Was I Supposed to Mix the Security in Before I Baked It?
Security Beyond the Cliché
W. Brandon Martin
- Thank you to the 49th Cyber Division and CarolinaCon for the opportunity, and to the sponsor and attendees for offering the meeting space
- Conversational invitation
- Inspiration for the cliché
- Baked-in vs. Bolt-on
- Better is not the enemy of perfect.
- Push security left.
- Complexity is the enemy of security.
- DOD Grade security
- The only secure system is a powered-down system
- Brief introduction to set the stage for the rest of the conversation.
01 - Introduction
- Dad (x3)
- Independent Security Consultant
- Raised in a barn
- OSCP, OSWP, GPEN
- CISSP, CRISC
- 6 Sigma Black Belt
All opinions are my own and do not necessarily represent anyone else's view.
- Raised in a barn - a cliché that doesn't make a whole lot of sense
- Brace yourself for memes. - A couple of reasons:
- If you're bored, you'll hopefully get a chuckle every 3 or 4 slides and wake yourself up.
- Memes are a way to communicate with a diverse audience
- Memes teach us about ourselves.
- After all, this is a talk about security beyond the cliché.
The Next 45 Minutes
- Background and Overview
- Security v. Business
- Security Balance
- Architectural Solutions
- Security Practitioners
- Wave your hand with questions any time; I want this to be conversational.
02 - Background & Overview
- Good security requires planning and preparation.
- Security requirements delay projects.
- Businesses need projects to stay in business.
- Business and security goals conflict.
- What problem are we trying to solve?
- Meme credit: https://knowyourmeme.com/memes/well-theres-your-problem
- Explore the tension between security and business objectives.
- Review real-world outcomes of balance failures.
- Review architectures that worked and failed.
- Re-define the security practitioner's role.
- To really tackle the problem, we have to understand the motivations of each stakeholder.
- Sometimes we get it right, sometimes we don't
- Engineers vs. architects and why security has to start moving left (earlier) in our project inception.
- Confession time - accountability and redemption
- Not too late to bounce, and it won't hurt my feelings
- Meme Credit: https://www.mememaker.net/meme/get-ready-for-these-super-sweet-dance-moves
03 - Security v. Business
- Many business people struggle with security requirements.
- Many technical people struggle with security requirements.
- Many security people struggle with business and technical requirements.
- Immovable object meets unstoppable force
</gml_replace>
<gr_replace lines="67" cat="clarify" orig="- Requirements can be">
- Requirements can be difficult to capture because the solution is so obvious to the visionary.
- Meme Credit: https://www.memecenter.com/fun/537920/epic-battle
- Keep the hackers out.
- Maintain compliance and/or regulator satisfaction.
- Keep penetration testers out.
- Sanitize untrusted input.
- Train developers on secure coding practices.
- Implement CIS benchmarks.
- Business people are focused on planned functionality.
- Security people are worried about unplanned functionality.
- Requirements can be difficult because it's so obvious to the visionary.
- Meme Credit https://imgflip.com/i/1a6k84
- Calculate interest on a loan.
- Send a purchase order electronically.
- Automate the disbursement process.
- Complete the first sprint by Feb 28.
- Business people and planned functionality
- Meme Credit: https://memegenerator.net/instance/75439838/roll-safe-hd2-cant-fail-to-meet-requirements-if-there-are-no-requirements
- Response latency < 2 seconds.
- Application must be testable.
- Application must run on Microsoft Windows, Android, iOS.
- Network throughput SLA must be 2Mb/s.
- No plan to dwell on technical requirements
- Illustrate the challenges technical stakeholders have to address
- Meme Credit: https://makeameme.org/meme/yes-these-requirements
- CFO wants results yesterday.
- CTO wants to meet the SLA.
- CISO wants to dot the "i" and cross the "t."
- It took me 4 slides to get there, but here is the problem in business terms.
- Chief Scapegoat
Security Overpowers Business
- A German pro basketball team was relegated to a lower division due to a Windows update (2015)
- User can't create a valid password at change time (2019)
- GrooveShark (2015)
- Countless failed startups you never heard mentioned
- I didn't know Germany had professional basketball teams...
- Scoreboard laptop was due for patching
- Imagine a security consultant sits down with a new account
- GrooveShark is a sideways example - security, more specifically compliance, overpowered the business objectives later than it should have.
- Meme Credit: https://www.blackhillsinfosec.com/five-signs-organization-failing-security/
Business Overpowers Security
- Mirai Botnet
- Target's Heating and Cooling System Breach (~$202M)
- Yahoo lost 500M Passwords; Linkedin 117M
- Hillary Clinton's Email Server
- Thanks to insecure IoT devices, routers, etc., we now have this looming threat of botnets
- Target http://fortune.com/2017/05/23/target-settlement-data-breach-lawsuits/
- I'm usually not interested in politics, but this scandal fit too well.
- Meme Credit: https://memegenerator.net/instance/66630633/the-godfather-its-not-personal-its-business
Balance is Key
- Risk perspective is missing.
- Context is under-appreciated.
- Healthy discourse is difficult.
- These are the fundamental problems I see in my practice
- Microsoft deems patching so important everything else must stop
- A CIO deems something else more important and does not prioritize patching on public facing servers
- We live in a polarizing time. Political and social issues force us to one side or the other and social media has encouraged us to fight for our right to think and oppress anyone who thinks differently.
