So, we are back from RSAC 2015! Our heads full with new information, our sales teams loaded with new connections to follow up with and our bags full of useless giveaways :). Other than achieving absolute culinary success with some quite impressive restaurants and enjoying an impressive Faith No More concert at the San Francisco Warfield we also did some work.
As usual it was an interesting and fruitful RSA Conference. Concentrating on Application Security, which had its own dedicated track, we decided to summarize a few of the more interesting talks. Among those, our own one and only, Maty Siman.
A Case Study in Building an application security program – Robb Reck – VP, CISO – Pulte Financial Services
Robb provided an insider’s view of the process required to implement an application security program. Initially Robb described challenges such as the fact that huge organizations are yet to be educated about how important Appsec is. In addition, there is a common feeling that Security solutions are roadblocks for development and it is our (Appsec industry) job to prove how frictionless security can be implemented as part of the application development process. Management and employees buy-in allows the Appsec program process to move ahead. This can be done by assigning tasks which create motivation for the different personas. Employees can be assigned security champion roles and receive responsibility over implementation and enforcement of the program. Junior employees can see this as a way to move forward while senior employees can see this as an option to learn something new. Middle management can see this as an option to define clear and effective goals for the assigned champions. The Appsec program must be prioritized. You will not be able to do it all at once. Implementation has to be gradual. In addition, clear measurement showcasing the effectiveness of the program should be put in place. Show that security incidents are reducing and organization reputation is improving (use marketing to spread the word about how security aware the organization is, and use that as a business differentiator) integration of SAST into the company’s SDLC and use DAST tools as a last line of defense. Common hurdles include the fact that there is a perception that security always affects the infrastructure, bad experience with previous technology, no accountability for compliance and the fact that a long process lies ahead.
Key take aways:
1. Achieve buy-in of management and employees – provide opportunities for teams and clear advantages for company.
2. Take application security one step at a time – allow the organization to grow into the process rather than dropping it on the teams all at once.
3. Adopt the right partners to deliver training and solutions – these have to be flexible and scalable
4. Recruit the smart guys and girls of the teams to act as champions – senior developers with a need to learn something new or Juniors with the motivation to move ahead within the organization.
The full slide deck is available here: https://www.rsaconference.com/writable/presentations/file_upload/asd-ro2-a-case-study-in-building-an-appsec-program-0-60-in-12-months.pdf
Game of Hacks: The mother of all Honey Pots – Maty Siman – CTO and Founder – Checkmarx
Checkmarx’s (checkmarx.com) Founder and CTO Maty Siman, went on stage to talk about one of the most important aspects of application security. DEVELOPER EDUCATION. An educational game called Game of Hacks (www.gameofhacks.com) published online by Checkmarx allowing developers and application security professionals to test their vulnerability detection skills.
During the talk, Maty presented the process used by Checkmarx to achieve a few goals in one shot:
i. Creating a tool which would attract developers. Using Gamification, Checkmarx managed to get 35K users within the first 24 hours to play at different levels either against themselves or challenging their friends
ii. Learning more about hacking techniques. “When building Game of Hacks (GoH), we knew that hackers would be first to rise to the challenge. We also knew that they would try to hack us so we left the door open for them to come in. We created our own honeypot” Said Maty Siman. Maty Shared examples of the hacking techniques used by the attackers and for each technique the audience got a clear understanding how to correctly address these during development stage both theoretically and practically.
iii. Gaining understanding of developer’s secure coding awareness and familiarity. Using statistics of almost 100K participants, Checkmarx could generate statistical data indicating the level of secure coding awareness and the need for the industry’s education. ( Maty also described Chekmarx’s use of node.js when developing the game and how to make sure you are avoiding exposing yourself to vulnerabilities in the code.
The full slide deck is available here: http://www.rsaconference.com/writable/presentations/file_upload/asd-w03-game-of-hacks-the-mother-of-all-honeypots_final.pdf
Key take aways:
