Frank S. Rietta, M.S. Information Security
rietta.com/blog
@frankrietta on Twitter
October 12, 2015
Defending Against Data Breaches, as part of a Custom Software Development Process
Slides on Speaker Deck: http://bit.ly/1Lfs3AA
And the Paper At
Three to Give Away
How a Custom Software App Comes to Be
How Apps Start
Bob the Entrepreneur: "Wouldn't it be great if…"
Hire a designer.
Custom code needs a coder: Bob the Entrepreneur and a Backend Developer.
A bigger team means funding (or revenue is needed): Bob the Entrepreneur, Backend Developer, Front-end Dev, Designer (Freelancer), Bob's Funders… "Wouldn't it be great if…"
So now we have a small team and, if we're really lucky, an Agile Product Owner. Otherwise, the lead developer will have to fill that role himself or herself. Oh, and a lot of people with ideas…
Developers at work
And by the way, there is no red team. That’s not in the budget.
TDD Cycle in a Startup
1. Read the user story
2. Write a failing test
3. Implement the feature
4. See the tests pass
Application Security is the subset of Information Security focused on protecting data and privacy from abuse by adversaries who have access to the software system as a whole. Its purpose is to make software resilient to attack, especially when network defenses alone are insufficient.
Sensitive Data + Means to Read It + Unauthorized Person = Breach
Source: McCandless (2015)
Variety of hacking actions within Web App Attacks patterns (n=205)
Major Preventable Flaws
• Compromised staff credentials, which would be preventable by two-factor authentication
• Automated technical exploits that are aggressively applied over a large number of sites succeeded because basics are ignored
• Poor security, including unencrypted backups, leading to an unauthorized person having
Hoglund, Greg, and Gary McGraw (2004). Exploiting Software, p. 9.
"Most outsourced software (software developed off-site by contractors) is full of backdoors…. Companies that commission this kind of software have not traditionally paid any attention to security at all" (2004).
"Security is not a functional requirement"
Security-based Development
Adapting a heavy Security Enhanced Software Development Lifecycle to an Agile approach
Security is a Requirement
Commercial Information Classifications
1. Public: Public information
2. Internal Use: Confidential business information
3. Confidential: Information that customers consider confidential
4. Sensitive: Personal and Private Information (PII), information that THE LAW considers confidential
5. Highly Sensitive: Encryption keys, server secrets,
Users can feel a privacy breach even if the terms and conditions spell out in mouse print that they agree to such sharing. This is a yellow line violation.
Written Information Security Policy
• Having a written information security policy is very beneficial and in some cases required by regulation
• It should state how the organization deals with sensitive information, such as formally adopting an information classification system
• It should include value statements that empower internal stakeholders to demand security be
User Stories & Abuser Stories
I want an easy login experience
I want to obtain credentials and steal
User Stories are composed of three aspects:
1. a written description of the story used for planning and as a reminder
2. conversations about the story that serve to flesh out the details of the story
3. tests that convey and document details and that can be used to determine when a story is complete
The New Customer
As a Visitor, I can create a new account by filling in my e-mail address and desired password
Security Notes:
• Can we verify that the user really has the email address on signup?
• The password should be at least 12 characters long and should definitely allow for spaces and punctuation
The Customer Service Rep
As a Staff member, I can choose the "Assist Customer" button to login as that customer to provide him or her with excellent service.
Security Notes:
• We need to have a ton of logging around this feature
• Staff members should be required to have authenticated with two-factor so that we do not have an unauthorized person accessing this with just a staff credential
• Let's identify certain private fields that customer service does not need access to while helping the customer. Those should be restricted; can we use the database SQL permissions to raise an exception if any of those fields is accessed while using this feature?
The Lawyer
As general counsel, when I have received a subpoena for all material records for a particular account and have exhausted my options to reject it, I work with a system administrator to produce the data while not pulling unnecessary records.
Security Notes:
• As a matter of policy, we push back on all Law enforcement requests.
• Even when the government compels access, we
URL Tweaker
As an Authenticated Customer, I see what looks like my account number in the URL, so I change it to another number to see what will happen
Curious Editor
As an Authenticated Customer, I paste HTML that includes JavaScript into every field possible to see what happens.
Infrastructure Takeover
As a Malicious Hacker, I want to gain access to this web application's Cloud Hosting account so that I can lock out the legitimate owners and delete the servers and their backups, to destroy their
It Happened to Code Spaces in 2014
http://arstechnica.com/security/2014/06/aws-
Disgruntled Employee
As a disgruntled employee who will soon be fired, I want to permanently delete as much data as possible, so that I can cause chaos.
Scam Artist / ID Thief
As a scam artist, I want to obtain employee names, addresses, and social security numbers, so that I can steal their identity and finance a Corvette under their name.
Hater
As a Person with ill will towards a person I hate, I will seek to compromise any details about that person possible so that I can harm their reputation or endanger their life.
Clear Communication About Threats to Inform Development Decisions
Additional Practical Countermeasures for Your Developers
• Read the OWASP Top 10, the STRIDE Threat Model
• Use Secure HTTP Headers and enable SSL-only with Strict-Transport-Security on all production sites
• Run automated audit tools, such as Brakeman, Bundler-audit, Code Climate, and Linters
• Use GnuPG (or PGP) as part of your workflow
• Practice on the OWASP WebGoat, Railsgoat, or
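The "SSL-only with Strict-Transport-Security" countermeasure, as an added Ruby example that is not the speaker's code: a Rack-compatible middleware that redirects plain HTTP to HTTPS and stamps HSTS and a few other defensive headers on every HTTPS response. The class name, header values and sample requests are assumptions; it implements only the Rack call(env) contract, so it runs without the rack gem.

```ruby
# Added example: enforce HTTPS and secure headers at the middleware layer,
# so no individual controller can forget them.
class SecureHeaders
  HEADERS = {
    "Strict-Transport-Security" => "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options"    => "nosniff",
    "X-Frame-Options"           => "DENY",
    "Content-Security-Policy"   => "default-src 'self'",
  }.freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    unless https?(env)
      # Permanent redirect to the same URL over HTTPS. HSTS is only honored
      # on HTTPS responses, so it is deliberately not sent on this one.
      location = "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
      location += "?#{env['QUERY_STRING']}" unless env["QUERY_STRING"].to_s.empty?
      return [301, { "Location" => location, "Content-Type" => "text/plain" }, ["Redirecting"]]
    end
    status, headers, body = @app.call(env)
    # Middleware values win, so the app cannot accidentally drop a header.
    [status, headers.merge(HEADERS), body]
  end

  private

  # Uses the scheme Rack derived, or the header a TLS-terminating proxy sets.
  # Only trust X-Forwarded-Proto when a proxy you control overwrites it.
  def https?(env)
    env["rack.url_scheme"] == "https" || env["HTTP_X_FORWARDED_PROTO"] == "https"
  end
end

# Constructed inner app and request builder for trying the middleware stand-alone.
INNER_APP = ->(_env) { [200, { "Content-Type" => "text/html" }, ["<h1>ok</h1>"]] }
APP = SecureHeaders.new(INNER_APP)

def demo_request(scheme, host = "app.example", path = "/account", query = "")
  APP.call("rack.url_scheme" => scheme, "HTTP_HOST" => host,
           "PATH_INFO" => path, "QUERY_STRING" => query)
end
```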
Recap
1. Data breaches are a major concern that cannot be mitigated by wishful thinking alone
2. Application Security is about preventing abuse by adversaries who have access to the system, focusing on the app itself rather than just its environment
3. Have an Information Classification system
4. Treat security as a requirement by writing Abuser Stories along with your User Stories.
5. Apply practical technical countermeasures, such as including OWASP Top 10 and your abuse stories in your automated test suite
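Recap items 4 and 5, together with the New Customer, Customer Service Rep and URL Tweaker stories above, as an added Ruby example that is not code from the talk: each story becomes a check a test suite can run. PasswordPolicy, AccountStore, the field names and the sample accounts are constructed for illustration.

```ruby
# Added example: user-story security notes and abuser stories as executable checks.
Account = Struct.new(:id, :owner_id, :email, :ssn)
Staff   = Struct.new(:id, :two_factor_verified)

# New Customer note: at least 12 characters; spaces and punctuation are
# allowed, so length is the only rule (a nil password is never acceptable).
module PasswordPolicy
  MIN_LENGTH = 12
  def self.acceptable?(password)
    !password.nil? && password.length >= MIN_LENGTH
  end
end

class AccountStore
  NotFound     = Class.new(StandardError)
  SecondFactor = Class.new(StandardError)
  # Fields customer service never needs while assisting (Customer Service Rep note).
  PRIVATE_FIELDS = [:ssn].freeze

  attr_reader :audit_log

  def initialize(accounts)
    @accounts  = accounts.each_with_object({}) { |a, h| h[a.id] = a }
    @audit_log = []
  end

  # URL Tweaker: the lookup is scoped to the authenticated owner, so an id
  # edited in the URL that belongs to someone else behaves like a missing record.
  def find_for(owner_id, account_id)
    account = @accounts[account_id]
    raise NotFound, "account #{account_id}" unless account && account.owner_id == owner_id
    account
  end

  # Customer Service Rep: requires a verified second factor, logs every use,
  # and returns a view with the restricted fields removed.
  def assist(staff, account_id)
    raise SecondFactor, "two-factor required" unless staff.two_factor_verified
    account = @accounts.fetch(account_id) { raise NotFound, "account #{account_id}" }
    @audit_log << { staff_id: staff.id, account_id: account_id, at: Time.now.utc }
    account.to_h.reject { |field, _| PRIVATE_FIELDS.include?(field) }
  end
end

# Constructed sample data for the checks.
STORE = AccountStore.new([
  Account.new(1001, "alice", "alice@example.com", "000-00-0001"),
  Account.new(1002, "bob",   "bob@example.com",   "000-00-0002"),
])
```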
Frank S. Rietta, M.S. Information Security
• My blog, where I write on security and other topics
• https://rietta.com/blog
• On Twitter
• https://twitter.com/frankrietta
• Learn more about Rietta's community sponsorship, including the Atlanta Ruby Users' Group videos