The Internet is a dog-eat-dog world and your app is clad in Milk Bone underwear
A comprehensive review of privacy and security threats to software applications, and how to adopt secure coding practices to address these threats.

  1. The Internet is a dog-eat-dog world, and your app is clad in Milk Bone underwear. -Bob Wall @ironcorelabs
  2. The Internet is a dog-eat-dog world, and your app is clad in Milk Bone underwear. -Bob Wall (Yum.)
  3. ‘Cause hackers aren’t going to rush your foxhole. They’re going to sneak in under cover of night.
  4. “And I’ve got the scars to prove it.” Bob Wall (@bithead_bob, BobWall23, /in/bobwall23). Former Chief Architect at Oracle, current CTO at IronCore Labs. Four degrees, crypto nerd, music junkie.
  5. 47% of U.S. adults hacked in one year (May 2014). 43% of U.S. corporations hacked in one year (Sep 2014). Sources: CNN and USA Today.
  6. 1,023,108,267 records stolen in 2014. Over a billion! Source: Breach Level Index Annual Report 2014.
  7. Exploitability of Vulnerabilities (chart: share of high-severity vulnerabilities that were low complexity, by year: 2010 60%, 2011 66%, 2012 70%, 2013 68%, 2014 71%, 2015 75%). 75% of high-severity vulnerabilities were low complexity (easy to exploit) in 2015, up 25% from 2010 levels. Conclusion: applications are getting worse at basic security measures. Source: National Vulnerability Database and IronCore Labs.
  8. Malware in 2015: 35% more ransomware in 2015, 84% more bots in China, 35% more spear phishing in 2015, 23% more identities stolen. Source: Symantec Internet Security Threat Report 2016.
  9. Global malware infection rates: 32% of desktops/laptops, 0.03% of mobile devices. Sources: Verizon 2015 Data Breach Report and Panda Labs.
  10. 2015 Malware Breakdown (malware samples discovered in 2015, excluding annoyance-ware): Windows 95%, Android 3%, Documents 1%, MSIL 1%; PHP, MacOS, Linux, Perl, UNIX, iOS and FreeBSD each 0%. Source: HPE 2016 Cyber Risk Report.
  11. Privacy Is Dead (but hooray convenience!). Your smartphone can know everything about you. Under the control of a hacker, it can relay your conversations, your location, your communications and much more, which is why mobile malware is such a scary up-and-coming threat. Smartphones: 1.4 billion sold in 2015 (up 10%); 430 million new malware samples in 2015 (up 36%); 5.2 million lost or stolen in the U.S. in 2014 (up 15% total, but thefts down 32%). Sources: Consumer Reports, IDC and Symantec Internet Security Threat Report.
  12. 86% of web applications tested had serious issues with authentication, access control, and confidentiality, up from 72% in 2014. Source: HPE 2016 Cyber Risk Report.
  13. Breached Companies: Data Was Not Encrypted (chart: breached companies vs. unencrypted data).
  16. News Coverage of Breaches According to Google Trends, 2010 through 2015 (chart; labelled spikes include the PlayStation breach, Zappos hack, Evernote hack, Target hack, Home Depot hack and Ashley Madison hack). Source: Google Trends.
  18. 47 states with breach disclosure laws, plus HIPAA. Breach disclosure is only required when unencrypted PII* data is accessed. *PII = Personally Identifiable Information.
  19. Data is Distributed: cloud services, mobile devices, Internet of Things, partners, employee laptops. Uncontrolled and with minimal security.
  20. Perimeter Security Pierced (diagram: the attacker reaches the app despite the perimeter).
  21. Security Incidents, network-layer vs. app-layer: 90% are due to defects at the application layer. -DHS. Source: Department of Homeland Security.
  23. Web App Vulnerability Likelihood (chart, share of sites affected): Insufficient Transport Layer Protection 70%, Information Leakage 56%, Cross-Site Scripting 47%, Brute Force 29%, Content Spoofing 26%, Cross-Site Request Forgery 24%, URL Redirector Abuse 16%, Predictable Resource Location 15%, Session Fixation 11%, Insufficient Authorization 11%, Directory Indexing 8%, Abuse of Functionality 6%, SQL Injection 6%, Insufficient Password Recovery 6%, Fingerprinting 5%. Source: Whitehat Security Stats Report 2015. #1 Insufficient Transport = poor SSL. #2 Info Leak = dev errors shown to the user. #3 XSS = poor input sanitization. #4 Brute Force = no rate limiting. #5 Content Spoofing = poor input sanitization.
  24. 66% of the web uses OpenSSL (does not include IMAP and the many other apps that use OpenSSL). OpenSSL vulnerabilities per year, 2006 through March 2016 (chart, by low/moderate/high severity), with notable ones called out: Heartbleed, Poodle, Goto Fail, FREAK, Logjam, DROWN, OCSP Stapling, ASN1 Bio, Plaintext Recovery.
  25. OpenSSL unit test coverage: 48% covered, 52% not covered. Code is poorly tested. Code is old, crusty, riddled with goto statements. #1 crypto library ➫ #1 app problem ➫ Coincidence?
  26. Encryption Pitfalls. Typical implementations suffer these issues. Single Key: one key is shared between all apps and users; anyone who gains access to the system can access all of the data in the system, unchecked by encryption. Unlocked in Memory: in typical transparent disk and database systems, as long as the system is running, the data is not encrypted; these systems protect against stolen hard drives, but not hackers in the system. Key on Server: if you lock a desk drawer and put the key on top of the desk or in the unlocked drawer beside it, your physical security would be as bad as most electronic security. Reliance on HTTPS: a surprising number of apps and infrastructures think they are encrypted and secure because they use https; https by itself does almost nothing to secure a system and can even be actively negative. “PLENTY OF COMPANIES brag that their communications app is encrypted. But that marketing claim demands a follow-up question: Who has the key?”
  27. A locked drawer is useless when the key is RIGHT THERE.
  28. % of Organizations with Serious Vulnerabilities (chart by industry: Finance/Insurance, Healthcare, Info Tech, Retail, Public Admin; share of organizations vulnerable every day, for more than 271 days, or for more than 151 days out of the 2015 calendar year). Source: Whitehat Security Stats Report 2015.
  29. Average Days To Fix by Industry: Transportation 227, Arts & Entertainment 192, Accommodation 191, Professional & Scientific 160, Public Admin 158, Other Services 136, Information 132, Education 130, Healthcare 111, Finance/Insurance 108, Manufacturing 99, Utilities 97, Retail 73. Source: Whitehat Security Stats Report 2015.
  30. Hard Breach Costs: $400b is Lloyd’s of London’s estimate of the cost to the global economy; 9% was the 2014 increase in per-record cost; $3.8m is the average cost of a breach, including notifications, investigations, legal issues and credit monitoring; $201 is the average cost per breached record (US). Source: Ponemon Institute.
  31. Cyber-Insurance: premiums up 32% in the first half of 2015; 83% of claims paid out; 32% of claims due to third-party breaches; 99% of exposed records due to hackers and malware. Payout breakdown: 78% crisis services, 8% legal defense, 9% legal settlements, 5% regulatory. Biggest payout $15m, average payout $674k, median payout $77k. Source: Netdiligence 2015 Cyber Claims Study.
  32. Case Study: general stats aren’t known, but smaller companies get badly hurt. 2013: database hacked (SQL injection?); 50 million customers affected; 15-20% revenue drop in subsequent months; -82% employee reduction now vs. pre-breach. Sources: All Things D and NYTimes.
  33. Security Spending: network security vs. app security. Almost triple the spending goes to network security. Source: Lumension 2015 State of the Endpoint.
  34. 31% of all security breaches at banks in 2015 involved web app attacks. Source: Verizon 2015 Data Breach Report.
  35. Top Threats by Industry. Accommodation: point of sale 91%. Education: crimeware 32%. Entertainment: point of sale 73%. Financial services: crimeware 36%, web app attack 31%. Healthcare: misc. errors 32%, insider misuse 26%. Information/tech: cyber-espionage 36%, web app attack 35%. Manufacturing: cyber-espionage 60%. Public: crimeware 51%. Retail: point of sale 70%. Source: Verizon 2015 Data Breach Report.
  36. Cyber-Espionage: Spy vs. Computer. 66% (two-thirds) of cyber-espionage attacks relied on targeted phishing emails with malicious links or attachments. 27% of victims were manufacturing corporations; public sector targets accounted for 20%. Of all breaches resulting in data loss, only 0.8% were due to cyber-espionage. Source: Verizon 2015 Data Breach Report.
  37. Phishing: 23% of recipients open phishing emails; 11% open the attachments. Source: Verizon 2015 Data Breach Report.
  38. It Gets Worse. Scarier than a presidential election?
  39. Internet of Crap: 20% of cars networked by 2020 (3); since 2008, more connected devices than people globally (2); 50b connected devices by 2020 (2); 70% vulnerable to attack (1); 90% collect personal information (1); 25 vulnerabilities found per device on average (1). Sources: 1. HP Internet of Things research study 2015, 2. Cisco, 3. Gartner.
  40. Wall of Shame Highlights: Aetna, Alliance Health, Anthem, Blue Cross, Cigna, CVS, Harvard Pilgrim, Humana, Johns Hopkins, Kaiser, Mayo Clinic, Rite Aid, University of Colorado Health, Walgreens. 277 healthcare breaches in 2015; 112,832,082 records stolen, 67% of stolen records across industries; $10 per record on the black market. Source: Identity Theft Research Center.
  41. Breach Detection: 229 days before detection (median); 32 days to respond to a breach (average); 67% learned of their breach from an external entity. Source: Mandiant M-Trends 2015.
  43. Summing Up So Far: software devs need to step up. Breaches: through the roof. Firewalls: insufficient to secure data. Apps: are the problem. Trivial: most vulnerabilities are easy to exploit. IoT: more insecure devices every day. Bad security: very costly, and kills companies.
  44. We can fix this.
  45. Computer science degrees awarded per year, 1966 through 2014 (chart: associate’s, bachelor’s and advanced degrees). 2014: 120,391 grads (56,130 bachelor’s, 37,643 associate’s, 26,618 advanced). Source: National Science Foundation WebCASPAR Database.
  46. University Shame List: 0% of the top 20 computer science undergrad programs require secure coding. 1. Carnegie Mellon; 1. MIT; 1. Stanford; 1. UC Berkeley; 5. University of Illinois, Urbana-Champaign; 6. Cornell; 6. University of Washington; 8. Princeton; 9. Georgia Institute of Technology; 9. University of Texas, Austin; 11. California Institute of Technology; 11. University of Wisconsin, Madison; 13. UCLA; 13. University of Michigan, Ann Arbor; 15. Columbia; 15. UC San Diego; 15. University of Maryland, College Park; 18. Harvard University; 19. University of Pennsylvania; 20. Brown University; 20. Purdue University, West Lafayette; 20. Rice University; 20. University of Southern California; 20. Yale University; 20. Duke University. Source: IronCore Labs using US News Rankings.
  47. Software Development Phases: Employee Education, Requirements, Design, Develop, Verify, Release, Monitor/Respond.
  48. PHASE ONE: TRAINING. Look at Coursera, SANS, ISC, CERT, securecoding.org, secureset.com and others for help.
  49. PHASE TWO-A: REQUIREMENTS. Internet Security First Aid:
 ✓ Product managers should include malicious users in their personas list.
 ✓ Require security features up front. Ex:
 • Account lockouts
 • Form submission rate limits
  50. Did you know? 25: number of accounts for the average web user. 6.5: number of passwords for the average web user. 8.2b: number of password guesses per second for a single desktop computer.* Source: Microsoft Research, Ars Technica. *Stat from 2012. Actual speed depends on hardware and the hashing algorithm used.
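The two requirement examples above (account lockouts and form-submission rate limits) as working code, added here and not part of the original deck: an in-memory guard with a sliding-window limiter per client and a consecutive-failure counter per account. The thresholds, the injectable clock and the check order in `handle_login` are assumptions.

```python
# Added example (not from the deck): account lockouts and form-submission
# rate limits, the two listed requirements, as one policy module. Thresholds are assumptions.
import time
from collections import defaultdict, deque

LOCKOUT_THRESHOLD = 5         # consecutive failed logins before the account locks
LOCKOUT_SECONDS = 15 * 60     # how long a lock lasts
RATE_LIMIT = 20               # submissions allowed per client per window
RATE_WINDOW_SECONDS = 60

class LoginGuard:
    """Tracks failed logins per account and submissions per client (e.g. an IP)."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                     # injectable for deterministic tests
        self.failures = defaultdict(int)       # account -> consecutive failures
        self.locked_until = {}                 # account -> time the lock expires
        self.submissions = defaultdict(deque)  # client -> recent submission times

    def is_locked(self, account):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock expired: clear it and start the failure count over.
            del self.locked_until[account]
            self.failures[account] = 0
            return False
        return True

    def record_login(self, account, success):
        """Record one password-check result; returns True if the account is now locked."""
        if success:
            self.failures[account] = 0
            return False
        self.failures[account] += 1
        if self.failures[account] >= LOCKOUT_THRESHOLD:
            self.locked_until[account] = self.clock() + LOCKOUT_SECONDS
            return True
        return False

    def allow_submission(self, client):
        """Sliding window: at most RATE_LIMIT submissions per client per window."""
        now = self.clock()
        window = self.submissions[client]
        while window and now - window[0] >= RATE_WINDOW_SECONDS:
            window.popleft()               # forget submissions outside the window
        if len(window) >= RATE_LIMIT:
            return False
        window.append(now)
        return True

def handle_login(guard, client, account, password_ok):
    """Rate limit first, then the lock, then the caller's password-check result."""
    if not guard.allow_submission(client):
        return "rate_limited"
    if guard.is_locked(account):
        return "locked"
    if guard.record_login(account, password_ok):
        return "locked"
    return "ok" if password_ok else "failed"
```

A correct password during the lock window still returns "locked", so a guessed password cannot be confirmed until the lock expires.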
  51. PHASE TWO-B: DESIGN
  52. PHASE THREE: IMPLEMENTATION. Internet Security First Aid pipeline: Work Item (Feature/Defect), Code, Unit Tests, CI, Manual QA, 3rd Party Audit, Release (Deliver to Ops).
  53. Work Item (Feature/Defect): developer grabs a work item as usual.
  54. Code. Normal: developer codes a solution. Secure: developer uses secure code training to write bullet-proof code (we hope).
  55. Unit Tests. Normal: developer writes automated tests. Secure: developer adds randomized inputs to each function or functional test.
  56. CI. Normal: runs unit tests. Secure: also runs static code analysis looking for security errors and common code errors.
  57. Manual QA. Normal: verify the work item is working correctly. Secure: also try to break it using hacking techniques and tools, like manual cookie and parameter changes.
  58. 3rd Party Audit. Normal: N/A. Secure: external 3rd party pen-test or audit. Automated (such as Whitehat Sec.) is okay.
  59. Add security at every step. Fix problems before release.
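The "randomized inputs to each function" step of the pipeline above as an added example, not code from the original deck: a seeded fuzz harness that feeds random strings to a hypothetical form-field sanitizer (built on the standard library's html.escape) and checks properties that must hold for every input, the kind of check that targets slide 23's "XSS = poor input sanitization". The sanitizer, its alphabet and its length limit are assumptions.

```python
# Added example (not from the deck): the "secure developer" unit-test step of
# feeding randomized inputs to a function. The target is a hypothetical
# form-field sanitizer; the harness checks properties for every input
# instead of a few hand-picked cases, and is seeded so failures reproduce.
import html
import random
import string

# Alphabet biased toward HTML metacharacters, control bytes and non-ASCII text.
ALPHABET = string.ascii_letters + string.digits + "<>&\"' /=;\n\t\x00\u00e9\u4e2d"
MAX_FIELD_LEN = 256

def sanitize_field(value):
    """Hypothetical sanitizer: drop NUL bytes, truncate, HTML-escape the rest."""
    return html.escape(value.replace("\x00", "")[:MAX_FIELD_LEN], quote=True)

def random_input(rng, max_len=64):
    """One constructed random string drawn from ALPHABET."""
    return "".join(rng.choice(ALPHABET) for _ in range(rng.randint(0, max_len)))

def check_sanitizer(value):
    """Return the name of the violated property, or None if the output is safe."""
    out = sanitize_field(value)
    if any(c in out for c in "<>\"'") or "\x00" in out:
        return "metacharacter survived"
    # Every '&' in the output must belong to an entity the escaper produced.
    entities = ("&amp;", "&lt;", "&gt;", "&quot;", "&#x27;")
    if out.count("&") != sum(out.count(e) for e in entities):
        return "unescaped ampersand"
    # Escaping must be lossless: decoding the output gives back the cleaned input.
    if html.unescape(out) != value.replace("\x00", "")[:MAX_FIELD_LEN]:
        return "round trip changed the data"
    return None

def fuzz_sanitizer(iterations=2000, seed=0):
    """Run the randomized test; returns (iterations, list of (input, problem))."""
    rng = random.Random(seed)  # fixed seed so any failing input can be replayed
    failures = []
    for _ in range(iterations):
        value = random_input(rng)
        problem = check_sanitizer(value)
        if problem:
            failures.append((value, problem))
    return iterations, failures
```

Swapping in a weaker sanitizer (one that forgets quotes, say) makes the harness return the exact failing input, which is what turns a random test into a reproducible bug report.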
  60. We aren’t done yet.
  61. PHASE FOUR: PRODUCTION AND MAINTENANCE. An ongoing cycle: Harden, Encrypt, Update libs, Update servers, Monitor, Threat intelligence, Scan / audit, Respond.
  62. Harden: least permissions, separation of concerns, segmentation, uninstall anything you don’t need, …
  63. Encrypt: encrypt all the things. Use HTTPS, DB encryption, disk encryption, and add extra crypto to your most sensitive data. Use password-less SSH (key-based identity) and two-factor authentication everywhere.
  64. Update libs: watch 3rd party libraries and APIs closely for security updates (and deprecations) and adopt those immediately. This is going to require some good regression test suites to maintain confidence in system functionality after library upgrades.
  65. Update servers: religiously update operating systems, server software (Apache/whatever), etc. across all systems. And automate your update process! Make sure all your systems are running the same software, and that they can be kept that way with minimal effort.
  66. Monitor: log everything, have intrusion detection systems, monitor logs and alerts and act on them. Again, you are going to need some automation. Relying on humans to monitor logs and notice problems is a recipe for failure.
  67. Threat intelligence: keep up on current threats, major vulnerabilities, hacking techniques, worms, etc. in order to better counter them.
  68. Scan / audit: audit the production environment in addition to the app; use port scanners to find out what’s running that you didn’t know about.
  69. Respond: a process for managing, escalating, and responding to events is critical. Agree on risk thresholds for emergency releases, update software, and don’t lose track of work items.
  71. Summary. Training (Employee Education): all developers must be trained in the writing of secure code; all QA must be trained in basic security testing and fuzzing. Architecture (Requirements, Design): use secure coding checklists, verify the security of 3rd party libraries, model threats, and design with adversaries and best practices in mind. Implementation (Develop, Verify): develop and test, adding QA fuzzing and security checks, automated static code analysis, and, before release, an audit or pen-test (even automated). Production and Maintenance (Release, Monitor/Respond): release is not the end. Software inevitably has bugs and security issues. Ongoing security testing, monitoring of logs, and most importantly, responding to any issues and pushing back to development.
  72. Simply secure data. @ironcorelabs, bob.wall@ironcorelabs.com. We build encryption solutions for developers, including end-to-end PKI and drop-in key management. Talk to us if you need better data security for your app.