From experience we have learned that almost any surface we expose could have weaknesses. We have to have a plan on how to deal with issues as they arise, and an architecture that allows us to correct and protect in products that are already in use. When security is lifted up to the discretion of the user, however, we often fail to inform their decision properly. The usability of security and the architecture of fixability are closely connected, and both need continued refinement and focus. This talk will describe architectural and organizational features that make it easier to make corrective measures. They are down-to-earth everyday scenarios, illustrated by real world software projects and security incidents. Some of the stories are well known, some are anonymized to protect the innocent. Finally we will show examples of how difficult it is to design the user experience of security.

1. @pati_gallardo
T
S

3. Make it Fixable
Living with Risk
Patricia Aas
CppCon 2018
T
S
@pati_gallardo

4. Patricia Aas - Consultant
Programmer, Application Security
Currently : T S
Previously : Vivaldi, Cisco Systems, Knowit, Opera Software
Master in Computer Science - main language Java
Pronouns: she/her T
S
@pati_gallardo

5. Security is Hard @pati_gallardo
5

6. Just Remember :
- You live in the real world
- Take one step at a time
- Make a Plan
@pati_gallardo
6

7. You Need A Security
“Hotline”
security@example.com
Symbiotic relationship
Be polite
Be grateful
Be professional
Be efficient and transparent @pati_gallardo
7

8. - What is a System? - What is a vulnerability? -
@pati_gallardo
8

9. 1. Unable to Roll Out Fixes
2. No Control over Dependencies
3. The Team is Gone
4. It’s in Our Code
5. My Boss Made Me Do It
6. User Experience of Security
Outline
@pati_gallardo
9

10. Unable to Roll Out Fixes
1
@pati_gallardo
10

11. Unable to
Roll out Fixes
Unable to Update
Unable to Build
@pati_gallardo
11

12. Internet of Things
Toys: My Friend Cayla, i-Que Intelligent
Robots, Hello Barbie
Mirai: Botnets created with IOT
devices, users don’t update
“Shelfware”
No Maintenance contract
Abandonware
Closed source - no way to fix/fork
Unable to Roll Out Fixes.
12
@pati_gallardo

13. Internet of Things
- Auto-update
- Different default passwords
- Unboxing security (make the user
change the password)
“Shelfware”
- Get maintenance contract
- Change supplier
- Do in-house
- Use only Open Source Software
Fix : Ship It!
Unable to Roll Out Fixes.
13
@pati_gallardo

14. Fix : Ship It!
Holy Grail : Continuous Deployment and
Auto Update
- A Build Environment
- Update Mechanism
Unable to Roll Out Fixes.
14
@pati_gallardo

15. Some systems
should not be “fixed”
A major election software maker
allowed remote access on its systems
for years
Exceptions?
15
@pati_gallardo

16. No Control over Dependencies
2
@pati_gallardo

17. No Control over
Dependencies
No inventory
No update routines
No auditing
@pati_gallardo
17

18. Equifax Breach
Known vulunerability in Apache
Struts 2
Heartbleed
Bug in openssl
Left-Pad
Developer unpublished a
mini-Js library
No Control over Dependencies 18
@pati_gallardo

19. Equifax Breach
Continuous Dependency Auditing
Heartbleed
Control over production
environment
Left-Pad
Remove unnecessary dependencies
Fix: Control It!
No Control over Dependencies
19
@pati_gallardo

20. Fix: Control It!
Goal : Largely Automated Dependency
Monitoring
Remember transitive
dependencies
Monitor and Update
No Control over Dependencies
@pati_gallardo
20

21. The Team is Gone
3
@pati_gallardo
21

22. The Team Is Gone
- Team were consultants
- They were downsized
- The job was outsourced
- “Bus factor”
- “Binary blob”
- Abandonware
@pati_gallardo
22

23. Fix : Own It!
Goal : Complete Build Environment
Fork it, own it
The Team Is Gone.
@pati_gallardo
23

24. Use It!
@pati_gallardo
24

25. It’s in Our Code
4
@pati_gallardo
25

26. It’s in Our Code
Congratulations!
This is Actually
the
BEST CASE SCENARIO
@pati_gallardo
26

27. Keeper Password Manager
- Reporter: Tavis Ormandy
(@taviso)
- “allowing any website to
steal any password”
- Browser plugin preinstalled
on Windows
- Badly handled report: Sues
news reporter Dan Goodin
It’s In Our Code 27
@pati_gallardo

28. gitlab.com
- “rm -rf”
- Sysadmin maintenance
- Cascading errors as backups
fail
- All logged Publicly in real
time
Transparency Breeds Trust
That is how you recover
Fix : Live It!
It’s In Our Code 28
@pati_gallardo

29. Fix : Live It!
Goal : Prevent & Cure
Prevention is great,
but
the Cure is to Ship
It’s In Our Code
29
@pati_gallardo

30. My Boss Made Me Do It
5
@pati_gallardo
30

31. My Boss Made Me Do It
The Feature
is the Bug
How?
- Security Problem
- Privacy Problem
- Unethical
- Illegal @pati_gallardo
31

32. Capcom's Street Fighter V
- Installed a driver
- “anti-crack solution”
“...disables supervisor-mode execution
protection and then runs the arbitrary
code passed in through the ioctl buffer
with kernel permissions..”
- Reddit user extrwi
My Boss Made Me Do It 32
@pati_gallardo

33. KrebsOnSecurity: "For
2nd Time in 3 Years,
Mobile Spyware Maker
mSpy Leaks Millions of
Sensitive Records"
@pati_gallardo
33

34. Fix : Protect It!
Goal : Protect your user
Prevent : Protect your team
- Workers rights
- Team can diffuse blame
Cure : Protect your company
- Find a Powerful Ally
- Do Risk Analysis : Brand Reputation,
Trust
- Use the Law
LAST RESORT : Whistleblowing & Quitting
My Boss Made Me Do It
34
@pati_gallardo

35. Google: DragonFly
- "A plan to launch a censored search
engine in China"
- Employee authors a memo
- Internal protests
Maersk: NotPetya
- Ransomware spreads globally,
insufficient network segmentation
- “IT executives had pushed for a
preemptive security redesign”
These are often the Unsung Heroes
(Last Resort : Edward Snowden)
Fix : Protect It!
My Boss Made Me Do It
35
@pati_gallardo

36. Ship It, Control It, Own It, Live It & Protect It
@pati_gallardo
36

37. - You need a Security Hotline
- You Have to Ship
Recap
@pati_gallardo
37

38. Designing the User Experience of Security
6
@pati_gallardo
38

39. @pati_gallardo
39

40. The Users Won’t Read
Error blindness
“Just click next”
“Make it go away”
40
@pati_gallardo

41. Fix : Less is More
Don’t leave it to the user
Have good defaults
Be very explicit when
needed
41
@pati_gallardo

42. They Trust You
With Personal Information
With Data
With Money
42
@pati_gallardo

43. Fix : Be Trustworthy
Only store what you have to
Back up everything
Use third party payment
Be loyal to your end user
43
@pati_gallardo

44. Ship It, Control It, Own It, Live It & Protect It
Design For It
@pati_gallardo
44

45. T
S
P f .
Patricia Aas, T S
@pati_gallardo

46. @pati_gallardo
T
S