Creating Developer Security Awareness
Transcript of Creating Developer Security Awareness
CREATING DEVELOPER SECURITY AWARENESS: USING ATTACKS
David Klassen
TL;DR
INTRODUCTION
• Evolving methods of communicating security problems to developers:
  • OWASP AppSec Tutorial Series: shock value, easily demonstrates risk/prevention
  • I have noticed that web developers really take to powerful/short introductions
  • Michael Howard @ OWASP AppSecUSA in 2012:
    • won't work if it's too long or overloads the listeners (retention?)
    • best done in short presentations that can quickly explain (i.e. Zest/Punch)
    • Have a whole website (book?) available for people looking for more clarification
• It is hard to find good information that couples vulns with attacks, and fixes
• You can tell them to fix, but if you don’t W5 the issues, things get dropped
• Somehow security groups need to model to others what is at risk in an attack
• Remind them why we want to prevent attacks, and cite reputation issues
ENCHILADA
FOG OF SECURITY RE-ENGINEERING
• Some bugs get fixed… but the pen-testers continually report issues that are not fixed and probably won’t get fixed.
• Flaw is buried in the most popular feature
• You’ve performed or reviewed the millionth assessment with bug X.
• You’ve had that 24th meeting…
• Burnout is here and even you need relief
• It's time to take an issue with Awareness; somehow blow them out of the water!
• Pick your darkest bug set and detail what exploitation might look like…
PILE IT HIGH
• After working in software security you might start thinking like a philosopher:
  • While an XSS might divulge a user's session cookie, and even that is a really, really critical issue to fix, certain individuals might rightly state, "Well, a login provided to such-and-such a feature has no access to anything important."
• So you see, what this XSS provides to an attacker doesn't really mean anything, because that web app has no access to critical information assets???
• What such a response glosses over is that exposing a user's session cookie is only one issue out of a plethora of other possible attack vectors (via RCE)
• Everyone knows that SecBug X is bad ass; however, "they don't know how…"
• Actually you don't really know; let's start to build some kind of integrity here
• By debunking the arguments and rebuttals provided, we bring people closer
RAISE THE BOO-YAH
• Use attacks that have been used in reality, and discussed in the news.
• See if you can’t pair common bug X with this real attack payload, so they can later look up and learn about it.
• Don’t allow yourself to make a boring communication. Make it with pizazz!
• Get yourself excited about the problems, by taking the training.
• There are lots of security training groups out there (get up-to-date).
• Don’t cheap-out telling yourself I can learn this on my own (time == $$$).
FILTER THE BS
• YouTube is great and I have seen great videos there, but it's nothing you can show your company usually
• There is a certain way of being a cool cat that really isn't that cool. In a year or two it's not cool
• If you want the audience for your video to actually be people who develop software you are going to need to adapt to meet their needs
• If we don't take developers all the way to s-hell, then we're not really taking them anywhere
• Is making it simple not your job? Then stay solo
• Look at the experts in communication: do they skirt around the issues, or aim for the heart?
GET OVER THE AWARENESS BUSINESS
• The executives talked about raising awareness
• However when it came to meeting the expectations of your common developer…
• When I started making presentations and videos to summarize, everything just felt better.
• After creating this video I noticed the executives subscribed to an official set of security awareness material
• As I look at what was out there though, I realized I am a party of one, and really the only one with an incentive to learn more.
• There are many hats you can wear in this business, but which one will have an effect?
KEEP IT ORGANIC
• If you create a company-directed security promotional like this, you can post links to it everywhere:
  • Wiki
  • Bug pages
  • e-mails
  • chat
  • etc.
• There are more chances for people to run across it in their everyday work
• By piquing people's interest, we are exposing the worst of issues and trying to steer people towards real risks.
• Helping the company to build integrity.
GET THE FACTS
• I spent time, effort, and money to chase down exploitation beyond session cookies, because it seemed interesting to me, and I didn't remember seeing this anywhere:
  • Research the topic
  • Listen to podcasts/conference talks
  • Speak to others (hardest)
  • Take the training
• Can we find it in our own code anywhere? (Do it.)
• If we consider it APT-possible, what things can happen?
• By attempting to understand what is attackable, we have a better awareness of what is probable
• We will also learn about the protection others believe is there
DREAM BIG
• Focus on your attacks first. Your story.
