Applications - The New Cyber Security Frontier

Apr 10, 2018

Transcript
8/8/2019 Applications - The New Cyber Security Frontier

1/36

Applications :: The new Cybersecurity frontier

Securitybyte & OWASP Confidential

Mano Paul, CSSLP, CISSP, MCAD, MCSD, CompTIA Network+, ECSA
CEO, SecuRisk Solutions
Mano.Paul(at)SecuRiskSolutions(dot)com

2/36

Who am I?

(ISC)2's Software Assurance Advisor
Founder - SecuRisk Solutions, Express Certifications & AppSentinel
ISSA Industry Representative
Invited Speaker @ OWASP, CSI, Catalyst, SC World Congress
Information Security Program Manager, Dell Inc.
Official (ISC)2 Guide to the CSSLP
Information Security Management Handbook
Shark Biologist, Bahamas
SharkTalk podcaster
On LinkedIn/Facebook/Twitter

Securitybyte & OWASP AppSec Conference 2009

3/36

Who I am NOT!

(Image caption: NOT ME)

4/36

What are we here to talk about?

Cybersecurity
Applications
Applications and Cybersecurity

5/36

Live Free or Die Hard

Matt Farrell: Jesus Christ. It's a fire sale.
John McClane: What?
Matt Farrell: It's a fire sale.
Deputy Director Miguel Bowman: Hey! We don't know that yet.
Taylor: Yeah, it's a myth anyway. It can't be done.

John McClane: Hey, what's a fire sale?
Matt Farrell: It's a three-step... it's a three-step systematic attack on the entire national infrastructure. Okay, step one: take out all the transportation. Step two: the financial base and telecoms. Step three: You get rid of all the utilities. Gas, water, electric, nuclear. Pretty much anything that's run by computers which... which today is almost everything. So that's why they call it a fire sale, because everything must go.

6/36

Hollywood not too far from reality

2007 : Estonia hacked
  Government Ministry & Political parties (Defense)
  Newspapers (Communications)
  Banking and Private Companies (Financial/Utilities)
2009 : The Shadow of the Gaza Conflict - Cyberwar against Israel
2009 : Brazil Broken (Nov 6th, 2009)
2010 : Digital Hackistan?

7/36

Cybersecurity

Pronunciation: sai-ber-si-kyur-a-te

Securing Cyberspace: Kinetic (physical) using Non-kinetic (electronic)

Definition: Measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack. (Merriam-Webster's)

Die Hard definition: Protecting pretty much anything that runs by computers, which is everything today!

8/36

Why are we where we are?

Army secures land space
Airforce secures air space
Navy secures sea space

But what about space that is not land, not air, nor sea? Cyber

9/36

Why are we where we are? Contd.

Seconomics (a new term coined!)
Cost of insecure software - $180,000,000,000,000
Wars are won by bits and bytes
Cyber-chess with an invisible enemy (checkmate)
IT - Internet Terrorism?
Cyberbullies

10/36

Securing Cyberspace: Easier said than done!

No borders (Big Firewall)
Highly interconnected
Short arm of the law
Privacy invasion
Polymorphic threats

11/36

Cybersecurity Threat agents

Human
Non Human
Malicious Software
Technology
Pervasive computing
Web 2.0wned - Social Netmares

12/36

Malicious Software a.k.a. Malware

Proliferative: Viruses & Worms (Web Worms)
Stealthware: Spyware & Adware, Trojans, Rootkits

13/36

Slap in the face-book

I had to recently open the Rootkits book.
I sent my wife a link on facebook and then it happened.

Callouts on the screenshot of the message:
- Command and control
- Tax Refund: An Oxymoron
- Is IRS.gov and Tax.gov the same?
- The IRS is pleased? Hmmm
- What currency is this? $ with ,
- Should this not be the usual 3-5 business days?
- And of course the legitimate security warning!

14/36

What's in common with these threats?

Are Applications
Run Applications
Exploit Applications

Applications: The Weakest Link?

15/36

What's wiring this evolving world?

"In the 80s we wired the world with cables and in the 90s we wired the world with computer networks. Today we are wiring the world with applications using web services and mashups. Having skilled professionals capable of designing and developing secure software is now critical to this evolving world."

Mark Curphey, Director & Product Unit Manager, Microsoft; Founder of OWASP

16/36

Application a.k.a. Software a.k.a. System

Abstracted business functionality
Standalone or SaaS
Conduits to data

17/36

Dude, where's my data?

"Data will continue to be the primary motive behind future cyber crime - whether targeting traditional fixed computing or mobile applications. Data will drive cyber attacks for years to come. The data motive is woven through all emerging cybersecurity threats, whether botnets, malware, blended threats, mobile threats or cyber warfare attacks."

Emerging Cyber Threats Report for 2009

18/36

Agar poolis ko mila tho?

Sachin: Hey Zara, lag gaya hai, lag gaya hai; Oot oot sab kuch chod kar bhag
(Zara, we have been caught; get up, get up, leave everything and run)

Sachin: (What are you doing?)

Zara: Data hai yis mai hi hai!
(All the data are in these!)

Zara: Agar poolis ko mila tho?
(What if the police get a hold of it?)

19/36

DAD against CIA - Data issues

Disclosure - Attack against Confidentiality
Alteration - Attack against Integrity
Destruction - Attack against Availability

20/36

Application vulnerabilities - Opening the door to Cybercrime

- Injection
- Script
- Overflow
- Disclosure
- Session
- Cryptographic

Source: OWASP Top 10 2007

21/36

What we need - First Steps - Holistic Security!

People, Process and Technology
Network, Hosts and Applications

22/36

Securing the Weak Link - People

SecuriTRAINED
Aware
Trained
Educated
(CSSLP)

It's the People

23/36

Securing the Weak Link - Process

Source: (ISC)2 CSSLP Coursework

The CSSLP Training will cover each area in more depth.
For the first time in India: 2 day CSSLP training at this conference. Don't miss out!

24/36

Process - Secure Design!

25/36

Process - Writing Secure Code

26/36

Secure the Weak Link - Technology

Tools and Checklists caveat
Validation & Verification (V&V)
Certification & Accreditation (C&A)

27/36

Defense in Depth

Software Security: Input validation, Authentication, Authorization, Sensitive data protection, Configuration management, Session management, Parameter manipulation, Cryptography, Exception management, Auditing / Logging

Host Security: Patches, Accounts, Ports, Services, Files / directories, Registry, Protocols, Auditing / logging, Shares

Network Security: Routers, Firewalls, Switches

(Diagram: Web Server and Database Server behind Firewalls, with Host and Network layers)

28/36

Detained in Brazil/Brasil!

Let me tell you what happened to me when I was returning to the USA from Brazil (as the Americans spell it) / Brasil (as the English spell it)

29/36

What Next?

Security in the Skies
Cloud computing (S2aaS)
Virtualization
Smart Grids
Digital ants
Cybersecure Applications: Reliable, Resilient, Recoverable
Software seatbelts

30/36

If history is any predictor of the future

(Timeline: 2008, 2009, 2010)

Thank you!


32/36

Backup Slides

33/36

CSSLP Certified Secure Software Lifecycle

34/36

CSSLP - Certified Secure Software Lifecycle Professional

(ISC)2 newest certification
Base credential
Caters to various stakeholders

7 Key Areas
Concepts
Requirements
Design
Testing
Acceptance
Deployment, Operations, Maintenance and Disposal

35/36

Data Protection warrants Application Security!

In transit
In storage
In archives

36/36

What Cybersecurity is Not?