SLIDE 1

1 / 35 Stop complaining and solve a security problem instead

Stop complaining and…

Solve a Security Problem Instead

By Ivan Ristic

SLIDE 2

I am a compulsive builder: 1) ModSecurity (open source web application firewall), 2) Apache Security (O’Reilly, 2005), 3) SSL Labs (research and assessment platform), 4) ModSecurity Handbook (Feisty Duck, 2010).

SLIDE 3

Message for today Software is universally insecure, and we are not doing enough to make things right.

SLIDE 4

Morris Worm

In November 1988, the first computer worm infected about 10% of the Internet (about 6,000 servers). The worm was written by Robert T. Morris.

(The worm source code is available from www.foo.be/docs-free/morris-worm/.)

SLIDE 5

The Morris Worm spread using password cracking, server misconfiguration, buffer overflows, and remote code execution.

SLIDE 6

Same as today, eh? We haven’t seen an improvement in computer security in the 22 years since the first worm.

SLIDE 7

In fact, the situation has become much worse because of the wide adoption of computers and the Internet.

SLIDE 8

Why? Four reasons: 1) ignorance, 2) convenience, 3) economics, and 4) no single point of control, but ultimately because security is not important to us.

SLIDE 9

Software is a market for lemons.

SLIDE 10

George A. Akerlof

The Market for “Lemons”: Quality Uncertainty and the Market Mechanism (Quarterly Journal of Economics, 1970)

SLIDE 11

“[…] the presence of people who wish to pawn bad wares as good wares tends to drive out the legitimate business”.

SLIDE 12

Security comes from making sensible decisions, thinking things through, taking your time… It is boring and it doesn’t make anyone rich.

SLIDE 13

Open source projects just want to succeed, companies want to make profit, people want to get things done. Security is standing in everyone’s way.

SLIDE 14

Only one solution long-term: make the parties involved accountable for the quality. But we are probably not ready yet.

SLIDE 15

Self-certification

Could help us focus on those who really should be liable.

(The Software Facts label taken from Jeff Williams’s talk at AppSec Europe 2005.)

SLIDE 16

How to… really fix security issues Design platforms, libraries, and components in such a way that vulnerabilities cannot exist. Then use them.

SLIDE 17

Start small Do one thing, no matter how small. Repeat.

SLIDE 18

Kaizen Philosophy of continuous improvement.

SLIDE 19

Kaizen Continuous small improvements will yield large compound improvement over time.

SLIDE 20

Start small In your current project, make all new work secure.

SLIDE 21

Start small In your next project, replace as many insecure components and practices as possible.

SLIDE 22

Start small ink about how to solve a known security problem. ink some more next week. Help solve it.

SLIDE 23

Start small Reach out and inspire someone else to start small.

SLIDE 24

Start small Find an influential person. Inspire her.
SLIDE 25

Start small Become an influential person. Join a popular open source project, or an important company. Change the world.

SLIDE 26

Summary What we can do: 1) change ourselves, 2) contribute to the body of knowledge, 3) inspire others, and 4) make a difference.
SLIDE 27

Example We need to transition to a world without plain-text protocols. How? Start by fixing SSL.

SLIDE 28

Example: Fixing SSL (1)

Performance: 1) Improve protocols to address latency issues, 2) major sites support improvements, 3) one browser gets a performance edge, 4) other browsers follow.

Google is already doing this, and we should help them.

SLIDE 29

Example: Fixing SSL (2)

No support for modern TLS features: 1) Realise that the underlying libraries are lacking, 2) understand why, 3) fund development, and 4) continue funding development.

SLIDE 30

Example: Fixing SSL (3)

Bad configuration: 1) Raise awareness (but that won’t work), 2) target library developers to drop obsolete features, 3) target vendors to ship with secure defaults.

SLIDE 31

Example: Fixing SSL (4)

Virtual SSL hosting (which depends on the TLS Server Name Indication extension, not supported by Internet Explorer on Windows XP): 1) Realise that we won’t get virtual SSL hosting until Windows XP is retired, 2) put pressure on Microsoft to change their mind, 3) find one person at Microsoft who can change things.

SLIDE 32

Example: Fixing SSL (5)

Certificate authority trust issues: 1) Wait for a wide adoption of DNSSEC, 2) put certificates into DNS, and 3) improve browser user interfaces.

SLIDE 33

Example: Fixing SSL (6)

Plain-text support issues: 1) Use SRV records to enable sites to opt out from supporting HTTP, then 2) support SRV records in web browsers, and 3) use Strict Transport Security in the meantime.
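As an added example (not code from the talk), this is how a client enforces a Strict Transport Security policy, following the semantics that were later fixed in RFC 6797: the header is honoured only when it arrives over HTTPS, a repeated or missing max-age invalidates it, max-age=0 withdraws the policy, includeSubDomains extends it to subdomains, and http:// URLs to covered hosts are rewritten to https:// before any plain-text request leaves the client. Host names, header values and the injectable clock are constructed for illustration.

```python
"""Minimal HSTS policy store modelling browser-side enforcement (added example)."""
import re
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

STS_HEADER = "strict-transport-security"  # HTTP header names are case-insensitive
_MAX_AGE_RE = re.compile(r'^max-age="?(\d+)"?$', re.IGNORECASE)


def parse_sts_header(value: str) -> Optional[Tuple[int, bool]]:
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when the header must be ignored: no max-age, a malformed
    max-age, or a directive given twice (RFC 6797, section 6.1). Unknown
    directives are skipped so future extensions do not break parsing.
    """
    max_age: Optional[int] = None
    include_subdomains = False
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name = directive.split("=", 1)[0].strip().lower()
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            match = _MAX_AGE_RE.match(directive)
            if match is None:
                return None
            max_age = int(match.group(1))
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


@dataclass
class Policy:
    expires_at: float
    include_subdomains: bool


class HstsStore:
    """Per-host HSTS policies, as a browser keeps them."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock  # injectable clock so expiry can be tested offline
        self._policies: Dict[str, Policy] = {}

    def note_response(self, url: str, headers: Dict[str, str]) -> bool:
        """Record the policy carried by a response; True if the store changed.

        Only an HTTPS response may set or clear a policy: an attacker on the
        plain-text path must not be able to tamper with it.
        """
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https" or not host:
            return False
        value = next((v for k, v in headers.items() if k.lower() == STS_HEADER), None)
        if value is None:
            return False
        parsed = parse_sts_header(value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        if max_age == 0:  # max-age=0 is how a site withdraws its policy
            return self._policies.pop(host, None) is not None
        self._policies[host] = Policy(self._clock() + max_age, include_subdomains)
        return True

    def is_known_host(self, host: str) -> bool:
        """True if an unexpired policy covers host directly, or a superdomain's
        policy covers it via includeSubDomains (the TLD itself is never tried)."""
        host = host.lower()
        now = self._clock()
        labels = host.split(".")
        for i in range(max(1, len(labels) - 1)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None or policy.expires_at <= now:
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Upgrade an http:// URL to https:// when a policy applies."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return url
        if not self.is_known_host(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port is not None and parts.port != 80:
            netloc += f":{parts.port}"  # port 80 becomes the https default; others are kept
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    # Constructed responses: the plain-HTTP one is ignored, the HTTPS one sets the policy.
    store.note_response("http://example.com/", {"Strict-Transport-Security": "max-age=3600"})
    store.note_response("https://example.com/", {"Strict-Transport-Security": "max-age=3600; includeSubDomains"})
    for u in ("http://example.com/login", "http://www.example.com/", "http://example.org/"):
        print(u, "->", store.rewrite(u))
```

The store is what SRV-record opt-out would eventually make unnecessary: until a browser can learn from DNS that a site is HTTPS-only, the first visit still goes out in plain text, which is why the policy has to be remembered and why it must never be accepted over HTTP.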

SLIDE 34

Message for today Do one thing, no matter how small. Repeat.

SLIDE 35

Thank you!

The slides will be available for download from http://blog.ivanristic.com