Presentation at the 2016 Big Sky Developers' Conference. Overview of the dismal state of security on the Web, some suggestions for better app development processes to mitigate problems.

1. The Internet is a
dog-eat-dog world,
and your app is
clad in Milk Bone
underwear.
-Bob Wall
Yum

2. ‘Cause hackers aren’t going to
rush your foxhole. They’re going to
sneak in under cover of night.

3. “And I’ve got the scars to prove it.”
Bob Wall
@bithead_bob BobWall23 /in/bobwall23
Former Chief Architect at Oracle Current CTO at IronCore Labs
Four Degrees Crypto Nerd Music Junkie

4. 47%
43%
of U.S. adults hacked in one year (May 2014)
of U.S. corporations hacked in one year (Sep 2014)
Sources: CNN and USA Today

5. Source: Breach Level Index Annual Report 2014
1,023,108,267
Records Stolen in 2014
Billion!!

6. Source: National Vulnerability Database and IronCore Labs
40%
50%
60%
70%
80%
2010 2011 2012 2013 2014 2015
60%
66%
70%
68%
71%
75%
75%
OF HIGH SEVERITY VULNERABILITIES WERE
LOW COMPLEXITY (EASY TO EXPLOIT) IN 2015.
Up 25%
SINCE FROM 2010 LEVELS
Conclusion: Applications are
getting worse at basic security
measures.
High Severity
Low Complexity

7. More
Ransomware
in 2015
35%
84%
35%
23%
More bots in
China
More spear
phishing in
2015
More identities
stolen
Source: Symantec Internet Security Threat Report 2016
Malware in 2015

8. Global Malware Infection Rates
32%
desktop/laptop
0.03%
mobile
Sources: Verizon 2015 Data Breach Report and Panda Labs

9. 2015 Malware Breakdown
1%
1%
3%
95%
Windows
Android
Documents
MSIL
PHP (0)
MacOS (0)
Linux (0)
Perl (0)
UNIX (0)
iOS (0)
FreeBSD (0)
Breakdown of malware samples discovered in 2015
Source: HPE 2016 Cyber Risk Report
Excludes annoyance-ware

10. Privacy Is Dead (but hooray convenience!)
Your smartphone can know everything about you. Under the control of a hacker, it can relay your conversations, your
location, your communications and much more, which is why mobile malware is such a scary up and coming threat.
Sources: Consumer Reports, IDC and Symantec Internet Security Theft Report
$
1.4 billion
SOLD IN 2015
430 million
NEW MALWARE IN 2015
5.2 million
LOST OR STOLEN
IN THE U.S. IN 2014
Smartphones
Up 10%
Up 36%
Up 15% total,
but thefts
down 32%

11. 86%
of web applications tested had serious issues with
authentication, access control, and confidentiality.
Increased from 72% in 2014.
Source: HPE 2016 Cyber Risk Report

12. Breached Companies
Unencrypted Data

13. News Coverage of Breaches
Playstation Breach 1 Home Depot Hack Ashley Madison HackZappos Hack Target Hack
According to Google Trends
2010
←2011
←2012
←2013
←2014
Source: Google Trends
Evernote Hack
2015

14. 47 States with Breach Disclosure Laws
+ HIPAA

15. 47 States with Breach Disclosure Laws
+ HIPAA
Breach disclosure only required when
unencrypted PII* data is accessed.
*PII = Personally Identifiable Information

16. Data is Distributed
Cloud Services
Mobile Devices
Internet of Things
Partners
Employee Laptops
Uncontrolled and with minimal security

17. Perimeter Security Pierced
APP

18. Security Incidents
Network-layer
App-layer
90% due to defects at the
application layer. -DHS
Source: Department of Homeland Security

