1. Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Information Classification, Public
2. Keeping the Future Secure with Java
Milton Smith, Sr. Principal Security PM
Email: milton.smith@oracle.com
Blog: http://spoofzu.blogspot.com/
Twitter: @spoofzu
3. Notice
"THE FOLLOWING IS INTENDED TO OUTLINE OUR GENERAL PRODUCT
DIRECTION. IT IS INTENDED FOR INFORMATION PURPOSES ONLY, AND MAY NOT
BE INCORPORATED INTO ANY CONTRACT. IT IS NOT A COMMITMENT TO DELIVER
ANY MATERIAL, CODE, OR FUNCTIONALITY, AND SHOULD NOT BE RELIED UPON
IN MAKING PURCHASING DECISION. THE DEVELOPMENT, RELEASE, AND TIMING
OF ANY FEATURES OR FUNCTIONALITY DESCRIBED FOR ORACLE'S PRODUCTS
REMAINS AT THE SOLE DISCRETION OF ORACLE."
4. Who Am I?
Milton Smith
§ Responsible for Java platform security: vision/features, internal/external communications – everything Java except EE.
§ 20+ years of programming and specializing in security.
§ Former employer was Yahoo!, where I managed security for the User Data Analytics property.
5. Program Agenda
§ Security Industry Challenges
§ Risk Choices & Methodologies
§ Security at Oracle
§ Ongoing Security Improvements
§ Security in Development Communities
§ Call to Action
6. Security Industry & Challenges
7. Java Ecosystem
Level of Security Challenge… Facts
Desktops
§ Java deployed on 97 percent of desktops
Devices
§ Java deployed on 80 percent of mobile platforms
§ Java deployed on 125 million television sets
Community
§ 1 billion Java downloads per year
§ 9 million developers worldwide
Ref: http://www.oracle.com/us/corporate/press/1843546
8. Security Threat Landscape
A lot has changed since 1995 when Java started…
That was Then…
• Individual pranksters
This is Now…
• Well funded and organized
• State or Terrorist Cyber Warfare
• Data Destruction
• Denial of Service
• Intellectual Property Theft
• Hacktivism
9. Why is Java a Favored Target for Attack?
§ Java is deployed widely across homes and business computers.
§ Multi-platform features of Java allow attackers to indiscriminately
target Windows, Mac, and even Linux versions.
§ Unlike data centers, physical and logical security controls for the
home systems are less sophisticated.
10. What Uses of Java are Highest Risk?
Highest Risk…
§ Java Applets and Web Start plugins running in the browser.
Why…
§ Java users have valuable information (e.g., credit cards, license keys, etc.)
§ Security controls on Java desktops are either missing or poorly configured
11. Strong Security is the Expectation…
Challenges across entire industry…
§ Security concerns across industry are elevated
§ Strong vs. poor security is difficult for users to evaluate
12. Risk Choices & Methodologies
13. Risk vs. Reward
WE MAKE CHOICES BASED UPON RISK EVERY DAY
THIS IS HOW HUMANS FUNCTION
14. Everyday Risk Choices
Do animals drink at the water hole? Animals with big teeth may be present.
– Answer = Depends on how thirsty they are.
15. Everyday Risk Choices
Everyone treated by a doctor has died or will die. The success rate is precisely zero. Do we continue to visit doctors?
– Answer = Yes!
16. Everyday Risk Choices
Life is risky. Do we visit the doctor every day for a check-up?
– Answer = No!
17. Risk Based Security Methodology
§ Many of us today use informal risk-based approaches.
§ Some don't take the next step: formalize their thinking about risk and how it governs their behavior.
§ A risk methodology helps drive security decisions.
18. Security Risk Applied to a Web Application
Example
§ A few simple considerations…
– How important is the application to the business? Dollar loss, compliance requirements, inconvenience?
– Internet-facing application interfaces (web, web data services)?
– Any unauthenticated application interfaces (no logon)?
– …and many more factors
§ Platforms have different concerns, but the approach is similar
19. Security at Oracle
20. Why is Security Important to Oracle?
Java is at the center of our applications
(Diagram: the Java Platform at the center, with Your Apps, Oracle Apps and Vendor Apps built on top of it.)
21. Overview – Larger Security Policy Areas
Communications
§ SA/CPU RSS Feeds
§ Security Blog
§ eBlasts
§ Java.com Security
Development Lifecycle
§ Architecture Review
§ Peer Review
§ Security Testing
§ Post Mortems
Remediation
§ CPU
§ Security Alerts
22. Security Policies - Communications
§ Security news & alerts are communicated via several channels
– Security Alerts (RSS feed)
– Critical Patch Update Advisories
– eBlasts
– Blogs (like blogs.oracle.com/security)
§ Policy: http://www.oracle.com/us/support/assurance/fixing-policies/index.html
23. Security Policies - Communications
Why we don't respond to published reports of alleged security vulnerabilities in Oracle products…
§ Correcting and corroborating articles provides more information to attackers
§ Many reports don't provide the engineering details required for proper verification. Technical details such as pre-conditions, impacts, and remediation/mitigation details are light or non-existent.
§ Responding to individual reports forces communities to track vulnerabilities on social media sites – not good.
24. Security Policies - Communications
Why we don't respond to published reports of alleged security vulnerabilities in Oracle products…
§ The information Oracle releases is precise, actionable, and everyone receives it at the same time.
§ Policy: http://www.oracle.com/us/support/assurance/disclosure-policies/index.html
25. Security Throughout the Development Lifecycle
Non-specific lifecycle methodology, by phase:
Concept – Risk Factors: less scrutiny or more scrutiny, depending on risk
Analysis – Project Review: architecture, compliance
Coding – Peer Review: manual, automated
Testing – Security Tests: static analysis, fuzzing
Delivery – Java.com
Policy: http://www.oracle.com/us/support/assurance/development/index.html
26. Outside the Development Lifecycle
Throughout the development cycle:
• GPS
• Ethical Hacking
• Security Training
• Tech Talks
…and more.
27. Security Policies - Remediation
§ Common Vulnerability Scoring System (CVSS)
§ Vulnerabilities reviewed and CVSS score assigned
§ Remediation strongly influenced by CVSS score
Policy: http://www.oracle.com/us/support/assurance/fixing-policies/index.html#scoring
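As an added illustration of the scoring step (this is my example, not Oracle's internal tooling), the program below implements the public CVSS v2.0 base-score equations and parses the base vector notation used in 2013-era advisories. The NVD severity bands are added for display only, and the three sample vectors are constructed for the demonstration.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * CVSS v2.0 base score from a base vector such as "AV:N/AC:L/Au:N/C:C/I:C/A:C".
 * Added example implementing the public CVSS v2.0 equations; not Oracle tooling.
 */
public final class CvssV2 {

    /** Metric weights from the CVSS v2.0 specification. */
    private static final Map<String, Double> WEIGHTS = new HashMap<>();
    static {
        WEIGHTS.put("AV:L", 0.395); WEIGHTS.put("AV:A", 0.646); WEIGHTS.put("AV:N", 1.0);   // Access Vector
        WEIGHTS.put("AC:H", 0.35);  WEIGHTS.put("AC:M", 0.61);  WEIGHTS.put("AC:L", 0.71);  // Access Complexity
        WEIGHTS.put("Au:M", 0.45);  WEIGHTS.put("Au:S", 0.56);  WEIGHTS.put("Au:N", 0.704); // Authentication
        for (String impact : new String[] {"C", "I", "A"}) {                               // C/I/A impact
            WEIGHTS.put(impact + ":N", 0.0);
            WEIGHTS.put(impact + ":P", 0.275);
            WEIGHTS.put(impact + ":C", 0.660);
        }
    }

    private static final String[] REQUIRED = {"AV", "AC", "Au", "C", "I", "A"};

    /** Parses a base vector, rejecting unknown, duplicate or missing metrics (fail closed on bad input). */
    static Map<String, Double> parse(String vector) {
        Map<String, Double> values = new HashMap<>();
        for (String part : vector.trim().split("/")) {
            Double weight = WEIGHTS.get(part);
            if (weight == null) {
                throw new IllegalArgumentException("unknown metric or value: " + part);
            }
            String metric = part.substring(0, part.indexOf(':'));
            if (values.put(metric, weight) != null) {
                throw new IllegalArgumentException("duplicate metric: " + metric);
            }
        }
        for (String metric : REQUIRED) {
            if (!values.containsKey(metric)) {
                throw new IllegalArgumentException("missing metric: " + metric);
            }
        }
        return values;
    }

    /** CVSS v2.0 base score equation, rounded to one decimal place as the specification requires. */
    static double baseScore(String vector) {
        Map<String, Double> v = parse(vector);
        double impact = 10.41 * (1 - (1 - v.get("C")) * (1 - v.get("I")) * (1 - v.get("A")));
        double exploitability = 20 * v.get("AV") * v.get("AC") * v.get("Au");
        double fImpact = (impact == 0) ? 0 : 1.176;   // no impact at all scores 0 regardless of exploitability
        double raw = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * fImpact;
        return Math.round(raw * 10) / 10.0;
    }

    /** NVD's severity bands for CVSS v2 scores (Low / Medium / High); added for display. */
    static String severity(double score) {
        if (score >= 7.0) return "High";
        if (score >= 4.0) return "Medium";
        return "Low";
    }

    public static void main(String[] args) {
        // Constructed sample vectors: an unauthenticated remote full compromise, a typical
        // "open a crafted file" client-side bug, and a remote denial of service.
        String[] samples = {
            "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "AV:N/AC:L/Au:N/C:N/I:N/A:C",
        };
        for (String vec : samples) {
            double score = baseScore(vec);
            System.out.printf("%-28s base %4.1f  %s%n", vec, score, severity(score));
        }
        // Sanity check against well-known CVSS v2 scores for these vectors.
        if (baseScore(samples[0]) != 10.0 || baseScore(samples[1]) != 6.8 || baseScore(samples[2]) != 7.8) {
            throw new AssertionError("CVSS v2 equations produce unexpected scores");
        }
    }
}
```

The parser fails closed on anything it does not recognise: an advisory pipeline that silently defaulted a missing metric would mis-rank the vulnerability and, through the "remediation strongly influenced by CVSS score" rule above, mis-schedule the fix.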
28. Security Policies - Remediation
§ Critical Patch Updates (CPU) - Security patches
– October, February, June for the Java Platform Group
– The Java Platform Group schedule differs from the Oracle CPU schedule
– Emergency releases are infrequent but do happen
§ Policy: http://www.oracle.com/technetwork/topics/security/alerts-086861.html
29. Java CPU
Planned Java 7 release sequence (CPUs every 4 months; * = unplanned Security Alert):
7 GA
7u1 – CPU
7u2 – Non-CPU
7u3 – CPU
7u4 – Non-CPU
7u5 – CPU
7u6 – Non-CPU
7u7 – Security Alert*
7u9 – CPU
Rules for Java CPUs
§ Main release for security vulnerabilities
§ Covers all families (7, 6, 5.0, 1.4.2)
§ CPU release triggers Auto-update
§ Dates published 12 months in advance
§ Security Alerts are released as necessary
§ Based off the previous (non-CPU) release
§ Released simultaneously on java.com and OTN
30. Securing Platforms vs. Securing Applications
§ Different tools for securing platforms and applications
– Platform development often precedes tool features
§ Platforms support a wider range of use cases
§ Different techniques for securing platforms and applications
31. Ongoing Security Improvements
32. Theme, Preventing Drive-By Exploitation
§ Defense against phishing attacks
§ “Best used before” date for JRE security
– Largest number of exploits are against out-of-date software
33. Theme, Preventing Drive-By Exploitation
§ Easier to disable Java in Browser (Applet/JNLP)
§ Encourage users to uninstall older JREs
– First step, as an applet
– Next step, component of the installer
34. Theme, JRE Security Hardening
§ Configurable IT security policy
§ More frequent security feeds (blacklists, security baseline updates)
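To make the "best used before" and security-baseline ideas concrete, here is an added example (my code, not Oracle's auto-update implementation) that decides whether an installed JRE is current: the version string is compared numerically rather than as text against a per-family minimum update, and the whole baseline is treated as expired after a cut-off date so that a stale check fails closed. The baseline updates, the expiry date and the sample version strings are placeholders constructed for this illustration, not values Oracle published.

```java
import java.time.LocalDate;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Decides whether an installed JRE is "current" against a per-family security baseline
 * and a "best used before" expiry date. Added example; not Oracle's updater code.
 * Baseline updates and expiry date are placeholders for illustration only.
 */
public final class JreBaseline {

    /** Pre-JDK 9 version strings: 1.<family>.0_<update>[-b<build>], e.g. "1.7.0_21-b11". */
    private static final Pattern LEGACY = Pattern.compile("^1\\.(\\d+)\\.0(?:_(\\d+))?(?:-.*)?$");

    static final class Version implements Comparable<Version> {
        final int family;
        final int update;

        Version(int family, int update) {
            this.family = family;
            this.update = update;
        }

        /** Parses numerically; a plain string compare would rank "1.7.0_9" above "1.7.0_21". */
        static Version parse(String text) {
            Matcher m = LEGACY.matcher(text.trim());
            if (!m.matches()) {
                throw new IllegalArgumentException("unrecognised JRE version: " + text);
            }
            int update = (m.group(2) == null) ? 0 : Integer.parseInt(m.group(2));
            return new Version(Integer.parseInt(m.group(1)), update);
        }

        @Override
        public int compareTo(Version other) {
            if (family != other.family) {
                return Integer.compare(family, other.family);
            }
            return Integer.compare(update, other.update);
        }
    }

    /** Hypothetical baseline: minimum update per family (placeholder values). */
    private static final Map<Integer, Version> BASELINE = new HashMap<>();
    static {
        BASELINE.put(6, new Version(6, 45));
        BASELINE.put(7, new Version(7, 21));
    }

    /** Hypothetical "best used before" date for this baseline (placeholder value). */
    static final LocalDate BEST_USED_BEFORE = LocalDate.of(2013, 7, 18);

    /**
     * True only when the JRE family is known, its update meets the baseline, and the baseline
     * itself has not expired. Unknown families and unparseable strings fail closed.
     */
    static boolean isCurrent(String installedVersion, LocalDate today) {
        if (!today.isBefore(BEST_USED_BEFORE)) {
            return false; // baseline data is stale: assume newer fixes exist that we do not know about
        }
        Version installed;
        try {
            installed = Version.parse(installedVersion);
        } catch (IllegalArgumentException e) {
            return false;
        }
        Version minimum = BASELINE.get(installed.family);
        return minimum != null && installed.compareTo(minimum) >= 0;
    }

    public static void main(String[] args) {
        LocalDate today = LocalDate.of(2013, 5, 1); // fixed date so the demonstration is repeatable
        String[] samples = {"1.7.0_21-b11", "1.7.0_9", "1.6.0_45", "1.6.0_7", "1.5.0_22", "garbage"};
        for (String s : samples) {
            System.out.printf("%-14s -> %s%n", s, isCurrent(s, today) ? "current" : "expired / out of policy");
        }
        // After the "best used before" date even a baseline-level JRE is treated as expired.
        System.out.println("1.7.0_21 after expiry -> " + isCurrent("1.7.0_21", BEST_USED_BEFORE.plusDays(1)));
    }
}
```

The two failure modes worth noticing are the ones the slide is about: an out-of-date JRE that a lexicographic comparison would wrongly accept, and a check whose own data has aged past the point where it can vouch for anything.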
35. Security in Development Communities
36. What is Impact of Security Incidents?
Schedule
§ Security firefighting derails the release train
Morale
§ Security firefighting hits home when your staff burns nights and weekends
Confidence
§ Too many incidents, or incidents that are too severe, shake confidence
37. Mitigating Security Impacts
Before an Incident (otherwise known as Prevention)
§ Best incident is the one you can avoid
§ Ensure security investments are commensurate with risk
§ What should they be? Depends, based upon security maturity
During an Incident
§ Have an emergency action plan. Relevant leadership? Responsibilities? Process? Actions? Expected outcomes?
After an Incident
§ Questions may linger for months after an incident
§ Have a communications policy and plan of execution
38. Open Source Projects
§ Millions of eyeballs do not mean any of them are trained on security
§ Communities focus on what is important to them – features
§ If you manage a developer community, set code quality standards
§ Ensure the quality standards include security (e.g., OWASP)
39. Restoring Confidence
Product Improvement
§ Understand your vulnerabilities and get them fixed
§ Make new security feature improvements as necessary
§ Make it happen
Communication
§ Code cannot fix a confidence problem
§ Likewise communication without action is meaningless
§ Make improvements and then communicate your progress
The currency of confidence is "hard work", and it is slowly won.
40. Call to Action
41. Vulnerability Reporting & Security Feature Suggestions
§ Report Vulnerabilities
– Support Customers: My Oracle Support
– Others: secalert_us@oracle.com
Policy: http://www.oracle.com/us/support/assurance/reporting/index.html
§ Suggest New Features
– http://bugreport.sun.com/bugreport/
42. Upcoming CPUs
§ April 16, 2013
§ June 18, 2013
§ October 15, 2013 (transition to Oracle CPU schedule)
§ January 14, 2014
§ CPUs: http://www.oracle.com/technetwork/topics/security/alerts-086861.html
43. Java Platform Support
§ I receive many questions on support programs; to answer a few…
§ 3 Options
– Premier, 5 years from GA
– Extended, Premier + 3 years
– Sustaining, "as long as you own your Oracle products"
Disclaimer: No, I don't receive a commission. ;o)
Ref: http://www.oracle.com/us/support/library/lifetime-support-middleware-069163.pdf
44. Java Root Certificate Program
§ Like browsers, Java ships with root certificates.
§ Our roots establish intrinsic “trust” for Java users.
§ Of course, users are always free to include their own certificates.
§ Program rules apply, see following link.
Ref: http://www.oracle.com/technetwork/java/javase/javasecarootcertsprogram-1876540.html
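As an added example (my code, not Oracle's, and not part of the Root Certificate Program itself), the program below loads the roots bundled with the running JRE, flags any outside their validity period, shows how to add your own root to an in-memory copy of the store, and builds a TLS context that trusts only that store. It assumes the standard JRE layout (java.home/lib/security/cacerts) and the documented default password "changeit"; the optional PEM file and alias are taken from the command line.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Audits the roots a JRE trusts and shows how to add an organisation's own root without
 * editing the shipped cacerts file. Added example; not Oracle code. Assumes the standard
 * JRE layout (java.home/lib/security/cacerts) and the default password "changeit".
 */
public final class RootAudit {

    /** Loads the JRE's bundled root store; the file is only read, never written back. */
    static KeyStore loadJreRoots() throws Exception {
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(cacerts)) {
            ks.load(in, "changeit".toCharArray());
        }
        return ks;
    }

    /** Lists every trust anchor, flags ones outside their validity period, and returns the anchor count. */
    static int audit(KeyStore ks, Date now) throws Exception {
        int anchors = 0;
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (!ks.isCertificateEntry(alias)) {
                continue; // skip private-key entries; only trusted certificate entries are roots
            }
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            anchors++;
            String flag = cert.getNotAfter().before(now) ? "  EXPIRED" : "";
            System.out.printf("%-40s valid to %tF  %s%s%n",
                    alias, cert.getNotAfter(), cert.getSubjectX500Principal().getName(), flag);
        }
        return anchors;
    }

    /** Adds a PEM-encoded root to the in-memory store under the given alias; the file on disk is untouched. */
    static void addOwnRoot(KeyStore ks, Path pem, String alias) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(pem)) {
            X509Certificate root = (X509Certificate) cf.generateCertificate(in);
            root.checkValidity(); // refuse an already-expired or not-yet-valid root
            if (root.getBasicConstraints() < 0) {
                throw new IllegalArgumentException("not a CA certificate: " + root.getSubjectX500Principal());
            }
            ks.setCertificateEntry(alias, root);
        }
    }

    /** Builds a TLS context that trusts exactly the anchors in the given store. */
    static SSLContext contextTrusting(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        KeyStore roots = loadJreRoots();
        int count = audit(roots, new Date());
        System.out.println(count + " trust anchors in " + System.getProperty("java.home"));
        if (args.length == 2) { // optional: <root.pem> <alias>
            addOwnRoot(roots, Paths.get(args[0]), args[1]);
            System.out.println("added " + args[1] + "; store now has " + audit(roots, new Date()) + " anchors");
        }
        SSLContext ctx = contextTrusting(roots);
        System.out.println("TLS context ready with protocol " + ctx.getProtocol());
    }
}
```

Keeping your own roots in a separate store (or an in-memory copy, as here) rather than appending to the shipped cacerts file means a JRE update that replaces cacerts does not silently drop your anchors, and an audit like the one above shows exactly what the process trusts.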
45. Help Us Keep You Secure
§ To end users…
– Keep your JREs updated (auto-update on)
– Practice defense-in-depth: virus scanner, firewall
§ To developers…
– Support current JREs so end users can upgrade
– Sign your applications (use a timestamp)
– Validate untrusted data (input/output validation)
– Follow the Open Web Application Security Project, https://www.owasp.org/
§ All
– Attend the new security track at JavaOne 2013 in San Francisco, CA, USA
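An added example (my code, not Oracle's verifier) of what "sign your applications (use a timestamp)" buys the party checking the signature: a trusted timestamp, which jarsigner attaches when given its -tsa option, lets the signature stay verifiable after the signing certificate expires, because validity is judged at signing time. The check below rejects a JAR with any unsigned, tampered or untimestamped entry; with no argument it exercises the unsigned path against a placeholder JAR it constructs in a temp file, and with a path argument it checks that JAR.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.CodeSigner;
import java.security.Timestamp;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.JarOutputStream;
import java.util.zip.ZipEntry;

/**
 * Checks that every class/resource in a JAR is signed, that each signature carries a trusted
 * timestamp, and that the signer's certificate was valid at signing time. Added example; not
 * Oracle's verifier. A JAR signed with "jarsigner -tsa <url>" carries the timestamp checked here.
 */
public final class JarSignatureCheck {

    static final class Report {
        int entries, unsigned, untimestamped, tampered, certInvalidAtSigning;

        boolean acceptable() {
            return entries > 0 && unsigned == 0 && untimestamped == 0 && tampered == 0 && certInvalidAtSigning == 0;
        }

        @Override
        public String toString() {
            return String.format("entries=%d unsigned=%d untimestamped=%d tampered=%d certInvalidAtSigning=%d",
                    entries, unsigned, untimestamped, tampered, certInvalidAtSigning);
        }
    }

    static Report check(Path jar) throws IOException {
        Report r = new Report();
        try (JarFile jf = new JarFile(jar.toFile(), true)) { // verify=true: digests checked as entries are read
            for (Enumeration<JarEntry> e = jf.entries(); e.hasMoreElements();) {
                JarEntry entry = e.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) {
                    continue; // manifest and signature files are not themselves signed content
                }
                r.entries++;
                try (InputStream in = jf.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* signers are only populated after a full read */ }
                } catch (SecurityException tampered) {
                    r.tampered++; // digest mismatch: content changed after signing
                    continue;
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    r.unsigned++;
                    continue;
                }
                for (CodeSigner signer : signers) {
                    Timestamp ts = signer.getTimestamp();
                    if (ts == null) {
                        r.untimestamped++; // signature looks invalid once the signer certificate expires
                        continue;
                    }
                    X509Certificate signerCert =
                            (X509Certificate) signer.getSignerCertPath().getCertificates().get(0);
                    try {
                        signerCert.checkValidity(ts.getTimestamp()); // validity at signing time, not now
                    } catch (CertificateException ex) {
                        r.certInvalidAtSigning++;
                    }
                }
            }
        }
        return r;
    }

    /** Builds an unsigned placeholder JAR in a temp file so the check can run with no signed input at hand. */
    static Path constructUnsignedJar() throws IOException {
        Path tmp = Files.createTempFile("unsigned-", ".jar");
        try (OutputStream os = Files.newOutputStream(tmp); JarOutputStream jos = new JarOutputStream(os)) {
            jos.putNextEntry(new ZipEntry("com/example/Hello.class")); // constructed placeholder content
            jos.write(new byte[] {(byte) 0xCA, (byte) 0xFE, (byte) 0xBA, (byte) 0xBE});
            jos.closeEntry();
        }
        return tmp;
    }

    public static void main(String[] args) throws IOException {
        Path jar = args.length > 0 ? Paths.get(args[0]) : constructUnsignedJar();
        Report report = check(jar);
        System.out.println(jar + ": " + report + " -> " + (report.acceptable() ? "ACCEPT" : "REJECT"));
    }
}
```

Note the ordering: each entry must be read to the end before getCodeSigners() is meaningful, and a digest mismatch surfaces as a SecurityException from the stream rather than as a missing signer, so a verifier that only inspects metadata would miss both.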
46. oracle.com/javajobs