Date post: 29-Nov-2014
Category: Technology
Upload: ollie-whitehouse
Secure App Aspirations: Why it is very difficult in the real world
Why it’s difficult
Secure Apps, Applications & Code
• Developed using: Waterfall / Agile / Wagile etc.
• Secure code costs: ~14% more*
• Microsoft’s SDLC is too expensive for most
• BSIMM is far more practical
• Segregation costs
Accepted wisdom
• Requirements / Stories: Risk review
• Design / Architecture: Threat model and review
• Implementation: Secure* frameworks and code review
• Test: Fuzzing, penetration tests etc.
• Sustainment: DiD and quick patching
Architecture assessment: challenges
• Data flows
• Component functionality knowledge
• Framework selection
• Security capability knowledge
Threat modelling
• Teams: rarely have the skills
• All: see it as a chore / gate
• Distributed teams make it complex
• Natural ability for geeks to communicate also a challenge
• COTS / components make it complex
Threat modelling: Example
Web app that uses fully patched jQuery
What’s the threat?
Threat modelling: Example - Reality
Code: where is it coming from?
source: https://sourceclear.com/
Code review
Code review: static analysis example
Code review
• Good code review is hard
• Good code reviewers are rare
• Difficult to keep people focused (~3 hours a day)
• Most reliable vulnerabilities are logic flaws, which need confidence, understanding and time to find
DevOps
DevOps: Network Zones Ideal
DevOps: Network Zones Reality
General developer, test & ops hygiene
• Often high privileges on their box
• Responsible for own patching
• External e-mail / web on machines
• Testers are often contractors due to fluctuating demand
• Code signing certs in CVS etc.
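As an added example for the "code signing certs in CVS" point (not code from the deck or its author), a pre-commit style check that walks a working tree and flags private key and keystore material before it reaches version control; the file-type signatures and sample files are assumptions and constructed data:

```python
import os
import re
import tempfile

# Assumed signatures for key material that ends up in repos (not from the deck):
PEM_PRIVATE_KEY = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----")
PKCS12_EXTENSIONS = {".pfx", ".p12"}    # PKCS#12 bundles carry the cert and its private key
JKS_MAGIC = b"\xfe\xed\xfe\xed"         # Java keystore magic number
SKIP_DIRS = {".git", ".svn", "CVS", "node_modules"}

def classify(path):
    """Label one file as key material, or return None if it looks clean."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(64 * 1024)        # markers sit at the start; don't read huge blobs
    if PEM_PRIVATE_KEY.search(head):     # encrypted PEM keys count too: passphrases leak
        return "pem-private-key"
    if head.startswith(JKS_MAGIC):
        return "java-keystore"
    if ext in PKCS12_EXTENSIONS and head[:1] == b"\x30":   # DER SEQUENCE tag
        return "pkcs12-bundle"
    return None

def scan_tree(root):
    """Walk a working tree; return sorted (relative path, label) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]   # prune VCS metadata
        for name in filenames:
            full = os.path.join(dirpath, name)
            label = classify(full)
            if label:
                findings.append((os.path.relpath(full, root).replace(os.sep, "/"), label))
    return sorted(findings)

def demo():
    samples = {  # constructed sample files, all contents made up for this example
        "build/sign.pfx": b"\x30\x82\x0a\x00" + b"\x00" * 16,
        "keys/release.key": b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIE...\n-----END ENCRYPTED PRIVATE KEY-----\n",
        "android/release.jks": JKS_MAGIC + b"\x00\x00\x00\x02",
        "certs/public.pem": b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",  # public: clean
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return scan_tree(root)
```

`demo()` runs the scan over the constructed tree; `scan_tree(path)` runs it over a real checkout, where a non-empty result should block the commit.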
Beyond: Dev Ops – cloud services!
But…
No one has the source code!
Why security via obscurity might not work…
Chinese case study
Why security via obscurity might not work…
Chinese case study
Why security via obscurity might not work…
Final thought…
UK Offices
Manchester - Head Office
Cheltenham
Edinburgh
Leatherhead
London
Milton Keynes
North American Offices
San Francisco
Atlanta
New York
Seattle
Austin
Australian Offices
Sydney
European Offices
Amsterdam - Netherlands
Munich - Germany
Zurich - Switzerland
Thanks? Questions?
Ollie [email protected]