19. Web App Vulnerability Likelihood
Source: Whitehat Security Stats Report 2015
0%
25%
50%
75%
100%
InsufficientTransportLayer
InformationLeakage
CrossSiteScripting
BruteForce
ContentSpoofingCrossSiteRequestForgeryURLRedirectorAbuse
PredictableResourceLocation
SessionFixationInsufficientAuthorization
DirectoryIndexing
AbuseofFunctionality
SQLInjection
InsufficientPasswordRecovery
Fingerprinting
5%6%6%6%8%11%11%
15%16%
24%26%29%
47%
56%
70%

20. Web App Vulnerability Likelihood
Source: Whitehat Security Stats Report 2015
0%
25%
50%
75%
100%
InsufficientTransportLayer
InformationLeakage
CrossSiteScripting
BruteForce
ContentSpoofingCrossSiteRequestForgeryURLRedirectorAbuse
PredictableResourceLocation
SessionFixationInsufficientAuthorization
DirectoryIndexing
AbuseofFunctionality
SQLInjection
InsufficientPasswordRecovery
Fingerprinting
5%6%6%6%8%11%11%
15%16%
24%26%29%
47%
56%
70%
#1. Insufficient Transport = Poor SSL
#2. Info Leak = Dev Errors to User
#3. XSS = Poor Input Sanitization
#4. Brute Force = No rate limiting
#5. Content Spoofing = Poor Input Sanitization

21. % of Web
Using
OpenSSL
66%
Does not include
IMAP and the many
other apps that use
OpenSSL
OpenSSL Vulnerabilities
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
0 10 20 30 40
Low Moderate High
FREAK, Logjam
HeartBleed, Poodle, Goto Fail
DROWN
OCSP Stapling
ASN1 Bio
Plaintext Recovery
** Through March 2016

22. OpenSSL Unit Test Coverage
Not Covered
52%
Covered
48%
Code is poorly tested. Code is old, crusty, riddled with goto statements.
#1 crypto library ➫ #1 app problem ➫ Coincidence?

23. Encryption Pitfalls
Single Key
One key is shared between all apps and
users. Anyone who gains access to the
system can access all of the data in the
system unchecked by encryption.
Unlocked in Memory
In typical transparent disk and database
systems, as long as the system is running,
the data is not encrypted. These systems
protect against stolen hard drives, but not
hackers in the system.
Key on Server
If you lock a desk drawer and put the key
on top of the desk or in the unlocked
drawer beside it, your physical security
would be as bad as most electronic
security.
Reliance on HTTPS
A surprising number of apps and
infrastructures think they are encrypted and
secure because they use https. https by
itself does almost nothing to secure a
system and can even be actively negative.
Typical implementations suffer these issues
PLENTY OF COMPANIES brag that their communications app is encrypted. But that
marketing claim demands a followup question: Who has the key?“

24. A locked drawer is useless when the key is RIGHT THERE.

25. % of Organizations with Serious Vulnerabilities
Finance/Insurance
Healthcare
Info Tech
Retail
Public Admin
0% 25% 50% 75% 100%
21%
10%
14%
12%
11%
9%
11%
11%
14%
64%
60%
38%
52%
39%
Every Day More Than 271 Days More Than 151 Days
Source: Whitehat Security Stats Report 2015
Out of the 2015 calendar year
64%
75%
63%
79%
85%

26. Average Days To Fix by Industry
Source: Whitehat Security Stats Report 2015
0
62.5
125
187.5
250 Transportation
Arts&Entertainment
Accomodation
Professional&Scientific
PublicAdmin
OtherServices
Information
Education
Healthcare
Finance/Insurance
Manufacturing
Utilities
Retail
227
192191
160158
136132130
111108
9997
73

27. Hard Breach Costs
%
9
Lloyd’s of London estimate of the
cost to the global economy
$400b
2014 increase in per-record cost
$3.8m per breach
Average cost per record (US)
Average cost of a breach
including notifications,
investigations, legal issues
and credit monitoring.
$201 per breached record
Source: Ponemon Institute

28. Cyber-Insurance
Premiums up
32% in first half of 2015
83%
of claims paid out
78% Crisis Services
8% Legal Defense
9% Legal Settlements
5% Regulatory
Payout Breakdown
$15m
BIGGEST PAYOUT
$674k
AVERAGE PAYOUT
$77k
MEDIAN PAYOUT
32% of claims
due to third party breaches
Source: Netdiligence 2015 Cyber Claims Study
99% of exposed records
due to hackers and malware

