SlideShare une entreprise Scribd logo

Reducing software risk: minimizing your application's attack surface

Security Innovation
Security Innovation

This webcast (now in PDF format) will present best practices for minimizing code exposed to untrusted users and protect against vulnerabilities and threats that you don’t know about.

Technologie
1  sur  13
Télécharger pour lire hors ligne
Reducing Software Risk: Minimizing your Application’s Attack Surface Jason Taylor CTO Security Innovation About Security Innovation • Software and Crypto Security Experts – 10+ years research on vulnerabilities and cryptography – Hundreds of assessments on world’s most dominant software • Products, Services & Training – Software Assurance • white and black box assessments • secure development lifecycle and crypto consulting – Training & Guidance • eLearning, instructor-led, and secure coding standards – Data Encryption • fast, lightweight, patented, and future-proof • Helping organizations: – Build internal software security competency – Roll out secure software applications and products – Protect data in transit and while applications are accessing it 1
Agenda • Objectives of Attack Surface Analysis and Reduction • Measuring and Reducing your Attack Surface • Conclusion A Software Application’s Attack Surface • Software exposes key business and customer assets via entry points: – user interfaces – web services – direct database access – network channels, pipes, files, APIs … • The entire collection of entry points in a product is called it’s Attack Surface – Set of ways in which adversaries can attack a software system – not limited to local resources; channels used to communicate with remote resources are vectors for attack • Big Attack Surface = Big Security Work= Big Security Problems – with big attack surface, you must spend more time making sure the code is excellent quality, conservative, and defensive 2
Understanding Attack Surface • Attack Surface can Gauge Risk of Attack – Attack surface measures potential avenues of attack – Attack surface measures potential impact of an attack • Useful as a Metric in Design through Deployment – Measurement is both point-in-time and relative • Attacks over the years show that certain vectors are more likely to be opportunities of attack than others – Known (and un-patched) vulnerabilities – services running as privileged user root (in UNIX) are more likely to be targets of attack than services running as non-root users – files with full control (e.g., rwxrwxrwx) are more likely to be attacked than files with less generous permissions – symbolic links are highly likely to be used as enablers in attacks – Windows apps with VBScript, JScript, or ActiveX controls enabled are more likely to be enablers of attack than if such scripting engines and controls were disabled Main Goals of Attack Surface Reduction • Reduce the amount of code executing by default • Reduce the volume of code that is accessible to untrusted users by default • Close doors (access points) that can be easily opened/exploited • Limit the damage if the access point is exploited Bottom Line: Fend off Future Attacks 3
Agenda • Objectives of Attack Surface Reduction • Measuring and Reducing your Attack Surface • Conclusion Common Metrics for Software Security • At CODE LEVEL – We count the number of bugs found – Not an ideal metric because: • It misses bugs that are not found (or fixed), perhaps the one that gets exploited • equal importance is given to all bugs, even though some bugs are easier to exploit than others • the exploit of one may result in more damage than the exploit of another • At the PRODUCT/SYSTEM level – We count the number of times a system version is mentioned in CERT, Microsoft Security Bulletins, MITRE CVEs, etc. – Not an ideal metric because it ignores the specific system configuration that gave rise to the vulnerability • whether a security patch has been installed • whether defaults are turned off • whether it always runs in system administrator mode. 4
New Metric to Add: Attack Surface • Rather than count bugs at code level or vulnerability reports at system level, you can measure the avenues of attack – The counts of these “more likely to be attacked” features determine a system’s attack surface • Attack Surface attempts to measure security in relative terms – Useful as a delta measurement (i.e. v1.2 to v1.n of a product) – Not useful for comparing app to app or as stand-alone metric Measuring attack surface • Start with baseline, then measure each week – Define your minimal attack surface early on during design • If the attack surface count goes up, determine why and see if you can drive it back down – When engineers know you are measuring the attack surface, they may improve efforts Baseline Baseline + 1 month Comment 3 x TCP ports 2 x TCP ports Good; one fewer port to worry about. 1 x UDP port 2 x UDP port Which functionality opened the new UDP port? Why is it open by default? Is it authenticated? Is it restricted to a subnet? 2 x Services (both 3 x Services (2 x SYSTEM, Why is another service running by default? Why are any SYSTEM) 1 x LocalService) running as SYSTEM? 3 x ActiveX controls 4 x ActiveX controls Why is the new control installed? Is it safe for scripting? No additional user 1 x application account Turns out this is a member of the administrators group accounts too! Why? What's the password? 5
Potential Uses for Attack Surface Measurement • Developers and architects can better prioritize testing efforts – If a software’s attack surface measurement is high, they may want to invest more in testing • Developers can use it as a guide while implementing patches of security vulnerabilities – A good patch should not only remove a vulnerability from a system, but also should not increase the system's attack surface. • Consumers can use it to guide their choice of configuration – Since a system's attack surface measurement is dependent on the system's configuration, software consumers would choose a configuration that results in a smaller attack surface exposure. • Risk Management/Corporate Security can understand their potential business exposure Attack Surface & Entry Points • To attack an application, attackers will – Identify entry points – Exploit the entry point or the backend exposed behind it – Try to deny legitimate users access to these entry points • In our software, we have to: – Understand the attack surface – Reduce it as much as possible – Test against it for exposed vulnerabilities • Mapping our Attack Surface – Architecture and design docs, code.. – But how many entry points are undocumented • Temporary files? Pipes? Network communication? Registry keys? Embeddable code? 6
The Attack Surface Reduction Process • Look at all of your entry points – Network I/O – File I/O • Rank them – Authenticated versus anonymous – Administrator only versus user – Network versus local Attack Surface Reduction is as important as trying to get the code right It’s Not Just About Turning Stuff Off! Higher Attack Surface Lower Attack Surface Executing by default Off by default Open socket Closed socket Anonymous access Authenticated access Constantly on Intermittently on Admin access User access Internet access Local subnet access SYSTEM Not SYSTEM! Uniform defaults User-chosen settings Large code Small code Weak ACLs Strong ACLs 7
