A Scientific Approach to Software Security
Dennis Fisher
May 15, 2012
The Kaspersky Lab Security News Service
Software security pre-history

In the beginning, things were OK
• Defenders had the advantage
• Computers were rare, code was impenetrable
  • Few people understood how to break software
• Computers were isolated
  • Not accessible to outside attackers
  • Physically secured
• Software was written by professionals
  • Purpose-built applications
  • No Web to worry about
[Image slides: Software security pre-history. Source: Wikipedia]
Bugs were kind of cute
• Seen as problems to be solved
  • Bugs were studied as oddities, artifacts of the development process
  • Defects rather than vulnerabilities
• Developers learned actual lessons from mistakes
  • Information was shared
• Mostly unreachable by attackers
  • Needed local access, intimate knowledge of the software
  • Writing exploits was really hard
And then this happened

The game changed completely
Microsoft ruled the world
• Windows was ubiquitous
• Software monoculture that gave attackers an advantage
  • Write once, hit many
• Vulnerabilities abounded
  • Buffer overflows
  • Memory corruption
• Security was an afterthought at best
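The buffer-overflow class the slide names, shown as an added illustration that is not part of the presentation: a fixed-size record field written with an unbounded strcpy(), the idiom much pre-SDL C code relied on, beside a bounded version that rejects over-long input and leaves the adjacent field untouched. The struct record, its field names and the sample inputs are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* fixed-size field, as in a 1990s-style record layout (constructed) */

/* Constructed record: a flag sits directly after the name buffer, so an
 * overflow of name[] lands on something security-relevant. */
struct record {
    char name[NAME_MAX];
    int  privileged;
};

/* "Before": the idiom the slide alludes to. strcpy() stops only at the NUL
 * terminator, so any input of NAME_MAX or more characters writes past name[]
 * into the following field. Kept for contrast only; it is never called here. */
void set_name_unsafe(struct record *r, const char *input)
{
    strcpy(r->name, input);   /* no length check: the classic overflow */
}

/* "After": bound the scan by the destination size, refuse input that would not
 * fit with its terminator (rather than silently truncating), and always leave
 * the field NUL-terminated. memchr() is standard C and stops at the first NUL,
 * so it never reads past the end of a short input. */
bool set_name_safe(struct record *r, const char *input)
{
    const char *nul = memchr(input, '\0', NAME_MAX);
    if (nul == NULL) {
        return false;                     /* NAME_MAX bytes with no terminator: too long */
    }
    size_t len = (size_t)(nul - input);   /* at most NAME_MAX - 1 */
    memcpy(r->name, input, len);
    r->name[len] = '\0';
    return true;
}

/* Returns true if the flag next to the buffer is unchanged after a bounded
 * copy attempt, whatever the input length. */
bool privileged_untouched_after(const char *input)
{
    struct record r = { "", 0 };
    (void)set_name_safe(&r, input);
    return r.privileged == 0;
}

int main(void)
{
    struct record r = { "", 0 };
    /* constructed sample inputs */
    const char *short_name = "alice";
    const char *long_name  = "this-name-is-much-longer-than-sixteen-bytes";

    printf("short accepted: %d\n", set_name_safe(&r, short_name));
    printf("long accepted:  %d\n", set_name_safe(&r, long_name));
    printf("name is still:  %s\n", r.name);
    printf("flag intact:    %d\n", privileged_untouched_after(long_name));
    return 0;
}
```

The rejected copy leaves the record exactly as it was, which is the property a bounded API gives you and an unbounded one cannot; the same shape of fix (size-aware copy, explicit failure on over-long input) is what SDL-era banned-function lists pushed developers toward.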
Pain begets change
The Trustworthy Computing era
• Focus on security over features
• Development of SDLC process
• Becomes a model for the industry and financial services companies

[Image slide: Microsoft’s SDLC. Source: Microsoft]
Software security matures
The emergence of BSIMM
• Comprehensive maturity model for software security programs
• Developed through study of dozens of organizations’ programs
• Describes 109 discrete activities across four domains

[Image slide: participating firms, including Intel, plus eleven unnamed firms]

[Image slide: A framework for success. Source: BSIMM]
Case study: Adobe

Starting from zero (day)
Adobe was the new Microsoft
• Huge installed base of vulnerable users
• Old development practices with no rigorous approach to threat modeling or code quality
• Common set of vulnerabilities and weaknesses across applications

Pain begets change
[Figure: Adobe Reader exploits by month in 2008, indexed to the monthly average for 2H08 (July through December 2008)]
Reader 9 vs. Reader X
The importance of the SDL
• Reader 9 was developed without the current SDL or security as a priority
• Reader 9 was the target of a high volume of malware
• Helped spur a company-wide change in practices and priorities

The importance of the SDL
• Adobe implemented a rigorous software security program beginning in early 2009
• Included training and threat modeling and lessons learned from Microsoft’s SDL experience
• Reader X developed with SDL in place, implementation of a sandbox and anti-exploit technologies

Results
• Reader 9 had nine publicly disclosed zero-day vulnerabilities
• Reader X has NO zero days to date
• Attackers have largely moved on to other products as main targets
Conclusions
Better software through science
• Software security is gradually becoming a priority
• Mature, formalized programs are having a measurable effect on defects and attacks
• Internal development organizations can watch and learn from successes of vendors