This is my keynote for AppSec California 2015. In it I discuss how application security is taking over all areas of security and how we need to change how we build and deploy security tools as a result.
Here is the video of me giving the talk:
https://www.youtube.com/watch?v=-1kZMn1RueI
6. Most enterprises are not safe
“SECURE 100”
• Big Banks + other FIs
• Defense Industrial Base
• Oil and Gas
• Critical Infrastructure
• Big Tech
• Some Retail
“TOASTED 400”
Everybody Else
What are they missing?
• Secure software engineering
• Engineering focused IR
• Ability to create, not buy, solutions
15. Containerization collapses the security perimeter
In the long run, this is a good thing!
In the short term, it’s a mess to deal with!
No:
• Virtual soundcard
• Guest OS patching
• VT-x enforcement
• Network controls
• Stable naming
• 1:1 service relationships
(Diagrams from docker.com)
16. The Internet of Unpatchable Crap Things
(Image: store.idevices.com)
19. Apps have to be secure by default
How many developers understand the security risk they imported?
https://code.google.com/p/mustache-security/ by cure53.de
23. App Sec doesn’t have to be realtime or inline
▪ 10Gb Ethernet = 67ns between frames
▪ 100Gb Ethernet = 6.7ns between frames
Is this actually necessary? No.
Is it a good idea? Probably not.
27. Accept that the browser is the new OS
I hate it when good points get twisted to prevent progress
31. Network security must be transparent to applications
▪ DNSSEC is dead. Several reasons why…
› Complexity (see the dnsviz.net visualization, via @jpmens)
› Not end-to-end. How much do you trust your DNS provider?
› Invisible to user applications!
32. Build apps that are safe, not just secure
▪ Way too little focus on user experience
▪ Classic difficult example is cert info (see APF tonight)
38. What is a safe app?
▪ Safest mode is the default
▪ Automatically fixes itself
▪ Fails gracefully instead of failing insecurely and immediately
› Including client-side failures
▪ Recognizes the difficulties its users face
▪ Takes into account the entire lifecycle of the user
Yes, I’m a security paternalist
43. Passwords are dead
Every big password dump has 10-20% matches
▪ SMS
› Lowest common denominator
› Surprisingly expensive
› Unreliable
› Insecure in many countries
▪ Push notifications
› Much more secure
› Require more user interaction
▪ TOTP
› Bad user experience
› Many apps means no control over seeds
None solve the account lifecycle management problem
This is the #1 issue for user safety
49. So…
Looks like we all have a lot of work to do to:
• Build apps with no L3 protections
• Patch in our CI/CD pipelines
• Provide end-to-end and transformable encryption
• Make browsers more trustworthy than the OS
• More work for AppSec, less for the rest of security
• Can we solve some of these problems without selling product?
50. Shameless Pitch
At Yahoo, our security goal is for all users to be safe using any of our products from any country on any platform.
I’m currently looking for a Director of Product Security to reinvent how we build safe products and meet this goal for 1.3B users.