Reducing your Attack Surface – Best Practices • Reduce the amount of code running by default • Reduce access to entry points by untrusted users – restrict access to network endpoints used by your application to the local subnet or IP range – limit access to network endpoints using authentication. • Reduce privilege to limit damage potential – Sandbox running code – Give higher permissions for as short a period as possible – Pay attention to trust boundaries • Define attack surface during design ASR Best Practices Reduce the Amount of Running Code • Apply the 80/20 rule – Ask yourself, "Do 80 percent of users/customers use this feature?“ – If the answer is no, then turn it off and make it easy to turn the feature back on • Services can’t be attacked if they are not running – All forms of dynamic Web content should be opt-in – If there is security defect in a service, this ensures that the only affected users are those actively running the service (versus all software users) • ASR is not just an "on or off" proposition – You can reduce attack surface by limiting who can access the code once it is running – This has an interesting side effect: many features are still usable, but are inaccessible by attackers (must have knowledge of access controls?) 8
ASR Best Practices Reduce access to entry points by untrusted users • Example: Web Site – By default, most Web sites are accessible to all users – If the Web server limited access only to trusted users, or users on a specific subnet, then fewer users could take advantage of the defect – This is good because the code works for those who require the functionality – Restrict access to network endpoints used by your application to the local subnet or IP range. • To reduce the number of users who can communicate with potentially vulnerable code, authenticate before they can access the code – limit access to network endpoints using authentication. Simply validating the user reduces your component's attack surface. – most bad guys are unauthenticated, and by raising the authentication bar a little you can eliminate a large population of potential attackers. ASR Best Practices Reduce access to entry points by untrusted users • Pay attention to trust boundaries – Review the entire data flow from entry point to data store – Look for all the potential data flows, data stores, and processes that the code touches (code that an attacker can touch) – Determine what privilege is required to access that entry point – Can you raise the authorization bar? • Example: Code with only two network-facing entry points – One is anonymous and the other can only be accessed by administrators – Hacker is going to attack the code along the anonymous data path simply because they can • Not going to exercise the administrative code path because, if they can, then they are already an administrator (and your problems are only just starting)  As you review dataflow, look for anonymous threat paths. It may be prudent to raise the authorization bar on these paths 9
ASR Best Practices Reduce privilege to limit damage potential • Even if your code has vulnerabilities, and you don’t limit access to the code, you can still reduce the damage potential by operating the code with reduced privileges – remove any privileges not explicitly required by the application • Example: Dangerous Backup Privilege – Any process running under an account with this privilege can read any file in the file system, regardless of the access control list (ACL) on the file – Wrong way run as SYSTEM, which has backup privilege, but also has restore, debug, and "act as part of operating system" privilege; and is an admin account too – Right Way: run service under a specific authenticated account that has this privilege Never run services as SYSTEM, or daemons as root, or user accounts with administrative rights unless you have exhausted all other possibilities Define Attack Surface During Design • When designing your application, outline what the attack surface will look like and identify the following: – The networking protocols you enabled by default – The endpoints that should support authentication and authorization. Focus on other anonymous endpoints – The off-by-default features • Look for code that auto-starts or will execute when accessed, such as services, daemons, ISAPI filters and applications, SOAP services, and Web roots – Reusable components (ActiveX® controls, COM objects, and .NET Framework assemblies, etc) – Process identities for all the code you run – User accounts installed When developers know early what the attack surface looks like, they can design and code defensively from the start 10
Other Activities to help Minimize your Attack Surface • Threat Modeling – Identify threats and reduce risk – Identify trust boundaries – Discover entry points and design flaws • Design Review – Check design for attack surface reduction opportunities – Check design against threats uncovered in the threat model • Code Review – Increase awareness of secure coding principles – Discover dangerous code changes that can add vulnerabilities or impact attack surface Agenda • Objectives of Attack Surface Reduction • Measuring and Reducing your Attack Surface • Conclusion 11
Conclusion • Use Attack Surface Reduction to reduce your overall security profile – Protect against the threats and vulnerabilities you don’t know about • Match attack surface risk to the level of effort devoted to secure design, development and testing – Include Attack Surface analysis as part of your overall strategy – Include design, development and test best practices as effective ways to minimize your attack surface and overall risk How Security Innovation can Help • Source Software Development Services – SDLC Process review – Design & Requirements Review – Code Review – Security Testing • eKnowledge products – Software and information security eLearning – Secure Development Knowledgebase and Guidance System • Data Encryption – Fastest, most secure cryptography available on the market 12
eKnowledge Solutions for Secure Development TeamMentor: Secure Development Guidance System – Out of the box secure development standards and best practices for: • Secure Design • Secure Coding • Security Testing – How-to’s, how not-to’s, code snippets, attacks, checklists Software Security eLearning: – Introduction to Threat Modeling – Architecture Risk Analysis – Intro to Cryptography – Creating Secure Code – Web Vulnerabilities: Threats & Mitigations Try eLearning for free http://elearning.securityinnovation.com Free eLearning Course for Attending Introduction to Threat Modeling Creating Secure Code Fundamentals of Application Security Contact getsecure@securityinnovation.com jtaylor@securityinnovation.com 13

