Human is an amateur; the monkey is an expert. How to stop trying to secure your software.

Talk at TestingStage 2020


  1. Human is an amateur; the monkey is an expert. How to stop trying to secure your software. Vlad Styran, OSCP, CISSP, CISA
  2. # whoami: 15 years in security; 10 years in appsec; 5 years as a cofounder; running cons for 10 years; podcasting for 9 years; marathon finisher; father of two
  3. Today I will show you: 1. that there is no way to fully secure our software; 2. that there is no good reason to try to do that; 3. what we should do instead; 4. how we should do it*. ____ * Spoiler: we should train the monkey
  4. There is no way to fully secure our software
  5. Bad news: it is literally economically impossible. [Chart: Security Efficiency (0-100%) against Security Investment (0-100, thousand USD)]
  6. Good news: there is no reason to try to do it
  7. Good news: there is no reason to try to do it. [Chart: Probability (0-100%) against Security Loss (0-100, thousand USD)]
  8. This is what we should do instead: find optimal investment options. [Chart: y-axis 0-100%, x-axis 0-100]
  9. Gordon-Loeb model (just in case you are interested): information security investment against a certain threat scenario should not exceed 37% of the expected loss. Sources: Cyber Security Economics, © Delft University of Technology; Wikipedia, the free encyclopedia
  10. So, this is what we do. Asset value: $1,000,000. Attack occurrence probability: 1.3%. Attack success probability: 17%. Our optimal investment is at most $1,000,000 * 0.013 * 0.17 * 0.37 = $817.70
  11. How to invest in software security
  12. How to invest in software security: buy a firewall and put all sensitive stuff behind it; buy a WAF (Web Application Firewall); buy a Static & Dynamic Application Security Testing tool; deploy to AWS/GCP/Azure; use military-grade encryption; pay lawyers to carefully design the EULA; use a distributed ledger for transaction data storage
  13. Wrong! It's all about the root cause. Not: put it all behind a firewall, it will be secure; the WAF will stop all attacks, it will be secure; NG Super-Duper Security Scanner 3000 will find all bugs, it will be secure; put it into "the cloud", it will be secure; encrypt all the data, it will be secure; threaten to put all hackers in jail, it will be secure; use the Blockchain (which is secure), it will be secure. Rather: write code in a way that there are no bugs; find and fix all the bugs
  14. But let's be honest with ourselves. Not: put it all behind a firewall, it will be secure; the WAF will stop all attacks, it will be secure; NG Super-Duper Security Scanner 3000 will find all bugs, it will be secure; put it into "the cloud", it will be secure; encrypt all the data, it will be secure; threaten to put all hackers in jail, it will be secure; use the Blockchain (which is secure), it will be secure. Rather: write code in a way that there are fewer bugs (not "no bugs"); find and fix as many bugs as you can (not "all the bugs")
  15. How to secure our software: 1. WRITE CODE IN A WAY THAT THERE ARE FEWER BUGS; 2. FIND AND FIX AS MANY BUGS AS YOU CAN
  16. How to achieve software security
  17. Compliance: apply one of the credible security standards: ISO/IEC 27002, PCI DSS, SOC 2, SOX, HIPAA, GDPR, NIST
  18. Wrong! Compliance is security against liability.
  19. Best practice: apply generally accepted methodologies: MS SDL, BSIMM, NIST SP 800-64, OWASP (ASVS, xSTG, SAMM etc.)
  20. Wrong! Best practice is not for everyone.
  21. Real security: KNOW WHAT YOU PROTECT; KNOW WHAT CAN GO WRONG; KNOW WHAT YOU WILL DO ABOUT IT; KNOW HOW TO TEST IF YOU DID IT
  22. 1. Develop more securely: Threat Modeling; Developer Awareness Training; Security Requirements; Secure Architecture & Design; Supply Chain Security; Incident Response. Lots of boring yet important stuff (another time)
  23. 2. Find and fix bugs (not "kill"): Security Testing; Security Code Review; Application Penetration Testing; Security Bug Bounty
  24. Human-Monkey dualism
  25. Amos Tversky & Daniel Kahneman, late 1970s
  26. Realistic Development Lifecycle
  27. Agile security
  28. What can we do about it?
  29. Hard lessons from 40 years on earth: 1. We move brain activities from System 2 to System 1 ASAP; 2. True expertise = professional skill + deliberate practice; 3. Expert intuition exists and it's in your System 1. The monkey knows the answer when the human doesn't know why.
  30. Wicked vs Kind learning domains. Kind: 1. Patterns repeat; 2. Feedback accurate and rapid; 3. Rules of the game well-defined (classical music, aviation pilots, emergency room nurse, fire fighter... Security Testing). Wicked: 1. Patterns not obvious or repeating; 2. Feedback delayed and inaccurate; 3. Rules unclear and incomplete (improvisational jazz, surgeon, radiologist, financial & political analyst... Secure Development)
  31. Hard lessons from 10 years in appsec: 1. We cannot slow down the DEVs; 2. We cannot prevent all bugs; 3. We cannot automate efficient security testing
  32. Bright side of things: 1. With enough skilled hackers, we can move as fast as the DEVs; 2. With enough practice, we can find and fix the most severe bugs; 3. With enough expertise, we can train to do it automatically
  33. Hopes for the future: one day we can automate bug hunting properly; one day the DEVs' monkey will learn to make fewer bugs
  34. What we can do right now: Web Application Hacker's Handbook; PortSwigger Web Security Academy
  35. OWASP Kyiv
  36. OWASP Ukraine
  37. NoNameCon
  38. Start hacking legally today: Bug Bounties
  39. How you find me: @arunninghacker, fb.me/arunninghacker, berezhasecurity.com
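The Gordon-Loeb arithmetic from slides 9 and 10, carried through as an added Python example (not code from the talk or its author). It implements the first breach-probability class from the 2002 Gordon-Loeb paper, S(z, v) = v / (alpha*z + 1)^beta, finds the investment that maximizes expected net benefit both in closed form and by search, and checks that result against the 1/e cap the talk rounds to 37%. The slide's figures (asset value $1,000,000, 1.3% occurrence, 17% success) are reused as a constructed scenario; the shape parameters alpha and beta and all function names are assumptions chosen for illustration.

```python
import math

# Gordon-Loeb (2002) bound: the optimal spend never exceeds 1/e (~36.8%) of the
# expected loss; the talk rounds 1/e up to 37%.
GL_BOUND = 1 / math.e


def breach_probability(z, v, alpha, beta):
    """Class-I Gordon-Loeb breach function S(z, v) = v / (alpha*z + 1)**beta.

    v     - vulnerability: probability an attack succeeds with zero investment
    z     - security investment, in the same currency unit as the loss
    alpha - how quickly investment reduces vulnerability (assumed shape parameter)
    beta  - curvature of the diminishing returns (assumed shape parameter)
    """
    return v / (alpha * z + 1) ** beta


def expected_net_benefit(z, t, v, loss, alpha, beta):
    """ENBIS(z): expected loss avoided by investing z, minus the investment itself."""
    lam = t * loss  # expected loss per unit of vulnerability (threat prob. x loss)
    return (v - breach_probability(z, v, alpha, beta)) * lam - z


def optimal_investment_closed_form(t, v, loss, alpha, beta):
    """Solve dENBIS/dz = 0 for the class-I function; clamp to 0 if no spend pays off."""
    lam = t * loss
    z = ((v * beta * alpha * lam) ** (1 / (beta + 1)) - 1) / alpha
    return max(z, 0.0)


def optimal_investment_numeric(t, v, loss, alpha, beta, iters=200):
    """Ternary search over [0, expected loss]; ENBIS is concave in z for this class."""
    lo, hi = 0.0, t * v * loss  # spending more than the expected loss never pays
    for _ in range(iters):
        m1 = lo + (hi - lo) / 3
        m2 = hi - (hi - lo) / 3
        f1 = expected_net_benefit(m1, t, v, loss, alpha, beta)
        f2 = expected_net_benefit(m2, t, v, loss, alpha, beta)
        if f1 < f2:
            lo = m1  # maximum lies to the right of m1
        else:
            hi = m2  # maximum lies to the left of m2
    return (lo + hi) / 2


def gordon_loeb_cap(t, v, loss):
    """Upper bound on sensible investment: (1/e) times the expected loss t*v*loss."""
    return GL_BOUND * t * v * loss


def slide_rule_of_thumb(asset_value, p_occurrence, p_success, factor=0.37):
    """The back-of-the-envelope figure from slide 10, with 1/e rounded to 37%."""
    return asset_value * p_occurrence * p_success * factor


if __name__ == "__main__":
    # Constructed scenario from slide 10; alpha/beta are assumed shape parameters.
    t, v, loss = 0.013, 0.17, 1_000_000
    alpha, beta = 0.001, 1.0
    print(f"rule of thumb (37%):     ${slide_rule_of_thumb(loss, t, v):,.2f}")
    print(f"Gordon-Loeb cap (1/e):   ${gordon_loeb_cap(t, v, loss):,.2f}")
    print(f"optimum, closed form:    ${optimal_investment_closed_form(t, v, loss, alpha, beta):,.2f}")
    print(f"optimum, numeric search: ${optimal_investment_numeric(t, v, loss, alpha, beta):,.2f}")
```

The point a practitioner should take from running it: the 37% figure is a ceiling, not a target. For the assumed alpha and beta the true optimum lands well below the cap, and for a cheap enough asset the closed form clamps to zero, meaning no security spend on that threat pays for itself at all.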

