OWASP Tampa Day 2011
How to Defend the Universe from Evil-doers
A Guide for Software Developers and Security Teams
Bruce Jenkins
Managing Consultant
20 Jun 2011
About the Presenter
Bruce Jenkins (Major, USAF, Ret.) enlisted in the US Air Force in 1979 as a weapons control systems
technician for the F-4 Phantom. After assignments to military bases in Denver, Colorado, and the Mojave
Desert in California, he spent 10 years in Germany, with short assignments to Spain and the United
Kingdom. In 1992, after completing a BS in computer science, he transferred to the computer-
communications field and performed technical analysis on NORAD’s Integrated Tactical Warning / Attack
Assessment network in Colorado Springs. In 1995 Jenkins was commissioned a second lieutenant and
then managed the Crime and Counterintelligence Terrorism Information System at the Office of Special
Investigations in Washington, D.C. From 1998 to 2000, he obtained his MS in operations research
(management science) in Dayton, Ohio, after which he project managed wargame simulation software
development at the Wargaming Institute in Montgomery, Alabama. He then was CISO at the College for
Professional Development before spending 14 months commanding a communications squadron in
Kuwait. He returned to Montgomery in March 2005, where he was responsible for systems security policy
and compliance. He led the Crisis Action Team following a USAF personnel system breach, and then
managed an 11-month pilot program to evaluate software security products. His final project before his
USAF retirement in 2007 was to design the framework and resource requirements for what is now the
Application Software Assurance Center of Excellence (ASACoE). Mr. Jenkins then joined HP Fortify,
where he assists organizations in developing software security assurance strategies and programs.
Agenda
• Why Software Security?
• Software (Dev) vs. Security
• How to Save the Day (Seriously)
What this presentation is based on…
• Four years of anecdotal accounts from software security
consultants working with clients
• Over 300 software security assessments spanning DoD,
finance, retail, utilities, ISVs, systems integrators…
• Personal involvement in over 60 professional services
engagements since July 2007
• And… really intense conversations with “passionate”
developers and security teams
“Enough is Enough: The Threats Have Changed”
– Michael Howard and Steve Lipner, The Security Development Lifecycle
So… Why Software Security?
Why Software Security?
1. Customer Demands
2. Regulatory Compliance
3. Breach / Data Loss
4. Well-informed, Proactive
(This group has been breached and they’re just not
admitting it.)
Security Spending and Regulation Continue to Increase
[Timeline figure, 1980s through 2000s, listing: Computer Security Act of 1987; FFIEC IT Examination Handbook; EU Data Protection Directive; HIPAA; FDA 21 CFR Part 11; GLBA; NIST; PIPEDA (Canada); USA Patriot Act; EC 8th Directive; PCI; EC Data Privacy; FISMA I and II; CA SB 1386; NERC CIP; SOX; Basel II Accord; National Credit Union Administration regulations; National Defense Authorization Act]
Yet, Security Breaches Continue
Number of Data Security Breaches, 2005-2010 (Source: Identity Theft Resource Center)

Year   Breaches   Records Exposed
2005   158        65MM
2006   315        20MM
2007   446        127MM
2008   657        36MM
2009   498        223MM
2010   662        16MM
Why Software is Attacked
[Diagram labels: Intellectual Property; Customer Data; Business Processes; Trade Secrets; Hardware; Network; Software & Data]
Exploiting Weaknesses: Path of Least Resistance
“Security is never black and white, and
context matters more than technology”
– Bruce Schneier, Secrets & Lies: Digital Security in a Networked World
Quality Issue or Security Issue?
So… Quality Issue or Security Issue?
Quality Issue or Security Issue?
3rd largest US payment processor
The Incident
• Breach reported Jan 2009
• 94M credit records stolen
• Fines levied to banks > $6M
• Total cost of damages / loss > $140M
The Attack
• Personnel application attacked by SQL Injection
• Attackers inject code into data processing network
• Credit card transactions stolen
Who is Responsible for Software Security?
“I just want to be a coder; I’m really not
interested in security.”
– Anonymous
Cut the Developers Some Slack?
“Everyone knows that debugging is twice as
hard as writing a program in the first place. So
if you are as clever as you can be when you
write it, how will you ever debug it?”
– Brian Kernighan
The Elements of Programming Style
Cut the Developers Some Slack? (No way!)
“How do I get the software engineering teams to
wake up and start taking software security
seriously?”
– Brad Arkin, Senior Director of Product Security and
Privacy, Adobe Systems
IEEE Security & Privacy, May / June 2011
Software (Dev) vs. Security
(Don’t worry—it’s not really that bad.)
Software (Dev) vs. Security: Four “Concerns”
• Awareness
• Education, Training
• Issue Management
• Source Integrity (this is about trust)
Viewpoint: Software Developer
• Awareness
– Don’t know about the issue
– Don’t know about the requirement
• Education, Training
– Don’t know how to fix it
– Definitely don’t have time to get trained on how to fix it
• Issue Management
– What am I going to do with 35,000+ “findings”?
– No way these are legit—these definitely are false positives!
• Source (Messenger) Integrity
– Those security guys don’t know what they’re talking about!
– They don’t understand how we write our code.
Viewpoint: Security Team
• Awareness
– These issues are common knowledge.
– The requirement for security is inherent.
• Education, Training
– Don’t know how to fix it.
– Too busy to show up for “developer training.”
• Issue Management
– Why can’t these guys just fix this stuff? They have the whole list….
– We tell them what’s important, and they tell us that it isn’t an issue.
• Source (Code) Integrity
– Why is their code so messed up!?
– Developers are sneaky; they’ll do anything to not look bad.
How to Save the Day…
1. Obtain Executive Sponsorship
– Influence spans business units
– Supports… and holds accountable
2. Define Program Goals
– Associate AppSec goals to company goals
– Consider tying to MBOs
3. Develop a Reasoned Strategy
(with Objectives!) for supporting
Program Goals
– Keep it simple
– Ensure Objectives are measurable
and time-boxed
Strategy Example
“Implement a five-phased approach to raising awareness of
application security, educating and training stakeholders on
process changes, and building security into the SDLC.”
How to Save the Day… (cont’d)
4. Communicate the Plan
– Who, what, when, where, why (and how)
– Communicate again (and again) (and again)
5. Measure Progress
– Collect metrics for a specific reason, not simply because you can
– Use the right KPIs
(search: magic numbers kpi hp owasp webcast)
6. Report Results
– Agree on what will be reported, when
and to whom
– Be creative with rewards
– Hold people accountable
How to Save the Day… (a few more tips)
• Put Experienced Developers on the Security Team
• Publish Secure Coding Standards
• Train Developers and Security Teams
• Collaborate on the “Top n” Security Issues for <period>
• Obtain C-level Sponsorship / Approval of Your Top n
• “Tune” Your Security Testing Product(s) to Support the Identification and Presentation of the Top n Security Issues
• Treat All Security Issues as You Would Any Other Software Defect (i.e., get the issues into your defect tracking system)
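One way to put the last two tips into practice, as an added example that is not from the slides or from any HP Fortify tool: triage constructed scanner findings against the period's agreed "Top n" list, collapse duplicate reports of the same issue into one record, and emit defect-tracker tickets with a priority that follows the Top-n order. The category names, finding fields and ticket layout are assumptions.

```python
# Added example (not from the original slides). Turns raw static-analysis
# findings into defect-tracker tickets that reflect the agreed "Top n".

# Hypothetical "Top n" agreed between dev and security for this period,
# highest priority first (assumed category names).
TOP_N = ["SQL Injection", "Cross-Site Scripting", "Path Manipulation"]

# Constructed sample findings, not output of any real tool.
RAW_FINDINGS = [
    {"id": "F-1", "category": "SQL Injection", "file": "app/db.py", "line": 42, "confidence": "high"},
    {"id": "F-2", "category": "SQL Injection", "file": "app/db.py", "line": 42, "confidence": "high"},
    {"id": "F-3", "category": "Cross-Site Scripting", "file": "web/view.py", "line": 17, "confidence": "low"},
    {"id": "F-4", "category": "Dead Code", "file": "util/old.py", "line": 3, "confidence": "high"},
    {"id": "F-5", "category": "Path Manipulation", "file": "app/files.py", "line": 88, "confidence": "medium"},
]


def triage(findings, top_n):
    """Return (tickets, deferred).

    tickets : one defect record per distinct Top-n issue, sorted P1 first
    deferred: ids of findings outside this period's Top n (kept, not ticketed)
    """
    rank = {cat: i for i, cat in enumerate(top_n)}
    by_key = {}
    deferred = []
    for f in findings:
        if f["category"] not in rank:
            deferred.append(f["id"])
            continue
        # Same category at the same location is one defect, however many
        # times the scanner reports it.
        key = (f["category"], f["file"], f["line"])
        ticket = by_key.get(key)
        if ticket is None:
            ticket = by_key[key] = {
                "title": f"[{f['category']}] {f['file']}:{f['line']}",
                "priority": f"P{rank[f['category']] + 1}",  # P1 = top of the list
                "source_ids": [f["id"]],
                # Low-confidence results get a human look before dev time is spent.
                "needs_review": f["confidence"] != "high",
            }
        else:
            ticket["source_ids"].append(f["id"])
            ticket["needs_review"] = ticket["needs_review"] and f["confidence"] != "high"
    tickets = sorted(by_key.values(), key=lambda t: int(t["priority"][1:]))
    return tickets, deferred


def summary(tickets, deferred):
    """Counts a security team could report alongside the tickets."""
    per_priority = {}
    for t in tickets:
        per_priority[t["priority"]] = per_priority.get(t["priority"], 0) + 1
    return {"tickets": len(tickets), "deferred": len(deferred), "per_priority": per_priority}


if __name__ == "__main__":
    tix, skipped = triage(RAW_FINDINGS, TOP_N)
    for t in tix:
        print(t["priority"], t["title"], "review" if t["needs_review"] else "", t["source_ids"])
    print(summary(tix, skipped))
```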
Where are you now?
“There is a difference between knowing the
path and walking the path.”
– Morpheus, The Matrix
Final Thought…
“Ever wonder why so many programmers are
so bad at security? Part of the problem is
that most of them don't know they're bad.”
– Dr. Brian Chess
Founder & Chief Scientist, HP Fortify, http://blog.fortify.com/
(There is an easy fix for this. Really!)
Questions? bcjenkins@hp.com