Recommandé

White Paper: Leveraging The OWASP Top Ten to Simplify application security a...
White Paper: Leveraging The OWASP Top Ten to Simplify application security a...White Paper: Leveraging The OWASP Top Ten to Simplify application security a...
White Paper: Leveraging The OWASP Top Ten to Simplify application security a...Security Innovation
 
Software Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsSoftware Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsMarco Morana
 
Application Security Maturity Model
Application Security Maturity ModelApplication Security Maturity Model
Application Security Maturity ModelSecurity Innovation
 
Software Security Initiatives
Software Security InitiativesSoftware Security Initiatives
Software Security InitiativesMarco Morana
 
Defense In Depth With AOP
Defense In Depth With AOPDefense In Depth With AOP
Defense In Depth With AOPnerdybeardo
 
Best Practices for a Mature Application Security Program Webinar - February 2016
Best Practices for a Mature Application Security Program Webinar - February 2016Best Practices for a Mature Application Security Program Webinar - February 2016
Best Practices for a Mature Application Security Program Webinar - February 2016Security Innovation
 
App sec owasp from developers prospective
App sec owasp from developers prospectiveApp sec owasp from developers prospective
App sec owasp from developers prospectiveSecurity Innovation
 
Reducing Application Risk: minimizing your web application's attack surface
Reducing Application Risk: minimizing your web application's attack surfaceReducing Application Risk: minimizing your web application's attack surface
Reducing Application Risk: minimizing your web application's attack surfaceSecurity Innovation
 

