Human is an amateur; the monkey is an expert. How to stop trying to secure your software.
1. Human is an amateur; the monkey is an expert.
How to stop trying to secure your software.
Vlad Styran
OSCP CISSP CISA
2. # whoami
15 years in security
10 years in appsec
5 years cofounder
Running cons for 10 years
Podcasting for 9 years
Marathons finisher
Father of two
3. Today I will show you
1. that there is no way to fully secure our software
2. that there is no good reason to try to do that
3. what we should do instead
4. how we should do it*
____
* Spoiler: we should train the monkey
7. Good news:
There is no reason to try to do it
[Chart: Probability (y axis, 0–100%) vs. Security Loss, 1000 USD (x axis, 0–100)]
8. This is what we should do instead:
Find optimal investment options
[Chart: the same Probability (0–100%) vs. Security Loss, 1000 USD (0–100) curve]
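The two chart slides show a loss exceedance curve (probability that the annual security loss exceeds a given amount) and ask for the optimal investment. As an added example, not part of the talk, the Python below builds that curve on the same axes and ranks two constructed investment options by reduction in expected annual loss minus annual cost; the incident frequency, loss distribution, option names and costs are all assumptions.

```python
import math
import random

LOSS_AXIS_K = list(range(0, 101, 10))  # chart x axis: loss in 1000 USD, 0..100

def poisson(rng, lam):
    # Number of incidents in a year (Knuth's method).
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1

def simulate_annual_losses(freq, median_k, sigma, years=20000, seed=1):
    # Monte Carlo: Poisson(freq) incidents a year, each a lognormal loss with
    # the given median (1000 USD). All parameters are constructed assumptions.
    rng, mu = random.Random(seed), math.log(median_k)
    return [sum(rng.lognormvariate(mu, sigma) for _ in range(poisson(rng, freq)))
            for _ in range(years)]

def exceedance_curve(losses):
    # P(annual loss > x) for every x on the chart: the curve drawn on the slides.
    n = len(losses)
    return [(x, sum(1 for loss in losses if loss > x) / n) for x in LOSS_AXIS_K]

def expected_annual_loss(losses):
    return sum(losses) / len(losses)

def rank_options(baseline, options):
    # Net benefit = reduction in expected annual loss minus annual cost (1000 USD).
    base_eal = expected_annual_loss(simulate_annual_losses(**baseline))
    ranked = []
    for name, cost_k, params in options:
        eal = expected_annual_loss(simulate_annual_losses(**params))
        ranked.append({"name": name, "cost": cost_k, "eal": eal,
                       "net_benefit": base_eal - eal - cost_k})
    return sorted(ranked, key=lambda o: o["net_benefit"], reverse=True)

BASELINE = {"freq": 2.0, "median_k": 10.0, "sigma": 0.8}  # constructed: ~2 incidents/yr
OPTIONS = [  # (name, annual cost in 1000 USD, assumed risk profile after investing)
    ("hire and train testers", 5.0, {"freq": 1.0, "median_k": 10.0, "sigma": 0.8}),
    ("buy scanner suite", 30.0, {"freq": 0.5, "median_k": 10.0, "sigma": 0.8}),
]

if __name__ == "__main__":
    for x, p in exceedance_curve(simulate_annual_losses(**BASELINE)):
        print(f"P(loss > {x:3d}k USD) = {p:5.1%}")
    for o in rank_options(BASELINE, OPTIONS):
        print(f"{o['name']:24s} EAL {o['eal']:5.1f}k  net {o['net_benefit']:+6.1f}k")
```

The cheaper option wins here not because it is cheaper but because the loss it removes exceeds its cost, which is the comparison the slide asks for.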
12. How to invest into software security
Buy a firewall and put all sensitive stuff behind it
Buy a WAF (Web Application Firewall)
Buy Static & Dynamic Application Security Testing tool
Deploy to AWS/GCP/Azure
Use military-grade encryption
Pay lawyers to carefully design EULA
Use a distributed ledger for transaction data storage
13. Wrong! It’s all about the root cause
Put it all behind a firewall, it will be secure
WAF will stop all attacks, it will be secure
NG Super-Duper Security Scanner 3000 will find all bugs, it will be secure
Put it into “the cloud”, it will be secure
Encrypt all the data, it will be secure
Threaten to put all hackers to jail, it will be secure
Use the Blockchain (which is secure), it will be secure
Write code in a way that there are no bugs
Find and fix all the bugs
14. But let’s be honest with ourselves
Put it all behind a firewall, it will be secure
WAF will stop all attacks, it will be secure
NG Super-Duper Security Scanner 3000 will find all bugs, it will be secure
Put it into “the cloud”, it will be secure
Encrypt all the data, it will be secure
Threaten to put all hackers to jail, it will be secure
Use the Blockchain (which is secure), it will be secure
Write code in a way that there are fewer bugs (not "no bugs")
Find and fix as many bugs as you can (not "all the bugs")
15. How to secure our software
1. WRITE CODE IN A WAY THAT
THERE ARE FEWER BUGS
2. FIND AND FIX AS MANY
BUGS AS YOU CAN
31. Hard lessons from 40 years on earth
1. We move brain activities from System 2 to System 1 ASAP
2. True expertise = professional skill + deliberate practice
3. Expert intuition exists and it’s in your System 1
Monkey knows the answer when human doesn’t know why.
32. Wicked vs Kind learning domains
Kind domain:
1. Patterns repeat
2. Feedback accurate and rapid
3. Rules of game well-defined
Classical music, aviation pilots, emergency room nurse, fire fighter…
Security Testing
Wicked domain:
1. Patterns not obvious or repeating
2. Feedback delayed and inaccurate
3. Rules unclear and incomplete
Improvisational jazz, surgeon, radiologist, financial & political analyst…
Secure Development
33. Hard lessons from 10 years in appsec
1. We cannot slow down the DEVs
2. We cannot prevent all bugs
3. We cannot automate efficient security testing
34. Bright side of things
1. With enough skilled hackers, we can move as fast as DEVs
2. With enough practice, we can find and fix most severe bugs
3. With enough expertise, we can train to do it automatically
35. Hopes for the future
One day we can automate bug hunting properly
One day the DEVs’ monkey will learn to make fewer bugs
36. What we can do right now
Web Application Hacker’s Handbook
PortSwigger Web Security Academy