the flaws in hordes, the security in crowds · 2017-10-20 · the flaws in hordes, the security in...

35
Join the conversation #DevSecCon The Flaws in Hordes, The Security in Crowds MIKE SHEMA [email protected]

Upload: others

Post on 27-May-2020

5 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: The Flaws in Hordes, The Security in Crowds · 2017-10-20 · The Flaws in Hordes, The Security in Crowds MIKE SHEMA MIKE@COBALT.IO – Clint Eastwood, The Good, the Bad, and the

Join the conversation #DevSecCon

The Flaws in Hordes,The Security in CrowdsMIKE [email protected]

Page 2: The Flaws in Hordes, The Security in Crowds · 2017-10-20 · The Flaws in Hordes, The Security in Crowds MIKE SHEMA MIKE@COBALT.IO – Clint Eastwood, The Good, the Bad, and the

– Clint Eastwood, The Good, the Bad, and the Ugly.

“You see, in this world there’s two kinds of people, my friend: Those with loaded guns and

those who dig. You dig.”

Page 3: The Flaws in Hordes, The Security in Crowds · 2017-10-20 · The Flaws in Hordes, The Security in Crowds MIKE SHEMA MIKE@COBALT.IO – Clint Eastwood, The Good, the Bad, and the

– Eli Wallach, The Good, the Bad, and the Ugly.

“There are two kinds of spurs, my friend. Those that come in

by the door; those that come in by the window.”

Page 4: The Flaws in Hordes, The Security in Crowds · 2017-10-20 · The Flaws in Hordes, The Security in Crowds MIKE SHEMA MIKE@COBALT.IO – Clint Eastwood, The Good, the Bad, and the

Uneasy Alliances“What’s the price for this vuln?”

— Bounties “What’s the cost to fix this vuln?”

— DevOps “What’s the value of finding vulns?”

— CSOs

Page 5: The Flaws in Hordes, The Security in Crowds · 2017-10-20 · The Flaws in Hordes, The Security in Crowds MIKE SHEMA MIKE@COBALT.IO – Clint Eastwood, The Good, the Bad, and the

Disclosure Happens

Page 6: The Flaws in Hordes, The Security in Crowds · 2017-10-20 · The Flaws in Hordes, The Security in Crowds MIKE SHEMA MIKE@COBALT.IO – Clint Eastwood, The Good, the Bad, and the

The Royal Society is collaborating with JSTOR to digitize, preserve, and extend access toPhilosophical Transactions (1665-1678).

www.jstor.org®

on April 28, 2017http://rstl.royalsocietypublishing.org/Downloaded from

Some Observations of Swarms of Strange Insects, and the Mischiefs done by them.

Page 7: The Flaws in Hordes, The Security in Crowds · 2017-10-20 · The Flaws in Hordes, The Security in Crowds MIKE SHEMA MIKE@COBALT.IO – Clint Eastwood, The Good, the Bad, and the

Bounties are an imperfect proxy for risk, where price implies impact.

$0 — $15K

~$800 avg.

$50XSS self, no auth

$10,000XSS any auth’d user,access sensitive info

Page 8: The Flaws in Hordes, The Security in Crowds · 2017-10-20 · The Flaws in Hordes, The Security in Crowds MIKE SHEMA MIKE@COBALT.IO – Clint Eastwood, The Good, the Bad, and the

Bounties are an imperfect proxy for work, where earnings often diverge from effort.

Page 9: The Flaws in Hordes, The Security in Crowds · 2017-10-20 · The Flaws in Hordes, The Security in Crowds MIKE SHEMA MIKE@COBALT.IO – Clint Eastwood, The Good, the Bad, and the
Page 10: The Flaws in Hordes, The Security in Crowds · 2017-10-20 · The Flaws in Hordes, The Security in Crowds MIKE SHEMA MIKE@COBALT.IO – Clint Eastwood, The Good, the Bad, and the

Noise increases cost of discovery and reduces efficiency.

