AppSec is Eating Security
Presented by Alex Stamos, AppSec Cali | January 27, 2015
Most enterprises are not safe
“SECURE 100”:
• Big Banks + other FIs
• Defense Industrial Base
• Oil and Gas
• Critical Infrastructure
• Big Tech
• Some Retail
“TOASTED 400”: Everybody Else
What are they missing?
• Secure software engineering
• Engineering focused IR
• Ability to create, not buy, solutions
Almost no users are safe
Security hardware is becoming un-buyable
• Arista 7508E: 1152 x 10GbE, 30Tbps backplane, 5kW
• Palo Alto 7050: 120Gbps throughput, 2.4kW
5kW vs 600kW: inspecting the switch’s 30Tbps with 120Gbps firewalls would take 250 of them, i.e. 600kW of firewalls against 5kW of switch.
Containerization collapses the security perimeter
In the long run, this is a good thing!
In the short term, it’s a mess to deal with!
No:
• Virtual soundcard
• Guest OS patching
• VT-x enforcement
• Network controls
• Stable naming
• 1:1 service relationships
Diagrams from docker.com
The Internet of Unpatchable Crap Things
store.idevices.com
What AppSec Needs to Accomplish
Apps have to be secure by default
How many developers understand the security risk they imported?
https://code.google.com/p/mustache-security/ by cure53.de
App Sec doesn’t have to be realtime or inline
▪ 10Gb Ethernet = 67ns between frames
▪ 100Gb Ethernet = 6.7ns between frames
Is this actually necessary? No.
Is it a good idea? Probably not.
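Where the 67ns figure comes from, as an added derivation that is not part of the slides; it assumes a stream of minimum-size frames, which is the worst case an inline device has to keep up with:

The smallest Ethernet frame occupies $64$ B of frame plus $8$ B of preamble/SFD and a $12$ B inter-frame gap, so each frame slot is $84 \times 8 = 672$ bits on the wire. Dividing by the line rate gives the time an inline device has to decide on one frame before the next arrives:

$$t_{10G} = \frac{672\ \text{bit}}{10 \times 10^{9}\ \text{bit/s}} = 67.2\ \text{ns} \;(\approx 14.9\ \text{M frames/s}), \qquad t_{100G} = \frac{672\ \text{bit}}{100 \times 10^{9}\ \text{bit/s}} = 6.72\ \text{ns} \;(\approx 149\ \text{M frames/s})$$

Any application-layer check placed on that path must fit in that per-port budget or add buffering and latency, which is the slide’s reason for keeping AppSec out of the inline position.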
by Flickr user Keith Allison CC-BY-SA
by Warren Sharp, www.sharpfootballanalysis.com
Bug bounty communities need to reform to grow
Accept that the browser is the new OS
I hate it when good points get twisted to prevent progress
Network security must be transparent to applications
▪ DNSSEC is dead. Several reasons why…
› Complexity (dnsviz.net, via @jpmens)
› Not end-to-end. How much do you trust your DNS provider?
› Invisible to user applications!
Build apps that are safe, not just secure
▪ Way too little focus on user experience
▪ Classic difficult example is cert info (see APF tonight)
What is a safe app?
▪ Safest mode is the default
▪ Automatically fixes itself
▪ Fails gracefully instead of failing insecurely and immediately
› Including client-side failures
▪ Recognizes the difficulties its users face
▪ Takes into account the entire lifecycle of the user
Yes, I’m a security paternalist
Passwords are dead
Every big password dump has 10-20% matches
▪ SMS
› Lowest common denominator
› Surprisingly expensive
› Unreliable
› Insecure in many countries
▪ Push notifications
› Much more secure
› Require more user interaction
▪ TOTP
› Bad user experience
› Many apps means no control over seeds
None solve the account lifecycle management problem
This is the #1 issue for user safety
So…
Looks like we all have a lot of work to do to:
• Build apps with no L3 protections
• Patch in our CI/CD pipelines
• Provide end-to-end and transformable encryption
• Make browsers more trustworthy than the OS
• More work for AppSec, less for the rest of security
• Can we solve some of these problems without selling product?
Shameless Pitch
At Yahoo, our security goal is for all users to be safe using any of our products from any country on any platform.
I’m currently looking for a Director of Product Security to reinvent how we build safe products and meet this goal for 1.3B users.
Thank you
stamos@yahoo-inc.com
@alexstamos

 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
Summary IGF 2013 Bali - English (tata kelola internet / internet governance)
Summary  IGF 2013 Bali - English (tata kelola internet / internet governance)Summary  IGF 2013 Bali - English (tata kelola internet / internet governance)
Summary IGF 2013 Bali - English (tata kelola internet / internet governance)
 
How to login to Router net ORBI LOGIN...
How to login to Router net ORBI LOGIN...How to login to Router net ORBI LOGIN...
How to login to Router net ORBI LOGIN...
 
Cybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesCybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best Practices
 
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
 

AppSec is Eating Security

  • 1. AppSec is Eating Security. Presented by Alex Stamos, AppSec Cali | January 27, 2015
  • 2. (title image)
  • 3-6. Most enterprises are not safe
    "SECURE 100": Big Banks + other FIs; Defense Industrial Base; Oil and Gas; Critical Infrastructure; Big Tech; Some Retail
    "TOASTED 400": Everybody Else
    What are they missing?
    ▪ Secure software engineering
    ▪ Engineering focused IR
    ▪ Ability to create, not buy, solutions
  • 7. Almost no users are safe
  • 8-9. Security hardware is becoming un-buyable
    ▪ Arista 7508E: 1152 x 10GbE, 30Tbps backplane, 5kW
    ▪ Palo Alto 7050: 120Gbps throughput, 2.4kW
  • 10-11. (images only)
  • 13-15. Containerization collapses the security perimeter (Diagrams from docker.com)
    No:
    ▪ Virtual soundcard
    ▪ Guest OS patching
    ▪ VT-x enforcement
    ▪ Network controls
    ▪ Stable naming
    ▪ 1:1 service relationships
    In the long run, this is a good thing! In the short term, it's a mess to deal with!
  • 16. The Internet of Unpatchable Crap Things (store.idevices.com)
  • 17. What AppSec Needs to Accomplish
  • 18-19. Apps have to be secure by default
    https://code.google.com/p/mustache-security/ by cure53.de
    How many developers understand the security risk they imported?
  • 20-23. App Sec doesn't have to be realtime or inline
    ▪ 10Gb Ethernet = 67ns between frames
    ▪ 100Gb Ethernet = 6.7ns between frames
    Is this actually necessary? No. Is it a good idea? Probably not.
  • 24-25. (images) by Flickr user Keith Allison CC-BY-SA; by Warren Sharp www.sharpfootballanalysis.com
  • 26. Bug bounty communities need to reform to grow
  • 27. Accept that the browser is the new OS. I hate it when good points get twisted to prevent progress
  • 28-31. Network security must be transparent to applications
    ▪ DNSSEC is dead. Several reasons why:
      › Complexity (dnsviz.net via @jpmens)
      › Not end-to-end. How much do you trust your DNS provider?
      › Invisible to user applications!
  • 32. Build apps that are safe, not just secure
    ▪ Way too little focus on user experience
    ▪ Classic difficult example is cert info (see APF tonight)
  • 33-38. What is a safe app?
    ▪ Safest mode is the default
    ▪ Automatically fixes itself
    ▪ Fails gracefully instead of failing insecurely and immediately, including client-side failures
    ▪ Recognizes the difficulties its users face
    ▪ Takes into account the entire lifecycle of the user
    Yes, I'm a security paternalist
  • 39-43. Passwords are dead. Every big password dump has 10-20% matches
    ▪ SMS
      › Lowest common denominator
      › Surprisingly expensive
      › Unreliable
      › Insecure in many countries
    ▪ TOTP
      › Bad user experience
      › Many apps means no control over seeds
    ▪ Push notifications
      › Much more secure
      › Require more user interaction
    None solve the account lifecycle management problem. This is the #1 issue for user safety
  • 44-49. So… Looks like we all have a lot of work to do to:
    ▪ Build apps with no L3 protections
    ▪ Patch in our CI/CD pipelines
    ▪ Provide end-to-end and transformable encryption
    ▪ Make browsers more trustworthy than the OS
    ▪ More work for AppSec, less for the rest of security
    ▪ Can we solve some of these problems without selling product?
  • 50. Shameless Pitch. At Yahoo, our security goal is for all users to be safe using any of our products from any country on any platform. I'm currently looking for a Director of Product Security to reinvent how we build safe products and meet this goal for 1.3B users