![Page 1: Bringing nothing to the party Vincenzo Iozzo Director of Security Engineering Trail of Bits, Inc](https://reader035.vdocument.in/reader035/viewer/2022062409/5697bfeb1a28abf838cb81c4/html5/thumbnails/1.jpg)
Bringing nothing to the party
Vincenzo Iozzo
Director of Security Engineering, Trail of Bits, Inc
It’s about time we make AppSec understandable to the lay person (read: your executives)
There’s no real accountability at the company-wide level for AppSec; this has to change
Games we play these days…
Fail to separate threats
Compare and contrast
![Page 7: Bringing nothing to the party Vincenzo Iozzo Director of Security Engineering Trail of Bits, Inc](https://reader035.vdocument.in/reader035/viewer/2022062409/5697bfeb1a28abf838cb81c4/html5/thumbnails/7.jpg)
And this..
![Page 8: Bringing nothing to the party Vincenzo Iozzo Director of Security Engineering Trail of Bits, Inc](https://reader035.vdocument.in/reader035/viewer/2022062409/5697bfeb1a28abf838cb81c4/html5/thumbnails/8.jpg)
With this
![Page 9: Bringing nothing to the party Vincenzo Iozzo Director of Security Engineering Trail of Bits, Inc](https://reader035.vdocument.in/reader035/viewer/2022062409/5697bfeb1a28abf838cb81c4/html5/thumbnails/9.jpg)
Forget the good ol’weak links
![Page 10: Bringing nothing to the party Vincenzo Iozzo Director of Security Engineering Trail of Bits, Inc](https://reader035.vdocument.in/reader035/viewer/2022062409/5697bfeb1a28abf838cb81c4/html5/thumbnails/10.jpg)
Macro-level example
![Page 11: Bringing nothing to the party Vincenzo Iozzo Director of Security Engineering Trail of Bits, Inc](https://reader035.vdocument.in/reader035/viewer/2022062409/5697bfeb1a28abf838cb81c4/html5/thumbnails/11.jpg)
Eco101
![Page 12: Bringing nothing to the party Vincenzo Iozzo Director of Security Engineering Trail of Bits, Inc](https://reader035.vdocument.in/reader035/viewer/2022062409/5697bfeb1a28abf838cb81c4/html5/thumbnails/12.jpg)
The market for lemons
Improper threat analysis and quality control lead to a market-for-lemons scenario
Free riders!
The careless employee/company is free-riding on somebody else’s security investment
![Page 14: Bringing nothing to the party Vincenzo Iozzo Director of Security Engineering Trail of Bits, Inc](https://reader035.vdocument.in/reader035/viewer/2022062409/5697bfeb1a28abf838cb81c4/html5/thumbnails/14.jpg)
Externality
Both internally and externally, security is far too often a (good|bad) externality
What has any of this to do with AppSec?
![Page 16: Bringing nothing to the party Vincenzo Iozzo Director of Security Engineering Trail of Bits, Inc](https://reader035.vdocument.in/reader035/viewer/2022062409/5697bfeb1a28abf838cb81c4/html5/thumbnails/16.jpg)
A lot of AppSec is “miracle work”
![Page 17: Bringing nothing to the party Vincenzo Iozzo Director of Security Engineering Trail of Bits, Inc](https://reader035.vdocument.in/reader035/viewer/2022062409/5697bfeb1a28abf838cb81c4/html5/thumbnails/17.jpg)
Bounties
They don’t attract “professionals”
They attract weak automation (fuzzers)
They don’t solve the big-picture problem
They are taxing for developers and security people alike
![Page 18: Bringing nothing to the party Vincenzo Iozzo Director of Security Engineering Trail of Bits, Inc](https://reader035.vdocument.in/reader035/viewer/2022062409/5697bfeb1a28abf838cb81c4/html5/thumbnails/18.jpg)
Do somebody else’s work
![Page 19: Bringing nothing to the party Vincenzo Iozzo Director of Security Engineering Trail of Bits, Inc](https://reader035.vdocument.in/reader035/viewer/2022062409/5697bfeb1a28abf838cb81c4/html5/thumbnails/19.jpg)
“Reactive security”
The iOS jailbreaking saga is a prime example
Lack of developer accountability
Stuff that works today
![Page 22: Bringing nothing to the party Vincenzo Iozzo Director of Security Engineering Trail of Bits, Inc](https://reader035.vdocument.in/reader035/viewer/2022062409/5697bfeb1a28abf838cb81c4/html5/thumbnails/22.jpg)
Bug hunting
HAVOC/HAVOC-LITE (Julien Vanegue et al)
Bochspwn (Jurczyk et al)
![Page 23: Bringing nothing to the party Vincenzo Iozzo Director of Security Engineering Trail of Bits, Inc](https://reader035.vdocument.in/reader035/viewer/2022062409/5697bfeb1a28abf838cb81c4/html5/thumbnails/23.jpg)
BlueHat prize/Pwnium/Pwn2Own
Bugs Techniques
![Page 24: Bringing nothing to the party Vincenzo Iozzo Director of Security Engineering Trail of Bits, Inc](https://reader035.vdocument.in/reader035/viewer/2022062409/5697bfeb1a28abf838cb81c4/html5/thumbnails/24.jpg)
Some tools
EMET… ? ? ?