Page 11: The Flaws in Hordes, The Security in Crowds · 2017-10-20 · The Flaws in Hordes, The Security in Crowds MIKE SHEMA MIKE@COBALT.IO – Clint Eastwood, The Good, the Bad, and the

Volume— Reports/day Percent valid

Triage— Time/report People/report +

[Baseline]

Page 12: The Flaws in Hordes, The Security in Crowds · 2017-10-20 · The Flaws in Hordes, The Security in Crowds MIKE SHEMA MIKE@COBALT.IO – Clint Eastwood, The Good, the Bad, and the
Page 13: The Flaws in Hordes, The Security in Crowds · 2017-10-20 · The Flaws in Hordes, The Security in Crowds MIKE SHEMA MIKE@COBALT.IO – Clint Eastwood, The Good, the Bad, and the
Page 14: The Flaws in Hordes, The Security in Crowds · 2017-10-20 · The Flaws in Hordes, The Security in Crowds MIKE SHEMA MIKE@COBALT.IO – Clint Eastwood, The Good, the Bad, and the

-cost +time

-cost-time

+cost+time

+cost-time

Page 15: The Flaws in Hordes, The Security in Crowds · 2017-10-20 · The Flaws in Hordes, The Security in Crowds MIKE SHEMA MIKE@COBALT.IO – Clint Eastwood, The Good, the Bad, and the

Scanners

Overlaps, gaps, and ceilings in capabilities. Fixed-cost, typically efficient, but still require triage and maintenance.

Page 16: The Flaws in Hordes, The Security in Crowds · 2017-10-20 · The Flaws in Hordes, The Security in Crowds MIKE SHEMA MIKE@COBALT.IO – Clint Eastwood, The Good, the Bad, and the

Days Since Valid (Any) Report

2016 7 (4) 16 (8) 33 (14)2015 4 (1) 10 (5) 23 (11)

50% 80% 95%

Days since any report: 2, 5, 11

Page 17: The Flaws in Hordes, The Security in Crowds · 2017-10-20 · The Flaws in Hordes, The Security in Crowds MIKE SHEMA MIKE@COBALT.IO – Clint Eastwood, The Good, the Bad, and the

Public, Private Bounties

Page 18: The Flaws in Hordes, The Security in Crowds · 2017-10-20 · The Flaws in Hordes, The Security in Crowds MIKE SHEMA MIKE@COBALT.IO – Clint Eastwood, The Good, the Bad, and the

Pen Tests

Page 19: The Flaws in Hordes, The Security in Crowds · 2017-10-20 · The Flaws in Hordes, The Security in Crowds MIKE SHEMA MIKE@COBALT.IO – Clint Eastwood, The Good, the Bad, and the

– Mike’s Axiom of AppSec

“We’ll always have bugs. Eyes are shallow.”

Page 20: The Flaws in Hordes, The Security in Crowds · 2017-10-20 · The Flaws in Hordes, The Security in Crowds MIKE SHEMA MIKE@COBALT.IO – Clint Eastwood, The Good, the Bad, and the

BugOps vs. DevOpsChasing bugs isn’t a strategy.

Page 21: The Flaws in Hordes, The Security in Crowds · 2017-10-20 · The Flaws in Hordes, The Security in Crowds MIKE SHEMA MIKE@COBALT.IO – Clint Eastwood, The Good, the Bad, and the

As we move to security as code, code moves to inevitable legacy.

Page 22: The Flaws in Hordes, The Security in Crowds · 2017-10-20 · The Flaws in Hordes, The Security in Crowds MIKE SHEMA MIKE@COBALT.IO – Clint Eastwood, The Good, the Bad, and the

Threat Modeling

DevOps exercise guided by security. Influences design. Informs implementation. Increases security awareness.

Page 23: The Flaws in Hordes, The Security in Crowds · 2017-10-20 · The Flaws in Hordes, The Security in Crowds MIKE SHEMA MIKE@COBALT.IO – Clint Eastwood, The Good, the Bad, and the

Risk Reduction

Page 24: The Flaws in Hordes, The Security in Crowds · 2017-10-20 · The Flaws in Hordes, The Security in Crowds MIKE SHEMA MIKE@COBALT.IO – Clint Eastwood, The Good, the Bad, and the

“You’re not using HTTPS.”

