8/8/2019 Applications - The New Cyber Security Frontier
1/36
Applications :: The new Cybersecurity frontier
Securitybyte & OWASP Confidential
Mano Paul, CSSLP, CISSP, MCAD, MCSD, CompTIA Network+, ECSA
CEO, SecuRisk Solutions
Mano.Paul(at)SecuRiskSolutions(dot)com
Who am I?
(ISC)2's Software Assurance Advisor
Founder - SecuRisk Solutions, Express Certifications & AppSentinel
ISSA Industry Representative
Invited Speaker @ OWASP, CSI, Catalyst, SC World Congress
Information Security Program Manager, Dell Inc.
Securitybyte & OWASP AppSec Conference 2009
Official (ISC)2 Guide to the CSSLP
Information Security Management Handbook
Shark Biologist, Bahamas
SharkTalk podcaster
On LinkedIn/Facebook/Twitter
Who I am NOT!
What are we here to talk about?
Cybersecurity
Applications
Applications and Cybersecurity
Live Free or Die Hard
Matt Farrell: Jesus Christ. It's a fire sale.
John McClane: What?
Matt Farrell: It's a fire sale.
Deputy Director Miguel Bowman: Hey! We don't know that yet.
Taylor: Yeah, it's a myth anyway. It can't be done.
John McClane: Hey, what's a fire sale?
Matt Farrell: It's a three-step... it's a three-step systematic attack on the entire national infrastructure. Okay, step one: take out all the transportation. Step two: the financial base and telecoms. Step three: You get rid of all the utilities. Gas, water, electric, nuclear. Pretty much anything that's run by computers which... which today is almost everything. So that's why they call it a fire sale, because everything must go.
Hollywood not too far from reality
2007 : Estonia hacked
Government Ministry & Political parties (Defense)
Newspapers (Communications)
Banking and Private Companies (Financial/Utilities)
2009 : The Shadow of the Gaza Conflict Cyberwar against Israel
2009 : Brazil Broken (Nov 6th, 2009)
2010 : Digital Hackistan?
Cybersecurity
Pronunciation: sai-ber-si-kyur-a-te
Securing Cyberspace: Kinetic (physical) using Non-kinetic (electronic)
Definition: Measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack.
Merriam-Webster's
Protecting pretty much anything that runs by computers, which is everything today!
Die Hard Definition
Why are we where we are?
Army secures land space
Airforce secures air space
Navy secures sea space
But what about space that is not land, not air, nor sea?
Cyber
Why are we where we are? Contd.
Seconomics (a new term coined!)
Cost of insecure software - $180,000,000,000,000
Wars are won by bits and bytes
Cyber-chess with an invisible enemy (checkmate)
IT - Internet Terrorism?
Cyberbullies
Securing Cyberspace: Easier said than done!
No borders (Big Firewall)
Highly interconnected
Short arm of the law
Privacy invasion
Polymorphic threats
Cybersecurity Threat agents
- Human
- Non Human
  - Malicious Software
  - Technology
- Pervasive computing
- Web 2.0wned - Social Netmares
Malicious Software a.k.a. Malware
Malware
- Proliferative: Viruses & Worms (Web Worms)
- Stealthware: Spyware & Adware, Trojans, Rootkits
Slap in the face-book
I had to recently open the Rootkits book
I sent my wife a link on facebook and then it happened
Command and control
Tax Refund: An Oxymoron
Is IRS.gov and Tax.gov the same?
The IRS is pleased? Hmmm
What currency is this? $ with ,
Should this not be the usual 3-5 business days?
And of course the legitimate security warning!
What's in common with these threats?
Are Applications
Run Applications
Exploit Applications
Applications
The Weakest Link?
What's wiring this evolving world?
In the 80s we wired the world with cables and in the 90s we wired the world with computer networks. Today we are wiring the world with applications using web services and mashups. Having skilled professionals capable of designing and developing secure software is now critical to this evolving world.
Mark Curphey, Director & Product Unit Manager, Microsoft
Founder of OWASP
Application a.k.a. Software a.k.a. System
Abstracted business functionality
Standalone or SaaS
Conduits to data
Dude, where's my data?
Data will continue to be the primary motive behind future cyber crime - whether targeting traditional fixed computing or mobile applications. Data will drive cyber attacks for years to come. The data motive is woven through all emerging cybersecurity threats, whether botnets, malware, blended threats, mobile threats or cyber warfare attacks.
Emerging Cyber Threats Report for 2009
Agar poolis ko mila tho?
Sachin: Hey Zara, lag gaya hai, lag gaya hai; Oot oot sab kuch chod kar bhag
(Zara, we have been caught; get up, get up, leave everything and run)
Sachin: Ye kya kar raha hai tu?
(What are you doing?)
Zara: Data hai yis mai hi hai!
(All the data are in these!)
Zara: Agar poolis ko mila tho?
(What if the police get a hold of it?)
DAD against CIA: Data issues
Disclosure - Attack against Confidentiality
Alteration - Attack against Integrity
Destruction - Attack against Availability
Application vulnerabilities: Opening the door to Cybercrime
- Injection
- Script
- Overflow
- Disclosure
- Session
- Cryptographic
Source: OWASP Top 10 2007
What we need: First Steps - Holistic Security!
People, Process and Technology
Network, Hosts and Applications
Securing the Weak Link - People
SecuriTRAINED
Aware
Trained
Educated (CSSLP)
It's the People
Securing the Weak Link - Process
Source: (ISC)2 CSSLP Coursework
The CSSLP Training will cover each area in more depth.
For the first time in India: 2 day CSSLP training at this conference. Don't miss out!
Process: Secure Design!
Process: Writing Secure Code
Secure the Weak Link - Technology
Tools and Checklists caveat
Validation & Verification (V&V)
Certification & Accreditation (C&A)
Defense in Depth
Software Security
- Input validation, Session management
- Authentication, Parameter manipulation
- Authorization, Cryptography
- Sensitive data protection, Exception management
- Configuration management, Auditing / Logging
Host Security
- Patches, Accounts, Ports
- Services, Files / directories, Registry
- Protocols, Auditing / logging, Shares
Network Security
- Routers, Firewalls, Switches
(Diagram: Network, Host and Application layers for a Web Server and a Database Server, separated by firewalls)
Detained in Brazil/Brasil!
Let me tell you what happened to me when I was returning to the USA from Brazil (as the Americans spell it) / Brasil (as the English spell it)
What Next?
Security in the Skies
Cloud computing S2aaS
Virtualization
Smart Grids
Digital ants
Cybersecure Applications
Reliable
Resilient Recoverable
Software seatbelts
If history is any predictor of the future
Thank you!
Backup Slides
CSSLP Certified Secure Software Lifecycle
CSSLP - Certified Secure Software Lifecycle Professional
(ISC)2 newest certification
Base credential
Caters to various stakeholders
7 Key Areas:
- Concepts
- Requirements
- Design
- Testing
- Acceptance
- Deployment, Operations, Maintenance and Disposal
Data Protection warrants Application Security!
In transit
In storage
In archives
What Cybersecurity is Not?