Centre for Cyber Security - gotocon.com/dl/goto-cph-2015/slides/thomaskristmar...


Centre for Cyber Security

Thomas Kristmar, Centre for Cyber Security, Danish Defence Intelligence Service

05-10-2015


Who are we?

Centre for Cyber Security

In respect of the Rule of Law and Privacy – Cyber is a priority (Gov. Declaration, Oct 2011)

National Centre of excellence in Cyber Security

DK Defence Intelligence Service


SDLC - Theory

Actual SDLC

Requirements: too costly / too late

Ship & Fix in future release


Example – SSL certificates

Example – Directory Traversal

“Those who don't know history are doomed to repeat it.”


Societal Impact


Risk

Know your code

http://qz.com/501073/the-top-100-passwords-on-ashley-madison/

XcodeGhost http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/

Password      Number of users
123456        120511
12345         48452
password      39448
DEFAULT       34275
123456789     26620
qwerty        20778

Risk

Don’t implement your own crypto

Pixie Dust Attacks (flaw in three implementations of WPS)

https://docs.google.com/spreadsheets/d/1tSlbqVQ59kGn8hgmwcPTHUECQ3o9YhXR91A_p7Nnj5Y/edit?pli=1#gid=2048815923

And please don't hardcode passwords

CVE-2014-0329: DSL routers contain a hardcoded password

Risk

Open source isn’t secure by default

CVE-2014-0160 (Heartbleed, OpenSSL)

CVE-2014-6271 (Shellshock, Bash)

Lessons Learned

Know your code AND be able to update

Don’t implement your own crypto

Open source isn’t secure by default

Read OWASP / SDLC AND do threat modeling


Thank you for your attention