29. General stats aren’t known, but smaller companies get badly hurt
Sources: All Things D and NYTimes
Soft Breach Costs
CASE STUDY
2013
50 million
Database hacked (SQL injection?)
Customers affected
15-20% Revenue drop in subsequent months
-82% Employee reduction now vs. pre-breach

30. Network security
App security
Almost triple the spending
goes to network security.
Security Spending
Source: Lumension 2015 State of the Endpoint

31. 31%
of all security
breaches at banks in
2015 involved web
app attacks
Source: Verizon 2015 Data Breach Report

32. Accomodation Point of Sale 91%
Education Crimeware 32%
Entertainment Point of Sale 73%
Financial
Services
Crimeware
Web App Attack
36%
31%
Healthcare
Misc. Errors
Insider Misuse
32%
26%
Information /
Tech
Cyber-Espionage
Web App Attack
36%
35%
Manufacturing Cyber-Espionage 60%
Public Crimeware 51%
Retail Point of Sale 70%
Top Threats
By Industry
Source: Verizon 2015 Data Breach Report

33. 66%
Two-thirds of cyber-espionage
attacks relied on targeted
phishing emails with malicious
links or attachments.
MarketingPhishing
27%
27% of victims were
Manufacturing corporations.
Public sector targets
accounted for 20%.
MarketingVictims
0.8%
Of all breaches resulting in data
loss, only 0.8% were due to
cyber-espionage.
MarketingSource
Cyber-Espionage
Spy vs. Computer
Source: Verizon 2015 Data Breach Report

34. 23%
of recipients open phishing emails
11%
open the attachments
Phishing
Source: Verizon 2015 Data Breach Report

35. Scarier than a
Presidential Election?
It Gets Worse

36. Of cars networked by
2020.3
More connected
devices than people
globally.2
Connected devices
by 2020.2
Vulnerable to attack.1 Collect personal
information.1
Average
vulnerabilities found
per device.1
Internet of Crap
90%70% 25
SOURCES:
1. HP Internet of things research study 2015
2. Cisco
3. Gartner
20% 2008 50b

37. Wall of Shame Highlights
• Aetna
• Alliance Health
• Anthem
• Blue Cross
• Cigna
• CVS
• Harvard Pilgrim
• Humana
• John Hopkins
• Kaiser
• Mayo Clinic
• Rite Aid
• University of
Colorado Health
• Walgreens
2772015 HEALTHCARE BREACHES
$10 / record
ON THE BLACK MARKET
112,832,082
RECORDS STOLEN
Source: Identity Theft Research Center
67%
OF STOLEN RECORDS
ACROSS INDUSTRIES

38. • Aetna
• Alliance Health
• Anthem
• Blue Cross
• Cigna
• CVS
• Harvard Pilgrim
• Humana
• John Hopkins
• Kaiser
• Mayo Clinic
• Rite Aid
• University of
Colorado Health
• Walgreens
2772015 HEALTHCARE BREACHES
$10 / record
ON THE BLACK MARKET
112,832,082
RECORDS STOLEN
Source: Identity Theft Research Center
67%
OF STOLEN RECORDS
ACROSS INDUSTRIES
Montana Jan-Mar 2016
Bozeman Health Deaconess Hospital: 1,124 records
New West Health Services of Montana: 28,209 records
Wall of Shame Highlights

39. Breach Detection
Source: Mandiant M-Trends 2015
67%33%229
DAYS BEFORE
DETECTION (MEDIAN)
32
DAYS TO RESPOND
TO BREACH (AVERAGE)
67%
LEARNED OF THEIR BREACH FROM AN
EXTERNAL ENTITY

40. Summing Up So Far
Software Devs Need to Step Up
Breaches
Through the roof.
Firewalls
Insufficient to
secure data.
Apps
Are the problem.
Trivial
Most vulnerabilities
are easy to exploit.
IOT
More insecure
devices every day.
Bad Security
Very costly and kills
companies.