- We also see technology and security evolving so rapidly that anyone outside the space struggles to stay informed.
- Meme Credit: https://memegenerator.net/instance/55533851/mr-miyagi-miyagi-say-balance-is-key
04 - Architectural Solutions
Architecting the Internet - TCP/IP
- Designed in the 1970's
- Adopted in the 1980's
- Secured in the 1990's
- Online Banking and Paris Hilton widely adopted in the 2000's
- Walk through an architectural success
- Remember, when Al Gore architected the internet... it was about information sharing between universities. The problem to solve was not how do we keep people out; the problem they were solving was how to include more brainpower for the other problems facing academia and society.
- Secured in the 90's: TLS - Transport Layer Security. Lots of challenges and improvements over the years, but Netscape enabled confidentiality and integrity over the World Wide Web in 1994.
- The point I want to make is that Robert Kahn and Vinton Cerf somehow architected a solution that not only solved their immediate problem, but provided a framework that solved 40 years of problems.
Architecting the Internet - DNS
- Proposed in 1983; essential since 1985
- Designed for 50M addresses, currently 271M
- DNSSEC introduced in 1997
- Dan Kaminsky's bug 2008
- DNSpionage 2019; 25% US Adoption of DNSSEC
- Walk through an architectural fail
- No slight to Paul Mockapetris; DNS is an amazing solution, as verified by our continued use and support
- Designed for a smaller, less hostile internet and networks.
- VERY fast. Doesn't have time for authentication. So the engineers had to bolt on security after the solution was fully rolled out.
- Elegant solution (DNSSEC) designed, but not widely adopted. Still leaves local race attacks.
- Some controls are difficult to "bolt on" after rollout.
- Security can take years.
- Forecasting use case changes is hard.
- Consumers don't always prioritize security.
- The architecture must leave "bolt holes" for security.
- Don't patch, rebuild
- Infrastructure as code (i.e. version tracking)
- DevSecOps - Integrating Security Testing In Development
- Static Application Security Testing
- Dynamic Application Security Testing.
- Software Frameworks
- Most of us are not solving problems at Internet scale like TCP/IP and DNS
- Want to highlight several technologies and approaches that SHOULD be changing the way we build solutions.
- Containers are the next evolutionary step of virtualization
- They provide a new layer in the stack that we can secure.
- They also create a new layer that has to be secured.
- A tool to improve security that simultaneously reminds us that we need to be careful when we pick up a loaded gun.
- Changes the way we apply security patches.
- Changes the way we build systems, which leads us to DevSecOps
- DevSecOps is a consolidation of three distinct views that have to work together
- A model for addressing security, development and operations concerns throughout the life cycle.
- The tools in this space are providing assurance to technology managers that at least some form of security review occurred at the source code and running application level.
- Great example of using software frameworks - Cross-Site Request Forgery fell off the OWASP Top 10
- Developers are writing less code to solve problems. Hopefully copy/pasting fewer snippets and relying on a reviewed and holistic solution.
- Meme Credit https://memegenerator.net/instance/56153570/yo-dawg-yo-dawg-i-heard-you-like-containers-so-i-put-a-container-in-your-container
05 - Security Practitioners
- Just say no.
- Abuse fear, uncertainty, & doubt (FUD).
- Overstate risk.
- Don't understand the technology's built-in controls.
- Slow down and delay projects.
- Only understand [Insert Background]
- Meme Credit: https://weheartit.com/entry/64669958
- "Yes, and..."
- Trust, Assurance & Confidence (TAC).
- Paint accurate risk pictures.
- Understand technical controls.
- Connect silos and accelerate projects.
- Understand enough background to be helpful.
- Don't accept risk.
- Transition: As security practitioners, the perception is clear, the ideals are clear; what's the problem?
- Meme Credit: https://www.nelsenbiomedical.com/2015/09/08/say-yes-and-how-the-rules-of-improv-improve-your-success-in-business/
Hard to find good help
- We can't all be the best.
- Can't educate a practitioner to full competence through training alone.
- Industry trend - full stacking
- Information Security
- Risk Analysis
- Networking, Servers, Clients, Mobile, Users
- Full stacking Reference - https://itnext.io/the-cloud-skills-shortage-and-the-unemployed-army-of-the-certified-bd405784cef1
- Meme Credit: https://me.me/i/there-is-always-someone-willing-to-do-it-cheaper-21853204
Addressing the Talent Gap
- Security Associate Programs (OJT)
- Job rotation
- Cybersecurity Education Reform
- Sales and Presentation Skills
- This is not a new problem. But our fast-paced technology and extreme division of labor blind us to the solution.
- We want to send someone to a boot camp and have them return a
- We want to send someone to a 4-year college to earn a bachelor's degree in cybersecurity.
- Maybe we just need a consultant that says they understand the security problem. And now, feed our retention monster.
- Steel industry, early 2000's - unable to find high-caliber engineers... we may have to invest in new talent again.
- Cybersecurity Education
- Meet very few cybersecurity bachelor's degrees that are fluent
- Cybersecurity degrees need to become the liberal arts of
- And this is my lesson learned over the last 30 years. We need to equip people to sell ideas. The amazing technical resources that I meet often have trouble conveying their ideas.
- Meme Credit: http://www.quickmeme.com/meme/3totnk
06 - Questions