David Rook

Jedi mind tricks for building application
security programs

SecurityBSides, London
if (slide == introduction)
            System.out.println("I’m David Rook");

• Security Analyst, Realex Payments, Ireland
  CISSP, CISA, GCIH and many other acronyms



• Security Ninja (www.securityninja.co.uk)

• Speaker at international security conferences

• Nominated for multiple blog awards

• A mentor in the InfoSecMentors project

• Developed and released Agnitio
Agenda


• Using Jedi mind tricks on your developers

• s/Application Security Alien/Business Language/i;
Using Jedi mind tricks on developers


• Most developers actually want to write secure code

  • You need to take ownership of the app sec problems with them
  • Developers generally like producing quality code, use this!
  • They want security knowledge with good practices and tools
Using Jedi mind tricks on developers


Jim Bird, blog comment:

“I’m a software guy. I don’t need a meme. I need practices and tools that
work, that help me get software out the door, better software that is more
reliable and more secure.”




http://securosis.com/blog/good-programming-practices-vs.-rugged-development
Using Jedi mind tricks on developers


• How can you help developers?

  • Help them understand how to write secure code
  • Own application security problems with them
  • Don’t dictate! Speak, listen, learn and improve things
Application Security Alien


• We speak an alien language

  • We talk of injections, jackings and pwnings
  • We present findings in weird formats with a side order of FUD
Application Security Alien


• I will use CVSS as an example

  • Let’s pretend we are analysing a SQL Injection vulnerability
Application Security Alien


CVSS base score equation

BaseScore = (0.6*Impact + 0.4*Exploitability - 1.5) * f(Impact)
Impact = 10.41*(1 - (1-ConfImpact)*(1-IntegImpact)*(1-AvailImpact))
Exploitability = 20*AccessComplexity*Authentication*AccessVector
f(Impact) = 0 if Impact=0; 1.176 otherwise
Application Security Alien


CVSS Temporal Equation

TemporalScore = BaseScore*Exploitability*RemediationLevel*ReportConfidence
Application Security Alien


CVSS Environmental Equation

EnvironmentalScore = (AdjustedTemporal + (10 - AdjustedTemporal)*CollateralDamagePotential) * TargetDistribution
AdjustedTemporal = TemporalScore recomputed with the Impact sub-equation replaced with the following AdjustedImpact equation.
AdjustedImpact = Min(10, 10.41*(1 - (1-ConfImpact*ConfReq)*(1-IntegImpact*IntegReq)*(1-AvailImpact*AvailReq)))
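The three CVSS v2 equations above, carried through in code for an assumed SQL injection vector. This is an added example, not code from the slides or from FIRST; the metric weights are the published CVSS v2 values, while the vector string and its temporal/environmental settings are assumptions chosen to show how many knobs the "alien" format has.

```python
"""CVSS v2 base, temporal and environmental scores, following the three
equations quoted on the slides.

Added example, not code from the slides or from FIRST. The metric weights
are the published CVSS v2 values; the SQL injection vector scored in
main() and its temporal/environmental settings are assumed, typical choices.
"""
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 metric weights (published values)
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}
EXPLOITABILITY_T = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}
REMEDIATION_LEVEL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}
REPORT_CONFIDENCE = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}
COLLATERAL_DAMAGE = {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0}
TARGET_DISTRIBUTION = {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0}
SECURITY_REQUIREMENT = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}


def parse_vector(vector: str) -> dict:
    """Turn 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/...' into {'AV': 'N', 'AC': 'L', ...}."""
    return dict(part.split(":", 1) for part in vector.split("/"))


def round1(x: float) -> float:
    """CVSS rounds to one decimal, half up; Python's round() is half-even."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def impact_subscore(c: float, i: float, a: float,
                    cr: float = 1.0, ir: float = 1.0, ar: float = 1.0) -> float:
    """Impact = 10.41*(1-(1-C)(1-I)(1-A)); with CR/IR/AR weights folded in
    (and capped at 10 by the caller) it is the AdjustedImpact sub-equation."""
    return 10.41 * (1 - (1 - c * cr) * (1 - i * ir) * (1 - a * ar))


def exploitability_subscore(av: float, ac: float, au: float) -> float:
    """Exploitability = 20*AccessComplexity*Authentication*AccessVector."""
    return 20 * ac * au * av


def base_score(v: dict, adjusted: bool = False) -> float:
    """BaseScore = (0.6*Impact + 0.4*Exploitability - 1.5) * f(Impact).

    adjusted=True swaps Impact for AdjustedImpact (environmental CR/IR/AR),
    which is how AdjustedTemporal gets recomputed."""
    reqs = [SECURITY_REQUIREMENT[v.get(k, "ND")] if adjusted else 1.0
            for k in ("CR", "IR", "AR")]
    impact = impact_subscore(IMPACT[v["C"]], IMPACT[v["I"]], IMPACT[v["A"]], *reqs)
    if adjusted:
        impact = min(10.0, impact)  # the Min(10, ...) in AdjustedImpact
    expl = exploitability_subscore(ACCESS_VECTOR[v["AV"]],
                                   ACCESS_COMPLEXITY[v["AC"]], AUTHENTICATION[v["Au"]])
    f_impact = 0.0 if impact == 0 else 1.176
    return round1((0.6 * impact + 0.4 * expl - 1.5) * f_impact)


def temporal_score(v: dict, adjusted: bool = False) -> float:
    """TemporalScore = BaseScore*Exploitability*RemediationLevel*ReportConfidence.
    Temporal metrics missing from the vector default to ND (weight 1.0)."""
    base = base_score(v, adjusted)
    return round1(base * EXPLOITABILITY_T[v.get("E", "ND")]
                  * REMEDIATION_LEVEL[v.get("RL", "ND")]
                  * REPORT_CONFIDENCE[v.get("RC", "ND")])


def environmental_score(v: dict) -> float:
    """EnvironmentalScore = (AdjustedTemporal + (10-AdjustedTemporal)*CDP) * TD."""
    adjusted_temporal = temporal_score(v, adjusted=True)
    cdp = COLLATERAL_DAMAGE[v.get("CDP", "ND")]
    td = TARGET_DISTRIBUTION[v.get("TD", "ND")]
    return round1((adjusted_temporal + (10 - adjusted_temporal) * cdp) * td)


def score_vector(vector: str) -> dict:
    """All three scores for one vector string."""
    v = parse_vector(vector)
    return {"base": base_score(v), "temporal": temporal_score(v),
            "environmental": environmental_score(v)}


if __name__ == "__main__":
    # Assumed vector: remotely reachable, unauthenticated SQL injection with
    # partial C/I/A impact, functional exploit, official fix, confirmed report,
    # deployed on all targets in an environment rating C and I as High.
    sqli = "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C/CDP:MH/TD:H/CR:H/IR:H/AR:M"
    for name, score in score_vector(sqli).items():
        print(f"{name:>13}: {score}")
```

Fourteen metric choices and three rounding steps stand behind a single "7.5", which is the point the slides make about presenting findings to people outside security.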
Application Security Alien


• We speak an alien language

  • We talk of injections, jackings and pwnings
  • We present findings in weird formats with a side order of FUD
  • We feel security should just happen without having to justify it
The Business Language


• We need to speak the business language

  • We need to talk about things the business cares about
  • We need to present findings in a format that makes sense
The Business Language


• How does your business score risks?

  • Let’s pretend we are analysing a SQL Injection vulnerability
The Business Language


A simple (common!) risk equation

Probability*Impact


  Probability    Impact   Score   Appetite

      3            5       15       12
The Business Language


• We need to speak the business language

  • We need to talk about things the business cares about
  • Present findings in a format that makes sense to the business
  • Application security is no exception when it comes to resourcing
Jedi mind tricks and alien translations


• Apply the KISS principle to everything you do

  • Keep everything as simple as possible, complexity doesn’t help
  • Understand what developers want and need to write secure code
  • Work with the business and use their language and formats
QUESTIONS?
www.securityninja.co.uk


     @securityninja

     /realexninja

     /securityninja

     /realexninja
Jedi mind tricks
for building
application
security programs

Chris Wysopal
CTO & Co-founder
The formative years… Padawan?




It was all about attack.

Early web app testing: Lotus Domino, Cold Fusion
Windows Security: Netcat for Windows, L0phtCrack
Early disclosure policies: RFPolicy, L0pht Advisories
Now with professional PR team…




   Time to help the defensive side

   Led @stake research team
   @stake application security consultant
   Published Art of Software Security Testing
   Veracode CTO and Co-Founder
Why do we need executive buy in?

Application security programs will require
developer training
Application security programs will require
tools/services
Application security programs will impact
delivery schedules
Application security cannot be “voluntary”


                    Authority
Speaking the language of executives



CEOs
CFOs
CIOs
If money is the language of execs what do they
say?

How do I grow my top line?
How do I lower costs?
How do I mitigate risk?
Talk in terms of business risk and
use monetary terms when
possible.
Then we can speak the
same language.
Different types of risk

Legal risk – Legal costs, settlement
costs, fines
Compliance risk – fines, lost business
Brand risk – lost business
Security risk - ????
Translate technical risk to monetary risk

 What is the monetary risk from vulnerabilities in your application
 portfolio?

 Monetary risk is your expected loss; derived from your
 vulnerabilities, your breach cost, threat space data




[Diagram: Your Vulnerabilities + Your Breach Cost + Threat Space Data]
Your Breach Cost

       Use cost analysis from your earlier breaches
       Use breach cost from public sources
           – Example: April 2010 Ponemon Institute Report

(US Dollars)

                 Detection &   Notification   Ex-Post     Lost        Total
                 Escalation                   Response    Business
  Average        264,208       500,321        1,514,819   4,472,030   6,751,451
  Per-capita     8             15             46          135         204

Ponemon average and per-capita US breach cost (US Dollars)

  Communication      209
  Consumer           159
  Education          203
  Energy             237
  Financial          248
  Healthcare         294
  Hotel & Leisure    153
  Manufacturing      136
  Media              149
  Pharma             310
  Research           266
  Retail             133
  Services           256
  Technology         192
  Transportation     121

Ponemon per-capita data by US industry sector (US Dollars)
Threat Space Data




40% of data breaches are due to hacking
  Source: Verizon 2010 Data Breach Investigations Report

[Chart: Top 7 application vulnerability categories]

62% of organizations experienced breaches in critical applications in 12 month period
  Source: Forrester 2009 Application Risk Management and Business Survey
How to Derive Your Expected Loss



expected loss (vulnerability category) = f( % of orgs breached X breach cost X breach likelihood from vuln. category )

Baseline expected loss for your organization due to SQL Injection*

expected loss (SQL injection) = f( 62% X $248 X 100,000 X 25% )

*If your SQL Injection prevalence is similar to average SQL Injection prevalence;
assumes 100,000 records
Monetary Risk Derived From Relative Prevalence

  Vulnerability Category        Breach       Baseline        Average % of       Your % of          Your Monetary
                                Likelihood   Expected Loss   Apps Affected (1)  Apps Affected (2)  Risk
  Backdoor/Control Channel      29%          $4,459,040      8%                 15%                higher
  SQL Injections                25%          3,844,000       24%                10%                lower
  Command Injection             14%          2,152,640       7%                 6%                 same
  XSS                           9%           1,383,840       34%                5%                 lower
  Insufficient Authentication   7%           1,076,320       5%                 2%                 lower
  Insufficient Authorization    7%           1,076,320       7%                 7%                 same
  Remote File Inclusion         2%           307,520         <1%                <1%                same

  Assume 100,000 customer records.
  For SQLi the expected loss is:
  62% * $248 * 100,000 * 25% = $3,844,000

  1. Veracode 2010 State of Software Security Report, Vol. 2
  2. De-identified financial service company data from Veracode industry data
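The expected-loss derivation and the prevalence table above, carried through in code so the baseline figures can be recomputed from the quoted inputs. This is an added example, not code from the slides or from Veracode; the figures are the ones printed on the slides, while the one-point tolerance behind "same" and the 0.5 stand-in for "<1%" are assumptions.

```python
"""Expected loss ("monetary risk") per vulnerability category, following
the derivation on the slides:

    expected loss(category) = % of orgs breached * breach cost * breach likelihood(category)
    breach cost             = per-capita breach cost * number of records

Added example, not code from the slides or from Veracode. Assumptions: a
"<1%" prevalence is carried as 0.5, and two prevalence figures within one
percentage point of each other count as "same".
"""

ORGS_BREACHED_PCT = 62      # Forrester 2009 figure quoted on the slide
PER_CAPITA_COST_USD = 248   # Ponemon 2010 per-capita cost, financial sector
RECORDS = 100_000           # record count assumed on the slide

# category -> (breach likelihood %, average % of apps affected, your % of apps affected)
# Figures transcribed from the slide's table; "<1%" carried as 0.5 (assumption).
CATEGORIES = {
    "Backdoor/Control Channel":    (29, 8.0, 15.0),
    "SQL Injection":               (25, 24.0, 10.0),
    "Command Injection":           (14, 7.0, 6.0),
    "XSS":                         (9, 34.0, 5.0),
    "Insufficient Authentication": (7, 5.0, 2.0),
    "Insufficient Authorization":  (7, 7.0, 7.0),
    "Remote File Inclusion":       (2, 0.5, 0.5),
}


def breach_cost(per_capita_usd: float, records: int) -> float:
    """Breach cost if every record is exposed: per-capita cost * records."""
    return per_capita_usd * records


def expected_loss(orgs_breached_pct: float, cost: float, likelihood_pct: float) -> int:
    """Baseline expected loss, in whole dollars, for one vulnerability category.

    Percentages are passed as 0..100 so the call reads like the slide
    (62% * $248 * 100,000 * 25%); rounding to the dollar removes float noise."""
    return round(cost * orgs_breached_pct / 100 * likelihood_pct / 100)


def relative_risk(avg_pct: float, your_pct: float, tolerance_pct: float = 1.0) -> str:
    """Compare your prevalence with the industry average: 'higher', 'lower' or 'same'.
    The tolerance is an assumption; the slide gives only the labels."""
    if your_pct > avg_pct + tolerance_pct:
        return "higher"
    if your_pct < avg_pct - tolerance_pct:
        return "lower"
    return "same"


def monetary_risk_table(categories=CATEGORIES, orgs_breached_pct=ORGS_BREACHED_PCT,
                        per_capita_usd=PER_CAPITA_COST_USD, records=RECORDS) -> list:
    """Rebuild the slide's table: one row per category with baseline loss and relative risk."""
    cost = breach_cost(per_capita_usd, records)
    rows = []
    for name, (likelihood, avg_pct, your_pct) in categories.items():
        rows.append({
            "category": name,
            "breach_likelihood_pct": likelihood,
            "baseline_expected_loss_usd": expected_loss(orgs_breached_pct, cost, likelihood),
            "avg_pct_apps_affected": avg_pct,
            "your_pct_apps_affected": your_pct,
            "your_monetary_risk": relative_risk(avg_pct, your_pct),
        })
    return rows


if __name__ == "__main__":
    for row in monetary_risk_table():
        print(f"{row['category']:<28} {row['breach_likelihood_pct']:>3}%  "
              f"${row['baseline_expected_loss_usd']:>10,}  "
              f"avg {row['avg_pct_apps_affected']:>4}%  yours {row['your_pct_apps_affected']:>4}%  "
              f"-> {row['your_monetary_risk']}")
```

Swapping in your own sector's per-capita cost from the Ponemon table and your own record count turns the slide's baseline into the number for your organisation.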
Executives want…

An organizational wide view. Am I lowering overall
application risk?
 –   Internal code
 –   Outsourced
 –   Vendor supplied
 –   Open source
A program that has achievable objectives. What am I
getting for the money I am spending?
A program that is measurable: metrics and reporting.
Am I marching toward the objectives?
 – Which dev teams, outsourcers are performing well?
 – How is my organization doing relative to my peers?
Tips to make the program successful

 The right people have to understand what is
 going to happen before you start
 Do a real world pen test or assessment of a
 project. Demonstrate relevant risk.
 Integrate into existing processes
    SDLC
    Procurement/legal
    M&A
Q&A
          Speaker Contact
            Information:
           Chris Wysopal
      (cwysopal@veracode.com)
         Twitter: @WeldPond


              David Rook
           www.securityninja.co.uk

                @securityninja

                 /realexninja

                 /securityninja

                 /realexninja

New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 

Recently uploaded (20)

The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 

Jedi mind tricks for building application security programs

  • 1. David Rook
    Jedi mind tricks for building application security programs
    SecurityBSides, London

  • 2. if (slide == introduction)
          System.out.println("I’m David Rook");
    • Security Analyst, Realex Payments, Ireland; CISSP, CISA, GCIH and many other acronyms
    • Security Ninja (www.securityninja.co.uk)
    • Speaker at international security conferences
    • Nominated for multiple blog awards
    • A mentor in the InfoSecMentors project
    • Developed and released Agnitio

  • 3. Agenda
    • Using Jedi mind tricks on your developers
    • s/Application Security Alien/Business Language/i;

  • 4. Using Jedi mind tricks on developers
    • Most developers actually want to write secure code
      • You need to take ownership of the app sec problems with them
      • Developers generally like producing quality code, use this!
      • They want security knowledge with good practices and tools

  • 5. Using Jedi mind tricks on developers
    Jim Bird, blog comment:
    “I’m a software guy. I don’t need a meme. I need practices and tools that work, that help me get software out the door, better software that is more reliable and more secure.”
    http://securosis.com/blog/good-programming-practices-vs.-rugged-development
  • 6. Using Jedi mind tricks on developers
    • How can you help developers?
      • Help them understand how to write secure code
      • Own application security problems with them
      • Don’t dictate! Speak, listen, learn and improve things

  • 7. Application Security Alien
    • We speak an alien language
      • We talk of injections, jackings and pwnings
  • 8.
  • 9.
  • 10.
  • 11. Application Security Alien
    • We speak an alien language
      • We talk of injections, jackings and pwnings
      • We present findings in weird formats with a side order of FUD

  • 12. Application Security Alien
    • I will use CVSS as an example
      • Let’s pretend we are analysing a SQL Injection vulnerability
  • 13.
  • 14. Application Security Alien
    CVSS base score equation
    BaseScore = (.6*Impact + .4*Exploitability - 1.5)*f(Impact)
    Impact = 10.41*(1-(1-ConfImpact)*(1-IntegImpact)*(1-AvailImpact))
    Exploitability = 20*AccessComplexity*Authentication*AccessVector
    f(Impact) = 0 if Impact=0; 1.176 otherwise

  • 15. Application Security Alien
    CVSS Temporal Equation
    TemporalScore = BaseScore*Exploitability*RemediationLevel*ReportConfidence

  • 16. Application Security Alien
    CVSS Environmental Equation
    EnvironmentalScore = (AdjustedTemporal + (10-AdjustedTemporal)*CollateralDamagePotential)*TargetDistribution
    AdjustedTemporal = TemporalScore recomputed with the Impact sub-equation replaced with the following AdjustedImpact equation.
    AdjustedImpact = Min(10, 10.41*(1-(1-ConfImpact*ConfReq)*(1-IntegImpact*IntegReq)*(1-AvailImpact*AvailReq)))
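To show what the three equations on slides 14 to 16 actually produce for the SQL Injection case, here is an added calculator that is not part of the deck: it implements the Base, Temporal and Environmental equations as quoted, with the standard CVSS v2 metric weights, and scores a constructed vector (the slides name no specific vector, so the metric values chosen here are an assumption).

```python
"""CVSS v2 Base, Temporal and Environmental equations as quoted on the slides.
Added example, not code from the deck; weights are the standard CVSS v2 values.
The vector scored at the bottom is constructed, the slides name none."""

ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}          # AV
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}       # AC
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}         # Au
CIA_IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}             # C, I, A
EXPLOITABILITY = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}       # E
REMEDIATION_LEVEL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}   # RL
REPORT_CONFIDENCE = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}              # RC
COLLATERAL_DAMAGE = {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0}  # CDP
TARGET_DISTRIBUTION = {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0}   # TD
SECURITY_REQUIREMENT = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}             # CR/IR/AR

def parse_vector(vector):
    """'AV:N/AC:L/...' -> {'AV': 'N', 'AC': 'L', ...}."""
    return dict(part.split(":") for part in vector.split("/"))

def impact_subscore(m, reqs=None):
    """Impact sub-equation; with security requirements it is AdjustedImpact, capped at 10."""
    c, i, a = (CIA_IMPACT[m[k]] for k in "CIA")
    if reqs:
        c, i, a = c * reqs["C"], i * reqs["I"], a * reqs["A"]
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    return min(10.0, impact) if reqs else impact

def base_score(m, reqs=None):
    """BaseScore = round1((.6*Impact + .4*Exploitability - 1.5) * f(Impact))."""
    impact = impact_subscore(m, reqs)
    exploitability = (20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]]
                      * AUTHENTICATION[m["Au"]])
    f_impact = 0 if impact == 0 else 1.176      # f(Impact) from slide 14
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)

def temporal_score(m, reqs=None):
    """TemporalScore = round1(BaseScore*E*RL*RC); with reqs this is AdjustedTemporal."""
    return round(base_score(m, reqs) * EXPLOITABILITY[m["E"]]
                 * REMEDIATION_LEVEL[m["RL"]] * REPORT_CONFIDENCE[m["RC"]], 1)

def environmental_score(m):
    """EnvironmentalScore = round1((AT + (10 - AT)*CDP) * TD) with AT = AdjustedTemporal."""
    reqs = {k: SECURITY_REQUIREMENT[m[k + "R"]] for k in "CIA"}
    at = temporal_score(m, reqs)
    return round((at + (10 - at) * COLLATERAL_DAMAGE[m["CDP"]])
                 * TARGET_DISTRIBUTION[m["TD"]], 1)

def score(vector):
    """(base, temporal, environmental) for a full CVSS v2 vector string."""
    m = parse_vector(vector)
    return base_score(m), temporal_score(m), environmental_score(m)

# Constructed SQLi vector: remote, no auth, partial C/I/A, functional exploit,
# official fix, deployed where confidentiality and integrity matter most.
SQLI_VECTOR = "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C/CDP:MH/TD:H/CR:H/IR:H/AR:M"

if __name__ == "__main__":
    print("base/temporal/environmental:", score(SQLI_VECTOR))  # (7.5, 6.2, 8.2)
```

Three numbers on a ten-point scale are what a developer or manager gets from this: the next slides make the point that none of them says what the finding costs the business.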
  • 17.
  • 18. Application Security Alien
    • We speak an alien language
      • We talk of injections, jackings and pwnings
      • We present findings in weird formats with a side order of FUD
      • We feel security should just happen without having to justify it

  • 19. The Business Language
    • We need to speak the business language
      • We need to talk about things the business cares about
      • We need to present findings in a format that makes sense

  • 20. The Business Language
    • How does your business score risks?
      • Let’s pretend we are analysing a SQL Injection vulnerability

  • 21. The Business Language
    A simple (common!) risk equation: Probability*Impact

    Probability | Impact | Score | Appetite
    3           | 5      | 15    | 12

  • 22. The Business Language
    • We need to speak the business language
      • We need to talk about things the business cares about
      • Present findings in a format that makes sense to the business
      • Application security is no exception when it comes to resourcing

  • 23. Jedi mind tricks and alien translations
    • Apply the KISS principle to everything you do
      • Keep everything as simple as possible, complexity doesn’t help
    • Understand what developers want and need to write secure code
    • Work with the business and use their language and formats
  • 24. QUESTIONS?
    www.securityninja.co.uk
    @securityninja /realexninja /securityninja /realexninja

  • 25. Jedi mind tricks for building application security programs
    Chris Wysopal, CTO & Co-founder

  • 26. The formative years… Padawan?
    • It was all about attack.
      • Early web app testing: Lotus Domino, Cold Fusion
      • Windows Security: Netcat for Windows, L0phtCrack
      • Early disclosure policies: RFPolicy, L0pht Advisories

  • 27. Now with professional PR team…
    • Time to help the defensive side
      • Led @stake research team
      • @stake application security consultant
      • Published Art of Software Security Testing
      • Veracode CTO and Co-Founder

  • 28. Why do we need executive buy in?
    • Application security programs will require developer training
    • Application security programs will require tools/services
    • Application security programs will impact delivery schedules
    • Application security cannot be “voluntary”
    Authority

  • 29. Speaking the language of executives
    • CEOs
    • CFOs
    • CIOs
  • 30. If money is the language of execs what do they say?
    • How do I grow my top line?
    • How do I lower costs?
    • How do I mitigate risk?
    Talk in terms of business risk and use monetary terms when possible. Then we can speak the same language.

  • 31. Different types of risk
    • Legal risk – legal costs, settlement costs, fines
    • Compliance risk – fines, lost business
    • Brand risk – lost business
    • Security risk – ????

  • 32. Translate technical risk to monetary risk
    • What is the monetary risk from vulnerabilities in your application portfolio?
    • Monetary risk is your expected loss; derived from your vulnerabilities, your breach cost and threat space data
    [Figure: three inputs – Your Vulnerabilities, Your Breach Cost, Threat Space Data]
  • 33. Your Breach Cost
    • Use cost analysis from your earlier breaches
    • Use breach cost from public sources – Example: April 2010 Ponemon Institute Report (US Dollars)

    Ponemon average and per-capita US breach cost (US Dollars)
                 Detection & Escalation | Notification | Ex-Post Response | Lost Business | Total
    Average      264,208                | 500,321      | 1,514,819        | 4,472,030     | 6,751,451
    Per-capita   8                      | 15           | 46               | 135           | 204

    Ponemon per-capita data by US industry sector (US Dollars)
    Communication 209 | Consumer 159 | Education 203 | Energy 237 | Financial 294
    Healthcare 153 | Hotel & Leisure 136 | Manufacturing 149 | Media 310 | Pharma 266
    Research 133 | Retail 256 | Services 192 | Technology 121 | Transportation 248

  • 34. Threat Space Data
    • 40% of data breaches are due to hacking
    • Top 7 application vulnerability categories
    Source: Verizon 2010 Data Breach Investigations Report
    • 62% of organizations experienced breaches in critical applications in 12 month period
    Source: Forrester 2009 Application Risk Management and Business Survey
  • 35. How to Derive Your Expected Loss
    expected loss (vulnerability category) = f( % of orgs breached X breach cost X breach likelihood from vuln. category )
    Baseline expected loss for your organization due to SQL Injection*
    expected loss (SQL Injection) = f( 62% X $248 X 100,000 X 25% )
    *If your SQL Injection prevalence is similar to average SQL Injection prevalence; assumes 100,000 records

  • 36. Monetary Risk Derived From Relative Prevalence

    Vulnerability Category      | Breach Likelihood | Baseline Expected Loss | Average % of Apps Affected (1) | % of Your Apps Affected (2) | Your Monetary Risk
    Backdoor/Control Channel    | 29%               | $4,459,040             | 8%                             | 15%                         | higher
    SQL Injections              | 25%               | 3,844,000              | 24%                            | 10%                         | lower
    Command Injection           | 14%               | 2,152,640              | 7%                             | 6%                          | same
    XSS                         | 9%                | 1,383,840              | 34%                            | 5%                          | lower
    Insufficient Authentication | 7%                | 1,076,320              | 5%                             | 2%                          | lower
    Insufficient Authorization  | 7%                | 1,076,320              | 7%                             | 7%                          | same
    Remote File Inclusion       | 2%                | 307,520                | <1%                            | <1%                         | same

    Assume 100,000 customer records. For SQLi the expected loss is: 62% * $248 * 100,000 * 25% = $3,844,000
    1. Veracode 2010 State of Software Security Report, Vol. 2
    2. De-identified financial service company data from Veracode industry data
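The expected-loss model of slides 35 and 36, as an added example that is not the deck's own code: it reproduces the baseline column from the figures quoted on slides 34 to 36 and compares your portfolio's prevalence with the industry average. The two-point tolerance for "same" and the prevalence-scaled risk figure are assumptions, since the slides only give higher/lower/same; "<1%" is represented by a constructed 0.5%.

```python
"""Expected-loss model behind the 'Monetary Risk Derived From Relative
Prevalence' table. Added example, not code from the deck. Inputs are the
figures quoted on slides 34-36; the 2-point 'same' tolerance and the
prevalence-scaled risk are assumptions, the slides only say higher/lower/same."""

ORGS_BREACHED = 0.62       # share of orgs breached via critical apps (slide 34)
COST_PER_RECORD = 248      # per-record breach cost in USD used on slide 35
RECORDS_AT_RISK = 100_000  # customer records, as assumed on slides 35 and 36

# Columns 2 and 4 of the slide 36 table: breach likelihood from the category
# and the average share of applications affected. RFI is listed as "<1%";
# 0.005 is a constructed stand-in for that value.
CATEGORIES = {
    "Backdoor/Control Channel": (0.29, 0.08),
    "SQL Injection": (0.25, 0.24),
    "Command Injection": (0.14, 0.07),
    "XSS": (0.09, 0.34),
    "Insufficient Authentication": (0.07, 0.05),
    "Insufficient Authorization": (0.07, 0.07),
    "Remote File Inclusion": (0.02, 0.005),
}

def baseline_expected_loss(likelihood, orgs_breached=ORGS_BREACHED,
                           cost_per_record=COST_PER_RECORD, records=RECORDS_AT_RISK):
    """Slide 35: f(% of orgs breached X breach cost X records X breach likelihood)."""
    return round(orgs_breached * cost_per_record * records * likelihood)

def relative_risk(your_prevalence, average_prevalence, tolerance=0.02):
    """'higher'/'lower'/'same' versus the industry average (assumed 2-point tolerance)."""
    diff = your_prevalence - average_prevalence
    if abs(diff) <= tolerance:
        return "same"
    return "higher" if diff > 0 else "lower"

def monetary_risk_table(your_prevalence):
    """One row per category: baseline loss, verdict, and loss scaled by your prevalence
    relative to the average (the scaling is an assumption, not on the slides)."""
    rows = {}
    for category, (likelihood, average) in CATEGORIES.items():
        baseline = baseline_expected_loss(likelihood)
        yours = your_prevalence[category]
        rows[category] = {
            "baseline": baseline,
            "verdict": relative_risk(yours, average),
            "scaled": round(baseline * yours / average),
        }
    return rows

# Column 5 of the slide 36 table (de-identified financial services portfolio).
YOUR_PREVALENCE = {
    "Backdoor/Control Channel": 0.15, "SQL Injection": 0.10, "Command Injection": 0.06,
    "XSS": 0.05, "Insufficient Authentication": 0.02, "Insufficient Authorization": 0.07,
    "Remote File Inclusion": 0.005,
}

if __name__ == "__main__":
    for category, row in monetary_risk_table(YOUR_PREVALENCE).items():
        print(f"{category:28} ${row['baseline']:>10,}  {row['verdict']:6}  ${row['scaled']:>10,}")
```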
  • 37. Executives want…
    • An organization-wide view. Am I lowering overall application risk?
      – Internal code
      – Outsourced
      – Vendor supplied
      – Open source
    • A program that has achievable objectives. What am I getting for the money I am spending?
    • A program that is measurable: metrics and reporting. Am I marching toward the objectives?
      – Which dev teams, outsourcers are performing well?
      – How is my organization doing relative to my peers?

  • 38. Tips to make the program successful
    • The right people have to understand what is going to happen before you start
    • Do a real world pen test or assessment of a project. Demonstrate relevant risk.
    • Integrate into existing processes
      – SDLC
      – Procurement/legal
      – M&A

  • 39. Q&A
    Speaker Contact Information:
    Chris Wysopal (cwysopal@veracode.com), Twitter: @WeldPond
    David Rook, www.securityninja.co.uk, @securityninja /realexninja /securityninja /realexninja