Secure App Aspirations: Why it is very difficult in the real world

Date post: 29-Nov-2014
Upload: ollie-whitehouse
Description:
Discussion on why developing secure software is actually quite hard in the real world.
Why it’s difficult

Secure Apps, Applications & Code

• Developed using: Waterfall / Agile / Wagile etc.

• Secure code costs: ~14% more*

• Microsoft’s SDLC is too expensive for most

• BSIMM is far more practical

• Segregation costs

Accepted wisdom

• Requirements / Stories: Risk review

• Design / Architecture: Threat model and review

• Implementation: Secure* frameworks and code review

• Test: Fuzzing, penetration tests etc.

• Sustainment: DiD and quick patching

Architecture assessment: challenges

• Data flows

• Component functionality knowledge

• Framework selection

• Security capability knowledge

Threat modelling

• Teams: rarely have the skills

• All: see it as a chore / gate

• Distributed teams make it complex

• Natural ability for geeks to communicate is also a challenge

• COTS / components make it complex

Threat modelling: Example

Web app that uses fully patched jQuery

What’s the threat?

Threat modelling: Example - Reality

Code: where is it coming from?

Code: where is it coming from?

source: https://sourceclear.com/

Code review

Code review: static analysis example

Code review

Code review

• Good code review is hard

• Good code reviewers are rare

• Difficult to keep people focused (~3 hours a day)

• Most reliable vulnerabilities are logic flaws, which need confidence, understanding and time

DevOps

DevOps: Network Zones Ideal

DevOps: Network Zones Reality

General developer, test & ops hygiene

• Often high privileges on their box

• Responsible for own patching

• External e-mail / web on machines

• Test often contractors due to flux requirement

• Code signing certs in CVS etc.

Beyond: Dev Ops – cloud services!

But…

No one has the source code!

Why security via obscurity might not work…

Why security via obscurity might not work…

Chinese case study

Why security via obscurity might not work…

!Chinese case study

Why security via obscurity might not work…

Why security via obscurity might not work…

Final thought….

Thanks? Questions?

Ollie [email protected]