• Everyone has heard about hacking
• We mix in legalities and $kirt the field
• I wanted to work in software development
• I didn’t want to be a QA any more
• I ended up finding quite a few vulns
• I knew the vulns were bad but not how
• As a paid employee, legally this info is…?
• Enlighten on these scary predicaments
PERFECTING YOUR ATTACKS
• To be honest I hate the spy concept
• But considering our industry it works
• Ensure you exhaust all your resources
• When you find that last morsel: Boom!
• Aurora video I found online did it
• If I didn’t search long enough?
• After it starts rolling for you, perfect it
• Legitimate attack scenario is not easy
• Task of explaining to others is hard
PERFECTING THE EXPLANATION
• No exploitation, no explanation
• Tell the whole story and real risks
• Yes it is a bad subject, but it's also work
• Practiced attack gives you domain info
• Record your video as if for strangers
• Use all the VMs/tools, and cut it out later
• Explanations demand more video/story
• After you have perfected attack and explanations video, create a script
• Working back from this you will find introduction tie-ins and more.
DO THE POST-MORTEM
• Mastered attack -> easier explanations
• Tie it back to reality in the simple or hard
• Show the proof of what happened
• Relate to other attacks: CJ of FB login
• In some way all attacks are the same
• Good place for lead-ins to other vulns
• Emphasize the attack line if important
• Doing this well, leads to a good intro
• I wanted to jump into the fix, but it didn’t make sense quite yet to do that
• Make it as detailed as necessary
A STORY BUILDS IT UP
• A video that displays real compromise should be easy to create a story for
• It also might mix with real life (A/V)
• If you get better ideas just go for it
• Redos are common with a new script
• Video editing software is so buggy!
• New ideas will come, weigh the value
• It is best to at least cover these:
  1. Something everyone has heard/seen
  2. A full exploit that hits fast and deep
  3. A fast automated attack
• People should start to think differently
WHY DO WE CARE?
• They are not going to get it… So!
• Make a laughing stock of yourself
• Phishing intro: the first thing in my mind
• Later it felt sarcastic, and a good vice
• It made the problem more plain to see
• I was hoping someone would laugh, and then run smack into realization
• That’s just it! A real XSS exploit appears to be just like any other web page
• It is important to realize that a website can be made to do anything and developers are in charge of appearance
HOW DID WE FIND THE BUG?
• Are we ever asked to fix the bugs?
• Do Devs become security conscious because they know how to program?
• Show Devs how to consider STDD
• This might lead to something else, like the discovery of problematic third-party code
• Let them know about SAST/DAST
• Detection knowledge leads to prevention
• Attempt to include your product or company in the video
• Bring up reputation and liability issues
REMEDIATE
• Go beyond insults to engineering
• No one is perfect. We need a common ground for discussion; make one.
• Some bugs might be simple to fix
• RCE bugs are anything but simple because the fault is in the genetics
• When dealing with RCEs go deep
• Try to use the best sources/definitions
• Provide them framework suggestions
• Map the entire issue lifecycle + fix
• RCE preventions and counter-measures
SOCIAL
EXPLAIN THE EQUIPMENT
• Are we fighting this battle bare handed?
• Explaining prevention can be simple…
• For RCE it is hard, so go as far as required
• OWASP XSS Prevention was thorough, but I had to bow out and exit stage left (time)
• Don’t go so deep that no one is listening
• If they don’t watch it, they can’t mock
• Make it fun, but try not to waste time
• Aim to gain the respect of your groups
• Use a Dev-possible mindset for awareness
• Create wiki page detailing equipment
JU$TIFICATION
• Who? Me? If not you who else can/will?
• There is lots of philosophy in business, but try not to get caught up in the rat race
• Be prepared to justify your videos/cause
• Make your video respect worthy
• Put your own time into it, or just go home
• Having security training is good, but an in person explanation can be specific
• Be prepared to poke holes in the other strategies presented by management
• There is no fail in attempting to help…
• If you think you're failing, speak to others!
IDENTIFYING WITH MANAGEMENT
• Accountability is another word for this
• Luckily you are not alone. People have been selling security to other people, since before we had democracies…
• Look-up some of these people. Metricon
• Many reports out there to reference/facts
• Statistics not there? Use news headlines
• Make friends with the management team.
