky an Agile Product Owner. Otherwise, the lead developer will have to fill that role him or herself. Oh, and a lot of people with ideas…
  10. Developers at work And by the way, there is no

    red team. That’s not in the budget. Photo Credit: Lisamarie Babik / Wikipedia
  11. TDD Cycle in a Startup 1. Read the user story

    2. Write a failing test 3. Implement the feature 4. See the tests pass 5. Deploy! Ship it to the cloud!
  12. Application Security is the subset of Information Security focused on

    protecting data and privacy from abuse by adversaries who have access to the software system as a whole. Its purpose is to make software resilient to attack, especially when network defenses alone are insufficient.
  13. Sensitive Data Means to 
 Read It + Unauthorized Person

    = Breach
  14. Source: 
 McCandless (2015)

  15. Photo Credit: johnjoh on Flicker, CC BY-SA 2.0.

  16. Variety of hacking actions within Web App Attacks patterns (n=205)

    Source: Verizon DBIR (2015), p 41
  17. Major Preventable Flaws • Compromised staff credentials, which would be

    preventable by two-factor authentication • Automated technical exploits, that are aggressively applied over a large number of sites, succeeded because basics are ignored • Poor security, including unencrypted backups, leading to an unauthorized person having access to both the data and the means to read it
  18. Hoglund, Greg , and Gary McGraw. (2004) Exploiting Software, p

    9. “Most outsourced software (software developed off-site by contractors) is full of backdoors…. Companies that commission this kind of software have not traditionally paid any attention to security at all” (2004).
  19. “Security is not a functional requirement” - A graduate school

    professor
  20. Security is not a functional requirement

  21. Security is a matter of developer ethics and code craftsmanship

  22. – Michael Horn, the CEO of Volkswagen of America, in

    testimony before Congress "This was a couple of software engineers who put this in for whatever reason"
  23. Security-based Development Baking security into the development process

  24. Security is a Requirement

  25. Commercial Information Classifications 1. Public: Public information 2. Internal Use:

    Confidential business information 3. Confidential: Information that customers consider confidential 4. Sensitive: Personal and Private Information (PII), information that THE LAW considers confidential 5. Highly Sensitive: Encryption keys, server secrets, staff/admin passwords
  26. Users can feel a privacy breach even if the terms

    and conditions spell out in mouse print that they agree to such sharing. This is a yellow line violation.
  27. Written Information 
 Security Policy • Having a written information

    security policy is very beneficial and in some cases required by regulation • It should state how the organization deals with sensitive information, such as formally adopting an information classification system • It should include value statements that empower internal stakeholders to demand security be addressed as part of a custom software process
  28. User Stories 
 & Abuser Stories I want an easy

    login experience I want to obtain credentials and steal things
  29. User Stories Are composed of three aspects: 1. a written

    description of the story used for planning and as a reminder 2. conversations about the story that serve to flesh out the details of the story 3. tests that convey and document details and that can be used to determine when a story is complete
  30. The New Customer As a Visitor, I can create a

    new account by filling in my e-mail address and desired password Security Notes: • Can we verify that the user really has the email address on signup? • The password should be at least 12 characters long and should definitely allow for spaces and punctuation
  31. The Customer Service Rep As a Staff member, I can

    choose the “Assist Customer” button to login as that customer to provide him or her with excellent service. Security Notes: • We need to have a ton of logging around this feature • Staff members should be required to have authenticated with two- factor so that we do not have an unauthorized person accessing this with just a staff credential • Let’s identify certain private fields that customer service does not need access to while helping the customer. Those should be restricted; can we use the database SQL permissions to raise an exception if any of those fields is accessed while using this feature?
  32. The Lawyer As general counsel, when I have received a

    subpoena for all material records for a particular account and have exhausted my options to reject it, I work with a system administrator to produce the data while not pulling unnecessary records. Security Notes: • As a matter of policy, we push back on all Law enforcement requests. • Even when the government compels access, we have to protect privacy.
  33. Abuser Stories

  34. URL Tweaker As an Authenticated Customer, I see what looks

    like my account number in the URL, so I change it to another number to see what will happen
  35. Curious Editor As an Authenticated Customer, I paste HTML that

    includes JavaScript into every field possible to see what happens.
  36. Infrastructure Takeover As a Malicious Hacker, I want to gain

    access to this web application’s Cloud Hosting account so that I can lock out the legitimate owners and delete the servers and their backups, to destroy their entire business
  37. It Happened to Code Spaces in 2014 http://arstechnica.com/security/2014/06/aws- console-breach-leads-to-demise-of-service-with- proven-backup-plan/

  38. Disgruntled Employee As a disgruntled employee who will soon be

    fired, I want to permanently delete as much data as possible, so that I can cause chaos. Source: Fitzer, James R. Agile Information Security, p 37
  39. Scam Artist / ID Thief As a scam artist, I

    want to obtain employee names, addresses, and social security numbers, so that I can steal their identity and finance a Corvette under their name. Source: Fitzer, James R. Agile Information Security, p 37
  40. Hater As as Person with ill will towards a person

    I hate, I will seek to compromise any details about that person possible so that I can harm their reputation or endanger their life.
  41. Clear Communication About Threats to Inform Development Decisions

  42. Additional Practical Countermeasures for Your Developers • Read the OWASP

    Top 10, the STRIDE Threat Model • Use Secure HTTP Headers and enable SSL-only with Strict-Transport Security on all production sites • Run automated audit tools, such as Brakeman, Bundler-audit, Code Climate, and Linters • Use GnuPG (or PGP) as part of your workflow • Practice on the OWASP WebGoat, Railsgoat, or Pygoat!
  43. Recap 1. Data breaches are a major concern that cannot

    be mitigated by wishful thinking alone 2. Application Security is about preventing abuse by adversaries who have access to the system, focusing on the app itself rather than just its environment 3. Have an Information Classification system 4. Treat security as a requirement by writing Abuser Stories along with your User Stories. 5. Apply practical technical countermeasures, such as including OWASP Top 10 and your abuse stories in your automated test suite
  44. Thanks!

  45. Frank S. Rietta, M.S. Information Security • My blog, where

    I write on security and other topics • https://rietta.com/blog • On Twitter • https://twitter.com/frankrietta • Learn more about Rietta’s community sponsorship, including the Atlanta Ruby Users’ Group videos • https://rietta.com/community
  46. Rietta builds custom, secure code to automate business processes and

    web APIs. Unlike other contract development shops, application security is actually our primary concern when we write code and build products. A Security-based Development Firm