
David Rook: Jedi mind tricks for building application security programs
SecurityBSides, London

if (slide == introduction) System.out.println("I'm David Rook");


Security Analyst, Realex Payments, Ireland
CISSP, CISA, GCIH and many other acronyms
Security Ninja (www.securityninja.co.uk)
Speaker at international security conferences
Nominated for multiple blog awards
A mentor in the InfoSecMentors project
Developed and released Agnitio

Agenda
Using Jedi mind tricks on your developers
s/Application Security Alien/Business Language/i;

Using Jedi mind tricks on developers
Most developers actually want to write secure code
You need to take ownership of the app sec problems with them
Developers generally like producing quality code, use this!
They want security knowledge with good practices and tools

Using Jedi mind tricks on developers
Jim Bird, blog comment:

"I'm a software guy. I don't need a meme. I need practices and tools that work, that help me get software out the door, better software that is more reliable and more secure."

http://securosis.com/blog/good-programming-practices-vs.-rugged-development

Using Jedi mind tricks on developers
How can you help developers?
Help them understand how to write secure code
Own application security problems with them
Don't dictate! Speak, listen, learn and improve things


Application Security Alien
We speak an alien language
We talk of injections, jackings and pwnings
We present findings in weird formats with a side order of FUD

Application Security Alien
I will use CVSS as an example
Let's pretend we are analysing a SQL Injection vulnerability

Application Security Alien
CVSS base score equation

BaseScore = (0.6*Impact + 0.4*Exploitability - 1.5) * f(Impact)
Impact = 10.41 * (1 - (1-ConfImpact)*(1-IntegImpact)*(1-AvailImpact))
Exploitability = 20 * AccessComplexity * Authentication * AccessVector
f(Impact) = 0 if Impact = 0; 1.176 otherwise

Application Security Alien
CVSS Temporal Equation

TemporalScore = BaseScore * Exploitability * RemediationLevel * ReportConfidence

Application Security Alien
CVSS Environmental Equation

EnvironmentalScore = (AdjustedTemporal + (10 - AdjustedTemporal) * CollateralDamagePotential) * TargetDistribution
AdjustedTemporal = TemporalScore recomputed with the Impact sub-equation replaced with the following AdjustedImpact equation.
AdjustedImpact = Min(10, 10.41 * (1 - (1 - ConfImpact*ConfReq) * (1 - IntegImpact*IntegReq) * (1 - AvailImpact*AvailReq)))
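To make the point about how opaque this scoring is to a non-specialist, here is the full CVSS v2 base, temporal and environmental calculation as working code. This is an added example, not code from the slides: the equations are the ones above, the metric weight tables are the published CVSS v2 values, and the SQL injection vector rated at the bottom is an assumed illustration rather than a rating from the talk.

```python
# Added example (not from the slides): the CVSS v2 base, temporal and
# environmental equations shown above, implemented in plain Python.
# Metric weight tables are the published CVSS v2 values; the SQL injection
# vector at the bottom is an assumed illustration, not a rating from the talk.

# Base metric weights
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}
# Temporal metric weights ("ND" = not defined, which leaves the score unchanged)
EXPLOITABILITY = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}
REMEDIATION_LEVEL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}
REPORT_CONFIDENCE = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}
# Environmental metric weights
COLLATERAL_DAMAGE = {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0}
TARGET_DISTRIBUTION = {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0}
SECURITY_REQUIREMENT = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}

OPTIONAL_DEFAULTS = {"E": "ND", "RL": "ND", "RC": "ND",
                     "CDP": "ND", "TD": "ND", "CR": "ND", "IR": "ND", "AR": "ND"}


def parse_vector(vector):
    """Turn 'AV:N/AC:L/Au:N/C:P/I:P/A:P[/E:.../RL:...]' into a metric dict.
    Temporal and environmental metrics that are absent default to ND."""
    metrics = dict(OPTIONAL_DEFAULTS)
    for part in vector.split("/"):
        key, value = part.split(":")
        metrics[key] = value
    missing = {"AV", "AC", "Au", "C", "I", "A"} - metrics.keys()
    if missing:
        raise ValueError(f"vector lacks base metrics: {sorted(missing)}")
    return metrics


def round1(x):
    """CVSS v2 rounds each (sub)score to one decimal place.
    Adding 0.0 turns a -0.0 (zero impact times a negative term) into 0.0."""
    return round(x, 1) + 0.0


def impact_subscore(m, adjusted=False):
    """Impact = 10.41*(1-(1-C)(1-I)(1-A)); with the CR/IR/AR requirement
    weights applied this is AdjustedImpact, capped at 10."""
    reqs = (SECURITY_REQUIREMENT[m["CR"]], SECURITY_REQUIREMENT[m["IR"]],
            SECURITY_REQUIREMENT[m["AR"]]) if adjusted else (1.0, 1.0, 1.0)
    c, i, a = IMPACT[m["C"]], IMPACT[m["I"]], IMPACT[m["A"]]
    raw = 10.41 * (1 - (1 - c * reqs[0]) * (1 - i * reqs[1]) * (1 - a * reqs[2]))
    return min(10.0, raw)


def exploitability_subscore(m):
    """Exploitability = 20 * AccessComplexity * Authentication * AccessVector."""
    return 20 * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]] * ACCESS_VECTOR[m["AV"]]


def base_score(m, adjusted=False):
    """BaseScore = (0.6*Impact + 0.4*Exploitability - 1.5) * f(Impact)."""
    impact = impact_subscore(m, adjusted)
    f_impact = 0.0 if impact == 0 else 1.176
    return round1((0.6 * impact + 0.4 * exploitability_subscore(m) - 1.5) * f_impact)


def temporal_score(m, adjusted=False):
    """TemporalScore = BaseScore * Exploitability * RemediationLevel * ReportConfidence."""
    return round1(base_score(m, adjusted) * EXPLOITABILITY[m["E"]]
                  * REMEDIATION_LEVEL[m["RL"]] * REPORT_CONFIDENCE[m["RC"]])


def environmental_score(m):
    """EnvironmentalScore = (AdjustedTemporal + (10 - AdjustedTemporal)*CDP) * TD,
    where AdjustedTemporal is the temporal score recomputed with AdjustedImpact."""
    adjusted_temporal = temporal_score(m, adjusted=True)
    return round1((adjusted_temporal + (10 - adjusted_temporal)
                   * COLLATERAL_DAMAGE[m["CDP"]]) * TARGET_DISTRIBUTION[m["TD"]])


def score(vector):
    """All three CVSS v2 scores for a vector string."""
    m = parse_vector(vector)
    return {"base": base_score(m), "temporal": temporal_score(m),
            "environmental": environmental_score(m)}


if __name__ == "__main__":
    # Assumed rating for the SQL injection example: network-reachable, low
    # complexity, no authentication, partial C/I/A; functional exploit, official
    # fix available, confirmed; low collateral damage, all targets, C and I high.
    sqli = "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C/CDP:L/TD:H/CR:H/IR:H/AR:M"
    for name, value in score(sqli).items():
        print(f"{name:>13}: {value}")
```

For the assumed vector the base score comes out at 7.5, the temporal score at 6.2 and the environmental score at 7.3. Three numbers on a ten-point scale, each produced by a different multi-term equation, is exactly the kind of output a business owner cannot map onto "how much could this cost us?"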

Application Security Alien
We speak an alien language
We talk of injections, jackings and pwnings
We present findings in weird formats with a side order of FUD
We feel security should just happen without having to justify it

The Business Language
We need to speak the business language
We need to talk about things the business cares about
We need to present findings in a format that makes sense

The Business Language
How does your business score risks?
Let's pretend we are analysing a SQL Injection vulnerability

The Business Language
A simple (common!) risk equation

Score = Probability * Impact

Probability: 3
Impact:      5
Score:       15
Appetite:    12

The Business Language
We need to speak the business language
We need to talk about things the business cares about
Present findings in a format that makes sense to the business
Application security is no exception when it comes to resourcing

Jedi mind tricks and alien translations
Apply the KISS principle to everything you do
Keep everything as simple as possible, complexity doesn't help
Understand what developers want and need to write secure code
Work with the business and use their language and formats

QUESTIONS?
www.securityninja.co.uk @securityninja /realexninja /securityninja /realexninja

Jedi mind tricks for building application security programs
Chris Wysopal, CTO & Co-founder

The formative years
Padawan?
It was all about attack.
Early web app testing: Lotus Domino, Cold Fusion
Windows security: Netcat for Windows, L0phtCrack
Early disclosure policies: RFPolicy, L0pht Advisories

Now with professional PR team
Time to help the defensive side
Led @stake research team
@stake application security consultant
Published Art of Software Security Testing
Veracode CTO and Co-Founder

Why do we need executive buy-in?
Application security programs will require developer training
Application security programs will require tools/services
Application security programs will impact delivery schedules
Application security cannot be voluntary

Authority

Speaking the language of executives
CEOs, CFOs, CIOs
If money is the language of execs, what do they say?
How do I grow my top line?
How do I lower costs?
How do I mitigate risk?
Talk in terms of business risk and use monetary terms when possible. Then we can speak the same language.

Different types of risk
Legal risk: legal costs, settlement costs, fines
Compliance risk: fines, lost business
Brand risk: lost business
Security risk: ????

Translate technical risk to monetary risk
What is the monetary risk from vulnerabilities in your application portfolio?
Monetary risk is your expected loss, derived from your vulnerabilities, your breach cost and threat space data.

Your Vulnerabilities
Your Breach Cost
Threat Space Data


Your Breach Cost
Use cost analysis from your earlier breaches
Use breach cost from public sources
Example: April 2010 Ponemon Institute Report (US Dollars)

Cost component            Average   Per-capita
Detection & Escalation    264,208            8
Notification              500,321           15
Ex-Post Response        1,514,819           46
Lost Business           4,472,030          135
Total                   6,751,451          204

Ponemon average and per-capita US breach cost (US Dollars)


[Chart: Ponemon per-capita data by US industry sector (US Dollars). Sectors shown: Communication, Consumer, Education, Energy, Financial, Healthcare, Hotel & Leisure, Manufacturing, Media, Pharma, Research, Retail, Services, Technology, Transportation. Values legible in the extracted chart: Communication 209, Hotel & Leisure 153, Manufacturing 136, Transportation 121; the remaining bars range from 133 to 310, and the $248 per-record figure used in the expected-loss example is one of them.]



Threat Space Data

[Chart: Attack Type (Error, Physical, Misuse, Social, Hacking, Malware), share of breaches on a 0% to 60% axis. 40% of data breaches are due to hacking.]

[Chart: Hacking Root Cause (Vulnerability Category): Remote File Inclusion, Insufficient Authorization, Insufficient Authentication, XSS, Command Injection, SQL Injection, Backdoor/Control Channel, on a 0% to 40% axis. Top 7 application vulnerability categories.]

Source: Verizon 2010 Data Breach Investigations Report

62% of organizations experienced breaches in critical applications in a 12-month period
Source: Forrester 2009 Application Risk Management and Business Survey


How to Derive Your Expected Loss

expected loss (vulnerability category) = % of orgs breached X breach cost X breach likelihood from vuln. category

Baseline expected loss for your organization due to SQL Injection*

expected loss (SQL Injection) = 62% X $248 X 100,000 X 25%

*If your SQL Injection prevalence is similar to average SQL Injection prevalence; assumes 100,000 records


Monetary Risk Derived From Relative Prevalence

Vulnerability Category        Breach Likelihood  Baseline Expected Loss  Average % of Apps Affected(1)  Your % of Apps Affected(2)  Your Monetary Risk
Backdoor/Control Channel      29%                $4,459,040              8%                             15%                         higher
SQL Injection                 25%                3,844,000               24%                            10%                         lower
Command Injection             14%                2,152,640               7%                             6%                          same
XSS                           9%                 1,383,840               34%                            5%                          lower
Insufficient Authentication   7%                 1,076,320               5%                             2%                          lower
Insufficient Authorization    7%                 1,076,320               7%                             7%                          same
Remote File Inclusion         2%                 307,520                 <1%                            <1%                         same

Assume 100,000 customer records. For SQLi the expected loss is: 62% * $248 * 100,000 * 25% = $3,844,000
1. Veracode 2010 State of Software Security Report, Vol. 2
2. De-identified financial service company data from Veracode industry data
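The expected-loss derivation and the prevalence table above, worked through in code so the arithmetic can be re-run with an organisation's own inputs. This is an added example, not code from the talk: the inputs are the figures the deck quotes (62% of organisations breached, $248 per record, 100,000 records, and the per-category likelihood and prevalence numbers from the table). The slides only give higher/lower/same for "Your Monetary Risk"; the rule used here (same when within one percentage point of the average) and the prevalence-scaled dollar figure are my assumptions, and the "<1%" entries are represented as 0.5.

```python
# Added example (not from the slides): the expected-loss model from the two
# slides above. Inputs are the figures the deck quotes: 62% of organisations
# breached (Forrester), $248 per-record breach cost (Ponemon), 100,000 records,
# and per-category breach likelihood plus average/your prevalence from the
# table. The "same within one percentage point" rule and the prevalence-scaled
# figure are assumptions of this example; the slides give only higher/lower/same.

ORGS_BREACHED = 0.62        # share of organisations breached in 12 months
COST_PER_RECORD = 248.0     # per-capita breach cost, US dollars
RECORDS = 100_000           # customer records at risk (slide assumption)

# Per-category inputs: (breach likelihood, average % of apps affected,
# your % of apps affected). "<1%" in the slide is represented as 0.5 here.
CATEGORIES = {
    "Backdoor/Control Channel":    (0.29, 8.0, 15.0),
    "SQL Injection":               (0.25, 24.0, 10.0),
    "Command Injection":           (0.14, 7.0, 6.0),
    "XSS":                         (0.09, 34.0, 5.0),
    "Insufficient Authentication": (0.07, 5.0, 2.0),
    "Insufficient Authorization":  (0.07, 7.0, 7.0),
    "Remote File Inclusion":       (0.02, 0.5, 0.5),
}


def expected_loss(likelihood, orgs_breached=ORGS_BREACHED,
                  cost_per_record=COST_PER_RECORD, records=RECORDS):
    """expected loss = % of orgs breached x breach cost x records x breach
    likelihood, rounded to whole dollars."""
    return round(orgs_breached * cost_per_record * records * likelihood)


def relative_risk(average_pct, your_pct, tolerance_points=1.0):
    """'same' when your prevalence is within tolerance of the average
    (assumed rule), otherwise 'higher' or 'lower'."""
    if abs(your_pct - average_pct) <= tolerance_points:
        return "same"
    return "higher" if your_pct > average_pct else "lower"


def scaled_loss(baseline, average_pct, your_pct):
    """Assumed refinement: scale the baseline by your prevalence relative
    to the average, giving a dollar figure instead of higher/lower/same."""
    return round(baseline * your_pct / average_pct)


def risk_table(categories=CATEGORIES):
    """One row per category with baseline loss, relative risk and scaled loss."""
    rows = []
    for name, (likelihood, avg_pct, your_pct) in categories.items():
        baseline = expected_loss(likelihood)
        rows.append({
            "category": name,
            "likelihood": likelihood,
            "baseline": baseline,
            "average_pct": avg_pct,
            "your_pct": your_pct,
            "relative": relative_risk(avg_pct, your_pct),
            "scaled": scaled_loss(baseline, avg_pct, your_pct),
        })
    return rows


def total_scaled_loss(rows):
    """Portfolio-level expected loss under the scaling assumption."""
    return sum(r["scaled"] for r in rows)


if __name__ == "__main__":
    rows = risk_table()
    print(f"{'Category':<28}{'Lik.':>6}{'Baseline':>12}{'Avg%':>6}{'You%':>6}  Risk  {'Scaled':>12}")
    for r in rows:
        print(f"{r['category']:<28}{r['likelihood']:>6.0%}{r['baseline']:>12,}"
              f"{r['average_pct']:>6.1f}{r['your_pct']:>6.1f}  {r['relative']:<6}{r['scaled']:>12,}")
    print(f"Total prevalence-scaled expected loss: ${total_scaled_loss(rows):,}")
```

Running it reproduces the baseline column of the table ($3,844,000 for SQL injection, $4,459,040 for backdoors) and the higher/lower/same column; the scaled column is the extra step that turns "lower" for SQL injection into a number (about $1.6M at 10% prevalence against a 24% average), which is the form an executive can set against a risk appetite.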

Executives want
An organization-wide view. Am I lowering overall application risk?
Internal code, outsourced, vendor supplied, open source
A program that has achievable objectives. What am I getting for the money I am spending?
A program that is measurable: metrics and reporting. Am I marching toward the objectives?
Which dev teams and outsourcers are performing well? How is my organization doing relative to my peers?

Tips to make the program successful
The right people have to understand what is going to happen before you start
Do a real-world pen test or assessment of a project. Demonstrate relevant risk.
Integrate into existing processes: SDLC, procurement/legal, M&A

Q&A
Speaker Contact Information: Chris Wysopal (cwysopal@veracode.com), Twitter: @WeldPond

David Rook
www.securityninja.co.uk @securityninja /realexninja /securityninja /realexninja