• If you’re an employee don’t shame us…
• The reason you start with report citations, is to make it a business issue; not personal
• Everyone should admit their shit, even you
THE GOLDEN BLUEBERRY
• Here is my magic word slide (Secret Sauce)
• Rethink the video so you sell it to the group
• Not management heavy? You're lucky!
• A report will help to bring it to the business
• Introduce the issue typical way (atypical?)
• Start where they are at, but carve the path
• I used vulnerability finding to put it in scope, something that DEV might have seen before
• Every “Seminar” has a magic sales slide
• You can do it, feel the magic, believe it
• Don’t forget everyone is special… in that they have a chance in this life (in some way)
GIVE IT A GOOD HOME
• Ask others where the best place to showcase it is. Find usual locations.
• Some place that has high visibility where people look all the time
• I recommend an internal location
• Don't post it on YouTube; if it is any good it will contain privileged info
• If awareness doesn’t make people question things, what is it doing?
• If your company is small or lean enough, perhaps other methods will work better. Are they listening?
• Perhaps a general video that describes key industry issues.
COMMUNICATE IT
• If you have created something new
• If you are really interested in it
• Make it a big deal
• Invite the dev teams you work with, and anyone else interested
• Send them an introduction e-mail with a good link to your video.
• Ask them to watch the video, and consider coming out to discuss it
• Ask everyone when they want to meet
• Plan Lunch and Learn for small groups
• If you have a large group have an open forum, and invite discussions…
IN PERSON DISCUSSIONS
• Book a good time for everyone, or plan to have multiple meetings
• Create a slide deck that covers all the issues they might need to know.
• We can answer questions, but if no one has any questions, have it ALL
• From recent issues to academic
• Ask the audience questions (reflect)
  • Attack – history, variations, and risk
  • Exploitation – how far does it go?
  • Detection – perform tests to check
  • Prevention – library features etc.
  • Monitoring – is it in the logs? OODA
  • Protection – Policies/Controls available
TALKING SHOP
• These slides can be a bit boring, but the topic isn't boring; try to keep it exciting
• The talk is going to reflect your wiki and aim to completely cover the issue
• Engage with the audience
• Make sure they understand the depth of the problems. Ask for their opinion
• What did XSS allow us to do to the victim?
  • Steal their cookie jar?
  • Or insert a key logger?
• We want to highlight their knowledge
• If no one is answering questions, ask them why, learn to communicate
RESULTS
• From my experience, not sure if they are listening
• It's like you are working with silence, not people
• The important part is that they have been told
• If they understand this… watering hole, malverts?
• We are trying to get them to think about it
• Developers who get it are really rare
• However those who do can really help you out
• Reach horizontally and vertically in your corp.
• HR can help with spreading some messages
• Alter corporate processes and remove oversights
• The whole goal here is to help the team work well
HERE’S WHAT I THINK WORKS
• If you think you have covered it all, have you managed to cover:
  • Monitor
  • Attack
  • Prevention
  • Protection
  • Exploitation / Explanation
  • Detection
• In other words, is the issue MAPPED?
• We often spew vulns not explanations
• We need to gain engineering buy-in, where money is king, security has a cost
• There are so many experts who say this
GET THE PEOPLE LISTENING
• AS: Learn more about why developers don’t want to fix the problems, instead of debating probability of attack
• We need to be creative about how we get Development into the discussion
• JW: We need to remember Software Priorities According to Developers are:
  1. Expected functions and features
  2. Performance
  3. Usability
  4. Uptime
  5. Maintainability
  6. Security
• If we can do 1-5, then probably Security
ISSUE IMMERSION
• Ideally you have researched:
  • the exploitation topics
  • the corporate vulnerability history
• Stayed aware for your company:
  • full-disclosure, bugtraq etc.
  • or out there through other sources
• Participated in:
  • penetration tests on assets
  • leading the bug triaging process
  • assessment/reviews on your group
• Good sources for a starting point
MAD SKILLS
• If you have been at this for a while, you might be a bit bitter for who knows why
• I suggest you spread the venom in a creative way with much foresight
• You are the eyes and ears for your place of work, replaceable but +++
• If you can’t work with management to make it work, it probably won’t
• "You set the goals, it's your mission"
• Apply your own individual style
• If you're committed to this it might change your career (don't blame me)
SEE THE SLIDE NOTES FOR MORE !!!