Stop complaining and solve a security problem instead
I am a compulsive builder
1) ModSecurity (open source web application firewall),
2) Apache Security (O’Reilly, 2005),
3) SSL Labs (research and assessment platform),
4) ModSecurity
Message for today
Software is universally insecure, and we are not doing enough to make things right.
Morris Worm
In November 1988, the first computer worm infected about 10% of the Internet (about 6,000 servers). The worm was written by Robert T. Morris.
(The worm source code is available from
The Morris Worm spread using password cracking, server misconfiguration, buffer overflows,
Same as today, eh?
We haven’t seen an improvement in computer security
In fact, the situation has become much worse because of the wide adoption of
Why?
Four reasons:
1) ignorance,
2) convenience,
3) economics, and
4) no single point of control,
but ultimately because
Software is a
George A. Akerlof
The Market for “Lemons”: Quality Uncertainty and the Market Mechanism
“[…] the presence of people who wish to pawn bad wares as good wares tends to
Security comes from making sensible decisions, thinking things through, taking your time… It is boring and it
Open source projects just want to succeed, companies want to make profit, people want to get things done.
Security is standing in everyone’s way.
Only one solution long-term: make the parties involved accountable for the quality.
Self-certification
Could help us focus on those who really should be liable.
(The Software Facts label taken from Jeff Williams’s talk at AppSec Europe 2005.)
How to… really fix security issues
Design platforms, libraries, and components in such a way that vulnerabilities cannot exist.
Start small
Do one thing, no matter how small.
Kaizen
Philosophy of
continuous improvement.
Kaizen
Continuous small improvements will yield large
Start small
In your current
Start small
In your next project, replace as many insecure components and practices as possible.
Start small
Think about how to solve a known security problem. Think some more next week. Help solve it.
Start small
Reach out and inspire
Start small
Find an influential
Start small
Become an influential person. Join a popular open source project, or an important company.
Summary
What we can do:
1) change ourselves,
2) contribute to the body of knowledge,
3) inspire
Example
We need to transition to a world without plain-text protocols.
How? Start by fixing SSL.
Example: Fixing SSL (1)
Performance
1) Improve protocols to address latency issues,
2) major sites support improvements,
3) one browser gets a performance edge,
4) other browsers follow.
Google is already doing this, and we should help them.
Example: Fixing SSL (2)
No support for modern TLS features
1) Realise that the underlying libraries are lacking,
2) understand why,
3) fund development, and
4) continue funding development.
Example: Fixing SSL (3)
Bad configuration
1) Raise awareness (but that won’t work),
2) target library developers to drop obsolete features,
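An added example, not part of the original slides, of what "bad configuration" and "obsolete features" look like on the author's own turf, Apache httpd with mod_ssl. The first virtual host is a constructed copy of the kind of permissive settings older installations shipped with; the second is a hardened equivalent for httpd 2.4 written for this page, not a configuration the talk gives. Which features count as obsolete (SSLv2/SSLv3, RC4, export and LOW ciphers, TLS compression, client-chosen cipher order) is my reading of the slide. The hostname and certificate paths are placeholders, and the +TLSv1.3 keyword assumes httpd 2.4.36 or later built against OpenSSL 1.1.1 or later.

```apache
# WEAK (constructed example): a permissive mod_ssl vhost of the kind the slide
# is complaining about. Every directive below keeps an obsolete feature alive.
<VirtualHost *:443>
    # placeholder hostname and certificate paths
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example.crt
    SSLCertificateKeyFile /etc/ssl/example.key

    # "all" historically meant SSLv2 and SSLv3 as well as TLS.
    SSLProtocol all
    # The old stock cipher string: RC4, export-grade and LOW ciphers are
    # allowed, and with SSLHonorCipherOrder off the client picks the suite.
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP
    SSLHonorCipherOrder off
    # TLS-level compression left enabled (the CRIME attack vector).
    SSLCompression on
</VirtualHost>

# CORRECTED (assumed hardened equivalent, httpd 2.4 with a recent OpenSSL):
# obsolete protocol versions and cipher families are excluded explicitly
# rather than relying on the operator to know the defaults.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example.crt
    SSLCertificateKeyFile /etc/ssl/example.key

    # Disable everything, then re-enable only TLS 1.2 and 1.3.
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    # Forward-secret AEAD suites only. The "!" exclusions are belt and braces:
    # no anonymous auth, MD5, RC4, 3DES or static-RSA key exchange.
    SSLCipherSuite ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES:!kRSA
    # The server's preference order wins over the client's.
    SSLHonorCipherOrder on
    SSLCompression off
</VirtualHost>
```

After a reload, `openssl s_client -connect www.example.com:443 -tls1_1` should fail to complete a handshake while `-tls1_2` succeeds. Note how many directives an operator has to know about to get the second block right; that is exactly why the slide argues that awareness alone will not work and the obsolete options should be removed from the libraries themselves.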
Example: Fixing SSL (4)
Virtual SSL hosting
1) Realise that we won’t get virtual SSL hosting until Windows XP is retired,
2) put pressure on Microsoft to change their mind,
3) find one person at Microsoft
Example: Fixing SSL (5)
Certificate authority trust issues
1) Wait for a wide adoption of DNSSEC,
2) put certificates into DNS,
Example: Fixing SSL (6)
Plain-text support issues
1) Use SRV records to enable sites to opt-out from supporting HTTP, then
2) support SRV records in web browsers, and
3) use Strict
Message for today
Do one thing, no matter how small.