41. We can fix this

42. Computer Science Degrees in the U.S.
Source: National Science Foundation WebCASPAR Database
0
15000
30000
45000
60000
1966 1970 1974 1978 1982 1986 1990 1994 1998 2002 2006 2010 2014
Associate's Degrees Bachelor's Degrees Advanced Degrees
56,130 Bachelors
37,643 Associates
26,618 Advanced
2004
1986
120,391 Grads 2014

43. 0%
Computer Science Degrees
Source: IronCore Labs using US News Rankings
56,130 Bachelors
TOP 20 COMP. SCI.
UNDERGRAD PROGRAMS
REQUIRING SECURE CODING
University Shame List
1. Carnegie Mellon
1. MIT
1. Stanford
1. UC Berkeley
5. University of Illinois, Urbana-Champaigne
6. Cornell
6. University of Washington
8. Princeton
9. Georgia Institute of Technology
9. University of Texas, Austin
11. California Institute of Technology
11. University of Wisconsin, Madison
13. UCLA
13. University of Michigan, Ann-Arbor
15. Colombia
15. UC San Diego
15. University of Maryland, College Park
18. Harvard University
19. University of Pennsylvania
20. Brown University
20. Purdue University, West Lafayette
20. Rice University
20. University of Southern California
20. Yale University
20. Duke University

44. Em
ployee Educ
ation
Require
m
ents Desig
n
Dev
elop Veri
fy
Rel
ease M
o
nitor,Respond
Software Development Phases

45. Internet Security First Aid
✓Teach all developers secure coding
✓Teach all QA basic security testing
✓Recurring - each new employee
and a refresh cycle (2 years)
PHASE ONE: TRAINING
Look at Coursera, SANS, ISC, CERT, securecoding.org, secureset.com and others for help.

46. Internet Security First Aid
✓Product Managers should include
malicious users in their personas list.
✓Require security features up front. Ex:
• Account lockouts
• Form submission rate limits
PHASE TWO-A: REQUIREMENTS

47. Did you know?
25
Number of accounts
for average web
user. 6.5
Number of passwords
for average web
user.
8.2b
Number of password
guesses per second
for a single desktop
computer.*
Source: Microsoft Research, Ars Technica
* Stat from 2012. Actual speed
depends on hardware and hashing
algorithm used.

48. Internet Security First Aid
✓Find and leverage applicable security
checklists such as OWASP App Security
Cheat Sheet and Other Cheat Sheets
✓Specify input sanitization and user
content handling strategy.
✓Specify operational expectations and
configurations.
PHASE TWO-B: DESIGN

49. Work Item
(Feature/Defect)
Release
(Deliver to Ops)
UNIT TESTSCODE CI
MANUAL QA3RD PARTY AUDIT
Internet Security First Aid
PHASE THREE: IMPLEMENTATION

50. Work Item
(Feature/Defect) Developer grabs a work item as usual.

51. Work Item
(Feature/Defect)
Normal
Developer codes a solution.
Secure
Developer uses secure code training to
write bullet-proof code (we hope).
CODE

52. Work Item
(Feature/Defect)
Normal
Developer writes automated tests.
Secure
Developer adds randomized inputs to
each function or functional test.
UNIT TESTSCODE

53. Work Item
(Feature/Defect)
Normal
Runs unit tests.
Secure
Also runs static code analysis looking for
security errors and common code errors.
UNIT TESTSCODE CI

54. Work Item
(Feature/Defect)
Normal
Verify work item is correctly working.
Secure
Also try to break it using hacking techniques
and tools like manual cookie and parameter
changes.
UNIT TESTSCODE CI
MANUAL QA

55. Work Item
(Feature/Defect)
Normal
N/A
Secure
External 3rd party pen-test or audit. Automated
(such as Whitehat Sec.) is okay.
UNIT TESTSCODE CI
3RD PARTY AUDIT MANUAL QA

