Leveraging Static Analysis to Secure Software

Parasoft © 2014 | 12/12/14 | Arthur Hicken – Parasoft, December 2014

Upload: parasoft

Post on 09-Jan-2017


TRANSCRIPT

Leveraging Static Analysis to Secure Software
Arthur Hicken – Parasoft, December 2014

GoToWebinar Housekeeping

Your Participation
§ Open and hide your control panel
§ Join audio:
  • Choose "Mic & Speakers" to use VoIP
  • Choose "Telephone" and dial using the information provided
§ Submit questions and comments via the Questions panel

Note: Today's presentation is being recorded and will be provided within a week.

Agenda

§ Street Santas everywhere
§ Attack surfaces growing
§ Which should I allow
§ Can't I just shut the chimney?
§ Impractical in today's cloud world
§ Security Best Practices

SantaQL Injection

§ Common
§ Easy to exploit
§ Easy to prevent
  • Data validation
  • Stored procedures
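The slide's three points in code, as an added example that is not part of the original deck: a lookup built by string concatenation beside the same lookup with a bound parameter, and with allow-list validation in front of it. Python's standard sqlite3 module stands in for whatever database the deck had in mind; the gifts table, its rows and the recipient-name rule are constructed for the demo. One caveat on the slide's second prevention point: a stored procedure only helps if it does not itself assemble dynamic SQL from its arguments; the bound parameter shown here is what actually keeps data out of the query grammar.

```python
"""Vulnerable vs. hardened lookup against an in-memory SQLite table.

Added example for the SantaQL Injection slide; not code from the original deck.
The table, rows and the recipient-name rule below are constructed for the demo.
"""
import re
import sqlite3

# Constructed sample data: what each recipient is getting.
ROWS = [
    ("alice", "bicycle"),
    ("bob", "train set"),
    ("carol", "telescope"),
]

# Classic payload: closes the quoted literal and appends an always-true clause.
INJECTION = "nobody' OR '1'='1"

# Allow-list for recipient names (an assumed rule for this demo): lowercase
# start, then up to 31 more of [a-z0-9_]. A quote or a space can never pass.
RECIPIENT_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def make_db() -> sqlite3.Connection:
    """Create and populate a throwaway in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE gifts (recipient TEXT, gift TEXT)")
    conn.executemany("INSERT INTO gifts VALUES (?, ?)", ROWS)
    return conn


def gifts_for_vulnerable(conn, recipient: str) -> list:
    """INTENTIONALLY VULNERABLE: the value is spliced into the SQL text, so a
    quote in `recipient` lets the caller rewrite the WHERE clause."""
    sql = "SELECT gift FROM gifts WHERE recipient = '" + recipient + "'"
    return sorted(row[0] for row in conn.execute(sql))


def gifts_for_parameterized(conn, recipient: str) -> list:
    """Hardened: the value is bound as a parameter. The driver sends it as
    data, so it can match a literal name but never change the query shape."""
    sql = "SELECT gift FROM gifts WHERE recipient = ?"
    return sorted(row[0] for row in conn.execute(sql, (recipient,)))


def is_valid_recipient(recipient: str) -> bool:
    """Data validation: accept only names matching the allow-list."""
    return RECIPIENT_RE.fullmatch(recipient) is not None


def gifts_for_validated(conn, recipient: str) -> list:
    """Defence in depth: reject malformed input first, then still bind it."""
    if not is_valid_recipient(recipient):
        raise ValueError("invalid recipient name: %r" % recipient)
    return gifts_for_parameterized(conn, recipient)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, honest input:", gifts_for_vulnerable(db, "alice"))
    print("vulnerable, injected:   ", gifts_for_vulnerable(db, INJECTION))
    print("parameterized, injected:", gifts_for_parameterized(db, INJECTION))
    print("validator accepts payload:", is_valid_recipient(INJECTION))
```

Run it and the vulnerable query returns every row for the injected name, while the parameterized one returns nothing and the validator rejects the payload before a query is even formed. A pattern-based static check catches the first function by the shape of the `execute` argument; the second and third are what it should see instead.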


Access  Control  

What are you getting?

§ What about all that stuff Santa brings?
§ What's in your open source?


I  am  Santa  Claus!  

Authentication and authorization

§ Right password
§ Right person (not the same)
§ Right privileges
§ https
§ certificates

Protect Sensitive Information

§ Sensitive data should be encrypted
  • Sending
  • Storing
§ Enforce reasonable passwords
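An added example, not code from the original deck, covering the "Authentication and authorization" slide and this one together: "right password" and "right privileges" are separate checks, and "enforce reasonable passwords" plus "storing" meet at the point where the password is set. The policy is applied once on creation, the stored form is a salted PBKDF2-HMAC-SHA256 hash (a hash rather than an encryption, because nothing legitimately needs the password back), comparison is constant-time, and an unknown user name costs the same as a wrong password so the login does not reveal which accounts exist. The roles, permissions, thresholds and deny-list are assumptions for the demo. The slide's "right person (not the same)" point, proving that whoever holds the password is the account owner, needs a second factor and is outside this snippet.

```python
"""Three separate checks: password policy, password verification, privilege check.

Added example for the "Authentication and authorization" and "Protect Sensitive
Information" slides; not code from the original deck. The roles, permissions,
policy thresholds and deny-list are constructed for the demo. Stored passwords
are hashed with a per-user salt, not encrypted: nothing should ever need to
read them back.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256; tune upward as hardware allows.
ITERATIONS = 600_000
SALT_LEN = 16

# Assumed policy for this demo: minimum length plus a short deny-list, and the
# password may not simply be the user name.
MIN_LENGTH = 12
DENY_LIST = {"password", "password1234", "123456789012", "santa_claus!"}

# Assumed permission model: who may do what. Authorization consults this table,
# never the credential check.
ROLE_PERMISSIONS = {
    "elf": {"read_list"},
    "santa": {"read_list", "edit_list", "approve_delivery"},
}


def password_meets_policy(username: str, password: str) -> bool:
    """Reasonable-password rule applied when a password is set or changed."""
    if len(password) < MIN_LENGTH:
        return False
    if password.lower() in DENY_LIST or password.lower() == username.lower():
        return False
    return True


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password); the salt is random per user."""
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + digest


def verify_password(stored: bytes, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt = stored[:SALT_LEN]
    return hmac.compare_digest(hash_password(password, salt), stored)


# Hash checked for unknown users so that "no such user" costs the same time as
# "wrong password" and the login does not leak which user names exist.
_DUMMY = hash_password(secrets.token_hex(16))


class UserStore:
    def __init__(self):
        self._users = {}  # username -> (password_hash, role)

    def add_user(self, username: str, password: str, role: str) -> None:
        if not password_meets_policy(username, password):
            raise ValueError("password does not meet policy")
        if role not in ROLE_PERMISSIONS:
            raise ValueError("unknown role: %r" % role)
        self._users[username] = (hash_password(password), role)

    def authenticate(self, username: str, password: str) -> bool:
        """Right password for this account. Says nothing about privileges."""
        stored, _ = self._users.get(username, (_DUMMY, None))
        return verify_password(stored, password) and username in self._users

    def authorize(self, username: str, action: str) -> bool:
        """Right privileges: a separate decision made after authentication."""
        entry = self._users.get(username)
        return entry is not None and action in ROLE_PERMISSIONS[entry[1]]
```

The two methods on `UserStore` are deliberately independent: `authenticate` answers only whether the credential matches, and `authorize` answers only whether that account may perform the action. Collapsing them into one call is how "logged in" quietly becomes "allowed to do anything".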

Malicious Insiders

§ Who is working for you
§ Controlled access
§ Appropriate access
§ Monitoring

Training

§ Secure Coding
§ Testing for security
§ Proper Validation
§ Anatomy of attacks
§ Healthy paranoia

Tools

§ Pen test
§ Regression test
§ Flow analysis
§ Pattern-based analysis
§ Coding standards
§ Virtualization
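The two analysis styles named on the slide, as an added example that is not Parasoft's code or any product's rule set: a miniature checker over Python's `ast` module that flags dynamic SQL reaching a cursor `execute` sink. The pattern-based pass matches only the shape of the argument expression; the flow pass follows a value from its assignment to the sink within one function, which is exactly the case the pattern pass misses. The rule names and the three-function sample program are constructed.

```python
"""A miniature static analyser contrasting pattern-based and flow analysis.

Added example for the "Tools" slide; this is not Parasoft's code nor any
product's rule set. The two rule names and the sample program are constructed.
Both passes look for SQL text assembled at run time and handed to a
cursor.execute()-style sink; the first recognises the shape of a single
expression, the second follows a value from its assignment to the sink.
"""
import ast

SINKS = {"execute", "executemany", "executescript"}


def _is_dynamic_string(node: ast.AST) -> bool:
    """Pattern: an expression that builds a string at run time."""
    if isinstance(node, ast.JoinedStr):                       # f"... {x} ..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                           # "..." + x, "..." % x
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True                                           # "...{}".format(x)
    return False


def _sink_arg(node: ast.AST):
    """Return the SQL argument of a call to a sink method, else None."""
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr in SINKS and node.args):
        return node.args[0]
    return None


def analyse(source: str) -> list:
    """Return sorted (line, message) findings for one module of Python source."""
    tree = ast.parse(source)
    findings = set()

    # Pass 1, pattern-based: the sink's argument is itself a dynamic string.
    # Cheap and precise, but blind to anything that passes through a variable.
    for node in ast.walk(tree):
        arg = _sink_arg(node)
        if arg is not None and _is_dynamic_string(arg):
            findings.add((node.lineno, "PATTERN: dynamic SQL passed to execute"))

    # Pass 2, flow-based (intra-procedural, and blind to reassignment): a name
    # assigned from a dynamic string earlier in the same function and later
    # used as the sink's argument.
    for func in ast.walk(tree):
        if not isinstance(func, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        tainted = {}  # name -> line where it was assigned a dynamic string
        for node in ast.walk(func):
            if isinstance(node, ast.Assign) and _is_dynamic_string(node.value):
                for target in node.targets:
                    if isinstance(target, ast.Name):
                        tainted[target.id] = node.lineno
        for node in ast.walk(func):
            arg = _sink_arg(node)
            if (isinstance(arg, ast.Name) and arg.id in tainted
                    and tainted[arg.id] < node.lineno):
                findings.add((node.lineno,
                              "FLOW: SQL built on line %d reaches execute"
                              % tainted[arg.id]))
    return sorted(findings)


# Constructed sample: one direct sink, one via a variable, one parameterized.
SAMPLE = '''
def lookup_direct(cur, name):
    cur.execute("SELECT gift FROM gifts WHERE recipient = '" + name + "'")

def lookup_indirect(cur, name):
    query = "SELECT gift FROM gifts WHERE recipient = '%s'" % name
    return cur.execute(query)

def lookup_safe(cur, name):
    query = "SELECT gift FROM gifts WHERE recipient = ?"
    return cur.execute(query, (name,))
'''

if __name__ == "__main__":
    for line, message in analyse(SAMPLE):
        print("line %d: %s" % (line, message))
```

Real flow analysis is inter-procedural and tracks sources (request parameters, file input) rather than treating every concatenation as suspect; this version also ignores reassignment after the tainted line, so it will over-report a variable later rebound to a constant. That is the trade-off the slide points at: pattern checks are fast and easy to explain, flow analysis finds what they cannot but costs more and needs tuning.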

Use Source Control Management

§ For everything associated with the product


Avoid  High-­‐Risk  Tech  

Prevention

Simple UI for Safety Functions

Compliance

§ PCI-DSS
§ CWE Top 25
§ CERT
§ …


Peer  Code  Review  

Educate Yourself

§ Know your business
§ Know the technology
§ What are the risks?
§ What are the threats?
§ How can I mitigate them?


Eliminate  the  unnecessary  


Separate  the  data  


Threat  Modeling  


Santa  uses  the  SwAMP  

Security Resources

CWE – Common Weakness Enumeration • http://cwe.mitre.org

Software Assurance Marketplace (SwAMP) • https://continuousassurance.org

OWASP – Open Web Application Security Project • http://www.owasp.org

PCI – Payment Card Industry Security Standards • https://www.pcisecuritystandards.org

Hack.me – Community based security learning project • https://hack.me

SAMATE – Software Assurance Metrics And Tool Evaluation • http://samate.nist.gov

Build Security In – Collaborative security effort • https://buildsecurityin.us-cert.gov

Q&A

§ Web: http://www.parasoft.com/jsp/resources
§ Blog: http://alm.parasoft.com
§ Social
  • Facebook: https://www.facebook.com/parasoftcorporation
  • Twitter: @Parasoft @MustRead4Dev
  • LinkedIn: http://www.linkedin.com/company/parasoft
  • Google+ Community: Static Analysis for Fun and Profit