Stop complaining and Solve a Security Problem Instead, by Ivan Ristic (PowerPoint PPT presentation, 35 slides)


  1. Stop complaining and… Solve a Security Problem Instead. By Ivan Ristic.

  2. I am a compulsive builder: 1) ModSecurity (open source web application firewall), 2) Apache Security (O’Reilly, 2005), 3) SSL Labs (research and assessment platform), 4) ModSecurity Handbook (Feisty Duck, 2010).

  3. Message for today: Software is universally insecure, and we are not doing enough to make things right.

  4. Morris Worm. In November 1998, the first computer worm infected about 10% of the Internet (about 6,000 servers). The worm was written by Robert T. Morris. (The worm source code is available from www.foo.be/docs-free/morris-worm/.)

  5. The Morris Worm spread using password cracking, server misconfiguration, buffer overflows, and remote code execution.

  6. Same as today, eh? We haven’t seen an improvement in computer security in the 22 years since the first worm.

  7. In fact, the situation has become much worse because of the wide adoption of computers and the Internet.

  8. Why? Four reasons: 1) ignorance, 2) convenience, 3) economics, and 4) no single point of control, but ultimately because security is not important to us.

  9. Software is a market for lemons.

  10. George A. Akerlof, The Market for “Lemons”: Quality Uncertainty and the Market Mechanism.

  11. “[…] the presence of people who wish to pawn bad wares as good wares tends to drive out the legitimate business”.

  12. Security comes from making sensible decisions, thinking things through, taking your time… It is boring and it doesn’t make anyone rich.

  13. Open source projects just want to succeed, companies want to make profit, people want to get things done. Security is standing in everyone’s way.

  14. Only one solution long-term: make the parties involved accountable for the quality. But we are probably not ready yet.

  15. Self-certification. Could help us focus on those who really should be liable. (The Software Facts label taken from Jeff Williams’s talk at AppSec Europe 2005.)

  16. How to… really fix security issues. Design platforms, libraries, and components in such a way that vulnerabilities cannot exist. Then use them.

  17. Start small. Do one thing, no matter how small. Repeat.

  18. Kaizen. Philosophy of continuous improvement.

  19. Kaizen. Continuous small improvements will yield large compound improvement over time.

  20. Start small. In your current project, make all new work secure.

  21. Start small. In your next project, replace as many insecure components and practices as possible.

  22. Start small. Think about how to solve a known security problem. Think some more next week. Help solve it.

  23. Start small. Reach out and inspire someone else to start small.

  24. Start small. Find an influential person. Inspire her.

  25. Start small. Become an influential person. Join a popular open source project, or an important company. Change the world.

  26. Summary. What we can do: 1) change ourselves, 2) contribute to the body of knowledge, 3) inspire others, and 4) make a difference.

  27. Example. We need to transition to a world without plain-text protocols. How? Start by fixing SSL.

  28. Example: Fixing SSL (1). Performance: 1) Improve protocols to address latency issues, 2) major sites support improvements, 3) one browser gets a performance edge, 4) other browsers follow. Google is already doing this, and we should help them.

  29. Example: Fixing SSL (2). No support for modern TLS features: 1) Realise that the underlying libraries are lacking, 2) understand why, 3) fund development, and 4) continue funding development.

  30. Example: Fixing SSL (3). Bad configuration: 1) Raise awareness (but that won’t work), 2) target library developers to drop obsolete features, 3) target vendors to ship with secure defaults.

  31. Example: Fixing SSL (4). Virtual SSL hosting: 1) Realise that we won’t get virtual SSL hosting until Windows XP is retired, 2) put pressure on Microsoft to change their mind, 3) find one person at Microsoft who can change things.

  32. Example: Fixing SSL (5). Certificate authority trust issues: 1) Wait for a wide adoption of DNSSEC, 2) put certificates into DNS, and 3) improve browser user interfaces.

  33. Example: Fixing SSL (6). Plain-text support issues: 1) Use SRV records to enable sites to opt out from supporting HTTP, then 2) support SRV records in web browsers, and 3) use Strict Transport Security in the meantime.

  34. Message for today. Do one thing, no matter how small. Repeat.

  35. Thank you! The slides will be available for download from http://blog.ivanristic.com
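Slide 33 names Strict Transport Security as the stopgap while plain-text HTTP is still supported. The Python below is an added example, not part of the slides or of any of the author's projects: it parses a Strict-Transport-Security header value (RFC 6797 syntax) and flags the policy weaknesses a defender would check for, using constructed sample header values rather than real servers.

```python
import re

ONE_YEAR = 365 * 24 * 3600  # common minimum for a useful HSTS max-age
# Constructed sample header values (hypothetical servers), not taken from the slides.
SAMPLE_HEADERS = {
    "good": "max-age=31536000; includeSubDomains; preload",
    "short": "max-age=300",
    "absent": None,
    "malformed": "max-age=abc; includeSubDomains",
}

def parse_hsts(value):
    """Split an STS value into {directive: value}; names are case-insensitive, no repeats."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, raw = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = raw.strip().strip('"')
    return directives

def assess_hsts(header_value, min_age=ONE_YEAR):
    """Return (ok, findings) for one response's STS header; None means the header was absent."""
    if header_value is None:
        return False, ["no Strict-Transport-Security header: plain HTTP still accepted"]
    try:
        d = parse_hsts(header_value)
    except ValueError as err:
        return False, [str(err)]
    max_age = d.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        return False, ["max-age missing or not an integer: browsers ignore the header"]
    findings = []
    age = int(max_age)
    if age == 0:
        findings.append("max-age=0 clears the policy instead of enforcing it")
    elif age < min_age:
        findings.append(f"max-age={age} is below {min_age}s: policy expires too soon")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent: subdomains stay reachable over HTTP")
    return not findings, findings

def assess_samples():
    """Assess every constructed sample; returns {name: ok}."""
    return {name: assess_hsts(value)[0] for name, value in SAMPLE_HEADERS.items()}
```

Note that browsers only honour this header when it arrives over HTTPS, so the check belongs on the TLS response, not on the plain-HTTP redirect.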
