Imagine application security is health care
We have a lot of doctors and patients. Think of app security as a public health issue. How do you stamp out SQL Injection as a disease. Can’t scale up patient level tehniques (penetration tests) to wipe out completely. New tools to instrument body to provide continuous real time monitoring. Annual checkups are reactive. That’s discovering a problem way too late and many people don’t even go that often. One day your phone will know you are sick before you do.

Tools are failing us

• Static analysis tools – request.getParameter() and conn.executeStatement() calls aren’t explicit anymore. They are within your framework. Unless the tool knows your framework, it wont fin issues.
• Penetration testing – spending time figuring out how to get tools to intercept traffic, doesn’t go fast enough to work with DevOps and Agile.

Showed the diagram that we climbing the wrong hill. We need “Continuous AppSec”

Definitions

• Portfolio Scale: The right defenses for every application are present, correct and used properly. (you can’t look at thousands of apps manually
• DevOps speed – applicaton security happens continuously and in real time

An example – clickjacking

• Want to design a sensor so that if a vulnerability gets injected, we get notified. Could look at headers.
• Datasource: HTTP, analysis technique: passive, expriment style: positive,environment: test
• Choose based on speed, accuracy, feedback , scalability, ease of use and cost
• Rather than an annual PDF per app, you can get data for the entire porfolio. Store in data warehouse so can get dashboard

Jeff wrote a tool: check your headers. Can check headers for common issues against a public website.

Other uses

• Access control – could have tool generate matrix from code rather than rely on old doc. Help identify missing ones. Ask developers to produce sensors. Can feed into Sonar dashboard. [need standards or per app]
• Known vulnerable libraries – Run DependencyCheck during every build (OWASP tool)
• CSRF – run tests trhough ZAP, use ZEST to check CSRF token, get results via ZAP REST API
• Check correctness of controls – tool don’t even try to validate correct. Write code test first so your tests cover this. Jeff used JUnit.
• Injection – this is a data flow problem – for example, build an IAST sensor
• Security intelligence – can gather any information such as outbound connections

What sensors you need

• most likely to have at least one vulnerability of: identifiaion and authentication, session management. Static analysis companies find XSS because they check for that well
• Figure out what most important to you

Model

• Can’t do security testing without a model
• Testers don’t know model so waste time testing SQL in an app without SQL
• Risk of not testing things that are needed

Nice Venn diagram to show not testing what we care about. Plus spotty even within the areas that do overlap.

Continuous Application Security
Map business concerns, defense strategies, actual defenses and sensors. Should start with business concerns not sensors. That say a new threat/business priority becomes a sensor and you get data back on it in the dashboard. Real time data, iteration.

Get started by building a sensor and creating a dashboard with Excel. Then can switch to point where can show covers business concerns and can add more based on business.

Business case to do: build sensor ones,get benefits forever. Now, a pen tester IS the sensor and is a very expensive one.

Detecting attack is not the same as detecting vulnerabilities.

Most of the industry is looking at compliance. Want to get to monitoring. Thn can have a strategy and optimization. [Like the levels used by CMM and many other processes.]

We can never improve if our only metric i whether we are doing what everyone else is doing. This wouldn’t work to stamp out a disease and shouldn’t b our approach.

My take
I always like seeing Jeff Williams speak. He is a great speaker and usually presents a unique spin on an idea orr a new idea. I liked the heallth care hook here.

speaker: Milton Smith

Open Ecosystem

• JP (java community process
• OpenJDK contirbutors including IBM and Apple

Security communications

• RSS feed for security alert
• (CPU) Critical Patch Update Advisories – for “normal” patches. Dates published a year in advance
• eBlasts – emails
• Blogs – Java PM blog

CVSS – common vulnerability scoring system

Added security track to JavaOne

Working on a platform is not the same as working an application. Current analysis tools don’t understand new syntax yet. Use tools where apply though.

Oracle considers Java to be strategic. Safety and security of Java is a top priority. Delayed Java 8 becuase security wasn’t ready.

Oracle is focusing on fixing applets (to limit attackers from using malicious applets), accelerating remediation and new security features.

Most vulnerabilities were in deployment and 2D because of applets. Interesting because don’t affect most people. And because applts are old.

