Trying to prepare your project or organisation to be able to receive vulnerability reports is a daunting task. And often far more complex and cross disciplinary than one first expects. This talk describes some of the most common challenges and how to counteract them.

1. @pati_gallardo

2. Make it Fixable
Living with Risk
Patricia Aas
NDC London 2018
@pati_gallardo

3. Who am I? @pati_gallardo

4. Patricia Aas
Programmer - mainly in C++ and Java
Currently : Vivaldi Technologies
Previously : Cisco Systems, Knowit, Opera Software
Master in Computer Science
Twitter : @pati_gallardo

5. Security is Hard @pati_gallardo

6. Just Remember :
- You live in the real world
- Take one step at a time
- Make a Plan @pati_gallardo

7. You Need A Security
“Hotline”
security@example.com
Symbiotic relationship
Be polite
Be grateful
Be professional
Be efficient and transparent
@pati_gallardo

8. Everybody's An Expert
@pati_gallardo

9. - They Are. Really. - @pati_gallardo

10. 1. Unable to Roll Out Fixes
2. No Control over Dependencies
3. The Team is Gone
4. It’s in Our Code
5. My Boss Made Me Do It
6. User Experience of Security
Outline
@pati_gallardo

11. - What is a System? - What is a vulnerability? -
@pati_gallardo

12. Unable to Roll Out Fixes @pati_gallardo
1

13. Unable to
Roll out Fixes
- Relying on User Updates
- Unable to Build
- Unable to Deploy
- Regression Fear
- No Issue Tracking
- No Release Tags
- No Source
- Issue in infrastructure
@pati_gallardo

14. Internet of Things
Toys: My Friend Cayla, i-Que Intelligent
Robots, Hello Barbie
Mirai: Botnets created with IOT
devices, users don’t update
“Shelfware”
No Maintenance contract
Abandonware
Closed source - no way to fix/fork
@pati_gallardo
Unable to Roll Out Fixes.

15. Fix : Ship It!
Holy Grail : Auto Update
Code
- Get the Code
- Use Version Control
- Keep Build Environment
- Write Integration Tests
Configuration Management
- Have Security Contact
- Track issues
- Make a Deployment Plan
- Control Infrastructure
@pati_gallardo
Unable to Roll Out Fixes.

16. Internet of Things
- Auto-update
- Different default passwords
- Unboxing security
“Shelfware”
- Get maintenance contract
- Change supplier
- Do in-house
- Use only Open Source Software
Fix : Ship It!
@pati_gallardoUnable to Roll Out Fixes.

17. No Control over Dependencies @pati_gallardo
2

18. No Control over
Dependencies
- Too Many Dependencies
- Frameworks are Abandoned
- Libraries Disappear
- Insecure Platform APIs
- Insecure Tooling
- End-of-Life OS (Windows)
- Licenses expire/change
- Known Issues not Fixed
- OS Not Updated (Android)
@pati_gallardo

19. Stagefright
Bugs in the multimedia library on
Android
Heartbleed
Bug in openssl
Left-Pad
Developer unpublished a mini-Js library
@pati_gallardo
No Control over Dependencies

20. Fix: Control It!
Goal : Dependency Control
Be conservative
- Is it needed?
- Do you understand it?
Be cautious
- Audit your upstream
- Avoid forking
- Have an upgrade plan
- Have someone responsible
@pati_gallardo
No Control over Dependencies

21. Stagefright
Workaround in apps calling into
stagefright
Heartbleed
Control over production environment
Left-Pad
Removing unnecessary dependency
Fix: Control It!
@pati_gallardoNo Control over Dependencies

22. The Team is Gone @pati_gallardo
3

23. The Team Is Gone
- Team were consultants
- They were downsized
- The job was outsourced
- “Bus factor”
- “Binary blob”
- Abandonware @pati_gallardo

24. “Public Sector”
- Leaves the code with subcontractor
- No build environment
- Third-party access to production
environment
Abandoned frameworks
- Framework interdependency
- Unable to upgrade
- Known bugs
The Team is Gone
@pati_gallardo

25. Fix : Own It!
Goal : Regain Control
Take it on yourselves
- Build competence in-house
- Fork, take control
- “Barely Sufficient” Docs
- Ship It and Control It
Outsource
- Maintenance Contract
- Add Security Clause
- Own deployment channel
@pati_gallardo
The Team Is Gone.