Recommandé

White Paper: Leveraging The OWASP Top Ten to Simplify application security a...
White Paper: Leveraging The OWASP Top Ten to Simplify application security a...White Paper: Leveraging The OWASP Top Ten to Simplify application security a...
White Paper: Leveraging The OWASP Top Ten to Simplify application security a...Security Innovation
 
Software Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsSoftware Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsMarco Morana
 
Application Security Maturity Model
Application Security Maturity ModelApplication Security Maturity Model
Application Security Maturity ModelSecurity Innovation
 
Software Security Initiatives
Software Security InitiativesSoftware Security Initiatives
Software Security InitiativesMarco Morana
 
Defense In Depth With AOP
Defense In Depth With AOPDefense In Depth With AOP
Defense In Depth With AOPnerdybeardo
 
Best Practices for a Mature Application Security Program Webinar - February 2016
Best Practices for a Mature Application Security Program Webinar - February 2016Best Practices for a Mature Application Security Program Webinar - February 2016
Best Practices for a Mature Application Security Program Webinar - February 2016Security Innovation
 
App sec owasp from developers prospective
App sec owasp from developers prospectiveApp sec owasp from developers prospective
App sec owasp from developers prospectiveSecurity Innovation
 
Reducing Application Risk: minimizing your web application's attack surface
Reducing Application Risk: minimizing your web application's attack surfaceReducing Application Risk: minimizing your web application's attack surface
Reducing Application Risk: minimizing your web application's attack surfaceSecurity Innovation
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDubai Multi Commodity Centre
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxnull - The Open Security Community
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 

Contenu connexe

Dernier

TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 

Dernier (20)

TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 

En vedette

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsPixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfmarketingartwork
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summarySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentLily Ray
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesVit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project managementMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
 

En vedette (20)

