Tuesday, January 20, 2015

How real is it?


We're really bad in the software world at recognizing and taking action against real threats. We fail to see and fully grok the threats that are bearing down on us, and as a result, our software all too often contains security defects that are well understood by our adversaries. When that happens, things only get worse.

One of my passions is to show software developers the myriad ways in which software can fail to deliberate attacks. I do that in my hands-on lab sessions. One of my biggest motivators is when I notice one or two software developers "get it". We talk about common problems like SQL injection or cross-site scripting (XSS) and they all nod, but when they actually see it work when they enter poisonous data into a real app, a light goes on. It's those "ah ha!" moments that keep me doing what I do.

But even when we do that, I'm often asked by those same developers just how real the attacks are. How common are they? How much time and effort should they put into protecting their applications? It's one thing to understand a software security defect and even deeply grok how it works, but how does that translate into their world? How much testing is enough? How much code review is enough? What problems should they spend the most time on remediating?

Security folks want to tell those developers to fix all the problems. We want to tell them to scan every line of code and test their software rigorously. But when they hear that, they get overwhelmed and they realize that we're prescribing far too much for them to realistically accomplish.

How should those developers then budget their effort?

Of course, that's a hugely difficult question to answer in a general sense. There's no one size fits all solution. It depends... And so on.

Does that mean you should simply throw your hand up in the air and give up? Of course not.

One thing you might try to do is to seek out your security company's security folks, especially the incident response team. If your company has one, you might well find that they hold a treasure trove of real world data on how your company's systems come under fire in their production environments every single day. You might well find out the kind of tools and techniques your attackers are using right now. I personally spent many years working incident response operations myself, and I can say with confidence that these are the folks who most closely get to see real attacks and real security failures first-hand.

That, in turn, might help you better understand where you need to spend time in your software security efforts.

Sounds simple, right? You might even call this "common sense". And yet, in my own experiences at hundreds of companies, I've all too often encountered software developers who fail to seek out their own companies' security personnel.

At one client, I was working with a group of software developers and I asked them if they knew their own computer security incident response team (CSIRT). They didn't. However, when I walked around their office a bit, I found their CSIRT security operations center (SOC) right down the hall from where the software developers were sitting. They were right down the hall and yet they'd never met each other!

Don't let this happen to you and your company. I'm speaking here of a concept that I like to refer to as "confluence". Software development simply must involve not just the software developers and business owners, but also the various security stakeholders in a company. Seek them out and talk to them.

I provide various actionable tips on how to do this in my latest book, "Software Security: A Confluence of Disciplines". But even if you're not inclined to buy a book, I hope some of you reading this will join me at SecAppDev and try some of these hands-on lessons first hand.

Posted by at No comments:

Monday, January 19, 2015

Reflections on Software Security




Reflection on Secure Software
My name is Jim Manico. I'm a member of the software security research community. One of my greatest professional passions is understanding and investigating the creation of secure software. As a traveling software security educator, I have spent the last 4 years of my life teaching developers about software security in over 70 countries throughout the world.


talking-small.jpg

Although I live in Kauai, Hawaii (one of the greatest islands in the world) I tend to only spend about 2 months there a year. The rest of year is spent traveling, teaching or going to developer conferences. My wife is often on the road with me when the location is to her liking.


Looking left from my office chair at home on Kauai.

Here are my 2014 travel records for only one airline and one hotel chain. These are quite ridiculous for someone who is supposed to live in Hawaii!  
YTD premier qualifying miles with @united in 2014 : 180,493


Total days staying at a @starwood hotel in 2014: 78. Total cities visited via @starwood in 2014: 22.

I am also fortunate to have been elected to one of the global board positions at the OWASP Foundation. OWASP is the Open Web Application Security Project, a non profit foundation dedicated to spreading application security awareness. Driving the strategic vision of a non profit foundation full of web hackers is no easy task, but is something that brings me great joy. Like SecAppDev, I fully believe in the mission of the OWASP foundation and similar organizations such as BSides.

From the left: Tom Brennan (OWASP), Jim Manico (OWASP), Jack Daniels (BSides), Eoin Keary (OWASP) and Michael Coates (OWASP) at an award ceremony where the OWASP Foundation was awarded for their charitable efforts.
I never would have thought that my favorite professional travel destination would be Leuven, Belgium in February where the week-long SecAppDev developer security training course takes place. SecAppDev is more dedicated to teaching developers to write secure code than any other conference or organization that I've been a part of. I'm proud to be one of the many educators who participate in this special week-long secure coding course. While I am a teacher, I am also a student when I attend SecAppDev. SecAppDev is where I go to enhance my skills around secure coding and prep for a new year of developer education. One of the highlights at SecAppDev for me is cryptography education because the professors who teach the crypto classes at SecAppDev are world class!

"SecAppDev courses are run by secappdev.org,
a non-profit organization that aims to broaden security
awareness in the development community and advance
secure software engineering practices." - SecAppDev.org

I always make a point to attend the sessions lead by Dr. Bart Preneel (Prof. dr. ir. Bart Preneel heads COSIC, the renowned crypto lab), Professor Frank Piessens (Prof. dr. ir. Frank Piessens pioneered application security teaching at university level), Ken Van Wyk (Ken van Wyk is co-founder of the CERT® Coordination Center and a widely acclaimed author and lecturer) and others.
One of the highlights at SecAppDev is our daily group lunch. Fine dining is almost unheard of on the conference circuit, but it's the standard at SecAppDev. 

The next SecAppDev course will be held at the Faculty Club in Leuven, Belgium this February 23rd through 27th 2015. I hope to see you there!

Aloha,
Jim Manico
jim@manico.net
@manicode


Posted by at No comments:
Subscribe to: Posts (Atom)