Applications :: The new Cybersecurity frontier
Securitybyte & OWASP Confidential
The new Cybersecurity frontier
Mano Paul, CSSLP, CISSP, MCAD, MCSD, CompTIA Network+, ECSA
CEO, SecuRisk Solutions
Mano.Paul(at)SecuRiskSolutions(dot)com
Who am I?
• (ISC)2’s Software Assurance Advisor
• Founder - SecuRisk Solutions, Express Certifications & AppSentinel
• ISSA – Industry Representative
• Invited Speaker @ OWASP, CSI, Catalyst, SC World Congress, …
• Information Security Program Manager – Dell Inc.
• Author
Securitybyte & OWASP AppSec Conference 2009
– Official (ISC)2 Guide to the CSSLP
– Information Security Management Handbook
• Shark Biologist, Bahamas
• SharkTalk podcaster
• On LinkedIn/Facebook/Twitter
Who I am NOT!
(photo: NOT ME ☺)
What are we here to talk about?
• Cybersecurity
• Applications
• Applications and Cybersecurity
Live Free or Die Hard
• Matt Farrell: Jesus Christ. It's a fire sale.
• John McClane: What?
• Matt Farrell: It's a fire sale.
• Deputy Director Miguel Bowman: Hey! We don't know that yet.
• Taylor: Yeah, it's a myth anyway. It can't be done.
• Matt Farrell: Oh, it's a myth? Really? <censored>
• John McClane: Hey, what's a fire sale?
• Matt Farrell: It's a three-step... it's a three-step systematic attack on the entire national infrastructure. Okay, step one: take out all the transportation. Step two: the financial base and telecoms. Step three: You get rid of all the utilities. Gas, water, electric, nuclear. Pretty much anything that's run by computers which... which today is almost everything. So that's why they call it a fire sale, because everything must go.
Hollywood – not too far from reality
• 2007 : Estonia hacked
– Government Ministry & Political parties (Defense)
– Newspapers (Communications)
– Banking and Private Companies (Financial/Utilities)
• 2008 : Nation State Georgia – First Cyberwar
• 2009 : The Shadow of the Gaza Conflict – Cyberwar against Israel
• 2009 : Brazil Broken (Nov 6th, 2009)
• 2010 : Digital Hackistan ?
Cybersecurity
• Pronunciation: sai-ber-si-kyur-a-te
• Securing Cyberspace
• Kinetic (physical) using Non-kinetic (electronic)
• Definition: Measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack. – Merriam-Webster’s
“Protecting pretty much anything that runs by computers – which is everything today!” – Die Hard Definition
Why are we where we are?
• Army secures land space
• Airforce secures air space
• Navy secures sea space
• But what about space that is not land, not air, nor sea?
– Cyber
Why are we where we are? – Contd.
• Seconomics (a new term coined!)
– Cost of insecure software - $180,000,000,000,000
• Wars are won by bits and bytes
– Cyber-chess with an invisible enemy
– Whoever controls the Information can deal the checkmate
• IT - Internet Terrorism?
– Cyberbullies
Securing Cyberspace – Easier said than done!
• No borders – Big Firewall
• Highly interconnected
• Short arm of the law
• Privacy invasion
• Polymorphic threats
Cybersecurity Threat agents
• Human
• Non Human
– Malicious Software
– Technology
  • VoIP
  • Pervasive computing
  • Web 2.0wned - Social Netmares
Malicious Software a.k.a. Malware
• Proliferative: Viruses & Worms (Web Worms)
• Stealthware: Spyware & Adware, Trojans, Rootkits
Slap in the face-book
• I had to recently open the ‘Rootkits’ book
• I sent my wife a link on facebook and then it happened …
• Command and control
• Phishing Hooks (screenshot callouts)
– Tax Refund: An Oxymoron
– Is IRS.gov and Tax.gov the same?
– The IRS is pleased? Hmmm
– What currency is this? $ with ,
– Should this not be the usual 3-5 business days?
