Software Security Austerity
Security Debt in Modern Software Development
Ollie Whitehouse, Associate Director, NCC Group
44CON 2012
Agenda

• Introduction
• Software Security Debt
• Debt Management
• Conclusions
Before we begin…

    metaphor abuse warning!
… before we begin part 2…

 there is a white paper available
Security debt
Technical debt

"Shipping first time code is like going into debt. A little debt speeds development so long as it is paid back promptly with a rewrite. The danger occurs when the debt is not repaid. Every minute spent on not-quite-right code counts as interest on that debt."
Security debt…

• Present in all software
• Analogous to development and bugs
    • security is just a type of bug
• Analogous to development and tech debt
• The trade-off between
   • fix everything and ship nothing, versus
   • fix only the critical, versus
   • real-world business
Security debt…

• You get good…
• … and you get a new problem: too many vulnerabilities!
• You focus on just the critical / serious…
• … and the low / medium mountain grows
Security debt – types?



• Known – identified, but yet to be addressed

• Unknown – latent issues yet to be discovered
Security debt – source?

• Self – my development
• Supply chain – my outsourced development
• Dependency – COTS component use without formal support
Security debt and SDLs

• SDL does not mean 0 debt
• SDL means known security debt
   • with a repayment plan
• No SDL means latent security debt
   • with no repayment plan
• SDL means more bugs than resources
   • quite quickly / in the short to medium term
• SDL means accelerated discovery
   • you get too good
Security debt and SDLs

• Why accelerated discovery?
   • requirements reviews
   • static code analysis
   • manual code analysis
   • automated testing (fuzzing)
   • increased awareness and knowledge
   • root cause analysis and variations
Accruing debt based on risk

• Financial cost versus
    • Revenue
    • Cost of incident response
    • Brand impact
    • Liability
• Time cost versus
    • Resources
    • Time to market
    • Financial costs
Accruing debt based on risk

• Impact versus
    • Discovery
    • Mitigations
    • Complexity and
      prerequisite conditions
    • Access requirements
    • Market expectation
Latent debt resilience

• Latent debt will always exist
    • through own activities
    • through suppliers
    • through dependencies
• The need to feed upstream
• The need to build resilient software
Debt Management
Why we care

• Client expectation
• Regulatory requirements
• Increasing cost of debt
• Attacker capability evolution
• Increased external focus
Assigning interest rates to security debt


• Interest rate = Priority

• Priority = risk

• Risk = informed
Assigning interest rates to security debt



 Threat = f (Motivation, Capability, Opportunity, Impact)
Assigning interest rates to security debt




               DREAD
Assigning interest rates to security debt




                 CVSS
Assigning interest rates to security debt

• Impact
• Distribution
• Disclosure
• Likelihood of discovery
• Presence of mitigations
• Complexity of exploitation
• Access requirements
• Customer expectation
Repayment – New version requirements
Repayment – Severity prioritization


• Next release (any type)
• Next release (major version)
• Next release +1 (any type)
• Next release +2 (any type)
• Next release +3 (any type)
Repayment – Percentage reduction

          Severity   Percentage to be resolved
          Critical   100%
          Serious     50%
          Moderate    30%
          Low         20%
          Other       0 to 5%
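The following is an added worked example, not code from the deck or from NCC Group. It turns the "interest rate" factors listed earlier (impact, distribution, disclosure, likelihood of discovery, mitigations, exploit complexity, access requirements, customer expectation) into a priority score, applies the percentage-reduction repayment table above to a backlog, and then simulates a few releases with a steady inflow of newly discovered findings so the size of the remaining "mountain" can be compared against a fix-only-the-critical policy. The factor weights, the 5 % chosen for "Other", the sample backlog and the inflow rate are all assumptions made for the illustration; the deck lists the factors and percentages but prescribes no scoring formula.

```python
import math
from dataclasses import dataclass

# Repayment policy from the deck's table: share of the open findings of each
# severity that must be resolved in the next release. "Other" is given as
# 0 to 5 %; the upper end (5 %) is assumed here.
PERCENT_TO_RESOLVE = {
    "Critical": 1.00,
    "Serious": 0.50,
    "Moderate": 0.30,
    "Low": 0.20,
    "Other": 0.05,
}

# The pure "fix only the critical" approach, for comparison.
CRITICAL_ONLY = {"Critical": 1.00, "Serious": 0.0, "Moderate": 0.0, "Low": 0.0, "Other": 0.0}

# Constructed inflow: findings per severity discovered during each release cycle.
STEADY_INFLOW = {"Critical": 1, "Serious": 2, "Moderate": 3, "Low": 3}


@dataclass(frozen=True)
class Finding:
    ident: str
    severity: str
    impact: int                # 1 (low) .. 5 (high)
    distribution: int          # 1 .. 5: how widely the affected build is deployed
    disclosed: bool            # already publicly disclosed?
    discovery_likelihood: int  # 1 .. 5
    mitigated: bool            # compensating mitigation in place?
    exploit_complexity: int    # 1 (trivial) .. 5 (very hard)
    access_required: int       # 1 (anonymous, remote) .. 5 (privileged, local)
    customer_expectation: int  # 1 .. 5: how strongly customers expect a fix


def interest_rate(f: Finding) -> int:
    """Priority score ('interest rate') built from the deck's eight factors.
    The weights are an assumption for illustration only."""
    score = 2 * f.impact + f.distribution + f.discovery_likelihood + f.customer_expectation
    score += (6 - f.exploit_complexity) + (6 - f.access_required)  # easier to exploit -> higher
    if f.disclosed:
        score += 5   # public disclosure raises the interest rate sharply
    if f.mitigated:
        score -= 3   # an existing mitigation buys time
    return score


def plan_release(backlog, policy):
    """Select the findings to fix in the next release: for each severity, the
    policy's share of open items (rounded up, so any non-zero share fixes at
    least one item), highest interest rate first. Returns their identifiers."""
    chosen = []
    for severity, share in policy.items():
        items = sorted((f for f in backlog if f.severity == severity),
                       key=interest_rate, reverse=True)
        quota = math.ceil(len(items) * share)
        chosen.extend(f.ident for f in items[:quota])
    return chosen


def simulate(backlog, policy, inflow, releases):
    """Apply the policy release after release while new findings keep arriving.
    Returns the open backlog size entering each subsequent release."""
    open_items = list(backlog)
    sizes = []
    for r in range(1, releases + 1):
        fixed = set(plan_release(open_items, policy))
        open_items = [f for f in open_items if f.ident not in fixed]
        for sev, count in inflow.items():
            for i in range(count):  # constructed new findings with mid-range factors
                open_items.append(Finding(f"{sev[0]}-r{r}-{i}", sev, 3, 3, False, 3, False, 3, 3, 3))
        sizes.append(len(open_items))
    return sizes


def sample_backlog():
    """Constructed backlog of eleven open findings across all severities."""
    F = Finding
    return [
        F("C-1", "Critical", 5, 5, True, 5, False, 1, 1, 5),
        F("S-1", "Serious", 4, 4, False, 3, False, 2, 1, 4),
        F("S-2", "Serious", 4, 2, False, 2, True, 3, 2, 3),
        F("S-3", "Serious", 3, 3, True, 4, False, 2, 3, 4),
        F("M-1", "Moderate", 3, 2, False, 2, False, 3, 3, 2),
        F("M-2", "Moderate", 2, 4, False, 3, True, 4, 2, 2),
        F("M-3", "Moderate", 3, 3, False, 1, False, 2, 4, 3),
        F("M-4", "Moderate", 2, 2, False, 2, False, 5, 5, 1),
        F("L-1", "Low", 1, 5, False, 2, False, 4, 4, 1),
        F("L-2", "Low", 2, 1, False, 1, True, 5, 5, 1),
        F("O-1", "Other", 1, 1, False, 1, True, 5, 5, 1),
    ]


if __name__ == "__main__":
    backlog = sample_backlog()
    print("next release:", plan_release(backlog, PERCENT_TO_RESOLVE))
    print("percentage policy, open debt per release:", simulate(backlog, PERCENT_TO_RESOLVE, STEADY_INFLOW, 3))
    print("critical-only policy, open debt per release:", simulate(backlog, CRITICAL_ONLY, STEADY_INFLOW, 3))
```

With the constructed inputs, the percentage policy leaves 13, 16 and 18 open findings after three releases, while fixing only the critical items leaves 19, 27 and 35: both backlogs grow under a steady inflow, but the percentage policy slows the growth of the low and medium mountain that the deck warns about.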
Repayment – Forced
Debt Expiry
Debt Overhang


• Stewart Myers paper (1977)
  ‘Determinants of Corporate Borrowing’

• Debt mountain equals death by a thousand cuts

• Leading to inability to accrue more security debt

• Leading to slower innovation
Strategic Debt Restructuring
Bankruptcy
Non Repayment – Consequence Planning


"We may be at the point of diminishing returns by trying to buy down vulnerability," the general observed. Instead, he added, "maybe it's time to place more emphasis on coping with the consequences of a successful attack, and trying to develop networks that can 'self-heal' or 'self-limit' the damages inflicted upon them."
Conclusions

• Zero debt is not good business practice
• SDLs enable debt discovery and repayment
• A pure risk approach allows the mountain to grow
• Outsourcing carries risk of larger latent debt
• A mature model is to understand and plan payment
• … while educating upstream
• … while paying down the mountain
• … while still using risk
Thanks! Questions?



 UK Offices: Manchester (Head Office), Cheltenham, Edinburgh, Leatherhead, London, Thame
 North American Offices: San Francisco, Atlanta, New York, Seattle
 Australian Offices: Sydney
 European Offices: Amsterdam (Netherlands), Munich (Germany), Zurich (Switzerland)

 Ollie Whitehouse
 ollie.whitehouse@nccgroup.com

Connect Wave/ connectwave Pitch Deck Presentation
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 

Software Security Austerity - 44CON 2012

Accruing debt based on risk

• Financial cost versus
   • Revenue
   • Cost of a response incident
   • Brand impact
   • Liability
• Time cost versus
   • Resources
   • Time to market
   • Financial costs

Accruing debt based on risk

• Impact versus
   • Discovery
   • Mitigations
   • Complexity and prerequisite conditions
   • Access requirements
   • Market expectation

Latent debt resilience

• Latent debt will always exist
   • through own activities
   • through suppliers
   • through dependencies
• The need to feed upstream
• The need to build resilient software

Why we care

• Client expectation
• Regulatory requirements
• Increasing cost of debt
• Attacker capability evolution
• Increased external focus

Assigning interest rates to security debt

• Interest rate = Priority
• Priority = risk
• Risk = informed

Assigning interest rates to security debt

Threat = f (Motivation, Capability, Opportunity, Impact)

Assigning interest rates to security debt

DREAD

Assigning interest rates to security debt

CVSS

Assigning interest rates to security debt

• Impact
• Distribution
• Disclosure
• Likelihood of discovery
• Presence of mitigations
• Complexity of exploitation
• Access requirements
• Customer expectation

Repayment – New version requirements

Repayment – Severity prioritization

• Next release (any type)
• Next release (major version)
• Next release +1 (any type)
• Next release +2 (any type)
• Next release +3 (any type)

Repayment – Percentage reduction

Severity   Percentage to be resolved
Critical   100%
Serious    50%
Moderate   30%
Low        20%
Other      0 to 5%
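The two repayment slides above, worked through as an added example that is not part of the deck or NCC Group's own material: a small Python planner that applies the percentage-reduction table to an open backlog release by release and contrasts the resulting debt mountain with a "fix only the critical" approach. The per-release inflow figures are constructed sample data, and "Other" (given as 0 to 5%) is taken as 5%; both are assumptions.

```python
"""Added example (not from the slides or NCC Group): a planner for the
"percentage reduction" repayment policy, compared with a "fix only the
critical" policy. Severity labels and percentages are the slide's; the
inflow figures below are constructed sample data."""
from collections import Counter

# Share of the open findings at each severity that must be resolved in
# each release. "Other" is given as 0 to 5%; 5% is assumed here.
REPAYMENT_PERCENT = {"critical": 100, "serious": 50, "moderate": 30,
                     "low": 20, "other": 5}

# Constructed sample inflow: new findings discovered per release.
SAMPLE_INFLOW = {"critical": 1, "serious": 2, "moderate": 4, "low": 6}


def release_quota(backlog):
    """Findings to fix in the next release, per severity. Integer ceiling
    so a single lone open finding is never deferred indefinitely."""
    open_counts = Counter(f["severity"] for f in backlog if f["fixed"] is None)
    return {sev: (n * REPAYMENT_PERCENT[sev] + 99) // 100
            for sev, n in open_counts.items()}


def plan_release(backlog, release):
    """Assign the quota's worth of the oldest open findings to `release`."""
    quota = release_quota(backlog)
    for f in sorted(backlog, key=lambda f: f["found"]):
        if f["fixed"] is None and quota.get(f["severity"], 0) > 0:
            f["fixed"] = release
            quota[f["severity"]] -= 1
    return backlog


def simulate(inflow, releases, policy):
    """Size of the open debt mountain after each release. `policy` is
    "critical_only" (a pure risk approach) or "percentage" (the table)."""
    backlog, history = [], []
    for r in range(1, releases + 1):
        for sev, n in inflow.items():
            backlog += [{"severity": sev, "found": r, "fixed": None}
                        for _ in range(n)]
        if policy == "critical_only":
            for f in backlog:
                if f["severity"] == "critical" and f["fixed"] is None:
                    f["fixed"] = r
        else:
            plan_release(backlog, r)
        history.append(sum(1 for f in backlog if f["fixed"] is None))
    return history


if __name__ == "__main__":
    for policy in ("critical_only", "percentage"):
        print(policy, simulate(SAMPLE_INFLOW, 6, policy))
```

With the sample inflow the critical-only mountain grows by twelve findings every release, while the percentage policy keeps the low and moderate pile growing far more slowly; tuning the percentages against the inflow is the planning exercise the slides describe.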
Debt Overhang

• Stewart Myers paper (1977) ‘Determinants of Corporate Borrowing’
• Debt mountain equals death by a thousand cuts
• Leading to inability to accrue more security debt
• Leading to slower innovation

Non Repayment – Consequence Planning

"We may be at the point of diminishing returns by trying to buy down vulnerability," the general observed. Instead, he added, "maybe it’s time to place more emphasis on coping with the consequences of a successful attack, and trying to develop networks that can 'self-heal' or 'self-limit' the damages inflicted upon them."

Conclusions

• Zero debt is not good business practice
• SDLs enable debt discovery and repayment
• A pure risk approach allows the mountain to grow
• Outsourcing carries risk of larger latent debt
• A mature model is to understand and plan payment
   • … while educating upstream
   • … while paying down the mountain
   • … while still using risk

Thanks! Questions?

UK Offices
Manchester - Head Office
Cheltenham
Edinburgh
Leatherhead
London
Thame

North American Offices
San Francisco
Atlanta
New York
Seattle

Australian Offices
Sydney

European Offices
Amsterdam - Netherlands
Munich - Germany
Zurich - Switzerland

Ollie Whitehouse
ollie.whitehouse@nccgroup.com