Human is an amateur; the monkey is an expert.
How to stop trying to secure your software.
Vlad Styran
OSCP CISSP CISA
# whoami
15 years in security
10 years in appsec
5 years cofounder
Running cons for 10 years
Podcasting for 9 years
Marathon finisher
Father of two
Today I will show you
1. that there is no way to fully secure our software
2. that there is no good reason to try to do that
3. what we should do instead
4. how we should do it*
____
* Spoiler: we should train the monkey
There is no way
to fully secure our software
Bad news:
it is literally economically impossible
[Chart: Security Efficiency (0–100%) against Security Investment (0–100, in 1000 USD)]
Good news:
There is no reason to try to do it
[Chart: Probability (0–100%) against Security Loss (0–100, in 1000 USD)]
This is what we should do instead:
Find optimal investment options
[Chart: y-axis 0–100%, x-axis 0–100; no axis labels on the slide]
Gordon-Loeb model
(just in case you are interested)
Information security investment
against a certain threat scenario
should not exceed 37% of expected loss.
Sources: Cyber Security Economics, © Delft University of Technology; Wikipedia, the free encyclopedia
So, this is what we do
Asset value: $1,000,000
Attack occurrence probability: 1.3%
Attack success probability: 17%
Our optimal investment = $1,000,000 * 0.013 * 0.17 * 0.37 = $817.70
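The slide's arithmetic gives the 37% ceiling for the scenario. The Gordon-Loeb model also says where the actual optimum sits below that ceiling, depending on how effectively spending reduces the breach probability. The following is an added worked example, not code from the deck or its author: it reproduces the slide's $817.70 cap, then finds the optimum for the same scenario using Gordon and Loeb's first class of security breach probability functions, S(z, v) = v / (alpha*z + 1)**beta, and checks the result against the 1/e bound. The alpha and beta values, and the brute-force cross-check, are assumptions made for illustration; the asset value and probabilities are the slide's.

```python
"""Gordon-Loeb investment sizing for the deck's scenario (added example).

Symbols follow the slide: asset value L, attack occurrence probability t,
attack success probability v. lam = t * L is the expected loss from a
successful attack, and the 37% rule caps spending at ~lam * v / e.
The breach probability function is Gordon and Loeb's class I; alpha and
beta below are constructed for illustration and are not from the slides.
"""
import math


def expected_loss(asset_value, occurrence_prob, success_prob):
    """Expected loss with no extra security spending: L * t * v."""
    return asset_value * occurrence_prob * success_prob


def gordon_loeb_cap(asset_value, occurrence_prob, success_prob, fraction=0.37):
    """Upper bound on rational spending against this scenario (the 37% rule)."""
    return fraction * expected_loss(asset_value, occurrence_prob, success_prob)


def breach_probability(z, v, alpha, beta):
    """Class-I breach probability after investing z: S(z, v) = v / (alpha*z + 1)**beta."""
    return v / (alpha * z + 1) ** beta


def expected_net_benefit(z, lam, v, alpha, beta):
    """ENBIS(z) = (v - S(z, v)) * lam - z, with lam = t * L."""
    return (v - breach_probability(z, v, alpha, beta)) * lam - z


def optimal_investment(lam, v, alpha, beta):
    """Closed-form maximiser of ENBIS for the class-I function.

    dENBIS/dz = v*alpha*beta*lam / (alpha*z + 1)**(beta + 1) - 1 = 0
    => z* = ((v*alpha*beta*lam) ** (1 / (beta + 1)) - 1) / alpha, floored at 0.
    A zero result means spending does not pay for this scenario at all.
    """
    root = (v * alpha * beta * lam) ** (1.0 / (beta + 1.0))
    return max(0.0, (root - 1.0) / alpha)


def grid_search_optimum(lam, v, alpha, beta, max_z):
    """Brute-force cross-check of the closed form over whole-dollar budgets."""
    best_z, best_benefit = 0, expected_net_benefit(0, lam, v, alpha, beta)
    for z in range(1, int(max_z) + 1):
        benefit = expected_net_benefit(z, lam, v, alpha, beta)
        if benefit > best_benefit:
            best_z, best_benefit = z, benefit
    return best_z


def size_investment(asset_value, occurrence_prob, success_prob, alpha, beta):
    """Return (37% cap, modelled optimum); the optimum never exceeds lam*v/e."""
    lam = asset_value * occurrence_prob  # t * L
    cap = gordon_loeb_cap(asset_value, occurrence_prob, success_prob)
    z_star = optimal_investment(lam, success_prob, alpha, beta)
    assert z_star <= success_prob * lam / math.e  # Gordon-Loeb's 1/e theorem
    return cap, z_star


if __name__ == "__main__":
    # Slide values; alpha/beta are constructed.
    cap, z_star = size_investment(1_000_000, 0.013, 0.17, alpha=0.01, beta=1.0)
    print(f"ceiling from the 37% rule:          ${cap:,.2f}")
    print(f"optimum for the modelled scenario:  ${z_star:,.2f}")
```

The cap is what the slide computes; the optimum is usually well below it, because the first dollars buy the steepest reduction in breach probability and the marginal benefit falls off quickly. If the modelled alpha is small enough (spending barely moves the breach probability), the optimum is zero, which is the model's way of saying "accept or transfer this risk, do not buy controls for it".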
How to invest in software security
Buy a firewall and put all sensitive stuff behind it
Buy a WAF (Web Application Firewall)
Buy Static & Dynamic Application Security Testing tool
Deploy to AWS/GCP/Azure
Use military-grade encryption
Pay lawyers to carefully design EULA
Use a distributed ledger for transaction data storage
Wrong! It’s all about the root cause
Put it all behind a firewall, it will be secure
WAF will stop all attacks, it will be secure
NG Super-Duper Security Scanner 3000 will find all bugs, it will be secure
Put it into “the cloud”, it will be secure
Encrypt all the data, it will be secure
Threaten to put all hackers to jail, it will be secure
Use the Blockchain (which is secure), it will be secure
Write code in a way that there are no bugs
Find and fix all the bugs
But let’s be honest with ourselves
Put it all behind a firewall, it will be secure
WAF will stop all attacks, it will be secure
NG Super-Duper Security Scanner 3000 will find all bugs, it will be secure
Put it into “the cloud”, it will be secure
Encrypt all the data, it will be secure
Threaten to put all hackers to jail, it will be secure
Use the Blockchain (which is secure), it will be secure
Write code in a way that there are fewer bugs (not "no bugs")
Find and fix as many bugs as you can (not "all the bugs")
How to secure our software
1. WRITE CODE IN A WAY THAT THERE ARE FEWER BUGS
2. FIND AND FIX AS MANY BUGS AS YOU CAN
How to achieve software security
Compliance
Apply one of the credible security standards:
• ISO/IEC 27002
• PCI DSS
• SOC2
• SOX
• HIPAA
• GDPR
• NIST
Wrong!
Compliance is security against liability.
Best practice
Apply generally accepted methodologies:
• MS SDL
• BSIMM
• NIST SP800-64
• OWASP: ASVS, xSTG, SAMM etc.
Wrong!
Best practice is not for everyone.
Real security
KNOW WHAT YOU PROTECT
KNOW WHAT CAN GO WRONG
KNOW WHAT YOU WILL DO ABOUT IT
KNOW HOW TO TEST IF YOU DID IT
1. Develop more securely
• Threat Modeling
• Developer Awareness Training
• Security Requirements
• Secure Architecture & Design
• Supply Chain Security
• Incident Response
Lots of boring yet important stuff (another time)
2. Find and fix bugs
• Security Testing
• Security Code Review
• Application Penetration Testing
• Security Bug Bounty
Human-Monkey dualism
Amos Tversky & Daniel Kahneman, late 1970s
Realistic Development Lifecycle
Agile security
What can we do about it?
Hard lessons from 40 years on earth
1. We move brain activities from System 2 to System 1 ASAP
2. True expertise = professional skill + deliberate practice
3. Expert intuition exists and it’s in your System 1
Monkey knows the answer
when human doesn’t know why.
Wicked vs Kind learning domains
Kind domain:
1. Patterns repeat
2. Feedback accurate and rapid
3. Rules of game well-defined
Classical music, aviation pilots, emergency room nurse, fire fighter… Security Testing
Wicked domain:
1. Patterns not obvious or repeating
2. Feedback delayed and inaccurate
3. Rules unclear and incomplete
Improvisational jazz, surgeon, radiologist, financial & political analyst… Secure Development
Hard lessons from 10 years in appsec
1. We cannot slow down the DEVs
2. We cannot prevent all bugs
3. We cannot automate efficient security testing
Bright side of things
1. With enough skilled hackers, we can move as fast as DEVs
2. With enough practice, we can find and fix most severe bugs
3. With enough expertise, we can train to do it automatically
Hopes for the future
One day we can automate bug hunting properly
One day the DEVs’ monkey will learn to make fewer bugs
What we can do right now
Web Application Hacker’s Handbook
PortSwigger Web Security Academy
OWASP Kyiv
OWASP Ukraine
NoNameCon
Start hacking legally today: Bug Bounties
How you find me
@arunninghacker
fb.me/arunninghacker
berezhasecurity.com
