David Rook

Jedi mind tricks for building application
security programs

SecurityBSides, London
if (slide == introduction)
    System.out.println("I'm David Rook");

• Security Analyst, Realex Payments, Ireland
  CISSP, CISA, GCIH and many other acronyms



• Security Ninja (www.securityninja.co.uk)

• Speaker at international security conferences

• Nominated for multiple blog awards

• A mentor in the InfoSecMentors project

• Developed and released Agnitio
Agenda


• Using Jedi mind tricks on your developers

• s/Application Security Alien/Business Language/i;
Using Jedi mind tricks on developers


• Most developers actually want to write secure code

  • You need to take ownership of the app sec problems with them
  • Developers generally like producing quality code, use this!
  • They want security knowledge with good practices and tools
Using Jedi mind tricks on developers


Jim Bird, blog comment:

“I’m a software guy. I don’t need a meme. I need practices and tools that
work, that help me get software out the door, better software that is more
reliable and more secure.”




http://securosis.com/blog/good-programming-practices-vs.-rugged-development
Using Jedi mind tricks on developers


• How you can help developers?

  • Help them understand how to write secure code
  • Own application security problems with them
  • Don’t dictate! Speak, listen, learn and improve things
Application Security Alien


• We speak an alien language

  • We talk of injections, jackings and pwnings
Application Security Alien


• We speak an alien language

  • We talk of injections, jackings and pwnings
  • We present findings in weird formats with a side order of FUD
Application Security Alien


• I will use CVSS as an example

  • Let’s pretend we are analysing a SQL Injection vulnerability
Application Security Alien


CVSS base score equation

BaseScore = (0.6*Impact + 0.4*Exploitability - 1.5) * f(Impact)
Impact = 10.41*(1 - (1-ConfImpact)*(1-IntegImpact)*(1-AvailImpact))
Exploitability = 20*AccessComplexity*Authentication*AccessVector
f(Impact) = 0 if Impact=0; 1.176 otherwise
Application Security Alien


CVSS Temporal Equation

TemporalScore = BaseScore*Exploitability*RemediationLevel*ReportConfidence
Application Security Alien


CVSS Environmental Equation

EnvironmentalScore = (AdjustedTemporal + (10 - AdjustedTemporal)*CollateralDamagePotential) * TargetDistribution
AdjustedTemporal = TemporalScore recomputed with the Impact sub-equation replaced with the following AdjustedImpact equation.
AdjustedImpact = Min(10, 10.41*(1 - (1-ConfImpact*ConfReq)*(1-IntegImpact*IntegReq)*(1-AvailImpact*AvailReq)))
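As an added example (not from the slides), the CVSS v2 base and temporal equations above implemented in Python and scored for the SQL Injection case the slides use. The metric weights are the published CVSS v2 values; the vector AV:N/AC:L/Au:N/C:P/I:P/A:P chosen for the SQL Injection example is an assumption.

```python
import math

# CVSS v2 metric weights, as published in the CVSS v2 guide (not on the slides).
ACCESS_VECTOR     = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35,  "M": 0.61,  "L": 0.71}
AUTHENTICATION    = {"M": 0.45,  "S": 0.56,  "N": 0.704}
IMPACT_WEIGHT     = {"N": 0.0,   "P": 0.275, "C": 0.660}
# Temporal weights; "ND" (not defined) leaves the base score unchanged.
TEMPORAL_EXPLOITABILITY = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}
REMEDIATION_LEVEL       = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}
REPORT_CONFIDENCE       = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}

# Assumed vector for the slides' SQL Injection example: reachable over the network,
# no special access conditions, no authentication, partial loss of C, I and A.
SQLI_VECTOR = "AV:N/AC:L/Au:N/C:P/I:P/A:P"


def round1(x):
    """Round half up to one decimal place, as the CVSS v2 guide prescribes."""
    return math.floor(x * 10 + 0.5) / 10


def parse_vector(vector):
    """'AV:N/AC:L/Au:N/C:P/I:P/A:P' -> {'AV': 'N', 'AC': 'L', ...}."""
    return dict(part.split(":", 1) for part in vector.split("/"))


def impact_subscore(m):
    # Impact = 10.41*(1-(1-ConfImpact)*(1-IntegImpact)*(1-AvailImpact))
    return 10.41 * (1 - (1 - IMPACT_WEIGHT[m["C"]])
                      * (1 - IMPACT_WEIGHT[m["I"]])
                      * (1 - IMPACT_WEIGHT[m["A"]]))


def exploitability_subscore(m):
    # Exploitability = 20*AccessComplexity*Authentication*AccessVector
    return 20 * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]] * ACCESS_VECTOR[m["AV"]]


def base_score(vector):
    """BaseScore = (0.6*Impact + 0.4*Exploitability - 1.5) * f(Impact)."""
    m = parse_vector(vector)
    impact = impact_subscore(m)
    f_impact = 0 if impact == 0 else 1.176   # f(Impact) = 0 if Impact=0; 1.176 otherwise
    return round1((0.6 * impact + 0.4 * exploitability_subscore(m) - 1.5) * f_impact)


def temporal_score(vector, e="ND", rl="ND", rc="ND"):
    """TemporalScore = BaseScore*Exploitability*RemediationLevel*ReportConfidence."""
    return round1(base_score(vector)
                  * TEMPORAL_EXPLOITABILITY[e] * REMEDIATION_LEVEL[rl] * REPORT_CONFIDENCE[rc])


if __name__ == "__main__":
    print("SQLi base score:    ", base_score(SQLI_VECTOR))                        # 7.5
    # Proof-of-concept exploit exists, official fix available, report confirmed.
    print("SQLi temporal score:", temporal_score(SQLI_VECTOR, "POC", "OF", "C"))  # 5.9
```

The point of the slide stands: a 7.5 arrived at through four sub-equations is exactly the kind of output a business owner cannot act on without translation.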
Application Security Alien


• We speak an alien language

  • We talk of injections, jackings and pwnings
  • We present findings in weird formats with a side order of FUD
  • We feel security should just happen without having to justify it
The Business Language


• We need to speak the business language

  • We need to talk about things the business cares about
  • We need to present findings in a format that makes sense
The Business Language


• How does your business score risks?

  • Let’s pretend we are analysing a SQL Injection vulnerability
The Business Language


A simple (common!) risk equation

Probability*Impact


  Probability    Impact   Score   Appetite

      3            5       15       12
The Business Language


• We need to speak the business language

  • We need to talk about things the business cares about
  • Present findings in a format that makes sense to the business
  • Application security is no exception when it comes to resourcing
Jedi mind tricks and alien translations


• Apply the KISS principle to everything you do

  • Keep everything as simple as possible, complexity doesn’t help
  • Understand what developers want and need to write secure code
  • Work with the business and use their language and formats
QUESTIONS?
www.securityninja.co.uk


     @securityninja

     /realexninja

     /securityninja

     /realexninja
Jedi mind tricks
for building
application
security programs

Chris Wysopal
CTO & Co-founder
The formative years… Padawan?




It was all about attack.

Early web app testing: Lotus Domino, Cold Fusion
Windows Security: Netcat for Windows, L0phtCrack
Early disclosure policies: RFPolicy, L0pht Advisories
Now with professional PR team…




   Time to help the defensive side

   Led @stake research team
   @stake application security consultant
   Published Art of Software Security Testing
   Veracode CTO and Co-Founder
Why do we need executive buy in?

Application security programs will require
developer training
Application security programs will require
tools/services
Application security programs will impact
delivery schedules
Application security cannot be “voluntary”


                    Authority
Speaking the language of executives



CEOs
CFOs
CIOs
If money is the language of execs what do they
say?

How do I grow my top line?
How do I lower costs?
How do I mitigate risk?
Talk in terms of business risk and
use monetary terms when
possible.
Then we can speak the same language.
Different types of risk

Legal risk – Legal costs, settlement
costs, fines
Compliance risk – fines, lost business
Brand risk – lost business
Security risk - ????
Translate technical risk to monetary risk

 What is the monetary risk from vulnerabilities in your application
 portfolio?

 Monetary risk is your expected loss; derived from your
 vulnerabilities, your breach cost, threat space data




(Diagram: Your Vulnerabilities, Your Breach Cost, Threat Space Data)
Your Breach Cost

       Use cost analysis from your earlier breaches
       Use breach cost from public sources
           – Example: April 2010 Ponemon Institute Report

(US Dollars)

              Detection & Escalation   Notification   Ex-Post Response   Lost Business   Total
Average       264,208                  500,321        1,514,819          4,472,030       6,751,451
Per-capita    8                        15             46                 135             204

Ponemon average and per-capita US breach cost (US Dollars)

Sector            Per-capita cost
Communications    209
Consumer          159
Education         203
Energy            237
Financial         248
Healthcare        294
Hotel & Leisure   153
Manufacturing     136
Media             149
Pharma            310
Research          266
Retail            133
Services          256
Technology        192
Transportation    121

Ponemon per-capita data by US industry sector (US Dollars)
Threat Space Data




40% of data breaches are due to hacking
Source: Verizon 2010 Data Breach Investigations Report

(Chart: Top 7 application vulnerability categories)

62% of organizations experienced breaches in critical applications in 12 month period
Source: Forrester 2009 Application Risk Management and Business Survey
How to Derive Your Expected Loss



expected loss(vulnerability category) = f(% of orgs breached X breach cost X breach likelihood from vuln. category)

Baseline expected loss for your organization due to SQL Injection*

expected loss(SQL Injection) = f(62% X $248 X 100,000 X 25%)

*If your SQL Injection prevalence is similar to average SQL Injection prevalence,
assumes 100,000 records
Monetary Risk Derived From Relative Prevalence

Vulnerability Category        Breach Likelihood   Baseline Expected Loss   Average % of Apps Affected (1)   Your % of Apps Affected (2)   Your Monetary Risk
Backdoor/Control Channel      29%                 $4,459,040               8%                               15%                           higher
SQL Injections                25%                 $3,844,000               24%                              10%                           lower
Command Injection             14%                 $2,152,640               7%                               6%                            same
XSS                           9%                  $1,383,840               34%                              5%                            lower
Insufficient Authentication   7%                  $1,076,320               5%                               2%                            lower
Insufficient Authorization    7%                  $1,076,320               7%                               7%                            same
Remote File Inclusion         2%                  $307,520                 <1%                              <1%                           same

Assume 100,000 customer records.
For SQLi the expected loss is:
62% * $248 * 100,000 * 25% = $3,844,000

1. Veracode 2010 State of Software Security Report, Vol. 2
2. De-identified financial service company data from Veracode industry data
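The expected-loss derivation and the relative-prevalence table above, worked through in Python as an added example (not the slides' own material). The input figures are the ones quoted on the slides; the one-point tolerance used to label a category "same", the treatment of "<1%" as 0, and the scaled per-category figure are assumptions that go beyond what the slide shows.

```python
from fractions import Fraction

# Threat-space figures quoted on the slides (Forrester 2009, Ponemon 2010).
PCT_ORGS_BREACHED = 62       # % of orgs breached in critical apps over 12 months
COST_PER_RECORD_USD = 248    # Ponemon per-capita cost, financial sector
RECORDS = 100_000            # customer records, as the slide assumes

# Columns: breach likelihood %, average % of apps affected, your % of apps affected.
# "<1%" on the slide is carried as 0 here (constructed simplification).
CATEGORIES = {
    "Backdoor/Control Channel":    (29,  8, 15),
    "SQL Injection":               (25, 24, 10),
    "Command Injection":           (14,  7,  6),
    "XSS":                         ( 9, 34,  5),
    "Insufficient Authentication": ( 7,  5,  2),
    "Insufficient Authorization":  ( 7,  7,  7),
    "Remote File Inclusion":       ( 2,  0,  0),
}


def baseline_expected_loss(likelihood_pct, pct_orgs=PCT_ORGS_BREACHED,
                           cost=COST_PER_RECORD_USD, records=RECORDS):
    """Slide formula: % orgs breached x breach cost x records x breach likelihood.
    Fractions keep the arithmetic exact; the result is whole dollars."""
    loss = Fraction(pct_orgs, 100) * cost * records * Fraction(likelihood_pct, 100)
    return int(round(loss))


def relative_risk(your_pct, avg_pct, tolerance=1):
    """'higher' / 'lower' / 'same' versus the industry-average prevalence.
    The one-point tolerance is an assumption that reproduces the slide's labels."""
    if your_pct > avg_pct + tolerance:
        return "higher"
    if your_pct < avg_pct - tolerance:
        return "lower"
    return "same"


def scaled_risk(baseline, your_pct, avg_pct):
    """Assumption, not on the slide: scale the baseline by your prevalence
    relative to the average, so the column can carry a dollar figure."""
    if avg_pct == 0:
        return baseline
    return int(round(Fraction(baseline) * Fraction(your_pct, avg_pct)))


def monetary_risk_table(categories=CATEGORIES):
    """One row per category, highest baseline loss first."""
    rows = []
    for name, (likelihood, avg_pct, your_pct) in categories.items():
        baseline = baseline_expected_loss(likelihood)
        rows.append({
            "category": name,
            "likelihood_pct": likelihood,
            "baseline_usd": baseline,
            "relative": relative_risk(your_pct, avg_pct),
            "scaled_usd": scaled_risk(baseline, your_pct, avg_pct),
        })
    rows.sort(key=lambda r: r["baseline_usd"], reverse=True)
    return rows


def portfolio_risk_usd(rows):
    """The organisation-wide figure an executive asks for: sum of scaled risk."""
    return sum(r["scaled_usd"] for r in rows)


if __name__ == "__main__":
    table = monetary_risk_table()
    for r in table:
        print(f'{r["category"]:<28} {r["likelihood_pct"]:>3}%  '
              f'${r["baseline_usd"]:>10,}  {r["relative"]:<6}  ${r["scaled_usd"]:>10,}')
    print(f"Portfolio monetary risk: ${portfolio_risk_usd(table):,}")
```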
Executives want…

An organizational wide view. Am I lowering overall
application risk?
 –   Internal code
 –   Outsourced
 –   Vendor supplied
 –   Open source
A program that has achievable objectives. What am I
getting for the money I am spending?
A program that is measurable: metrics and reporting.
Am I marching toward the objectives?
 – Which dev teams, outsourcers are performing well?
 – How is my organization doing relative to my peers?
Tips to make the program successful

 The right people have to understand what is
 going to happen before you start
 Do a real world pen test or assessment of a
 project. Demonstrate relevant risk.
 Integrate into existing processes
    SDLC
    Procurement/legal
    M&A
Q&A
          Speaker Contact
            Information:
           Chris Wysopal
      (cwysopal@veracode.com)
         Twitter: @WeldPond


              David Rook
           www.securityninja.co.uk

                @securityninja

                 /realexninja

                 /securityninja

                 /realexninja

 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 

Recently uploaded (20)

Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 

Jedi mind tricks for building application security programs

  • 1. David Rook Jedi mind tricks for building application security programs SecurityBSides, London
  • 2. if (slide == introduction) System.out.println("I’m David Rook"); • Security Analyst, Realex Payments, Ireland CISSP, CISA, GCIH and many other acronyms • Security Ninja (www.securityninja.co.uk) • Speaker at international security conferences • Nominated for multiple blog awards • A mentor in the InfoSecMentors project • Developed and released Agnitio
  • 3. Agenda • Using Jedi mind tricks on your developers • s/Application Security Alien/Business Language/i;
  • 4. Using Jedi mind tricks on developers • Most developers actually want to write secure code • You need to take ownership of the app sec problems with them • Developers generally like producing quality code, use this! • They want security knowledge with good practices and tools
  • 5. Using Jedi mind tricks on developers Jim Bird, blog comment: “I’m a software guy. I don’t need a meme. I need practices and tools that work, that help me get software out the door, better software that is more reliable and more secure.” http://securosis.com/blog/good-programming-practices-vs.-rugged-development
  • 6. Using Jedi mind tricks on developers • How you can help developers? • Help them understand how to write secure code • Own application security problems with them • Don’t dictate! Speak, listen, learn and improve things
  • 7. Application Security Alien • We speak an alien language • We talk of injections, jackings and pwnings
  • 8.
  • 9.
  • 10.
  • 11. Application Security Alien • We speak an alien language • We talk of injections, jackings and pwnings • We present findings in weird formats with a side order of FUD
  • 12. Application Security Alien • I will use CVSS as an example • Let’s pretend we are analysing a SQL Injection vulnerability
  • 13.
  • 14. Application Security Alien CVSS base score equation
    BaseScore = (.6*Impact + .4*Exploitability - 1.5)*f(Impact)
    Impact = 10.41*(1-(1-ConfImpact)*(1-IntegImpact)*(1-AvailImpact))
    Exploitability = 20*AccessComplexity*Authentication*AccessVector
    f(Impact) = 0 if Impact=0; 1.176 otherwise
  • 15. Application Security Alien CVSS Temporal Equation
    TemporalScore = BaseScore*Exploitability*RemediationLevel*ReportConfidence
  • 16. Application Security Alien CVSS Environmental Equation
    EnvironmentalScore = (AdjustedTemporal + (10 - AdjustedTemporal)*CollateralDamagePotential) * TargetDistribution
    AdjustedTemporal = TemporalScore recomputed with the Impact sub-equation replaced with the following AdjustedImpact equation.
    AdjustedImpact = Min(10, 10.41*(1-(1-ConfImpact*ConfReq)*(1-IntegImpact*IntegReq)*(1-AvailImpact*AvailReq)))
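The base and temporal equations from slides 14 and 15 carried through in code, as an added example that is not part of the talk: the metric weights are the published CVSS v2 values, and the SQL Injection vector used in the demo (AV:N/AC:L/Au:N/C:P/I:P/A:P) is an assumed, typical one.

```python
"""CVSS v2 base and temporal scoring, built from the equations on slides
14 and 15.  Added example, not code from the talk.  The metric weights are
the published CVSS v2 values; the SQL Injection vector used in the demo
(AV:N/AC:L/Au:N/C:P/I:P/A:P) is an assumed, typical one."""

# Published CVSS v2 weights for each base metric level
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA_IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}  # ConfImpact, IntegImpact, AvailImpact
# Published CVSS v2 weights for the temporal metrics (ND = not defined)
EXPLOITABILITY_T = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}
REMEDIATION_LEVEL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}
REPORT_CONFIDENCE = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}


def parse_vector(vector):
    """Turn 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into {'AV': 'N', 'AC': 'L', ...}."""
    metrics = dict(part.split(":", 1) for part in vector.split("/"))
    missing = {"AV", "AC", "Au", "C", "I", "A"} - metrics.keys()
    if missing:
        raise ValueError(f"base vector is missing metrics: {sorted(missing)}")
    return metrics


def base_score(vector):
    """BaseScore = (.6*Impact + .4*Exploitability - 1.5)*f(Impact), rounded to one decimal."""
    m = parse_vector(vector)
    # Impact = 10.41*(1-(1-ConfImpact)*(1-IntegImpact)*(1-AvailImpact))
    impact = 10.41 * (1 - (1 - CIA_IMPACT[m["C"]])
                         * (1 - CIA_IMPACT[m["I"]])
                         * (1 - CIA_IMPACT[m["A"]]))
    # Exploitability = 20*AccessComplexity*Authentication*AccessVector
    exploitability = (20 * ACCESS_COMPLEXITY[m["AC"]]
                      * AUTHENTICATION[m["Au"]] * ACCESS_VECTOR[m["AV"]])
    # f(Impact) = 0 if Impact=0; 1.176 otherwise: a vector with no C/I/A impact scores 0
    f_impact = 0.0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


def temporal_score(vector, exploitability="ND", remediation="ND", confidence="ND"):
    """TemporalScore = BaseScore*Exploitability*RemediationLevel*ReportConfidence.

    As in the spec, the already-rounded base score is the input."""
    score = (base_score(vector) * EXPLOITABILITY_T[exploitability]
             * REMEDIATION_LEVEL[remediation] * REPORT_CONFIDENCE[confidence])
    return round(score, 1)


if __name__ == "__main__":
    sqli = "AV:N/AC:L/Au:N/C:P/I:P/A:P"  # assumed vector for the slide's SQL Injection
    print("base:", base_score(sqli))  # 7.5
    # functional exploit exists, official fix available, report confirmed: the score drops
    print("temporal:", temporal_score(sqli, "F", "OF", "C"))  # 6.2
```

The 7.5 that comes out is what the business is asked to compare against its own 15-out-of-25 style score on slide 21, which is the translation gap the talk is about.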
  • 17.
  • 18. Application Security Alien • We speak an alien language • We talk of injections, jackings and pwnings • We present findings in weird formats with a side order of FUD • We feel security should just happen without having to justify it
  • 19. The Business Language • We need to speak the business language • We need to talk about things the business cares about • We need to present findings in a format that makes sense
  • 20. The Business Language • How does your business score risks? • Let’s pretend we are analysing a SQL Injection vulnerability
  • 21. The Business Language A simple (common!) risk equation: Probability*Impact
    Probability  Impact  Score  Appetite
    3            5       15     12
  • 22. The Business Language • We need to speak the business language • We need to talk about things the business cares about • Present findings in a format that makes sense to the business • Application security is no exception when it comes to resourcing
  • 23. Jedi mind tricks and alien translations • Apply the KISS principle to everything you do • Keep everything as simple as possible, complexity doesn’t help • Understand what developers want and need to write secure code • Work with the business and use their language and formats
  • 24. QUESTIONS? www.securityninja.co.uk @securityninja /realexninja /securityninja /realexninja
  • 25. Jedi mind tricks for building application security programs Chris Wysopal CTO & Co-founder
  • 26. The formative years… Padawan? It was all about attack. Early web app testing: Lotus Domino, Cold Fusion Windows Security: Netcat for Windows, L0phtCrack Early disclosure policies: RFPolicy, L0pht Advisories
  • 27. Now with professional PR team… Time to help the defensive side Led @stake research team @stake application security consultant Published Art of Software Security Testing Veracode CTO and Co-Founder
  • 28. Why do we need executive buy in? Application security programs will require developer training Application security programs will require tools/services Application security programs will impact delivery schedules Application security cannot be “voluntary” Authority
  • 29. Speaking the language of executives CEOs CFOs CIOs
  • 30. If money is the language of execs what do they say? How do I grow my top line? How do I lower costs? How do I mitigate risk? Talk in terms of business risk and use monetary terms when possible. Then we can speak the same language.
  • 31. Different types of risk Legal risk – Legal costs, settlement costs, fines Compliance risk – fines, lost business Brand risk – lost business Security risk - ????
  • 32. Translate technical risk to monetary risk What is the monetary risk from vulnerabilities in your application portfolio? Monetary risk is your expected loss; derived from your vulnerabilities, your breach cost, threat space data [figure: Your Vulnerabilities, Your Breach Cost, Threat Space Data]
  • 33. Your Breach Cost Use cost analysis from your earlier breaches Use breach cost from public sources – Example: April 2010 Ponemon Institute Report (US Dollars)
    Ponemon average and per-capita US breach cost (US Dollars):
                 Detection & Escalation   Notification   Ex-Post Response   Lost Business   Total
    Average      264,208                  500,321        1,514,819          4,472,030       6,751,451
    Per-capita   8                        15             46                 135             204
    Ponemon per-capita data by US industry sector (US Dollars):
    Communication 209, Consumer 159, Education 203, Energy 237, Financial 294, Healthcare 153, Hotel & Leisure 136, Manufacturing 149, Media 310, Pharma 266, Research 133, Retail 256, Services 192, Technology 121, Transportation 248
  • 34. Threat Space Data 40% of data breaches are due to hacking; top 7 application vulnerability categories (Source: Verizon 2010 Data Breach Investigations Report). 62% of organizations experienced breaches in critical applications in a 12 month period (Source: Forrester 2009 Application Risk Management and Business Survey)
  • 35. How to Derive Your Expected Loss
    expected loss(vulnerability category) = f(% of orgs breached X breach cost X breach likelihood from vuln. category)
    Baseline expected loss for your organization due to SQL Injection*:
    expected loss(SQL injection) = f(62% X $248 X 100,000 X 25%)
    *If your SQL Injection prevalence is similar to average SQL Injection prevalence; assumes 100,000 records
  • 36. Monetary Risk Derived From Relative Prevalence
    Vulnerability Category       Breach Likelihood   Baseline Expected Loss   Average % of Apps Affected(1)   % of Your Apps Affected(2)   Your Monetary Risk
    Backdoor/Control Channel     29%                 $4,459,040               8%                              15%                          higher
    SQL Injections               25%                 3,844,000                24%                             10%                          lower
    Command Injection            14%                 2,152,640                7%                              6%                           same
    XSS                          9%                  1,383,840                34%                             5%                           lower
    Insufficient Authentication  7%                  1,076,320                5%                              2%                           lower
    Insufficient Authorization   7%                  1,076,320                7%                              7%                           same
    Remote File Inclusion        2%                  307,520                  <1%                             <1%                          same
    Assume 100,000 customer records. For SQLi the expected loss is: 62% * $248 * 100,000 * 25% = $3,844,000
    1. Veracode 2010 State of Software Security Report, Vol. 2
    2. De-identified financial service company data from Veracode industry data
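The expected-loss derivation of slides 35 and 36 recomputed for every category in the table, as an added example that is not part of the talk; it takes the slides' own inputs (62% of orgs breached, $248 per record, 100,000 records, the per-category breach likelihoods) and also lets the per-record cost be swapped for another sector figure from slide 33. The 1-point tolerance that decides "same" is an assumption.

```python
"""Expected loss per vulnerability category, recomputed from slides 33, 35 and 36.
Added example, not code from the talk.  Inputs are the slide figures: 62% of
orgs breached, $248 per record, 100,000 records and the slide's breach
likelihoods.  The 1-point tolerance behind 'same' is an assumption."""

PCT_ORGS_BREACHED = 0.62      # Forrester figure quoted on slide 34
RECORDS = 100_000             # customer records assumed on slide 35
COST_PER_RECORD = 248         # per-record breach cost used on slide 35

# Ponemon 2010 per-capita breach cost (US Dollars) for a few sectors from slide 33
SECTOR_COST_PER_RECORD = {
    "financial": 294, "healthcare": 153, "retail": 256, "transportation": 248,
}

# Rows of the slide 36 table, constructed here:
# (category, breach likelihood, average % of apps affected, % of your apps affected)
CATEGORIES = [
    ("Backdoor/Control Channel", 0.29, 8, 15),
    ("SQL Injections", 0.25, 24, 10),
    ("Command Injection", 0.14, 7, 6),
    ("XSS", 0.09, 34, 5),
    ("Insufficient Authentication", 0.07, 5, 2),
    ("Insufficient Authorization", 0.07, 7, 7),
    ("Remote File Inclusion", 0.02, 0.5, 0.5),  # "<1%" on the slide; 0.5 stands in
]


def baseline_expected_loss(breach_likelihood, cost_per_record=COST_PER_RECORD,
                           records=RECORDS, pct_orgs_breached=PCT_ORGS_BREACHED):
    """expected loss = % of orgs breached X breach cost X records X breach likelihood."""
    if not 0 <= breach_likelihood <= 1:
        raise ValueError("breach likelihood must be a fraction between 0 and 1")
    # round() absorbs floating-point noise so the result is a whole-dollar figure
    return round(pct_orgs_breached * cost_per_record * records * breach_likelihood)


def relative_risk(average_pct, your_pct, tolerance=1.0):
    """Compare your prevalence with the average; within the tolerance counts as 'same'."""
    if your_pct > average_pct + tolerance:
        return "higher"
    if your_pct < average_pct - tolerance:
        return "lower"
    return "same"


def risk_table(cost_per_record=COST_PER_RECORD, categories=CATEGORIES):
    """Rebuild the slide 36 table: (category, baseline loss, your relative risk)."""
    return [(name, baseline_expected_loss(likelihood, cost_per_record),
             relative_risk(avg, yours))
            for name, likelihood, avg, yours in categories]


if __name__ == "__main__":
    for name, loss, risk in risk_table():
        print(f"{name:28} ${loss:>10,}  {risk}")
    # the same portfolio priced with the financial-sector cost per record
    print("SQLi at financial-sector cost:",
          baseline_expected_loss(0.25, SECTOR_COST_PER_RECORD["financial"]))
```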
  • 37. Executives want… An organization-wide view. Am I lowering overall application risk? – Internal code – Outsourced – Vendor supplied – Open source A program that has achievable objectives. What am I getting for the money I am spending? A program that is measurable: metrics and reporting. Am I marching toward the objectives? – Which dev teams and outsourcers are performing well? – How is my organization doing relative to my peers?
  • 38. Tips to make the program successful The right people have to understand what is going to happen before you start Do a real world pen test or assessment of a project. Demonstrate relevant risk. Integrate into existing processes: SDLC, Procurement/legal, M&A
  • 39. Q&A Speaker Contact Information: Chris Wysopal (cwysopal@veracode.com) Twitter: @WeldPond David Rook www.securityninja.co.uk @securityninja /realexninja /securityninja /realexninja