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 

Reducing software risk: minimizing your application's attack surface

  • 1. Reducing Software Risk: Minimizing your Application’s Attack Surface Jason Taylor CTO Security Innovation About Security Innovation • Software and Crypto Security Experts – 10+ years research on vulnerabilities and cryptography – Hundreds of assessments on world’s most dominant software • Products, Services & Training – Software Assurance • white and black box assessments • secure development lifecycle and crypto consulting – Training & Guidance • eLearning, instructor-led, and secure coding standards – Data Encryption • fast, lightweight, patented, and future-proof • Helping organizations: – Build internal software security competency – Roll out secure software applications and products – Protect data in transit and while applications are accessing it 1
  • 2. Agenda • Objectives of Attack Surface Analysis and Reduction • Measuring and Reducing your Attack Surface • Conclusion A Software Application’s Attack Surface • Software exposes key business and customer assets via entry points: – user interfaces – web services – direct database access – network channels, pipes, files, APIs … • The entire collection of entry points in a product is called it’s Attack Surface – Set of ways in which adversaries can attack a software system – not limited to local resources; channels used to communicate with remote resources are vectors for attack • Big Attack Surface = Big Security Work= Big Security Problems – with big attack surface, you must spend more time making sure the code is excellent quality, conservative, and defensive 2
  • 3. Understanding Attack Surface • Attack Surface can Gauge Risk of Attack – Attack surface measures potential avenues of attack – Attack surface measures potential impact of an attack • Useful as a Metric in Design through Deployment – Measurement is both point-in-time and relative • Attacks over the years show that certain vectors are more likely to be opportunities of attack than others – Known (and un-patched) vulnerabilities – services running as privileged user root (in UNIX) are more likely to be targets of attack than services running as non-root users – files with full control (e.g., rwxrwxrwx) are more likely to be attacked than files with less generous permissions – symbolic links are highly likely to be used as enablers in attacks – Windows apps with VBScript, JScript, or ActiveX controls enabled are more likely to be enablers of attack than if such scripting engines and controls were disabled Main Goals of Attack Surface Reduction • Reduce the amount of code executing by default • Reduce the volume of code that is accessible to untrusted users by default • Close doors (access points) that can be easily opened/exploited • Limit the damage if the access point is exploited Bottom Line: Fend off Future Attacks 3
  • 4. Agenda • Objectives of Attack Surface Reduction • Measuring and Reducing your Attack Surface • Conclusion Common Metrics for Software Security • At CODE LEVEL – We count the number of bugs found – Not an ideal metric because: • It misses bugs that are not found (or fixed), perhaps the one that gets exploited • equal importance is given to all bugs, even though some bugs are easier to exploit than others • the exploit of one may result in more damage than the exploit of another • At the PRODUCT/SYSTEM level – We count the number of times a system version is mentioned in CERT, Microsoft Security Bulletins, MITRE CVEs, etc. – Not an ideal metric because it ignores the specific system configuration that gave rise to the vulnerability • whether a security patch has been installed • whether defaults are turned off • whether it always runs in system administrator mode. 4
  • 5. New Metric to Add: Attack Surface • Rather than count bugs at code level or vulnerability reports at system level, you can measure the avenues of attack – The counts of these “more likely to be attacked” features determine a system’s attack surface • Attack Surface attempts to measure security in relative terms – Useful as a delta measurement (i.e. v1.2 to v1.n of a product) – Not useful for comparing app to app or as stand-alone metric Measuring attack surface • Start with baseline, then measure each week – Define your minimal attack surface early on during design • If the attack surface count goes up, determine why and see if you can drive it back down – When engineers know you are measuring the attack surface, they may improve efforts Baseline Baseline + 1 month Comment 3 x TCP ports 2 x TCP ports Good; one fewer port to worry about. 1 x UDP port 2 x UDP port Which functionality opened the new UDP port? Why is it open by default? Is it authenticated? Is it restricted to a subnet? 2 x Services (both 3 x Services (2 x SYSTEM, Why is another service running by default? Why are any SYSTEM) 1 x LocalService) running as SYSTEM? 3 x ActiveX controls 4 x ActiveX controls Why is the new control installed? Is it safe for scripting? No additional user 1 x application account Turns out this is a member of the administrators group accounts too! Why? What's the password? 5
  • 6. Potential Uses for Attack Surface Measurement • Developers and architects can better prioritize testing efforts – If a software’s attack surface measurement is high, they may want to invest more in testing • Developers can use it as a guide while implementing patches of security vulnerabilities – A good patch should not only remove a vulnerability from a system, but also should not increase the system's attack surface. • Consumers can use it to guide their choice of configuration – Since a system's attack surface measurement is dependent on the system's configuration, software consumers would choose a configuration that results in a smaller attack surface exposure. • Risk Management/Corporate Security can understand their potential business exposure Attack Surface & Entry Points • To attack an application, attackers will – Identify entry points – Exploit the entry point or the backend exposed behind it – Try to deny legitimate users access to these entry points • In our software, we have to: – Understand the attack surface – Reduce it as much as possible – Test against it for exposed vulnerabilities • Mapping our Attack Surface – Architecture and design docs, code.. – But how many entry points are undocumented • Temporary files? Pipes? Network communication? Registry keys? Embeddable code? 6
  • 7. The Attack Surface Reduction Process • Look at all of your entry points – Network I/O – File I/O • Rank them – Authenticated versus anonymous – Administrator only versus user – Network versus local Attack Surface Reduction is as important as trying to get the code right It’s Not Just About Turning Stuff Off! Higher Attack Surface Lower Attack Surface Executing by default Off by default Open socket Closed socket Anonymous access Authenticated access Constantly on Intermittently on Admin access User access Internet access Local subnet access SYSTEM Not SYSTEM! Uniform defaults User-chosen settings Large code Small code Weak ACLs Strong ACLs 7