“Use HTTPS.”

“Seriously. Please use HTTPS.”

Let’s Encrypt.

Page 25: The Flaws in Hordes, The Security in Crowds · 2017-10-20 · The Flaws in Hordes, The Security in Crowds MIKE SHEMA MIKE@COBALT.IO – Clint Eastwood, The Good, the Bad, and the
Page 26: The Flaws in Hordes, The Security in Crowds · 2017-10-20 · The Flaws in Hordes, The Security in Crowds MIKE SHEMA MIKE@COBALT.IO – Clint Eastwood, The Good, the Bad, and the
Page 27: The Flaws in Hordes, The Security in Crowds · 2017-10-20 · The Flaws in Hordes, The Security in Crowds MIKE SHEMA MIKE@COBALT.IO – Clint Eastwood, The Good, the Bad, and the

Bounty ranges as a proxy for SDL, where price implies maturity.

$ 1 Experimenting$ 1,000 Enumerating$ 10,000 Exterminating$ 100,000 Extinct-ifying

Page 28: The Flaws in Hordes, The Security in Crowds · 2017-10-20 · The Flaws in Hordes, The Security in Crowds MIKE SHEMA MIKE@COBALT.IO – Clint Eastwood, The Good, the Bad, and the

Security from InventoryEnumerate your apps. Generate their dependency graphs. Identify ownership.

Page 29: The Flaws in Hordes, The Security in Crowds · 2017-10-20 · The Flaws in Hordes, The Security in Crowds MIKE SHEMA MIKE@COBALT.IO – Clint Eastwood, The Good, the Bad, and the

Security from CrowdsProvide reasonable threat models. Report via issue trackers. Automate reproduction steps.

Page 30: The Flaws in Hordes, The Security in Crowds · 2017-10-20 · The Flaws in Hordes, The Security in Crowds MIKE SHEMA MIKE@COBALT.IO – Clint Eastwood, The Good, the Bad, and the

Measure vuln discovery effort Monitor risk for trends Illuminate brittle design

Security from DevSecOps

Page 31: The Flaws in Hordes, The Security in Crowds · 2017-10-20 · The Flaws in Hordes, The Security in Crowds MIKE SHEMA MIKE@COBALT.IO – Clint Eastwood, The Good, the Bad, and the

Join the conversation #DevSecCon

Thank You!

Page 32: The Flaws in Hordes, The Security in Crowds · 2017-10-20 · The Flaws in Hordes, The Security in Crowds MIKE SHEMA MIKE@COBALT.IO – Clint Eastwood, The Good, the Bad, and the

Join the conversation #DevSecCon

Questions?@CodexWebSecurum

Page 33: The Flaws in Hordes, The Security in Crowds · 2017-10-20 · The Flaws in Hordes, The Security in Crowds MIKE SHEMA MIKE@COBALT.IO – Clint Eastwood, The Good, the Bad, and the

The Royal Society is collaborating with JSTOR to digitize, preserve, and extend access toPhilosophical Transactions (1665-1678).

www.jstor.org®

on April 6, 2017http://rstl.royalsocietypublishing.org/Downloaded from

deadliestwebattacks.comblog.cobalt.io

Page 34: The Flaws in Hordes, The Security in Crowds · 2017-10-20 · The Flaws in Hordes, The Security in Crowds MIKE SHEMA MIKE@COBALT.IO – Clint Eastwood, The Good, the Bad, and the

R — www.r-project.org

RStudio — www.rstudio.com

data.table

ggplot

Page 35: The Flaws in Hordes, The Security in Crowds · 2017-10-20 · The Flaws in Hordes, The Security in Crowds MIKE SHEMA MIKE@COBALT.IO – Clint Eastwood, The Good, the Bad, and the

A cacophony of hordes.

A scrutiny of crowds.