
David Rook: Jedi mind tricks for building application security programs. SecurityBSides, London

if (slide == introduction) System.out.println("I’m David Rook");
• Security Analyst, Realex Payments, Ireland
• CISSP, CISA, GCIH and many other acronyms

• Security Ninja (www.securityninja.co.uk)
• Speaker at international security conferences
• Nominated for multiple blog awards
• A mentor in the InfoSecMentors project
• Developed and released Agnitio

Agenda
• Using Jedi mind tricks on your developers
• s/Application Security Alien/Business Language/i;

Using Jedi mind tricks on developers
• Most developers actually want to write secure code
• Developers generally like producing quality code
• They want security knowledge with good practices and tools
• You need to take ownership of the app sec problems with them
• Use this!

Using Jedi mind tricks on developers
Jim Bird, blog comment: “I’m a software guy. I need practices and tools that work, that help me get software out the door, better software that is more reliable and more secure. I don’t need a”
http://securosis. -rugged-development

Using Jedi mind tricks on developers
• How can you help developers?
• Help them understand how to write secure code
• Own application security problems with them
• Don’t dictate! Speak, listen, learn and improve things

Application Security Alien
• We speak an alien language
• We talk of injections, jackings and pwnings
• We present findings in weird formats with a side order of FUD

Application Security Alien
• I will use CVSS as an example
• Let’s pretend we are analysing a SQL Injection vulnerability


Application Security Alien
CVSS base score equation
BaseScore = (0.6*Impact + 0.4*Exploitability - 1.5) * f(Impact)
Impact = 10.41*(1-(1-ConfImpact)*(1-IntegImpact)*(1-AvailImpact))
Exploitability = 20*AccessComplexity*Authentication*AccessVector
f(Impact) = 0 if Impact=0, 1.176 otherwise

Application Security Alien
CVSS Temporal Equation
TemporalScore = BaseScore*Exploitability*RemediationLevel*ReportConfidence

Application Security Alien
CVSS Environmental Equation
EnvironmentalScore = (AdjustedTemporal + (10-AdjustedTemporal)*CollateralDamagePotential) * TargetDistribution
AdjustedTemporal = TemporalScore recomputed with the Impact sub-equation replaced with the following AdjustedImpact equation
AdjustedImpact = Min(10, 10.41*(1-(1-ConfImpact*ConfReq)*(1-IntegImpact*IntegReq)*(1-AvailImpact*AvailReq)))
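The three CVSS v2 equations above, carried through in code for the SQL Injection finding the slides pretend to analyse. This is an added example, not code from the slides: the per-metric weights come from the CVSS v2 specification (the slides only show the equations), and the vector string for the SQL injection is a constructed one.

```python
"""CVSS v2 base, temporal and environmental scores for one finding.

Added example, not part of the original slides. Metric weights are the
CVSS v2 specification values; the SQL injection vector is constructed.
"""
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 metric weights (from the CVSS v2 specification, not the slides).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA_IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}
EXPLOITABILITY_T = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}
REMEDIATION_LEVEL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}
REPORT_CONFIDENCE = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}
COLLATERAL_DAMAGE = {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0}
TARGET_DISTRIBUTION = {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0}
SECURITY_REQUIREMENT = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}


def round1(x):
    """round_to_1_decimal, applied after every CVSS v2 (sub-)score."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector):
    """'AV:N/AC:L/Au:N/C:P/I:P/A:P/...' -> {'AV': 'N', 'AC': 'L', ...}"""
    return dict(part.split(":", 1) for part in vector.split("/"))


def impact(m, adjusted=False):
    """Impact sub-equation. With adjusted=True this is the environmental
    AdjustedImpact: C/I/A weighted by CR/IR/AR and capped at 10."""
    c, i, a = (CIA_IMPACT[m[k]] for k in ("C", "I", "A"))
    if not adjusted:
        return 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    cr, ir, ar = (SECURITY_REQUIREMENT[m.get(k, "ND")] for k in ("CR", "IR", "AR"))
    return min(10.0, 10.41 * (1 - (1 - c * cr) * (1 - i * ir) * (1 - a * ar)))


def exploitability(m):
    return 20 * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]] * ACCESS_VECTOR[m["AV"]]


def base_score(m, adjusted=False):
    imp = impact(m, adjusted)
    f_impact = 0 if imp == 0 else 1.176
    return round1((0.6 * imp + 0.4 * exploitability(m) - 1.5) * f_impact)


def temporal_score(m, base):
    return round1(base
                  * EXPLOITABILITY_T[m.get("E", "ND")]
                  * REMEDIATION_LEVEL[m.get("RL", "ND")]
                  * REPORT_CONFIDENCE[m.get("RC", "ND")])


def environmental_score(m):
    # AdjustedTemporal: the temporal score recomputed with AdjustedImpact.
    adjusted_temporal = temporal_score(m, base_score(m, adjusted=True))
    cdp = COLLATERAL_DAMAGE[m.get("CDP", "ND")]
    td = TARGET_DISTRIBUTION[m.get("TD", "ND")]
    return round1((adjusted_temporal + (10 - adjusted_temporal) * cdp) * td)


def cvss2(vector):
    """Base, temporal and environmental scores for a full CVSS v2 vector."""
    m = parse_vector(vector)
    base = base_score(m)
    return {"base": base,
            "temporal": temporal_score(m, base),
            "environmental": environmental_score(m)}


# Constructed example vector: SQL injection reachable from the network with
# no authentication and partial C/I/A impact; functional exploit code exists,
# an official fix is available, the report is confirmed; low collateral
# damage, all targets affected, high confidentiality/integrity requirements.
SQLI_VECTOR = "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C/CDP:L/TD:H/CR:H/IR:H/AR:M"

if __name__ == "__main__":
    print(cvss2(SQLI_VECTOR))
```

Fourteen metric values go in and three numbers with one decimal come out; changing any one of them and re-running is the quickest way to see how much the slide's "alien" scoring asks of the reader compared with the business equation that follows.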


Application Security Alien
• We speak an alien language
• We talk of injections, jackings and pwnings
• We present findings in weird formats with a side order of FUD
• We feel security should just happen without having to justify it

The Business Language
• We need to speak the business language
• We need to talk about things the business cares about
• We need to present findings in a format that makes sense

The Business Language
• How does your business score risks?
• Let’s pretend we are analysing a SQL Injection vulnerability

The Business Language
A simple (common!) risk equation: Probability * Impact
Probability: 3
Impact: 5
Score: 15
Appetite: 12

The Business Language
• We need to speak the business language
• We need to talk about things the business cares about
• Present findings in a format that makes sense to the business
• Application security is no exception when it comes to resourcing

Jedi mind tricks and alien translations
• Apply the KISS principle to everything you do
• Keep everything as simple as possible, complexity doesn’t help
• Understand what developers want and need to write secure code
• Work with the business and use their language and formats

QUESTIONS?
www.securityninja.co.uk
@securityninja /realexninja /securityninja /realexninja

Jedi mind tricks for building application security programs: Chris Wysopal, CTO & Co-founder

The formative years
Padawan? It was all about attack.
• Early web app testing: Lotus Domino, Cold Fusion
• Windows Security: Netcat for Windows, L0phtCrack
• Early disclosure policies: RFPolicy, L0pht Advisories

Time to help the defensive side
• Led @stake research team
• @stake application security consultant
• Published Art of Software Security Testing
• Veracode CTO and Co-Founder
Now with professional PR team

Why do we need executive buy in?
• Application security programs will require developer training
• Application security programs will require tools/services
• Application security programs will impact delivery schedules
• Application security cannot be “voluntary”
• Authority

Speaking the language of executives: CEOs, CFOs, CIOs

If money is the language of execs, what do they say?
• How do I grow my top line?
• How do I lower costs?
• How do I mitigate risk?
Talk in terms of business risk and use monetary terms when possible. Then we can speak the same language.

Different types of risk
• Legal risk – legal costs, settlement costs, fines
• Compliance risk – fines, lost business
• Brand risk – lost business
• Security risk – ????

Translate technical risk to monetary risk
What is the monetary risk from vulnerabilities in your application portfolio?
Monetary risk is your expected loss, derived from your vulnerabilities, your breach cost and threat space data.
Your Vulnerabilities | Your Breach Cost | Threat Space Data

Your Breach Cost
• Use cost analysis from your earlier breaches
• Use breach cost from public sources – Example: April 2010 Ponemon Institute Report (US Dollars)

Ponemon average and per-capita US breach cost (US Dollars)
Cost component           Average     Per-capita
Detection & Escalation   264,208     8
Notification             500,321     15
Ex-Post Response         1,472,819   46
Lost Business            4,514,451   135
Total                    6,751,030   204

Ponemon per-capita data by US industry sector (US Dollars): bar chart covering Communication (209), Consumer, Education, Energy, Financial, Healthcare, Hotel & Leisure (153), Manufacturing (136), Media, Pharma, Research, Retail, Services, Technology and Transportation; the remaining sector values range from 121 to 310.

Threat Space Data
Chart: breaches by attack type (Error, Physical, Misuse, Social, Hacking, Malware). 40% of data breaches are due to hacking. Source: Verizon 2010 Data Breach Investigations Report
Chart: top 7 application vulnerability categories by root cause (Remote File Inclusion, Insufficient Authorization, Insufficient Authentication, XSS, Command Injection, SQL Injection, Backdoor/Control Channel). Source: Verizon 2010 Data Breach Investigations Report
62% of organizations experienced breaches in critical applications in a 12 month period. Source: Forrester 2009 Application Risk Management and Business Survey

How to Derive Your Expected Loss
expected loss(vulnerability category) = f(% of orgs breached × breach cost × breach likelihood from vuln. category)
Baseline expected loss for your organization due to SQL Injection*:
expected loss(SQL Injection) = (62% × $248 × 100,000 × 25%)
* If your SQL Injection prevalence is similar to average SQL Injection prevalence. Assumes 100,000 records.

Monetary Risk Derived From Relative Prevalence
Vulnerability Category       Breach Likelihood   Baseline Expected Loss   Average % of Apps Affected¹   Your % of Apps Affected²   Your Monetary Risk
Backdoor/Control Channel     29%                 $4,459,040               8%                            15%                        higher
SQL Injection                25%                 $3,844,000               24%                           10%                        lower
Command Injection            14%                 $2,152,640               7%                            6%                         same
XSS                          9%                  $1,383,840               34%                           5%                         lower
Insufficient Authentication  7%                  $1,076,320               5%                            2%                         lower
Insufficient Authorization   7%                  $1,076,320               7%                            7%                         same
Remote File Inclusion        2%                  $307,520                 <1%                           <1%                        same
Assume 100,000 customer records. For SQLi the expected loss is: 62% * $248 * 100,000 * 25% = $3,844,000
¹ Veracode 2010 State of Software Security Report, Vol. 2
² De-identified financial service company data from Veracode industry data
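The expected-loss derivation and the prevalence comparison from the two slides above, as an added example that is not the presenter's code. The inputs are the slides' own figures (Forrester 62% of organizations breached, Ponemon $248 per record, 100,000 records, the Verizon breach likelihoods and the Veracode prevalence numbers); modelling "<1%" as 0.5 and treating a gap of one percentage point or less as "same" are assumptions made here to reproduce the slide's higher/lower/same column.

```python
"""Expected loss per vulnerability category and relative prevalence.

Added example, not from the original slides. Reproduces the slide's
arithmetic: expected loss = % of orgs breached x cost per record x records
x breach likelihood for the category, then compares your prevalence with
the industry average the way the "Your Monetary Risk" column does.
"""

# Inputs taken from the slides.
ORGS_BREACHED_PCT = 62        # Forrester 2009: orgs with a critical-app breach
COST_PER_RECORD_USD = 248     # Ponemon per-capita breach cost used on the slide
RECORDS = 100_000             # customer records assumed on the slide

# name: (breach likelihood %, average % of apps affected, your % of apps affected)
# Likelihoods from the Verizon 2010 DBIR chart, prevalence from Veracode data,
# both as printed on the slide. "<1%" is modelled as 0.5 (assumption).
CATEGORIES = {
    "Backdoor/Control Channel":    (29, 8, 15),
    "SQL Injection":               (25, 24, 10),
    "Command Injection":           (14, 7, 6),
    "XSS":                         (9, 34, 5),
    "Insufficient Authentication": (7, 5, 2),
    "Insufficient Authorization":  (7, 7, 7),
    "Remote File Inclusion":       (2, 0.5, 0.5),
}

SAME_TOLERANCE_PCT = 1  # assumption: within one point counts as "same"


def baseline_expected_loss(likelihood_pct, orgs_breached_pct=ORGS_BREACHED_PCT,
                           cost_per_record=COST_PER_RECORD_USD, records=RECORDS):
    """Exact integer dollars: both percentages are integers, so multiply
    everything first and divide by 100*100 once at the end."""
    return orgs_breached_pct * cost_per_record * records * likelihood_pct // 10_000


def relative_risk(your_pct, average_pct, tolerance=SAME_TOLERANCE_PCT):
    """The slide's 'higher' / 'same' / 'lower' column."""
    if abs(your_pct - average_pct) <= tolerance:
        return "same"
    return "higher" if your_pct > average_pct else "lower"


def monetary_risk_table(categories=CATEGORIES):
    """[(category, baseline expected loss in USD, your risk vs average), ...]"""
    return [(name, baseline_expected_loss(likelihood), relative_risk(yours, average))
            for name, (likelihood, average, yours) in categories.items()]


if __name__ == "__main__":
    for name, loss, relative in monetary_risk_table():
        print(f"{name:28} ${loss:>10,}  your risk vs average: {relative}")
```

Swap in your own breach rate, per-record cost, record count and scanner prevalence numbers and the table becomes the dollar figure the slides say executives will actually act on.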

Executives want
• An organization-wide view. Am I lowering overall application risk?
  – Internal code
  – Outsourced
  – Vendor supplied
  – Open source
• A program that has achievable objectives. Am I marching toward the objectives?
  – Which dev teams, outsourcers are performing well?
  – How is my organization doing relative to my peers?
• A program that is measurable: metrics and reporting. What am I getting for the money I am spending?

Tips to make the program successful
• The right people have to understand what is going to happen before you start
• Do a real world pen test or assessment of a project. Demonstrate relevant risk.
• Integrate into existing processes
  – SDLC
  – Procurement/legal
  – M&A

Q&A
Speaker Contact Information:
Chris Wysopal (cwysopal@veracode. Twitter: @WeldPond
David Rook: @securityninja /realexninja /securityninja /realexninja www.securityninja.co.uk