  • 8. Reducing your Attack Surface – Best Practices • Reduce the amount of code running by default • Reduce access to entry points by untrusted users – restrict access to network endpoints used by your application to the local subnet or IP range – limit access to network endpoints using authentication. • Reduce privilege to limit damage potential – Sandbox running code – Give higher permissions for as short a period as possible – Pay attention to trust boundaries • Define attack surface during design ASR Best Practices Reduce the Amount of Running Code • Apply the 80/20 rule – Ask yourself, "Do 80 percent of users/customers use this feature?“ – If the answer is no, then turn it off and make it easy to turn the feature back on • Services can’t be attacked if they are not running – All forms of dynamic Web content should be opt-in – If there is security defect in a service, this ensures that the only affected users are those actively running the service (versus all software users) • ASR is not just an "on or off" proposition – You can reduce attack surface by limiting who can access the code once it is running – This has an interesting side effect: many features are still usable, but are inaccessible by attackers (must have knowledge of access controls?) 8
  • 9. ASR Best Practices Reduce access to entry points by untrusted users • Example: Web Site – By default, most Web sites are accessible to all users – If the Web server limited access only to trusted users, or users on a specific subnet, then fewer users could take advantage of the defect – This is good because the code works for those who require the functionality – Restrict access to network endpoints used by your application to the local subnet or IP range. • To reduce the number of users who can communicate with potentially vulnerable code, authenticate before they can access the code – limit access to network endpoints using authentication. Simply validating the user reduces your component's attack surface. – most bad guys are unauthenticated, and by raising the authentication bar a little you can eliminate a large population of potential attackers. ASR Best Practices Reduce access to entry points by untrusted users • Pay attention to trust boundaries – Review the entire data flow from entry point to data store – Look for all the potential data flows, data stores, and processes that the code touches (code that an attacker can touch) – Determine what privilege is required to access that entry point – Can you raise the authorization bar? • Example: Code with only two network-facing entry points – One is anonymous and the other can only be accessed by administrators – Hacker is going to attack the code along the anonymous data path simply because they can • Not going to exercise the administrative code path because, if they can, then they are already an administrator (and your problems are only just starting)  As you review dataflow, look for anonymous threat paths. It may be prudent to raise the authorization bar on these paths 9
  • 10. ASR Best Practices Reduce privilege to limit damage potential • Even if your code has vulnerabilities, and you don’t limit access to the code, you can still reduce the damage potential by operating the code with reduced privileges – remove any privileges not explicitly required by the application • Example: Dangerous Backup Privilege – Any process running under an account with this privilege can read any file in the file system, regardless of the access control list (ACL) on the file – Wrong way run as SYSTEM, which has backup privilege, but also has restore, debug, and "act as part of operating system" privilege; and is an admin account too – Right Way: run service under a specific authenticated account that has this privilege Never run services as SYSTEM, or daemons as root, or user accounts with administrative rights unless you have exhausted all other possibilities Define Attack Surface During Design • When designing your application, outline what the attack surface will look like and identify the following: – The networking protocols you enabled by default – The endpoints that should support authentication and authorization. Focus on other anonymous endpoints – The off-by-default features • Look for code that auto-starts or will execute when accessed, such as services, daemons, ISAPI filters and applications, SOAP services, and Web roots – Reusable components (ActiveX® controls, COM objects, and .NET Framework assemblies, etc) – Process identities for all the code you run – User accounts installed When developers know early what the attack surface looks like, they can design and code defensively from the start 10
  • 11. Other Activities to help Minimize your Attack Surface • Threat Modeling – Identify threats and reduce risk – Identify trust boundaries – Discover entry points and design flaws • Design Review – Check design for attack surface reduction opportunities – Check design against threats uncovered in the threat model • Code Review – Increase awareness of secure coding principles – Discover dangerous code changes that can add vulnerabilities or impact attack surface Agenda • Objectives of Attack Surface Reduction • Measuring and Reducing your Attack Surface • Conclusion 11
  • 12. Conclusion • Use Attack Surface Reduction to reduce your overall security profile – Protect against the threats and vulnerabilities you don’t know about • Match attack surface risk to the level of effort devoted to secure design, development and testing – Include Attack Surface analysis as part of your overall strategy – Include design, development and test best practices as effective ways to minimize your attack surface and overall risk How Security Innovation can Help • Source Software Development Services – SDLC Process review – Design & Requirements Review – Code Review – Security Testing • eKnowledge products – Software and information security eLearning – Secure Development Knowledgebase and Guidance System • Data Encryption – Fastest, most secure cryptography available on the market 12
  • 13. eKnowledge Solutions for Secure Development TeamMentor: Secure Development Guidance System – Out of the box secure development standards and best practices for: • Secure Design • Secure Coding • Security Testing – How-to’s, how not-to’s, code snippets, attacks, checklists Software Security eLearning: – Introduction to Threat Modeling – Architecture Risk Analysis – Intro to Cryptography – Creating Secure Code – Web Vulnerabilities: Threats & Mitigations Try eLearning for free http://elearning.securityinnovation.com Free eLearning Course for Attending Introduction to Threat Modeling Creating Secure Code Fundamentals of Application Security Contact getsecure@securityinnovation.com jtaylor@securityinnovation.com 13