26. Fix : Own It!
“Public Sector”
- Backsourcing - Bring back work
previously outsourced
Abandoned frameworks
- Replace with equivalent (OSS)
- Remove dependency
- Fork if you don’t have a choice
@pati_gallardoThe Team Is Gone.

27. Use It!
@pati_gallardo

28. It’s in Our Code @pati_gallardo
4

29. It’s in Our Code
- Injection
- Exploited crash etc
- Debug code in production
- Server compromised
- Outdated platform
- Intercepted traffic
- Mined local data
- Good old fashioned BUG @pati_gallardo

30. REMA 1000 Æ App
- Reporter: Hallvard Nygård (@hallny)
- All user data could be retrieved
- Badly handled report
- “Bug” (Lack of security) in App
BEST CASE SCENARIO
@pati_gallardo
It’s In Our Code

31. Fix : Live It!
Goal : Prevent & Cure
Prevent
- Sanitize your input
- Send crash reports
- Code review + tests
- Review server security
- Encrypt all traffic
- Review local storage
- Sign and check
Cure
- Ship it!
@pati_gallardo
It’s In Our Code

32. Browsers are very experienced
- And therefore boring ;)
gitlab.com
- “rm -rf”
- Sysadmin maintenance
- Cascading errors as backups
fail
- All logged Publicly in real
time
Transparency
Fix : Live It!
@pati_gallardo
It’s In Our Code

33. My Boss Made Me Do It @pati_gallardo
5

34. My Boss Made Me Do It
The Feature
is the Bug
How?
- Security Problem
- Privacy Problem
- Unethical
- Illegal
@pati_gallardo

35. Capcom's Street Fighter V
- Installed a driver
- “anti-crack solution”
“...disables supervisor-mode execution
protection and then runs the arbitrary
code passed in through the ioctl buffer
with kernel permissions..”
- Reddit user extrwi
My Boss Made Me Do It
@pati_gallardo

36. Fix : Protect It!
Goal : Protect your user
Prevent : Protect your team
- Workers rights
- Build trust
Cure : Protect your company
- Find a Powerful Ally
- Do Risk Analysis : Brand Reputation,
Trust
- Use the Law
LAST RESORT : Whistleblowing & Quitting
@pati_gallardo
My Boss Made Me Do It

37. Statoil
- Internal reports of security
incidents after outsourcing
- Only public after serious IRL
incidents
Nødnett
- Transitive outsourcing
- National Security
These are often the Unsung Heroes
(Last Resort : Edward Snowden)
Fix : Protect It!
@pati_gallardo
My Boss Made Me Do It

38. @pati_gallardo
Ship It, Control It, Own It, Live It & Protect It

39. - You need a Security Hotline
- You Have to Ship
- You Can’t do This Alone
Recap
@pati_gallardo

40. Designing the User Experience of Security @pati_gallardo
6

41. @pati_gallardo

42. The Users Won’t Read
Error blindness
- Most users will mentally erase
permanent error notifiers - they
won’t read
“Just click next”
- Most users will accept the defaults
- they won’t read
“Make it go away”
- The user will try to make the error
dialog go away - they won’t read
@pati_gallardo

43. Fix : Less is More
Don’t leave it to the user
- Just do the right thing, you don’t
have to ask
Have good defaults
- Make sure that clicking next will
leave the user in a good place
Be very explicit when needed
- If the user is in a “dangerous”
situation - design carefully and if
you have to explain : use language
the user can understand
@pati_gallardo

44. They Trust You
With Personal information
- They trust you to protect them from
both hackers and governments
With Data
- They trust you to protect their
pictures, documents, email …
With Money
- They trust you to protect their
payment information and
passwords
@pati_gallardo

45. Fix : Be Trustworthy
Only store what you have to
- Try to use end-to-end encryption,
so that even you don’t have access.
Encrypt as much as you can
Back up everything
- Your users can’t afford to lose their
baby pictures
Use third party payment
- Avoid having responsibility for their
money
@pati_gallardo

46. Everyone Is An Expert @pati_gallardo

47. 1. Unable to Roll Out Fixes
2. No Control over Dependencies
3. The Team is Gone
4. It’s in Our Code
5. My Boss Made Me Do It
6. User Experience of Security
Challenges
@pati_gallardo

48. @pati_gallardo
Ship It, Control It, Own It, Live It & Protect It
Design For It

49. Make it Fixable
Living with Risk
Patricia Aas, Vivaldi Technologies
@pati_gallardo
Photos from pixabay.com - CC0 Creative Commons License

50. Some
Vivaldi
Swag!
@pati_gallardo