
Bringing nothing to the party

Bringing nothing to the party. Vincenzo Iozzo, Director of Security Engineering, Trail of Bits, Inc. It’s about time we make AppSec understandable to the lay person (read: your executives). There’s no real accountability at company-wide level for AppSec; this has to change.


Presentation Transcript


  1. Bringing nothing to the party Vincenzo Iozzo Director of Security Engineering Trail of Bits, Inc

  2. It’s about time we make AppSec understandable to the lay person (read: your executives)

  3. There’s no real accountability at company-wide level for AppSec, this has to change

  4. Games we play these days…

  5. Fail to separate threats

  6. Compare and contrast

  7. And this…

  8. With this

  9. Forget the good ol’ weak links

  10. Macro-level example

  11. Eco101

  12. The market for lemons • Improper threat analysis and quality control leads to a market for lemons scenario

  13. Free riders! • The careless employee/company is free-riding on somebody else’s security investment

  14. Externality • Both internally and externally, security is far too often a (good|bad) externality

  15. What has any of this to do with AppSec?

  16. A lot of AppSec is “miracle work”

  17. Bounties • They don’t attract “professionals” • They attract weak automation (fuzzers) • They don’t solve the big-picture problem • They are taxing for developers and security people alike

  18. Do somebody else’s work

  19. “Reactive security” • The iOS jailbreaking saga is a prime example

  20. Lack of developer accountability

  21. Stuff that works today

  22. Bug hunting • HAVOC/HAVOC-LITE (Julien Vanegue et al) • Bochspwn (Jurczyk et al)

  23. BlueHat prize/Pwnium/Pwn2Own • Bugs • Techniques

  24. Some tools • EMET • … • ? • ? • ?

  25. Let’s talk about tomorrow

  26. Meditation interlude • Please pause for a second and contemplate what it means from a technical and sophistication POV for someone to backdoor NIST standards

  27. A line in the sand • If you want to fight this… • This has to go…

  28. Warning

  29. Proposal 1 • Make AppSec risk understandable by non-infosec people/investors

  30. You can start from this

  31. And this

  32. Proposal 2 • Make bug-hunting a commodity by creating appropriate tools. Focus on the errors your developers make

  33. Proposal 3 • Engage researchers/firms in DARPA CFT-like ways

  34. Proposal 4 • Talk to your CFO and make security an integral factor in M&A activities

  35. Proposal 5 • Do your own internal offensive research, it builds intuition and it makes for great ‘pro-active’ mitigations

  36. Conclusions

  37. AppSec can and should become a profit-center • If we don’t do anything policy-makers will and we’re not going to like it • Insane amount of money is being poured in InfoSec, let’s not ruin this by fostering lemons • Freeriding is why we can’t have nice things

  38. Final quote • "Mass markets demand security, along with safety and reliability, only after the product becomes commoditized." • Alex Gantman

  39. vincenzo@trailofbits.com Thanks! Questions?