56. Work Item
(Feature/Defect)
Release
(Deliver to Ops)
Release
(Deliver to Ops)
Work Item
(Feature/Defect)
UNIT TESTSCODE CI
3RD PARTY AUDIT MANUAL QA
Add Security at Every Step
Fix problems before release

57. We aren’t done yet

58. App Security First Aid
PHASE FOUR: PRODUCTION AND MAINTENANCE
Respond Harden
Scan / audit
Encrypt
Update libs
Update servers
Threat intelligence
Monitor

59. Respond Harden
Scan / audit
Encrypt
Update libs
Update servers
Threat intelligence
Monitor
Harden
Least permissions,
separation of
concerns...
segmentation, uninstall
anything you don’t
need, …

60. Respond Harden
Scan / audit
Encrypt
Update libs
Update servers
Threat intelligence
Monitor
Encrypt
Encrypt all the things.
Use HTTPS, DB
encryption, disk
encryption, and add
extra crypto to your
most sensitive data.
Use password-less SSH
(key-based identity) and
two-factor authentication
everywhere.

61. Respond Harden
Scan / audit
Encrypt
Update libs
Update servers
Threat intelligence
Monitor
Update libs
Watch 3rd party
libraries and APIs
closely for security
updates (and
deprecations) and
adopt those
immediately.
This is going to
require some good
regression test suites
to maintain
confidence in system
functionality after
library upgrades.

62. Respond Harden
Scan / audit
Encrypt
Update libs
Update servers
Threat intelligence
Monitor
And automate your
update process!
Make sure all your
systems are running
the same software,
and that they can be
kept that way with
minimal effort.
Update servers
Religiously update
operating systems,
server software
(Apache/whatever),
etc. across all
systems.

63. Respond Harden
Scan / audit
Encrypt
Update libs
Update servers
Threat intelligence
Monitor
Again, you are going
to need some
automation. Relying
on humans to
monitor logs and
notice problems is a
recipe for failure.
Monitor
Log everything,
have intrusion
detection systems,
monitor logs and
alerts and act on
them.

64. Respond Harden
Scan / audit
Encrypt
Update libs
Update servers
Threat intelligence
Monitor
Threat intelligence
Keep up on current
threats, major
vulnerabilities,
hacking techniques,
worms, etc. in order
to better counter
them.

65. Respond Harden
Scan / audit
Encrypt
Update libs
Update servers
Threat intelligence
Monitor
Scan / audit
Audit the production
environment in
addition to the app,
use port scanners
to find out what’s
running that you
didn’t know about.

66. Respond Harden
Scan / audit
Encrypt
Update libs
Update servers
Threat intelligence
Monitor
Respond
A process for
managing, escalating,
and responding to
events is critical. Agree
on risk thresholds for
emergency releases,
update software, don’t
lose track of work
items.

67. Respond Harden
Scan / audit
Encrypt
Update libs
Update servers
Threat intelligence
Monitor
Maintenance
Is
Forever

68. Em
ployee Educ
ation
Training
All developers must be trained in the
writing of secure code. All QA must be
trained in basic security testing and fuzzing.
Architecture
Use secure coding checklists, verify
the security of 3rd party libraries,
model threats and design with
adversaries and best practices in mind.
Require
m
ents Desig
n
Dev
elop Veri
fy
Implementation
Develop and test, adding QA fuzzing
and security checks, automated static
code analysis, and before release,
an audit or pen-test (even automated).
Rel
ease M
o
nitor,Respond
Production and Maintenance
Release is not the end. Software has
bugs and security issues inevitably.
Ongoing security testing, monitoring
of logs, and most importantly,
responding to any issues and pushing
back to development.
Summary

69. Simply secure data
@ironcorelabs
bob.wall@ironcorelabs.com

70. Simply secure data
@ironcorelabs
bob.wall@ironcorelabs.com
We build encryption solutions for
developers including end-to-end
PKI and drop-in key management.
Talk to us if you need better data
security for your app.