Bringing nothing to the party
Vincenzo Iozzo, Director of Security Engineering
Trail of Bits, Inc
It’s about time we make AppSec understandable to the lay person (read: your executives)
There’s no real accountability at the company-wide level for AppSec; this has to change
Games we play these days...
Fail to separate threats
Compare and contrast
And this..
With this
Forget the good ol’ weak links
Macro-level example
Eco101
The market for lemons
Improper threat analysis and quality control leads to a market for lemons scenario
Free riders!
The careless employee/company is free-riding on somebody else’s security investment
Externality
Both internally and externally, security is far too often a (good|bad) externality
What has any of this to do with AppSec?
A lot of AppSec is “miracle work”
Bounties
They don’t attract “professionals”
They attract weak automation (fuzzers)
They don’t solve the big-picture problem
They are taxing for developers and security people alike
Do somebody else’s work
“Reactive security”
The iOS jailbreaking saga is a prime example
Lack of developer accountability
Stuff that works today
Bug hunting
HAVOC/HAVOC-LITE (Julien Vanegue et al)
Bochspwn (Jurczyk et al)
BlueHat prize/Pwnium/Pwn2Own
Bugs Techniques
Some tools
EMET… ? ? ?
Let’s talk about tomorrow
Meditation interlude
Please pause for a second and contemplate what it means from a technical and sophistication POV for someone to backdoor NIST standards
A line in the sand
If you want to fight this…
This has to go…
Warning
Proposal 1
Make AppSec risk understandable by non-infosec people/investors
You can start from this
| | Elderwood | NYU-Poly | Davis |
|---|---|---|---|
| Plugins Required | Flash, Office, Java | .NET | None |
| Version Support | IE8 / Win XP | IE8 / Win7 | IE9 / Win7 |
| Reliability | ~50% | ~95% | ~99% |
| Features | Hardcoded ROP | Hardcoded ROP | Dynamic ROP |
| Time to Develop | ? (probably 8 hrs) | ~5 days | ~10 days |
| Experience | Professional | Amateur | Amateur |
And this
Proposal 2
Make bug-hunting a commodity by creating appropriate tools. Focus on the errors your developers make
Proposal 3
Engage researchers/firms in DARPA CFT-like ways
Proposal 4
Talk to your CFO and make security an integral factor in M&A activities
Proposal 5
Do your own internal offensive research, it builds intuition and it makes for great ‘pro-active’ mitigations
Conclusions
AppSec can and should become a profit-center
If we don’t do anything, policy-makers will, and we’re not going to like it
An insane amount of money is being poured into InfoSec; let’s not ruin this by fostering lemons
Free-riding is why we can’t have nice things
Final quote
"Mass markets demand security, along with safety and reliability, only after the product becomes commoditized."
- Alex Gantman
Thanks! Questions? [email protected]