Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Rugged Software Engineering 2015-10-22

Rugged Software Engineering 2015-10-22

Rugged Software Engineering, presented at LASCON, Austin, Texas on 2015-10-22

Nick Galbreath

October 22, 2015
Tweet

More Decks by Nick Galbreath

Other Decks in Technology

Transcript

  1. In London, my plea was to get Developers interested in

    Security. First version was at GotoCon London
  2. Software Liability is Inevitable Jeff Moss, Black Hat USA 2015

    http://techcrunch.com/2015/08/06/should-software-companies-be-legally-liable-for-security-breaches/ https://threatpost.com/software-liability-is-inevitable/114136/
  3. I think we’re going to do a really crappy job

    with software liability for a long time, and the people who will suffer will be the innovators and the startups, not the established companies Jennifer Granick, Black Hat USA 2015 Keynote
 2015-08-04 around minute 46:00 https://www.youtube.com/watch?v=Tjvw5fz_GuA
  4. 2015-09-10 The market for cyber insurance began to take off

    about five years ago, Beshar said. Today, globally, about $2 billion worth of premiums have been sold. Most of that coverage is in the United States, but the market is growing substantially, he said. http://wapo.st/1gcDU9i
  5. … the bill wants automakers to establish real-time monitoring to

    “immediately detect, report, and stop” hacking attempts in their cars.
  6. (USA) Government ranks last in fixing software security holes 


    Three-quarters of all government Web and mobile applications fail their initial security reviews CSO Online / Veracode Jun 23, 2015 … and then only fixing 27% a year later http://www.csoonline.com/article/2939234/application-security/government-ranks- last-in-fixing-software-security-holes.html
  7. 1 https://fireeyeapp/script/ NEI_ModuleDispatch.php? module=NEI_AdvancedConfig&function=HapiGetFile Contents&name=../../../../../../../../../../.. /etc/passwd&extension=&category=operating %20system %20logs&mode=download&time=...&mytoken=... 2 3

    ... 4 5 root:aaaaa:16209:0:99999:7::: 6 bin:*:15628:0:99999:7::: 7 daemon:*:15628:0:99999:7::: Here's your 0-day! — http://pastebin.com/ExXFZhDM Are you kidding me. https://twitter.com/h3rm4ns3c/status/638940105529499648
  8. Maybe Unfair Comparison • Dynamic • Risk-Based • Continuous •

    Cross-Team • Hopefully appealing • Static • List-Based • Discrete • Single Team • Tainted Word
  9. @kellan 2015-08-31 https://medium.com/@kellan/five-years-building- a-culture-and-handing-it-off-54a38c3ab8de Software development should be thought of

    as a cycle of continual learning and improvement rather a progression from start to finish, or a search for correctness.
  10. Sound Familiar? • 16. Be clear…. Even to a writer

    who is being intentionally obscure or wild of tongue we can say, "Be obscure clearly! Be wild of tongue in a way we can understand!" • 19. Do not take shortcuts at the cost of clarity. Many shortcuts are self-defeating; they waste the reader's time instead of conserving it. • 20. Avoid foreign languages. (write in the standard language, reuse existing dependencies) • 21. Prefer the standard to the offbeat. Young writers will be drawn at every turn toward eccentricities in language.
  11. BoringSSL So BoringSSL headers and sources look like this rather

    than this. The comments in BoringSSL headers can be extracted by a tool to produce documentation of a sort. (Although it could do with a make-over.) (Clang's formatting tool and its Vim integration are very helpful! It's been the biggest improvement in my code-editing experience in many years.) First thing mentioned? Style cleanup https://www.imperialviolet.org/2015/10/17/boringssl.html
  12. Lots of asterisks here. Low Data Quality, Cause != Correlation


    Type of Crime or Severity not well measured. Read on!: http://cebcp.org/evidence-based-policing/what- works-in-policing/research-evidence-review/broken-windows- policing/
  13. Only applies to accidents that scale linearly in severity …

    major failures have much more complex causes
  14. Results • Faster code reviews • More code reviews •

    Smaller diffs • Less merge conflicts • Faster bug detection • Faster on boarding • Side effect: simpler code. • Easier to read for everyone, including security reviews.
  15. Static Analysis • You are insane if you don't have

    automated static analysis running. • The closer it can run to the developer the better (i.e. can they run it locally or in editor?)
  16. Security Testing? Yes be mean to your code! Don't Forget

    the Home Field Advantage. 
 You know your site better than anyone else. 
 Optimize your security testing for it.
  17. Not just for the
 "software development team" Ops: Puppet /

    Chef / Dockerfiles, etc QA: testing patterns, cucumber Everyone: configuration and glue Today
  18. > function foobar() {… >… > } If this is

    the entire commit and deploy,
 we know it's not used. It's complete "safe" to be deployed.
  19. // doco.. > function foobar() {… >… > } >

    function test_foobar() { > … > } Missing doco, missing test.
  20. if ($usenewstuff) { foobar(); } else { old_code(); } $usenewstuff

    = false; When it's time to use, use a flag.
  21. Average time to fix a vulnerability is 150 days after

    being reported…. you think that is due to technical reasons?
  22. Continuous Deployment applies to your OS as well as your

    application The CIOs surveyed named the top 3 common information system vulnerabilities as being related to application security (55%), security awareness (51%), and, perhaps most surprisingly, out- of-date security patches (50%).
 
 http://www.information-age.com/industry/software/123459579/ why-your-business-cant-afford-not-patch 2015-06-02
  23. Security folks have been reluctant to continuous deployment for the

    applications. Love it for the OS* And application patches* Operations typically doesn't like deployment ever, OS or Application.* Developers love continuous deployment, but don't care about security or operations*. * Your experience may differ
  24. runtime monitoring • machine level monitoring • application level monitoring

    • code-level monitoring • but security monitoring?
  25. Key Questions • What are the attacks (they are happening)

    • Where are they attacking • Are they being successful And making this visible
  26. • Software written by and for a team. • Write

    code meant to be read
 Write code meant to be read in a diff • Filtered out the dumb stuff before deploy • Deploy small chunks, regularly • Make Security Visible • Watch What Happens