![Page 25: Bringing nothing to the party Vincenzo Iozzo Director of Security Engineering Trail of Bits, Inc](https://reader035.vdocument.in/reader035/viewer/2022062409/5697bfeb1a28abf838cb81c4/html5/thumbnails/25.jpg)
Let’s talk about tomorrow
![Page 26: Bringing nothing to the party Vincenzo Iozzo Director of Security Engineering Trail of Bits, Inc](https://reader035.vdocument.in/reader035/viewer/2022062409/5697bfeb1a28abf838cb81c4/html5/thumbnails/26.jpg)
Meditation interlude
Please pause for a second and contemplate what it means from a technical and sophistication POV for someone to backdoor NIST standards
![Page 27: Bringing nothing to the party Vincenzo Iozzo Director of Security Engineering Trail of Bits, Inc](https://reader035.vdocument.in/reader035/viewer/2022062409/5697bfeb1a28abf838cb81c4/html5/thumbnails/27.jpg)
A line in the sand
If you want to fight this…
This has to go…
![Page 28: Bringing nothing to the party Vincenzo Iozzo Director of Security Engineering Trail of Bits, Inc](https://reader035.vdocument.in/reader035/viewer/2022062409/5697bfeb1a28abf838cb81c4/html5/thumbnails/28.jpg)
Warning
![Page 29: Bringing nothing to the party Vincenzo Iozzo Director of Security Engineering Trail of Bits, Inc](https://reader035.vdocument.in/reader035/viewer/2022062409/5697bfeb1a28abf838cb81c4/html5/thumbnails/29.jpg)
Proposal 1
Make AppSec risk understandable by non-infosec people/investors
![Page 30: Bringing nothing to the party Vincenzo Iozzo Director of Security Engineering Trail of Bits, Inc](https://reader035.vdocument.in/reader035/viewer/2022062409/5697bfeb1a28abf838cb81c4/html5/thumbnails/30.jpg)
You can start from this

| | Elderwood | NYU-Poly | Davis |
|---|---|---|---|
| Plugins Required | Flash, Office, Java | .NET | None |
| Version Support | IE8 / Win XP | IE8 / Win7 | IE9 / Win7 |
| Reliability | ~50% | ~95% | ~99% |
| Features | Hardcoded ROP | Hardcoded ROP | Dynamic ROP |
| Time to Develop | ? (probably 8 hrs) | ~5 days | ~10 days |
| Experience | Professional | Amateur | Amateur |
And this
![Page 32: Bringing nothing to the party Vincenzo Iozzo Director of Security Engineering Trail of Bits, Inc](https://reader035.vdocument.in/reader035/viewer/2022062409/5697bfeb1a28abf838cb81c4/html5/thumbnails/32.jpg)
Proposal 2
Make bug-hunting a commodity by creating appropriate tools. Focus on the errors your developers make
![Page 33: Bringing nothing to the party Vincenzo Iozzo Director of Security Engineering Trail of Bits, Inc](https://reader035.vdocument.in/reader035/viewer/2022062409/5697bfeb1a28abf838cb81c4/html5/thumbnails/33.jpg)
Proposal 3
Engage researchers/firms in DARPA CFT (Cyber Fast Track)-like ways
Proposal 4
Talk to your CFO and make security an integral factor in M&A activities
![Page 35: Bringing nothing to the party Vincenzo Iozzo Director of Security Engineering Trail of Bits, Inc](https://reader035.vdocument.in/reader035/viewer/2022062409/5697bfeb1a28abf838cb81c4/html5/thumbnails/35.jpg)
Proposal 5
Do your own internal offensive research; it builds intuition and makes for great ‘pro-active’ mitigations
Conclusions
![Page 37: Bringing nothing to the party Vincenzo Iozzo Director of Security Engineering Trail of Bits, Inc](https://reader035.vdocument.in/reader035/viewer/2022062409/5697bfeb1a28abf838cb81c4/html5/thumbnails/37.jpg)
AppSec can and should become a profit-center
If we don’t do anything, policy-makers will, and we’re not going to like it
An insane amount of money is being poured into InfoSec; let’s not ruin this by fostering lemons
Free-riding is why we can’t have nice things
Final quote
"Mass markets demand security, along with safety and reliability, only after the product becomes commoditized."
- Alex Gantman
![Page 39: Bringing nothing to the party Vincenzo Iozzo Director of Security Engineering Trail of Bits, Inc](https://reader035.vdocument.in/reader035/viewer/2022062409/5697bfeb1a28abf838cb81c4/html5/thumbnails/39.jpg)
Thanks! Questions? [email protected]