Risk-based Security Technical Debt Reduction: When everything’s important, nothing gets done
Laurie Williams
laurie_williams@ncsu.edu
Real People – Real Projects – Real Impact
Short(er) term focus
Evolvability
Maintainability
Security Risk
Think Like a Thief
• Put yourself in the mind of a thief … Plan a robbery!
• Choose a scenario that would have a high chance of success, lay out the details …
• How long do you think it would take to plan & execute the theft? How much would you hope to gain in terms of value ($ or otherwise)? What would be the effect of the theft on the victim?
4 minutes … be ready to share
Malicious Intent!
Value Ease
Enables
Oops! I didn’t mean to do that!
Value Ease
http://xkcd.com/1698
Theft Quadrants
Value
Ease
Evolvability
Maintainability
Security Risk
Computing Security Risk Exposure
Traditional Risk Exposure = probability of occurrence X impact of loss
NIST Security Risk Exposure = likelihood of threat-source exercising vulnerability X impact of adverse event on organization
Proposed Security Risk Exposure = ease of attack X value of asset
?
David the Detected
Edwin the Exploitable
Adam the Attack-prone
?
Shift efforts right
Larry the Latent
Many thanks!
With the very best of intentions … when everything’s important, nothing gets done.
Vulnerable components Checked in Secrets
State of Vulnerable Components
* Snyk: State of Open Source Dependencies 2019
Value Ease
Increases over time
Severity (e.g. CVSS)
Depth in dependency tree?
Popularity of package
Developer actions
• Git Notified*:
  • 262K GitHub projects; Jan 2017 – Dec 2018
  • 13% of vulnerable components fixed after GitHub notification
  • Pretty lame … but it can get worse ..
  • 9% of vulnerable components fixed after CVE notification but before GitHub notification
  • Tools are needed!
  • 40% fixed if notified at time of vulnerability-introducing commit
  • Shift left!
  • No difference in fix rate when considering severity
  • What’s up with that?
* Git Notified: Characterizing Vulnerable Dependency Alerts on GitHub
???
Don’t actually use the vulnerable part of the dependency
Don’t actually use the dependency
Dependency is in non-production code.
CVE / NVD
Advisories
13% are fixed – from the white or grey?
Some obscure package it’s unlikely an attacker would write an exploit for
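The slides list the inputs to an ease X value judgement for a vulnerable component (severity, depth in the dependency tree, whether the dependency is production code, whether the vulnerable part is even used) and, on the backup slide, the share of vulnerabilities that sit in indirect dependencies. The following is an added example, not code from the deck or from the Git Notified study, that turns those inputs into a triage order. The dependency graph, package names, CVSS scores and the weights (ease halves per tree level, unreachable code and dev-only dependencies cut ease sharply) are constructed assumptions, chosen so the ranking is easy to follow; a team would tune them to its own risk appetite.

```python
"""Risk-based triage of vulnerable-dependency alerts (added example).

Combines severity (value) with depth in the dependency tree, production vs.
non-production use, and reachability of the vulnerable code (ease) into one
ease X value score, instead of treating every alert as equally urgent.
All data below is constructed; weights are illustrative assumptions.
"""
from collections import deque
from dataclasses import dataclass

# Constructed dependency graph: package -> packages it depends on.
DEP_GRAPH = {
    "app": ["web-framework", "json-lib", "test-runner"],
    "web-framework": ["http-parser", "template-engine"],
    "http-parser": ["string-utils"],
    "template-engine": [],
    "json-lib": [],
    "test-runner": ["mock-lib"],
    "mock-lib": [],
    "string-utils": [],
}
DEV_ONLY_ROOTS = {"test-runner"}  # assumption: direct deps that are non-production code


@dataclass
class Alert:
    package: str
    cvss: float      # value side: severity of the vulnerability
    reachable: bool  # is the vulnerable function actually called?


def dependency_depths(graph, root="app"):
    """BFS from the root: depth 1 = direct dependency, >1 = indirect."""
    depths = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for child in graph.get(node, []):
            if child not in depths:
                depths[child] = depths[node] + 1
                queue.append(child)
    return depths


def production_packages(graph, root="app", dev_roots=DEV_ONLY_ROOTS):
    """Packages reachable from the root without passing through a dev-only root."""
    seen, stack = set(), [root]
    while stack:
        node = stack.pop()
        if node in seen or node in dev_roots:
            continue
        seen.add(node)
        stack.extend(graph.get(node, []))
    return seen


def score_alert(alert, depths, prod):
    """ease X value. Assumed weights: ease 1.0 for a direct dependency and
    halving per extra level; x0.2 if the vulnerable part is not reachable;
    x0.1 if the package is not in production code. Value is the CVSS score."""
    depth = depths.get(alert.package)
    if depth is None:          # not in our tree at all: nothing to fix
        return 0.0
    ease = 1.0 / (2 ** max(depth - 1, 0))
    if not alert.reachable:
        ease *= 0.2
    if alert.package not in prod:
        ease *= 0.1
    return round(ease * alert.cvss, 3)


def triage(alerts, graph=DEP_GRAPH):
    """Alerts ordered from most to least exposure, as (package, score) pairs."""
    depths = dependency_depths(graph)
    prod = production_packages(graph)
    scored = [(a.package, score_alert(a, depths, prod)) for a in alerts]
    return sorted(scored, key=lambda ps: ps[1], reverse=True)


def indirect_share(alerts, graph=DEP_GRAPH):
    """Fraction of alerts that are in indirect (depth > 1) dependencies."""
    depths = dependency_depths(graph)
    indirect = sum(1 for a in alerts if depths.get(a.package, 0) > 1)
    return indirect / len(alerts) if alerts else 0.0


SAMPLE_ALERTS = [  # constructed alerts, not real CVEs
    Alert("json-lib", cvss=9.8, reachable=True),
    Alert("string-utils", cvss=9.8, reachable=True),
    Alert("http-parser", cvss=7.5, reachable=False),
    Alert("mock-lib", cvss=9.0, reachable=True),
]

if __name__ == "__main__":
    for package, score in triage(SAMPLE_ALERTS):
        print(f"{package:14s} {score}")
    print("indirect share:", indirect_share(SAMPLE_ALERTS))
```

Two CVSS 9.8 alerts end up far apart: the direct, reachable `json-lib` stays at the top, while the same severity three levels down the tree scores a quarter of that. That is the point of the deck's "no difference in fix rate when considering severity" observation: severity alone is the value side of the product, and a tool that only reports CVSS gives developers no way to see which of the alerts is easy to exploit in their own build.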
Tools help … and are beginning to focus on risk
and more….
With the very best of intentions … when everything’s important, nothing gets done.
Value Ease
Varies wildly!
All code matters
Varies wildly!
Decreases over time
p(password/key works)
p(asset is still there)
Infrastructure as Code Security Smells*
Admin by default:                    $power_username='admin'
Empty password:                      password=>''
Hard-coded secret:                   $power_password='admin'
Invalid IP address binding:          $bind_host='0.0.0.0'
Suspicious comment:                  #FIXME(bogdando) remove these hacks after switched to systemd service.units
Use of HTTP without TLS:             $quantum_auth_url = 'http://127.0.0.1:35357/v2.0'
Use of weak cryptography algorithm:  password => ht_md5($power_password)
* Gang of Eight: A Defect Taxonomy for Infrastructure as Code Scripts
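Each of the seven smells on the slide has a recognisable textual shape in a Puppet manifest, which is why they can be found statically. The detector below is an added example, not the deck's code and not the analysis tool from the cited paper: one regular expression per smell, run line by line over the slide's own snippet (curly quotes replaced by straight ones). The patterns are assumptions tuned to that snippet; a production linter would parse the manifest rather than grep it, and would need allow-lists (a `0.0.0.0` bind is fine behind a firewall, an `http://` URL to localhost may be intentional) to keep the findings actionable.

```python
"""Detect the seven IaC security smells from the slide in Puppet-style lines.

Added example: simple regular-expression rules, one per smell. The rule
patterns are assumptions tuned to the snippet on the slide; a real linter
would parse the manifest instead of matching text.
"""
import re

SMELL_RULES = [
    ("Admin by default",
     re.compile(r"user(name)?\s*(=>|=)\s*['\"]admin['\"]", re.I)),
    ("Empty password",
     re.compile(r"(password|passwd|pwd)\s*(=>|=)\s*['\"]{2}", re.I)),
    ("Hard-coded secret",
     re.compile(r"\$?\w*(password|secret|token|key)\w*\s*(=>|=)\s*['\"][^'\"]+['\"]", re.I)),
    ("Invalid IP address binding",
     re.compile(r"['\"]0\.0\.0\.0['\"]")),
    ("Suspicious comment",
     re.compile(r"#.*\b(FIXME|TODO|HACK|XXX|BUG)\b", re.I)),
    ("Use of HTTP without TLS",
     re.compile(r"['\"]http://", re.I)),
    ("Use of weak cryptography algorithm",
     re.compile(r"\b\w*(md5|sha1)\w*\s*\(", re.I)),
]


def detect_smells(script_text):
    """Return (line_number, smell, line) for every rule that hits a line."""
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        for smell, pattern in SMELL_RULES:
            if pattern.search(line):
                findings.append((lineno, smell, line.strip()))
    return findings


def smell_summary(script_text):
    """Map each smell name to the number of lines it was found on."""
    counts = {smell: 0 for smell, _ in SMELL_RULES}
    for _, smell, _ in detect_smells(script_text):
        counts[smell] += 1
    return counts


# The slide's own snippet, one smell per line, with straight quotes.
SAMPLE_MANIFEST = """\
$power_username='admin'
password=>''
$power_password='admin'
$bind_host='0.0.0.0'
#FIXME(bogdando) remove these hacks after switched to systemd service.units
$quantum_auth_url = 'http://127.0.0.1:35357/v2.0'
password => ht_md5($power_password)
"""

if __name__ == "__main__":
    for lineno, smell, line in detect_smells(SAMPLE_MANIFEST):
        print(f"line {lineno}: {smell:36s} {line}")
```

Run on the slide's snippet the detector reports exactly one smell per line, in the order the slide lists them; a manifest binding to `127.0.0.1` and using a non-empty, non-admin password produces no finding. Counting hits per smell across a repository gives the per-dataset proportions the next slide charts.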
Frequency of Security Smells (chart): proportion of scripts (%) affected by each smell, per dataset (GitHub, Mozilla, Openstack, Wikimedia); smells: AdminByDefault, EmptyPassword, HardCodedSecret, InvalidIPAddressBinding, SuspiciousComments, HTTPWithoutTLS, WeakCryptoAlgorithm; y-axis 0–30%.
GitHub Analysis
• “billions of files”
• Private key files
• 11 high-impact platforms with distinctive API key formats
• Secret leakage in 100,000 repositories … thousands of new, unique secrets are leaked every day.
• Committing cryptographic key files and API keys embedded directly in code are the main causes of leakage.
How Bad Can It Git? Characterizing Secret Leakage in Public GitHub Repositories
Protection Poker
Secret    Ease Points  Value Points  Security Risk  Ranking
Secret 1        1          100           100           3
Secret 2        5            0             0           6
Secret 3        5            0             0           6
Secret 4       20            5           100           3
Secret 5       13           13           169           2
Secret 6        1           40            40           5
Secret 7       40           60          2400           1
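The table applies the proposed exposure formula from earlier in the deck (ease of attack X value of asset) to each checked-in secret and ranks the products, with ties sharing a rank and the following rank skipped (two secrets at 100 both rank 3, and the next one ranks 5). The code below is an added example, not the deck's own; it takes the slide's point values as input and reproduces the Security Risk and Ranking columns, so a team can re-run the ranking as points change or as secrets are rotated.

```python
"""Protection Poker style ranking of checked-in secrets by ease X value.

Added example. Computes the proposed security risk exposure
(ease of attack X value of asset) per item and assigns competition ranks
(1, 2, 3, 3, 5, 6, 6), which reproduces the ranking column on the slide.
"""
from dataclasses import dataclass


@dataclass
class Item:
    name: str
    ease: int   # ease points from the poker round
    value: int  # value points from the poker round

    @property
    def exposure(self):
        """Proposed security risk exposure: ease of attack X value of asset."""
        return self.ease * self.value


def rank_by_exposure(items):
    """Return {name: (exposure, rank)}; equal exposures share a rank and the
    rank after a tie is skipped (competition ranking)."""
    ordered = sorted(items, key=lambda i: i.exposure, reverse=True)
    result, rank, previous = {}, 0, None
    for position, item in enumerate(ordered, start=1):
        if item.exposure != previous:
            rank, previous = position, item.exposure
        result[item.name] = (item.exposure, rank)
    return result


def work_order(items, top_n):
    """Names to fix first: best rank first, ties broken by name for stability."""
    ranked = rank_by_exposure(items)
    return sorted(ranked, key=lambda n: (ranked[n][1], n))[:top_n]


# The slide's table: (name, ease points, value points).
SLIDE_TABLE = [
    Item("Secret 1", 1, 100), Item("Secret 2", 5, 0), Item("Secret 3", 5, 0),
    Item("Secret 4", 20, 5), Item("Secret 5", 13, 13), Item("Secret 6", 1, 40),
    Item("Secret 7", 40, 60),
]

if __name__ == "__main__":
    for name, (exposure, rank) in rank_by_exposure(SLIDE_TABLE).items():
        print(f"{name}: exposure={exposure:5d} rank={rank}")
    print("fix first:", work_order(SLIDE_TABLE, 3))
```

Secret 2 and Secret 3 illustrate why the product matters: they are moderately easy to reach (5 ease points) but guard nothing of value, so they rank last, while Secret 6 is hard to reach but valuable enough to outrank them. Because the slide notes that ease for a leaked secret decreases over time (the chance that the key still works and that the asset is still there), the ease points are worth re-estimating when the ranking is revisited.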
Tools can help
• Statically identify secrets
• Machine learning to reduce false positives
• Notify upon check in (shift left)
• But, all secrets are “equal” …
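The first three bullets describe the shape of a check-in hook: match the distinctive formats the GitHub analysis slide mentions (private key files, platform-specific API key formats), filter the noisy generic hits, and report before the commit lands. The scanner below is an added example, not the deck's code and not any named secret-scanning product. It uses a PEM private-key header and the AWS access key ID format (AKIA followed by 16 upper-case alphanumerics) as format rules, and a Shannon-entropy threshold as a simple stand-in for the machine-learning false-positive filter. The staged file contents are constructed; the AWS key is Amazon's documented placeholder example key, not a real credential. It also shows the fourth bullet's limitation: every high-confidence hit blocks the commit equally, and ranking them by value and ease is a separate step.

```python
"""Static secret detection with a check-in gate (added example).

Format rules catch the distinctive shapes; a generic "secret-looking
assignment" rule is kept only when the value's entropy is high, which
removes obvious placeholders. All file contents below are constructed.
"""
import math
import re

FORMAT_RULES = {
    "private key file": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# A long quoted value assigned to a secret-looking name; needs the entropy check.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([^'\"]{16,})['\"]")
ENTROPY_THRESHOLD = 3.5  # bits per character; an assumed cut-off


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path, text):
    """Return (path, line_no, kind, confidence) findings for one file."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for kind, rx in FORMAT_RULES.items():
            if rx.search(line):
                findings.append((path, no, kind, "high"))
        m = GENERIC_ASSIGNMENT.search(line)
        if m:
            value = m.group(2)
            conf = "high" if shannon_entropy(value) >= ENTROPY_THRESHOLD else "low"
            findings.append((path, no, "generic secret assignment", conf))
    return findings


def precommit_verdict(staged):
    """staged: {path: text}. Returns (blocked, findings); blocked is True when
    any high-confidence finding exists, so the check-in can be refused."""
    all_findings = [f for p, t in staged.items() for f in scan_text(p, t)]
    blocked = any(conf == "high" for _, _, _, conf in all_findings)
    return blocked, all_findings


STAGED = {  # constructed sample of files staged for commit
    "config/settings.py": 'API_KEY = "placeholder_value_here"\nDEBUG = True\n',
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIE... (constructed, truncated)\n"
                     "-----END RSA PRIVATE KEY-----\n",
    "scripts/upload.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
}

if __name__ == "__main__":
    blocked, findings = precommit_verdict(STAGED)
    for path, no, kind, conf in findings:
        print(f"{path}:{no}: {kind} ({conf})")
    print("commit blocked" if blocked else "commit allowed")
```

On the constructed input the placeholder in `settings.py` is reported at low confidence (its entropy is about 3.35 bits per character, under the threshold), while the key file and the AWS-format key are high-confidence hits and block the commit. The entropy filter is deliberately crude: it will miss a real secret that happens to be a dictionary word and will pass a random-looking placeholder, which is the gap the deck's machine-learning bullet is aimed at.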
Technical Debt: 3D
Evolvability
Maintainability
Security Risk
Value Ease
Be compassionate …. For the good of the product and the engineer … be driven by risk
Edwin the Exploitable
Adam the Attack-prone
Vulnerabilities in indirect dependencies account for 78% of overall vulnerabilities.
Risk of a vulnerability in a dependency of a dependency of a dependency of a dependency? (Unknown)
* Snyk: State of Open Source Dependencies 2019