software security austerity - 44con 2012
DESCRIPTION
Ollie Whitehouse presents Software Security Austerity at 44CON 2012 in London, September 2012.TRANSCRIPT
Software Security Austerity Security Debt in Modern Software Development Ollie Whitehouse, Associate Director, NCC Group
Agenda
• Introduction •Software Security Debt •Debt Management •Conclusions
Before we begin…
metaphor abuse warning!
… before we begin part 2…
there is a white paper available
Security debt
Technical debt
"Shipping first time code is like going into debt. A little debt speeds development so long as it is paid back promptly with a rewrite. The danger occurs when the debt is not repaid. Every minute spent on not-quite-right code counts as interest on that debt."
Security debt…
• Present in all software • Analogous to development and bugs
• security is just a type of bug • Analogous to development and tech debt • The trade off between
• fix everything and ship nothing -versus- • fix only the critical -versus- • real world business
Security debt…
• You get good… • .. you get a new problem • Too many vulnerabilities!
• You focus on just the critical / serious
• … the low / medium mountain grows
Security debt – types?
• Known – identified, but yet to be addressed
• Unknown – latent issues yet to be discovered
Security debt – source?
• Self my development
• Supply chain my outsourced development
• Dependency COTS component use without formal support
Security debt and SDLs
• SDL does not mean 0 debt • SDL means known security debt
• with a repayment plan • No SDL means latent security debt
• with no repayment plan • SDL means more bugs than resources
• quite quickly / in the short to medium term • SDL means accelerated discovery
• you get too good
Security debt and SDLs
• Why accelerated discovery? • requirements reviews • static code analysis • manual code analysis • automated testing (fuzzing) • increased awareness and knowledge • root cause analysis and variations
Accruing debt based on risk
• Financial cost versus • Revenue • Cost of a response incident • Brand impact • Liability
• Time cost versus • Resources • Time to market • Financial costs
Accruing debt based on risk
• Impact versus • Discovery • Mitigations • Complexity and
prerequisite conditions • Access requirements • Marker expectation
Latent debt resilience
• Latent debt will always exist • through own activities • through suppliers • through dependencies
• The need to feed upstream • The need to build resilient software
Debt Management
Why we care
• Client expectation • Regulatory requirements • Increasing cost of debt • Attacker capability evolution • Increased external focus
Why we care
Why we care
Assigning interest rates to security debt
• Interest rate = Priority • Priority = risk • Risk = informed
Assigning interest rates to security debt
Threat = f (Motivation, Capability, Opportunity, Impact)
Assigning interest rates to security debt
DREAD
Assigning interest rates to security debt
CVSS
Assigning interest rates to security debt
• Impact • Distribution • Disclosure • Likelihood of discovery • Presence of mitigations • Complexity of exploitation • Access requirements • Customer expectation
Repayment – New version requirements
Repayment – Severity prioritization
• Next release (any type) • Next release (major version) • Next release +1 (any type) • Next release +2 (any type) • Next release +3 (any type)
Repayment – Percentage reduction
Severity Percentage to be resolved
Critical 100%
Serious 50%
Moderate 30%
Low 20%
Other 0 to 5 %
Repayment – Forced
Debt Expiry
Debt Overhang
• Stuart Myers paper (1977)
‘Determinants of Corporate Borrowing’
• Debt mountain equals death by a thousand cuts
• Leading to inability to accrue more security debt
• Leading to slower innovation
Strategic Debt Restructuring
Bankruptcy
Non Repayment – Consequence Planning
"We may be at the point of diminishing returns by trying to buy down vulnerability," the general observed. Instead, he added, "maybe it’s time to place more emphasis on coping with the consequences of a successful attack, and trying to develop networks that can "self-heal" or "self-limit“ the damages inflicted upon them. "
Conclusions
• Zero debt is not good business practice • SDLs enable debt discovery and repayment • A pure risk approach allows the mountain to grow • Outsourcing carries risk of larger latent debt • A mature model is to understand and plan payment • … while educating upstream • … while paying down the mountain • … while still using risk
UK Offices Manchester - Head Office
Cheltenham
Edinburgh
Leatherhead
London
Thame
North American Offices San Francisco
Atlanta
New York
Seattle
Australian Offices Sydney
European Offices Amsterdam - Netherlands
Munich – Germany
Zurich - Switzerland
Thanks! Questions?
Ollie Whitehouse [email protected]