Software Security Austerity (44CON 2012)
Security Debt in Modern Software Development
Ollie Whitehouse, Associate Director, NCC Group
Agenda

•Introduction
•Software Security Debt
•Debt Management
•Conclusions
Before we begin…

metaphor abuse warning!

… before we begin part 2…

there is a white paper available
Security debt
Technical debt

"Shipping first time code is like going into debt. A little debt speeds development so long as it is paid back promptly with a rewrite. The danger occurs when the debt is not repaid. Every minute spent on not-quite-right code counts as interest on that debt."
(Ward Cunningham, 1992)
Security debt…

• Present in all software
• Analogous to development and bugs
    • security is just a type of bug
• Analogous to development and tech debt
• The trade off between
   • fix everything and ship nothing
   -versus-
   • fix only the critical
   -versus-
   • real world business
Security debt…

• You get good…
• … you get a new problem

• Too many vulnerabilities!

• You focus on just the critical / serious
• … the low / medium mountain grows
Security debt – types?

• Known – identified, but yet to be addressed
• Unknown – latent issues yet to be discovered
Security debt – source?

• Self: my development
• Supply chain: my outsourced development
• Dependency: COTS component use without formal support
Security debt and SDLs

• SDL does not mean 0 debt
• SDL means known security debt
   • with a repayment plan
• No SDL means latent security debt
   • with no repayment plan
• SDL means more bugs than resources
   • quite quickly / in the short to medium term
• SDL means accelerated discovery
   • you get too good
Security debt and SDLs

• Why accelerated discovery?
   • requirements reviews
   • static code analysis
   • manual code analysis
   • automated testing (fuzzing)
   • increased awareness and knowledge
   • root cause analysis and variations
Accruing debt based on risk

• Financial cost versus
    • Revenue
    • Cost of a response incident
    • Brand impact
    • Liability
• Time cost versus
    • Resources
    • Time to market
    • Financial costs
Accruing debt based on risk

• Impact versus
    • Discovery
    • Mitigations
    • Complexity and prerequisite conditions
    • Access requirements
    • Market expectation
Latent debt resilience

• Latent debt will always exist
    • through own activities
    • through suppliers
    • through dependencies
• The need to feed upstream
• The need to build resilient software
Debt Management
Why we care

• Client expectation
• Regulatory requirements
• Increasing cost of debt
• Attacker capability evolution
• Increased external focus
Assigning interest rates to security debt


• Interest rate = Priority

• Priority = risk

• Risk = informed
Assigning interest rates to security debt



 Threat = f (Motivation, Capability, Opportunity, Impact)
Assigning interest rates to security debt




               DREAD
Assigning interest rates to security debt




                 CVSS
Assigning interest rates to security debt

• Impact
• Distribution
• Disclosure
• Likelihood of discovery
• Presence of mitigations
• Complexity of exploitation
• Access requirements
• Customer expectation
Repayment – New version requirements
Repayment – Severity prioritization


• Next release (any type)
• Next release (major version)
• Next release +1 (any type)
• Next release +2 (any type)
• Next release +3 (any type)
Repayment – Percentage reduction

Severity   Percentage to be resolved
Critical   100%
Serious    50%
Moderate   30%
Low        20%
Other      0 to 5%
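The "low / medium mountain grows" slide, the "more bugs than resources" point and the percentage-reduction table above describe one dynamic: how an open backlog behaves release over release under a given repayment rule. The simulation below is an added example, not code from the talk or from NCC Group. It accrues a fixed number of new findings per severity each release (constructed numbers, not measurements) and repays them under two policies: fixing only critical and serious findings, and the percentage table from the deck (with "Other" taken at the top of its 0 to 5% range). An optional per-release fix capacity models the resource ceiling; when it binds, lower severities are starved. `steady_state` gives the analytic ceiling a bucket converges to under a fixed repayment share, which is the quantity to compare against the capacity you actually have.

```python
"""Security-debt backlog simulation: an added example, not code from the talk.
Discovery rates are constructed numbers; policies are the two approaches the
deck contrasts ('fix only the critical' versus the percentage-reduction table)."""
import math

SEVERITIES = ("Critical", "Serious", "Moderate", "Low", "Other")   # highest first

# Share of each open bucket to resolve per release (the deck's table; 'Other' at 5%).
PERCENTAGE_POLICY = {"Critical": 1.0, "Serious": 0.5, "Moderate": 0.3, "Low": 0.2, "Other": 0.05}

# 'Fix only the critical': everything below Serious is deferred indefinitely.
CRITICAL_ONLY_POLICY = {"Critical": 1.0, "Serious": 1.0, "Moderate": 0.0, "Low": 0.0, "Other": 0.0}

# Constructed: new findings an SDL surfaces per release (accelerated discovery).
DISCOVERY_PER_RELEASE = {"Critical": 2, "Serious": 5, "Moderate": 12, "Low": 20, "Other": 10}


def simulate(policy, discovery, releases, capacity=None):
    """Return one backlog snapshot {severity: open count} per release.

    Each release: new findings accrue, then the policy's share of each bucket is
    fixed, highest severity first.  ceil() means any non-zero rate fixes at least
    one finding in a non-empty bucket.  'capacity' caps total fixes per release;
    once it is exhausted the remaining (lower) severities get nothing."""
    backlog = {s: 0 for s in SEVERITIES}
    history = []
    for _ in range(releases):
        for sev in SEVERITIES:
            backlog[sev] += discovery.get(sev, 0)
        remaining = math.inf if capacity is None else capacity
        for sev in SEVERITIES:
            wanted = math.ceil(backlog[sev] * policy.get(sev, 0.0))
            fixed = min(wanted, remaining)
            backlog[sev] -= fixed
            remaining -= fixed
        history.append(dict(backlog))
    return history


def total(snapshot):
    """Open findings across all severities in one snapshot."""
    return sum(snapshot.values())


def steady_state(discovery_rate, repay_rate):
    """Open count a bucket converges to when a fixed share is repaid per release.

    From b = (b + d) * (1 - r) the fixed point is d * (1 - r) / r.  A zero repay
    rate never converges: that bucket grows by d every release."""
    if repay_rate <= 0:
        return math.inf
    return discovery_rate * (1 - repay_rate) / repay_rate


if __name__ == "__main__":
    for label, policy in (("critical/serious only", CRITICAL_ONLY_POLICY),
                          ("percentage reduction", PERCENTAGE_POLICY)):
        print(f"\n{label}: open findings after each release")
        for n, snap in enumerate(simulate(policy, DISCOVERY_PER_RELEASE, releases=10), 1):
            cells = " ".join(f"{s[:4]}={snap[s]:3d}" for s in SEVERITIES)
            print(f"  r{n:2d}  {cells}  total={total(snap)}")
    print("\nanalytic ceiling per bucket under the percentage policy:")
    for sev in SEVERITIES:
        ceiling = steady_state(DISCOVERY_PER_RELEASE[sev], PERCENTAGE_POLICY[sev])
        print(f"  {sev:8} {ceiling:.0f}")
    print("\npercentage policy with a capacity of 10 fixes per release, first release:")
    print(" ", simulate(PERCENTAGE_POLICY, DISCOVERY_PER_RELEASE, 1, capacity=10)[0])
```

Under the critical-only policy the Moderate and Low buckets grow linearly with no ceiling; under the percentage policy every bucket converges to a bounded count, and `steady_state` tells you what that count is before you run anything. The capped run shows the other failure mode the deck raises: when the policy asks for more fixes than the team can deliver, the rule is still applied in severity order and the low end of the mountain keeps growing regardless of the published percentages.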
Repayment – Forced
Debt Expiry
Debt Overhang

• Stewart Myers paper (1977)
  'Determinants of Corporate Borrowing'

• Debt mountain equals death by a thousand cuts

• Leading to inability to accrue more security debt

• Leading to slower innovation
Strategic Debt Restructuring
Bankruptcy
Non Repayment – Consequence Planning

"We may be at the point of diminishing returns by trying to buy down vulnerability," the general observed. Instead, he added, "maybe it's time to place more emphasis on coping with the consequences of a successful attack, and trying to develop networks that can 'self-heal' or 'self-limit' the damages inflicted upon them."
Conclusions

• Zero debt is not good business practice
• SDLs enable debt discovery and repayment
• A pure risk approach allows the mountain to grow
• Outsourcing carries risk of larger latent debt
• A mature model is to understand and plan payment
• … while educating upstream
• … while paying down the mountain
• … while still using risk
Thanks! Questions?

Ollie Whitehouse
ollie.whitehouse@nccgroup.com

UK Offices: Manchester (Head Office), Cheltenham, Edinburgh, Leatherhead, London, Thame
North American Offices: San Francisco, Atlanta, New York, Seattle
Australian Offices: Sydney
European Offices: Amsterdam (Netherlands), Munich (Germany), Zurich (Switzerland)

The State of Passkeys with FIDO Alliance.pptx
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 

Software Security Austerity - 44CON 2012

Accruing debt based on risk

• Financial cost versus
    • Revenue
    • Cost of incident response
    • Brand impact
    • Liability
• Time cost versus
    • Resources
    • Time to market
    • Financial costs
Accruing debt based on risk

• Impact versus
    • Discovery
    • Mitigations
    • Complexity and prerequisite conditions
    • Access requirements
    • Market expectation
Latent debt resilience

• Latent debt will always exist
    • through own activities
    • through suppliers
    • through dependencies
• The need to feed upstream
• The need to build resilient software
Why we care

• Client expectation
• Regulatory requirements
• Increasing cost of debt
• Attacker capability evolution
• Increased external focus
Assigning interest rates to security debt

• Interest rate = Priority
• Priority = risk
• Risk = informed
Assigning interest rates to security debt

Threat = f (Motivation, Capability, Opportunity, Impact)
Assigning interest rates to security debt

DREAD
Assigning interest rates to security debt

CVSS
Assigning interest rates to security debt

• Impact
• Distribution
• Disclosure
• Likelihood of discovery
• Presence of mitigations
• Complexity of exploitation
• Access requirements
• Customer expectation
Repayment – New version requirements
Repayment – Severity prioritization

• Next release (any type)
• Next release (major version)
• Next release +1 (any type)
• Next release +2 (any type)
• Next release +3 (any type)
Repayment – Percentage reduction

Severity     Percentage to be resolved
Critical     100%
Serious      50%
Moderate     30%
Low          20%
Other        0 to 5%
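The interest-rate slides (DREAD as the priority score) and the percentage-reduction repayment plan describe a model rather than a tool. The Python below is an added example, not code from the talk or from NCC Group: it scores findings with DREAD, maps the score onto the severity ladder of the percentage table, and then applies the per-release repayment shares to a debt ledger while an SDL keeps discovering new findings, which makes visible the effect the deck warns about: the low-severity mountain grows whenever discovery outpaces the 20% repayment rate. The DREAD-to-severity bands, the round-up rule, the 5% used for "Other", and every finding, backlog and discovery number are constructed assumptions and not values from the slides.

```python
"""Security-debt ledger: DREAD as the 'interest rate' and the percentage-
reduction repayment plan applied release by release.

Added example for this page; not code from the talk or from NCC Group.
Severity bands, rounding rule and all sample numbers are assumptions.
"""
from dataclasses import dataclass

SEVERITIES = ("Critical", "Serious", "Moderate", "Low", "Other")

# Share (percent) of the open findings at each severity resolved per release,
# from the deck's percentage table. The slide gives "0 to 5 %" for Other;
# 5% is used here (assumption).
REPAYMENT_PCT = {
    "Critical": 100,
    "Serious": 50,
    "Moderate": 30,
    "Low": 20,
    "Other": 5,
}


@dataclass(frozen=True)
class Finding:
    """One item of known security debt scored with DREAD (each factor 0-10)."""
    ident: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def dread_score(self) -> float:
        """Mean of the five DREAD factors: the finding's interest rate."""
        factors = (self.damage, self.reproducibility, self.exploitability,
                   self.affected_users, self.discoverability)
        if any(not 0 <= f <= 10 for f in factors):
            raise ValueError(f"{self.ident}: DREAD factors must be 0-10")
        return sum(factors) / len(factors)


def severity_for(score: float) -> str:
    """Map a DREAD score to the severity ladder (bands are an assumption)."""
    if score >= 8.0:
        return "Critical"
    if score >= 6.0:
        return "Serious"
    if score >= 4.0:
        return "Moderate"
    if score >= 2.0:
        return "Low"
    return "Other"


def interest_order(findings) -> list:
    """Identifiers ordered by DREAD score, highest interest first."""
    ranked = sorted(findings, key=lambda f: f.dread_score(), reverse=True)
    return [f.ident for f in ranked]


def triage(findings) -> dict:
    """Count open findings per severity: the starting debt ledger."""
    ledger = {s: 0 for s in SEVERITIES}
    for f in findings:
        ledger[severity_for(f.dread_score())] += 1
    return ledger


def repay_release(ledger: dict, discovered: dict) -> dict:
    """One release: resolve the planned share (rounded up, integer maths so
    the result is exact), then add the findings the SDL discovered meanwhile."""
    nxt = {}
    for sev in SEVERITIES:
        open_now = ledger[sev]
        resolved = (REPAYMENT_PCT[sev] * open_now + 99) // 100
        nxt[sev] = open_now - resolved + discovered.get(sev, 0)
    return nxt


def simulate(ledger: dict, discovered_per_release: dict, releases: int) -> list:
    """Ledger snapshot after each of `releases` releases."""
    history = []
    for _ in range(releases):
        ledger = repay_release(ledger, discovered_per_release)
        history.append(dict(ledger))
    return history


if __name__ == "__main__":
    # Constructed sample findings, not real issues in any product.
    sample = [
        Finding("auth-bypass", 10, 9, 9, 10, 8),    # DREAD 9.2 -> Critical
        Finding("stored-xss", 7, 8, 6, 7, 7),       # DREAD 7.0 -> Serious
        Finding("verbose-error", 3, 9, 2, 5, 6),    # DREAD 5.0 -> Moderate
        Finding("missing-header", 2, 10, 1, 3, 2),  # DREAD 3.6 -> Low
    ]
    print("priority order:", interest_order(sample))
    # Constructed backlog and discovery rate: 15 new Lows per release against
    # a 20% repayment share means the Low pile climbs towards 75 open items.
    backlog = {"Critical": 3, "Serious": 4, "Moderate": 10, "Low": 50, "Other": 20}
    for n, snap in enumerate(simulate(backlog, {"Low": 15}, 6), start=1):
        print(f"release {n}: {snap}")
```

Critical debt is cleared every release and Serious halves, as the table demands, but the Low count rises from 50 towards a steady state where 20% of the open items equals the 15 discovered per release; that steady state is the "mountain" the deck describes, and the only levers in the model are the repayment share and the discovery rate.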
Debt Overhang

• Stewart Myers paper (1977) ‘Determinants of Corporate Borrowing’
• Debt mountain equals death by a thousand cuts
• Leading to inability to accrue more security debt
• Leading to slower innovation
Non Repayment – Consequence Planning

"We may be at the point of diminishing returns by trying to buy down vulnerability," the general observed. Instead, he added, "maybe it's time to place more emphasis on coping with the consequences of a successful attack, and trying to develop networks that can 'self-heal' or 'self-limit' the damages inflicted upon them."
Conclusions

• Zero debt is not good business practice
• SDLs enable debt discovery and repayment
• A pure risk approach allows the mountain to grow
• Outsourcing carries risk of larger latent debt
• A mature model is to understand and plan payment
    • … while educating upstream
    • … while paying down the mountain
    • … while still using risk
Thanks! Questions?

UK Offices: Manchester (Head Office), Cheltenham, Edinburgh, Leatherhead, London, Thame
North American Offices: San Francisco, Atlanta, New York, Seattle
Australian Offices: Sydney
European Offices: Amsterdam (Netherlands), Munich (Germany), Zurich (Switzerland)

Ollie Whitehouse
ollie.whitehouse@nccgroup.com