Hacker vs tools


Transcript of Hacker vs tools

Page 1: Hacker vs tools

Hacker vs. Tools
Geoffrey Vaughan
Security Engineer
@mrvaughan

Page 2: Hacker vs tools

Why this talk?
• Our goal is to build secure software
• What does an SDLC that considers security throughout look like?
• Where can you automate security controls in your SDLC?
• What are the implications of building 1 application vs. managing hundreds?
• Learn to think more like a hacker

Page 3: Hacker vs tools

Whoami
• Geoffrey Vaughan @MrVaughan
• Security Engineer @SecurityInnovation
• Appsec pentesting/advisory at all areas of SDLC
• Former High School/Prison/University Teacher
• Occasionally I’m let out of my basement
• Travelled from Toronto to be here with you today

Page 4: Hacker vs tools

Disclaimer
• Vendor/tool agnostic
• I provide services in all areas of SDLC
• Hacker Biased (I am one)

Page 5: Hacker vs tools

Qualities

Qualities of a Hacker
• Develops creative solutions to complex problems
• Researches and deeply understands the problem
• May leverage tools in the pursuit of a solution

Qualities of a (Security) Tool
• Helps solve problems fast
• Automates the mundane
• Can use signatures, behaviors, or analytics
• Great for high volume testing (large problems and large number of test cases)

Page 6: Hacker vs tools

Securing your SDLC
• At various points in your SDLC, you may want to use a hacker and/or a tool to help secure your product
• Hackers are great at thinking about problems from a different perspective
  • Great for finding design flaws
• Tools can be very thorough at finding/preventing defined known issues
  • Great for doing tedious things

Page 7: Hacker vs tools

Security Requirements
Have you thought of everything?
• How do you confidently know from an early stage that you have thought of every possible thing that could go wrong with your application?
• It is a lot cheaper && easier && faster to fix security issues in the Requirements phase than in Production
  • Like 30 to 100X less expensive!
  • (Depends who you ask)

Page 8: Hacker vs tools

Security Requirements
Have you thought of everything?

Hacker
• Probably will find things the tools miss
• Will think of some really interesting edge cases
• Might not think of everything

Tool
• Checklists
• Threat Modeling
• Processes

Page 9: Hacker vs tools

Design/Architecture
Most architecture designs consist of:
• Use cases
• User stories
• Data Flow Diagrams
• Server/Stack layouts

Page 10: Hacker vs tools

Design/Architecture

Hacker
• Hacker + Developer in a room with a flow diagram can often find many issues in a very short amount of time
• This approach doesn’t scale well when the application becomes infinitely large or when there is a huge list of applications to test

Tool
• Threat modeling
• There are not a lot of tools out there that provide meaningful value in this space

Page 11: Hacker vs tools

Development

Hacker
• Training
• Manual Code Review
• Can find more complex vulnerabilities
• Doesn’t scale well
• Peer Code reviews

Tool
• In IDE plugins (code assisted development)
• Static analysis tools
• Limited vulnerability classes detectable
• Lots of false positives (thousands)
• Good coverage for large applications
• Secure Coding Guidelines

Page 12: Hacker vs tools

What can you find with static analysis?

Good at finding
• Source-to-sink issues: tracking untrusted input from where it enters the application to where it is executed or rendered (XSS, SQLi, and URL Redirects)
• Security misconfigurations
• Insecure randomness
• Some session management issues
• False Positives!!!!

Not good at finding
• Authorization issues
• Some authentication issues (password resets, password brute force)
• Abuse of business rules
• Memory corruption issues (some)
• Design flaws
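The source-to-sink point above is easiest to see in code. The following is an added example (it is not from the talk and not any vendor's product): a toy taint checker built on Python's ast module. The source and sink lists, the Flask-style names (request.args.get, cursor.execute, redirect, render_template_string, html.escape) and the four handler functions in SAMPLE are all constructed for this illustration. It propagates taint through assignments, string concatenation and f-strings, flags the SQL injection and the open redirect, reports a false positive on the escaped greeting because it has no sanitizer model, and says nothing about the invoice handler, whose flaw (any caller can read any invoice) is an authorization problem rather than a data-flow one.

```python
import ast

# Source/sink model: an assumption of this example (a real tool ships a much larger one).
SOURCES = {"request.args.get", "request.form.get"}
SINKS = {
    "cursor.execute": "SQLi",
    "redirect": "URL redirect",
    "render_template_string": "XSS",
}


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintChecker(ast.NodeVisitor):
    """Flow-insensitive taint propagation through one function body."""

    def __init__(self):
        self.tainted = set()   # names currently holding attacker-controlled data
        self.findings = []     # (line, vulnerability class, sink name)

    def is_tainted(self, node):
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            # A source call is tainted; so is any call fed a tainted argument.
            # There is no sanitizer model, so html.escape(tainted) stays tainted (false positive).
            return dotted_name(node.func) in SOURCES or any(self.is_tainted(a) for a in node.args)
        if isinstance(node, ast.BinOp):        # "..." + x, "%s" % x
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):    # f"...{x}..."
            return any(self.is_tainted(v.value) for v in node.values if isinstance(v, ast.FormattedValue))
        return False                           # constants, tuples, everything else

    def visit_Assign(self, node):
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self.is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        sink = dotted_name(node.func)
        if sink in SINKS and any(self.is_tainted(a) for a in node.args):
            self.findings.append((node.lineno, SINKS[sink], sink))
        self.generic_visit(node)


def scan(source):
    """Return (function, line, class, sink) for every tainted value reaching a sink."""
    findings = []
    for fn in ast.parse(source).body:
        if isinstance(fn, ast.FunctionDef):
            checker = TaintChecker()
            checker.visit(fn)
            findings.extend((fn.name, *f) for f in checker.findings)
    return findings


# Constructed handlers (Flask-style names, written for this example only).
SAMPLE = '''
def search(request, cursor):
    term = request.args.get("q")
    query = "SELECT * FROM items WHERE name LIKE '%" + term + "%'"
    cursor.execute(query)

def go(request):
    target = request.args.get("next")
    return redirect(target)

def greet(request):
    name = request.args.get("name")
    safe = html.escape(name)
    return render_template_string("<h1>Hi " + safe + "</h1>")

def invoice(request, cursor):
    invoice_id = request.args.get("id")
    cursor.execute("SELECT * FROM invoices WHERE id = ?", (invoice_id,))
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Running it lists three findings: SQLi in search, a URL redirect in go, and XSS in greet. The third is the false positive the slide warns about, and the tuple-wrapped parameter in invoice correctly produces no injection finding, yet nothing in this approach can notice that the handler never checks who owns the invoice.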

Page 13: Hacker vs tools

QA/Testing
• Ideally, it’s best to try to find issues as early in the SDLC as possible
• In QA, finding and fixing issues is more difficult
  • More costly, could introduce delays, sometimes under strict time constraints
  • Some issues could require redesign or architecture changes
• First chance to do runtime analysis

Page 14: Hacker vs tools

QA/Testing

Hacker
• Can consider the whole picture of the application
• Limited by time/best effort
• If combined with source code, can give best perspective into finding vulnerabilities
• Hard to cover all pages/parameters

Tool
• Fuzzing high volume of test cases
• Crawl/test large applications with good coverage
• Can do Authenticated vs. Unauthenticated testing
• Crash analysis, runtime debugging
• Still has trouble with business rules
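To show why a high-volume tool finds crashes but "still has trouble with business rules", here is an added example (not from the talk): a small mutation fuzzer run against a constructed pricing function. price_order, SEED_CORPUS, the mutation strategy and the business_oracle rule are all invented for this illustration. With no oracle, the fuzzer only learns what every fuzzer learns on its own, that some inputs throw an exception; the negative-total and overcharge results are perfectly valid return values, so the tool stays silent about them until a tester writes down the business rule as an oracle.

```python
import random
import string


def price_order(quantity, unit_price_cents, coupon):
    """Constructed target for this example: returns the order total in cents.
    It carries one crash bug and one business-rule flaw on purpose."""
    if coupon == "SAVE10":
        discount = 10
    elif coupon.startswith("BULK"):
        discount = int(coupon[4:])        # crash bug: "BULK" or "BULKx" raises ValueError
    else:
        discount = 0
    subtotal = quantity * unit_price_cents
    # Business-rule flaw: neither quantity nor discount is range-checked, so a
    # negative quantity or a >100% discount yields a negative total (a refund),
    # and a negative discount overcharges. None of that raises an exception.
    return subtotal - subtotal * discount // 100


SEED_CORPUS = [(1, 500, ""), (3, 1999, "SAVE10"), (10, 250, "BULK20")]


def mutate(case, rng):
    """One random mutation of an input tuple (quantity, price, coupon)."""
    quantity, price, coupon = case
    choice = rng.randrange(5)
    if choice == 0:
        quantity = rng.randint(-5, 50)
    elif choice == 1:
        price = rng.choice([0, 1, 99, 10**9])
    elif choice == 2 and coupon:
        coupon = coupon[:-1]                                   # truncate
    elif choice == 3:
        coupon = coupon + rng.choice(string.ascii_letters)     # append junk
    else:
        coupon = rng.choice(["", "SAVE10", "BULK", "BULK-5", "BULK150"])
    return quantity, price, coupon


def fuzz(target, oracle=None, iterations=2000, seed=1):
    """Mutation fuzzer. Without an oracle it reports only exceptions (crashes);
    with one it also reports results the oracle rejects. Returns {kind: first input}."""
    rng = random.Random(seed)
    corpus = list(SEED_CORPUS)
    findings = {}
    for _ in range(iterations):
        case = mutate(rng.choice(corpus), rng)
        try:
            result = target(*case)
        except Exception as exc:
            findings.setdefault(type(exc).__name__, case)
            continue
        corpus.append(case)               # inputs that ran become new mutation seeds
        if oracle is not None:
            verdict = oracle(case, result)
            if verdict:
                findings.setdefault(verdict, case)
    return findings


def business_oracle(case, total):
    """The rule a tester writes by hand: an order costs between 0 and the undiscounted subtotal."""
    quantity, price, _ = case
    if total < 0:
        return "refund_via_pricing"
    if total > quantity * price:
        return "overcharge"
    return None


if __name__ == "__main__":
    print("crash-only:", fuzz(price_order))
    print("with business-rule oracle:", fuzz(price_order, oracle=business_oracle))
```

The crash-only run reports a single ValueError; the run with the oracle additionally reports refund_via_pricing and overcharge. The fuzzer generated those inputs both times. What changed is that someone who understood the application told it what a wrong answer looks like, which is the part a tool cannot do for you.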

Page 15: Hacker vs tools

Production

Hacker
• Can leverage external resources (Social Engineering, Social media, Google)
• Can leverage weak/vulnerable users
• May invest significant time/energy

Tool
• Signature based detection
• Heuristic threat intelligence
• Abnormality detection
• Continuous runtime scanning
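The three tool-side bullets above are three different detection strategies, and they miss different things. As an added example (not from the talk, and not any product's logic), the following runs a signature rule set, a threat-intelligence lookup and a simple abnormality check over a constructed batch of web-server log lines. The log format, the IP addresses, the signature regexes, THREAT_INTEL_IPS and the failed-login threshold are all assumptions made for this illustration. The last log line is a successful login with a phished user's valid credentials from a new address: it carries no payload, is not on any list and is not a burst, so none of the three detectors say anything, which is the "weak/vulnerable users" bullet on the hacker side.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed log lines (not real traffic): "ip hh:mm:ss method path status".
LOG_LINES = [
    "10.0.0.5 12:00:01 GET /login 200",
    "10.0.0.5 12:00:02 POST /login 302",
    "10.0.0.9 12:00:03 GET /search?q=shoes 200",
    "198.51.100.7 12:00:04 GET /search?q=%27%20OR%201%3D1-- 200",
    "198.51.100.7 12:00:05 GET /static/../../etc/passwd 404",
] + [f"203.0.113.4 12:00:{6 + i:02d} POST /login 401" for i in range(30)] + [
    "192.0.2.77 12:05:00 POST /login 302",   # phished user's valid credentials from a new IP
]

# Signature detection: known-bad payload patterns, matched after URL-decoding.
SIGNATURES = {
    "sqli": re.compile(r"'\s*or\s+1\s*=\s*1", re.I),
    "path_traversal": re.compile(r"\.\./"),
    "xss": re.compile(r"<script", re.I),
}

# Threat intelligence: a constructed feed of addresses someone else reported.
THREAT_INTEL_IPS = {"198.51.100.7"}

# Abnormality heuristic: failed logins per source IP per minute (a chosen threshold, not a standard).
FAILED_LOGIN_THRESHOLD = 10


def parse(line):
    ip, ts, method, path, status = line.split()
    return {"ip": ip, "minute": ts[:5], "method": method, "path": unquote(path), "status": int(status)}


def signature_alerts(lines):
    alerts = []
    for line in lines:
        ev = parse(line)
        for name, pattern in SIGNATURES.items():
            if pattern.search(ev["path"]):
                alerts.append(("signature", name, ev["ip"]))
    return alerts


def intel_alerts(lines):
    seen = []
    for line in lines:
        ip = parse(line)["ip"]
        if ip in THREAT_INTEL_IPS and ip not in seen:
            seen.append(ip)
    return [("intel", "listed_source", ip) for ip in seen]


def anomaly_alerts(lines):
    failures = Counter()
    for line in lines:
        ev = parse(line)
        if ev["method"] == "POST" and ev["path"] == "/login" and ev["status"] == 401:
            failures[(ev["ip"], ev["minute"])] += 1
    return [("anomaly", "failed_login_burst", ip)
            for (ip, _minute), n in failures.items() if n >= FAILED_LOGIN_THRESHOLD]


def detect(lines):
    """Run all three detectors and return their alerts as (detector, rule, source ip)."""
    return signature_alerts(lines) + intel_alerts(lines) + anomaly_alerts(lines)


if __name__ == "__main__":
    for alert in detect(LOG_LINES):
        print(alert)
```

The signatures catch the two payloads, the feed catches the address that sent them, and the threshold catches the thirty failed logins. 192.0.2.77 appears in no alert, and a follow-up to that session is something only a person with context about that user would think to look for.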

Page 16: Hacker vs tools

So What About Agile?
Security Tasks:
1. Every Feature/Story Requirements
2. Every Sprint/Release Requirements
3. Regular Maintenance

Page 17: Hacker vs tools

With Every New Feature / User Story:
• Do the feature requirements consider the security implications of this feature?
• How will this feature affect the overall threat model?

Page 18: Hacker vs tools

Every Sprint / New Release
• Ensure overall security requirements continue to apply across every new sprint (checklist?)
• Impact on application architecture
• Threat modelling for all new features
• Automated code review
• Manual/Peer code review
• Security Testing of new features

Page 19: Hacker vs tools

Regular Maintenance
• Periodic security testing and scanning to ensure no new issues arise. The result is a snapshot of your current security posture
• Regular security training for all members of the team
• Take a big-picture look at results from all security testing and look for areas where issues could have been prevented sooner

Page 20: Hacker vs tools

Secrets to Doing Agile Security Well
• It takes the whole team thinking about security all the time
• Perform regular checks to identify and address issues, and to improve processes
• Systems and processes are necessary to implement security controls throughout

Page 21: Hacker vs tools

Hacker vs. Tool?
• An informed hacker will know when to use each tool and when to rely on their hacker mindset/instincts
• Learn to think more like a hacker to…
  • Make better tools
  • Attack your application as a hacker might
• Learn the trade, not the tool

Page 22: Hacker vs tools

More Talks today:
I’m also presenting 2 other talks today on completely unrelated subjects:
• Catching IMSI Catchers: Hunting the hunter. Can you tell if your phone’s being captured by a rogue cell phone tower / IMSI catcher / Stingray?
• Security Best Practices for Regular Users: What's in your personal threat model? What assets are you trying to protect? Learn how to improve your personal security and privacy online through best practices and security tips.

Page 23: Hacker vs tools

Thank you
Geoffrey Vaughan
@mrvaughan
@SecurityInnovation