5. Plan your application development ahead of timeand make sure your design is secure
6. Educate your developers and get them writing secure coding
7. Use gamification to achieve adoption?
8. Don’t take for granted that new coding language frameworks are secure
Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project – Daniel Miessler, practice principal at Hewlett-Packard
Daniel started the talk by presenting a very futuristic view of IoT. The term he used was “Universal Daemonization” which actually means that every daily tool we use will have some kind of API running on top of it. Discussion was revolving around shaping and configuring the environment around us by both receiving and transmitting data to devices (things). Example: Your watch will detect your body is shivering and will instruct the A/C to increase the heating. However the problem, as Daniel says is that as futuristic as it is, we still fail to consider the security concerns of the past 20 years. “We’ve had network security, application security, mobile security, and cloud security leading up to IoT, and unfortunately we tend to start over when we move into new spaces,”. The problem with IoT is that these products have every one of these security concerns however the industry that is now implementing these products are not the experts in security but rather new comers to this industry. Daniel mentioned tests they ran on tools from within the IoT industry such as home appliances, TV’s, Thermostats and others. The results were alarming. In some cases 100% of devices tested had no basic security measures implemented. For example 10 out of 10 home security systems had the default password of 123456 set with no requirement to change it. In other cases, there were no account lock out setting configured and brute force was a simple task. Software updates, when available, were accessible over an in-secure FTP connection with no signing of updates. Daniel and his team are now working on creating an OWASP top 10 list for IoT as they were not able to find any other standards in the industry (https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project).The full slide deck is available here: https://www.rsaconference.com/writable/presentations/file_upload/asd-t10-securing-the-internet-of-things-mapping-iot-attack-surface-areas-with-the-owasp-iot-top-10-project.pdf
Key take aways
9. IoT is going to grow dramatically in the short term and will have an impact on all industries
10. We haven’t learnt from past experience – companies are doing the same mistakes due to lack of industry security experience
11. No current security standard for IoT provides a fertile ground for basic security flaws
A CISO’s Perspective on Talking to the Board about Cybersecurity – Chris Wysopal, co-founder and CTO of Veracode
CISOs are no longer just a security guru for the company. They have a responsibility which covers all aspects of the organization. Therefore its time that the techie security guru now known as the CISO learns how to communicate with management executives and board members. Management is becoming more aware of the potential business impact security incidents have on the organizations success or even their own personal professional future. They want and need to be part of the decision making process for security aspects however they lack the experience and knowledge. The CISO has to start thinking like a business leader. SaaS applications have introduced new lines of business which require sensitive security approaches while at the same time compliance, legal and PR concerns are also to be considered. Chris states that a CISO will not have more than 15 minutes to present the organizations security state and needs. Data presented has to be clear cut and simple. No technical talk or multitude of graphs, no acronyms (XSS, DDoS etc), use numbers and TCO/ROI figures. Have the board members pitch in on their expectations from an infosec program and make sure the board knows that 100% security is not a feasible goal. An additional important point that was mentioned was to present similar organizations which have been breached and how it affected them. This will lead the board members to understand what they risk by not supporting the program.
Key take aways:
12. CISOs position has changed following the outbreak in company losses due to security breaches
13. CISOs now have to build security strategies and not only solve specific issues
14. Good communication with board members is key for a CISOs success. This is achieved by less technical data and more financial and business impact data.
Practical Advice for Embracing RASP – A New Kind of Defense
Jason Schmitt VP and General Manager HP Fortify,
Tyler Shields Senior analyst Forrester,
Steve Dyer Chief Technologist Head of Research HP Enterprise security products,
Joe Sechman, Director, Software Security Research, HP Security Research
Runtime Application Self-protection (RASP) promises protection for production applications – without changing code. The forum discussed why and how enterprises will adopt this new capability. The problem is that while most (84%) of breaches occur on the application level, current solutions protect the perimeter only. Moreover, the number of applications and applications types is constantly growing in numbers and complexity.
Application Security is critical to avoid exposing your apps to attacks however remediation is not always possible in short time frames and in some cases organizations might choose to prioritize release before vulnerability mitigation. RASP (Run-Time Application Protectio n) completes the SDLC by allowing protection on top of the detection. This allows development teams to release applications with a peace of mind that the vulnerabilities which have not been prioritized high enough or the fixes which have just not made it into the version are still monitored and exploits are blocked in production.
KEY take aways:
15. Network security cannot prevent application breaches on its own.
16. Web application Firewalls (WAF) are dying and being re-born as RASP – RASP can provide better detection accuracy.
17. Adoption of RASP is still at early stages and definitions vary between vendors
18. RASP provides protection for vulnerabilities which have not been resolved during development however it has to be able to point the developer’s where to fix the vulnerability within the code.
19. Static analysis should still be performed at earlier development stages and RASP should be used as a temporary band aid for non-treated vulnerabilities
The Full Slide Deck is available here:http://www.rsaconference.com/writable/presentations/file_upload/spo1-w04-practical-advice-for-embracing-rasp-a-new-kind-of-defense.pdf