Applications - The New Cybersecurity Frontier - India's Largest … securitybyte.org/2009/schedule/Day1_Tulip_II_and_III... · 2009-12-04

Page 1

Applications :: The new Cybersecurity frontier

Securitybyte & OWASP Confidential

Mano Paul
CSSLP, CISSP, MCAD, MCSD, CompTIA Network+, ECSA
CEO, SecuRisk Solutions
Mano.Paul(at)SecuRiskSolutions(dot)com

Page 2

Who am I?

• (ISC)2's Software Assurance Advisor
• Founder - SecuRisk Solutions, Express Certifications & AppSentinel
• ISSA – Industry Representative
• Invited Speaker @ OWASP, CSI, Catalyst, SC World Congress, …
• Information Security Program Manager – Dell Inc.
• Author
  – Official (ISC)2 Guide to the CSSLP
  – Information Security Management Handbook
• Shark Biologist, Bahamas
• SharkTalk podcaster
• On LinkedIn/Facebook/Twitter

Securitybyte & OWASP Confidential, Securitybyte & OWASP AppSec Conference 2009

Page 3

Who I am NOT!

[Photo with callout: NOT ME ☺]

Page 4

What are we here to talk about?

• Cybersecurity
• Applications
• Applications and Cybersecurity

Page 5

Live Free or Die Hard

• Matt Farrell: Jesus Christ. It's a fire sale.
• John McClane: What?
• Matt Farrell: It's a fire sale.
• Deputy Director Miguel Bowman: Hey! We don't know that yet.
• Taylor: Yeah, it's a myth anyway. It can't be done.
• Matt Farrell: Oh, it's a myth? Really? <censored>
• John McClane: Hey, what's a fire sale?
• Matt Farrell: It's a three-step... it's a three-step systematic attack on the entire national infrastructure. Okay, step one: take out all the transportation. Step two: the financial base and telecoms. Step three: You get rid of all the utilities. Gas, water, electric, nuclear. Pretty much anything that's run by computers which... which today is almost everything. So that's why they call it a fire sale, because everything must go.

Page 6

Hollywood – not too far from reality

• 2007 : Estonia hacked
  – Government Ministry & Political parties (Defense)
  – Newspapers (Communications)
  – Banking and Private Companies (Financial/Utilities)
• 2008 : Nation State Georgia – First Cyberwar
• 2009 : The Shadow of the Gaza Conflict – Cyberwar against Israel
• 2009 : Brazil Broken (Nov 6th, 2009)
• 2010 : Digital Hackistan ?

Page 7

Cybersecurity

• Pronunciation: sai-ber-si-kyur-a-te
• Securing Cyberspace
• Kinetic (physical) impact achieved using non-kinetic (electronic) means
• Definition: "Measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack." (Merriam-Webster's)
• "Protecting pretty much anything that runs by computers – which is everything today!" (Die Hard definition)

Page 8

Why are we where we are?

• Army secures land space
• Airforce secures air space
• Navy secures sea space
• But what about space that is not land, not air, nor sea?
  – Cyber

Page 9

Why are we where we are? – Contd.

• Seconomics (a new term coined!)
  – Cost of insecure software - $180,000,000,000,000
• Wars are won by bits and bytes
  – Cyber-chess with an invisible enemy
  – Whoever controls the Information can deal the checkmate
• IT - Internet Terrorism?
  – Cyberbullies

Page 10

Securing Cyberspace – Easier said than done!

• No borders – Big Firewall
• Highly interconnected
• Short arm of the law
• Privacy invasion
• Polymorphic threats

Page 11

Cybersecurity Threat agents

• Human
• Non Human
  – Malicious Software
  – Technology
    • VoIP
    • Pervasive computing
    • Web 2.0wned - Social Netmares

Page 12

Malicious Software a.k.a. Malware

[Diagram: Malware taxonomy]
• Malware
  – Proliferative
    • Viruses & Worms (Web Worms)
  – Stealthware
    • Spyware & Adware
    • Trojans
    • Rootkits

Page 13

Slap in the face-book

• I had to recently open the 'Rootkits' book
• I sent my wife a link on facebook and then it happened …
• Command and control
• Phishing Hooks

[Screenshot of the facebook phishing message, with callouts:]
  – Tax Refund: An Oxymoron
  – Are IRS.gov and Tax.gov the same?
  – The IRS is pleased? Hmmm
  – What currency is this? $ with ,
  – Should this not be the usual 3-5 business days?
  – And of course the legitimate security warning!

Page 14

What's in common with these threats?

• Are Applications
• Run Applications
• Exploit Applications
• Applications
  – The Weakest Link?

Page 15

What's wiring this evolving world?

"In the 80's we wired the world with cables and in the 90's we wired the world with computer networks. Today we are wiring the world with applications using web services and mashups. Having skilled professionals capable of designing and developing secure software is now critical to this evolving world."

Mark Curphey, Director & Product Unit Manager, Microsoft; Founder of OWASP

Page 16

Application a.k.a. Software a.k.a. System

• Abstracted business functionality
• Standalone or SaaS
• Conduits to data

Page 17

Dude, where's my data?

"Data will continue to be the primary motive behind future cyber crime - whether targeting traditional fixed computing or mobile applications. Data will drive cyber attacks for years to come. The data motive is woven through all emerging cybersecurity threats, whether botnets, malware, blended threats, mobile threats or cyber warfare attacks."

Emerging Cyber Threats Report for 2009

Page 18

Agar poolis ko mila tho? (What if the police get hold of it?)

• Sachin: Hey Zara, lag gaya hai, lag gaya hai; Oot oot sab kuch chod kar bhag
  (Zara, we have been caught; get up, get up, leave everything and run)
• Sachin: Yeh kya kar raha hai thu?
  (What are you doing?)
• Zara: Data hai yis mai hi hai!
  (All the data are in these!)
• Zara: Agar poolis ko mila tho?
  (What if the police get a hold of it?)

Page 19

DAD against CIA – Data issues

• Disclosure - Attack against Confidentiality
• Alteration - Attack against Integrity
• Destruction - Attack against Availability

Page 20

Application vulnerabilities – Opening the door to Cybercrime

- Injection
- Script
- Overflow
- Disclosure
- Session
- Cryptographic

Source: OWASP Top 10 2007
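As an added example (not code from the slides or from the author), here is the Injection entry from the list above, shown as a string-built login query next to its parameterized replacement. The sqlite3 users table, its two accounts and the attacker strings are constructed for the demo, and the function names are ours.

```python
# Added example (not from the original slides): the "Injection" entry above,
# shown as a string-built SQL query beside its parameterized replacement.
# The users table, its rows and the attacker inputs are constructed for this demo.
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with two constructed accounts.
    Passwords are stored in clear only to keep the demo short; a real
    application stores a salted password hash (see the Cryptographic item)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Vulnerable: user input is concatenated into the SQL text, so quotes,
    OR clauses and -- comments supplied by the user change the query's grammar."""
    sql = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "' ORDER BY username"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Hardened: the SQL text is fixed and the driver binds the values, so the
    same attacker strings are compared as literal data and match nothing."""
    sql = ("SELECT username, role FROM users "
           "WHERE username = ? AND password = ? ORDER BY username")
    return conn.execute(sql, (username, password)).fetchall()


def demo() -> dict:
    """Run the classic payloads through both versions and return the rows each gives."""
    conn = build_db()
    tautology = "' OR '1'='1"   # makes the WHERE clause always true
    comment = "alice' --"        # closes the string and comments out the password check
    return {
        "vulnerable_tautology": login_vulnerable(conn, "anyone", tautology),
        "vulnerable_comment": login_vulnerable(conn, comment, "wrong"),
        "parameterized_tautology": login_parameterized(conn, "anyone", tautology),
        "parameterized_comment": login_parameterized(conn, comment, "wrong"),
        "parameterized_valid": login_parameterized(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:26s} -> {rows}")
```

Run it and the vulnerable version hands back every account for the tautology payload and logs in as alice for the comment payload, while the parameterized version returns no rows for both and still accepts the real credentials. The fix is not escaping quotes but keeping the query text constant so the driver never parses user input as SQL.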

Page 21

What we need – First Steps - Holistic Security!

• People, Process and Technology
• Network, Hosts and Applications

Page 22

Securing the Weak Link - People

• SecuriTRAINED
  – Aware
  – Trained
  – Educated
• Certified Secure Software Lifecycle Professional (CSSLP)
• It's the People

Page 23

Securing the Weak Link - Process

[Diagram: CSSLP Coursework. Source: (ISC)2]

"The CSSLP Training will cover each area in more depth."

For the first time in India – 2 day CSSLP training at this conference. Don't miss out!

Page 24

Process – Secure Design!

Page 25

Process – Writing Secure Code

Page 26

Secure the Weak Link - Technology

• Tools and Checklists caveat
• Validation & Verification (V&V)
• Certification & Accreditation (C&A)

Page 27

Defense in Depth

[Diagram: Network, Host and Software security layers, with firewalls in front of the Web Server and the Database Server]

Network Security: Routers, Firewalls, Switches

Host Security: Patches, Accounts, Ports, Services, Files / directories, Registry, Protocols, Auditing / logging, Shares

Software Security (Web Server, Database Server): Input validation, Session management, Authentication, Parameter manipulation, Authorization, Cryptography, Sensitive data protection, Exception management, Configuration management, Auditing / Logging
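The Session management, Parameter manipulation and Cryptography items in the software layer above (and the Session and Cryptographic entries in the OWASP list on page 20) share one requirement: the server must be able to tell whether a value it handed to the client came back unchanged. The following is an added example, not from the slides or the author, using only the Python standard library; DEMO_KEY, the claim names and the fixed clock values are constructed for the demo.

```python
# Added example (not from the original slides): a tamper-evident token that
# lets the server detect client-side edits to a session value or request
# parameter. Standard library only; the key, claims and clock are constructed.
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key. A deployment loads >= 32 random bytes from a secret store.
DEMO_KEY = b"demo-key-only-replace-with-32-random-bytes"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the token is cookie/query safe."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_claims(claims: dict) -> str:
    # Canonical JSON so the same claims always produce the same bytes (and tag).
    return _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())


def issue(claims: dict, key: bytes = DEMO_KEY, ttl: int = 600,
          now: Optional[float] = None) -> str:
    """Return 'payload.tag' with tag = HMAC-SHA256(key, payload) and an expiry claim."""
    now = time.time() if now is None else now
    payload = _encode_claims(dict(claims, exp=int(now) + ttl))
    tag = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
    return payload + "." + _b64(tag)


def verify(token: str, key: bytes = DEMO_KEY,
           now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the tag is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload, tag = token.split(".", 1)
        received = _unb64(tag)
        expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
    except (ValueError, binascii.Error):
        return None
    # compare_digest runs in constant time; a plain == would leak the tag byte by byte.
    if not hmac.compare_digest(expected, received):
        return None
    claims = json.loads(_unb64(payload))
    if claims.get("exp", 0) < now:
        return None
    return claims


def tamper(token: str, **changes) -> str:
    """What an attacker without the key can do: rewrite the payload, reuse the old tag."""
    payload, tag = token.split(".", 1)
    claims = json.loads(_unb64(payload))
    claims.update(changes)
    return _encode_claims(claims) + "." + tag


if __name__ == "__main__":
    t0 = int(time.time())
    tok = issue({"uid": 42, "role": "user"}, now=t0)
    print("token        :", tok)
    print("valid        :", verify(tok, now=t0 + 10))
    print("role->admin  :", verify(tamper(tok, role="admin"), now=t0 + 10))
    print("after expiry :", verify(tok, now=t0 + 601))
```

verify rejects a payload whose role was edited, a token past its exp claim, and a token signed under a different key; hmac.compare_digest is used so the comparison does not leak the tag through timing. An HMAC only protects integrity: the claims are readable by anyone holding the token, so anything sensitive still needs encryption, not just a tag.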

Page 28

Detained in Brazil/Brasil!

• Let me tell you what happened to me when I was returning to the USA from Brazil (as the Americans spell it) / Brasil (as the English spell it)

Page 29

What Next?

• Security in the Skies
  – Cloud computing → S2aaS
• Virtualization
• Smart Grids
• Digital ants
• Cybersecure Applications
  – Reliable
  – Resilient
  – Recoverable
  – Software seatbelts

Page 30

If history is any predictor of the future …

[Timeline graphic: 2008, 2009, 2010]

Thank you!

Page 31

Applications :: The new Cybersecurity frontier

Page 32

• Backup Slides

Page 33

Page 34

CSSLP™ - Certified Secure Software Lifecycle Professional

• (ISC)2's newest certification
• Base credential
• Professional certification program
• Caters to various stakeholders
• 7 Key Areas
  – Concepts
  – Requirements
  – Design
  – Implementation
  – Testing
  – Acceptance
  – Deployment, Operations, Maintenance and Disposal

Page 35

Data Protection warrants Application Security!

• In transit
• In storage
• In archives

Page 36

What Cybersecurity is Not?