Recent security features

• Easy way to disable Java on different platforms (Java 7 update 1)
• Java “best before” – Java should encourage updates. Baked date into binaries for knowing it is out of date once new CPU out (Java 7 update 10)
• End user can adjust plugin security levels via slide (Java 7 update 10). Removed low and custom levels in update 21
• Dynamic blacklisting support. Vendors call to say they learned released jars are vunlerable (java 7 update 21)
• Signing sandboxed applications (java 7 update 21)
• Enble stanadrdized revocation services – deal with stolen digital certs, now on by default (java 7 update 25)
• Provide ability to lock JARs to specific servers or domains (java 7 update 25)
• Turn off JRE out of date warnings – companies want to manage on own (java 7 update 40)
• Add whitelisting for enterprise and partners – prevents 3rd party ads and spearfishing from exploiting (java 7 update 40)
• Working on Java uninstaller to improve so adversaries can’t target older versions of Java as easily

Future

• With the January Java 7 update 51 release, self/un-signed applets will be blocked by default. All applets written before update 25 won’t run by default. Can lower seurity to Medium to change defaults. Can still create a CA within a company

Oracle’s Secure Coding Guidelines

My take
I’m not sure what I was expecting, but this felt light and fuzzy. Or maybe I knew a lot of this. Or maybe I’m tired because there wasn’t a break and I didn’t choose to miss a session in order to take one. The charts were interesting. As were the new features.

speaker: Mary Ann Davidson

The speaker is from Oracle. I’ve never seen a non-Java or database presentation from them. Even so, I was suprised Oracle doesn’t make her put the standard loong disclaimer on there.

“Translation” is a key skill – ask dumb questions, ask why something is a problem without being condescending
Policymakers need to undertstand issues to make good decision. [otherwise you get policies like “developers can’t use the internet at work”

Analogies help when work. Can be humorous if not
One Little Dutch Boy stops water in dyke. “If only we had 300K Little Dutch Boys” – they will all drown when the dam breaks.
Fridge on network. Forgot password “family of five starves to death, locked out of refrigerator”

Principled vs purist

• World isn’t perfect. Neither is security.
• Real metric is whether customers are protected. How fast you patch is less important; customers don’t like patches. Won’t apply if think will break something.

Economics

• Systemic risk (housing meltdown) – cannot be mitigated. Think about how to avoid systemic risk. The internet was not designed for everything to be on it such as fridges. Doesn’t mean all advances are bad. Have discussions before taking risk
• Efficient resource allocation – time, money and QUALIFIED people are always constrained. Opportunity cost. If make do something silly, will crowd out more valuable work.
• Market incentive – One off patches are expensive. Would rather build something new.

Game theory – Prisoner’s Dilemma

• Should someone defect and sell encryption code to another country? Hasn’t happened

Biology

• Chemical signaling – what if systems could communicate under attack and update defenses
• Deception – we have honeypots

Military

• Network centric warfare – translate information advantage into competitive advantage. Time to live infomation advantage
• This makes the network itself a battlefield that you need to defend
• Atacker’s goal is to disrupt defenders ability to wage war and prevent use of IT
• Tools need to be designed for your threat environment. Don’t want a watergun on the battlefield
• Situational awareness – who on the network, friend or foe, what i over the hill, etc
• Defend what is strategic; not everything

Education

• Can’t start security education too early. “Look both ways before crossing the Internet” – don’t open attahments
• Universities need to reflect building IT as infrastructure
• Vendors must educate every CS grad in basiic security and spend millions fixing avoidable preventable desig and code defects
• CS classes must embed and reinforce security – compared to structures in engineering. It’s part of the circulum, not a one off
• Have red team/blue team as part of all CS classes
• Accreditation bdies should force curricula change

Developers are personally responsible for code

OODA (observe, orient, decide, act

• Stay agile.
• Can targets be evolving to keep opponents off balance

Solve the right problem. Not everything is a tech problem

Oracle does security with coding standards, training classes, coding standards, checklists. Not optional. When acquire groups, need to start doing. Still have resistance, but have to for cost and brand damage.

My take on this
I liked this session. It’s hard to say what you learned because it is about thinking, but the points raised were good.