– And of course the legitimate security warning!
What’s in common with these threats?
• Are Applications
• Run Applications
• Exploit Applications
• Applications
– The Weakest Link?
What’s wiring this evolving world?
• “In the 80’s we wired the world with cables and in the 90’s we wired the world with computer networks. Today we are wiring the world with applications using web services and mashups. Having skilled professionals capable of designing and developing secure software is now critical to this evolving world.”
Mark Curphey
Director & Product Unit Manager, Microsoft
Founder of OWASP
Application a.k.a. Software a.k.a. System
• Abstracted business functionality
• Standalone or SaaS
• Conduits to data
Dude, where’s my data?
• Data will continue to be the primary motive behind future cyber crime - whether targeting traditional fixed computing or mobile applications. Data will drive cyber attacks for years to come. The data motive is woven through all emerging cybersecurity threats, whether botnets, malware, blended threats, mobile threats or cyber warfare attacks.
Emerging Cyber Threats Report for 2009
Agar poolis ko mila tho? (What if the police get a hold of it?)
• Sachin: Hey Zara, lag gaya hai, lag gaya hai; Oot oot sab kuch chod kar bhag
(Zara, we have been caught; get up, get up, leave everything and run)
• Sachin: Yeh kya kar raha hai thu?
(What are you doing?)
• Zara: Data hai yis mai hi hai!
(All the data are in these!)
• Zara: Agar poolis ko mila tho?
(What if the police get a hold of it?)
DAD against CIA – Data issues
• Disclosure - Attack against Confidentiality
• Alteration - Attack against Integrity
• Destruction - Attack against Availability
Application vulnerabilities – Opening the door to Cybercrime
- Injection
- Script
- Overflow
- Disclosure
- Session
- Cryptographic
Source: OWASP Top 10 2007
What we need – First Steps - Holistic Security!
• People, Process and Technology
• Network, Hosts and Applications
Securing the Weak Link - People
• SecuriTRAINED
– Aware
– Trained
– Educated
• Certified Secure Software Lifecycle Professional (CSSLP)
• It’s the People
Securing the Weak Link - Process
Source: (ISC)2
CSSLP Coursework
“The CSSLP Training will cover each area in more depth.”
For the first time in India – 2 day CSSLP training at this conference. Don’t miss out!
Process – Secure Design!
Process – Writing Secure Code
Secure the Weak Link - Technology
• Tools and Checklists caveat
• Validation & Verification (V&V)
• Certification & Accreditation (C&A)
Defense in Depth
• Software Security: Input validation, Session management, Authentication, Parameter manipulation, Authorization, Cryptography, Sensitive data protection, Exception management, Configuration management, Auditing / Logging
• Host Security: Patches, Accounts, Ports, Services, Files / directories, Registry, Protocols, Auditing / logging, Shares
• Network Security: Routers, Firewalls, Switches
(diagram: Firewall – Web Server – Firewall – Database Server, layered over Host and Network security)
Detained in Brazil/Brasil!
• Let me tell you what happened to me when I was returning to the USA from Brazil (as the Americans spell it) / Brasil (as the English spell it)
What Next?
• Security in the Skies
– Cloud computing – S2aaS
• Virtualization
• Smart Grids
• Digital ants
• Cybersecure Applications
– Reliable
– Resilient
– Recoverable
– Software seatbelts
If history is any predictor of the future …
(timeline: 2008 – 2009 – 2010)
Thank you!
• Backup Slides
CSSLP™ - Certified Secure Software Lifecycle Professional
• (ISC)2 newest certification
• Base credential
• Professional certification program
• Caters to various stakeholders
• 7 Key Areas
– Concepts
– Requirements
– Design
– Implementation
– Testing
– Acceptance
– Deployment, Operations, Maintenance and Disposal
Data Protection warrants Application Security!
• In transit
• In storage
• In archives
What Cybersecurity is Not?