Here is a slimmed down version of the presentation I delivered in Italy last March.
This version does not contain the part that talks about the problem (i.e. the attacks and why you need to do Application Security).
The key idea that I defend is that we can use Application Security to define and measure Software Quality.
Let me know what you think.
A personal blog about: transforming Web Application Security into an 'Application Visibility' engine, the OWASP O2 Platform, Application/Data interoperability and a lot more
Friday, 6 May 2016
Wednesday, 27 April 2016
BSIMM Questions for Teams v0.7 (with all consolidated team questions and maybe column)
Following from Updated version of BSIMM Questions for Teams (now with all activities mapped), here is an improved version with:
- All team questions in one page
- Added a Maybe column
- Removed the 'If No, why not?' text from the last column
- Added spaces to ask for Application name and Jira ID
The source file is available at GitHub
Labels:
BSIMM
Tuesday, 26 April 2016
Updated version of BSIMM Questions for Teams (now with all activities mapped)
Following from First pass at BSIMM questions for teams, here is an updated version of the questionnaire for developers.
It looks like this and it has 3 sections:
The source file is available at GitHub
Note: this is still a very early first draft of these mappings (with many changes expected in the next couple of weeks).
Labels:
BSIMM
First pass at BSIMM questions for teams
Here (also embedded below) is a mapping of several BSIMM activities, translated into a questionnaire that can easily be filled in by developers, technical architects, business owners and security champions (called satellites in BSIMM).
Note that not all activities are there. Some only made sense for SSG (Software Security Group) to answer, and I already knew the answer for others.
This is still a work in progress, and I'm not happy with the wording of some of the questions. But it is good enough to give a try and get feedback.
The objective is to create metrics about multiple development teams, so that a set of targets can be set (and an action plan created).
Labels:
BSIMM
Sunday, 24 April 2016
Started working on new book "Measuring Software Quality using Application Security"

The current title is "Measuring Software Quality using Application Security" and it is going to be published at LeanPub: https://leanpub.com/Software_Quality
All content is hosted on the public GitHub repo
https://github.com/DinisCruz/Book_Software_Quality/tree/master/content, where you can also see a number of issues I plan to address (including areas for research)
I am currently in the brain dump stage of development, where I'm adding the content I want to talk about (in a kinda-structured way). The idea is to expand the bullet points into text and normalise the content in logical areas (some topics already have a first pass at expanding the ideas into final text).
Wednesday, 23 March 2016
When talking about Application Security and Software Quality, Pollution is a much better analogy than Technical Debt
One of the analogies that I make in my "New Era of Software with modern Application Security" presentation is that Pollution is a much better way to describe quality (and security) issues (vs Technical Debt):

This analogy is inspired by David Rice's amazing keynote at OWASP AppSec USA 2010, "Upon the threshold of opportunity" (you can see the video here).
David Rice is also the author of the amazing Geekonomics book, which really shows The Real Cost of Insecure Software.
Unfortunately, after going to work for Apple, David Rice seems to have disappeared from the internet, which is a great loss for the world, since he was doing amazing research (of course I'm sure he is doing great stuff for Apple, but it is a shame that we are not able to learn from him anymore).
David's book site, http://blog.geekonomicsbook.com/, is down, but luckily the Wayback Machine was able to get a copy of the page with the abstract of this talk:
In the 1960s, pollution in the United States reached a breaking point. Large corporations, by and large, had been unresponsive to environmental issues leaving the nation's skies filled with smog, rivers filled with sludge, forests defoliated by acid rain, and fresh water lakes declared "dead." The natural heritage of the nation was being destroyed by its industrial prosperity.
The U.S. response was a series of less-than-satisfactory regulatory attempts to correct for substantial environmental damage. Faced with serious and costly legacy issues of industrialism however, many companies stonewalled and delayed for much of the 1980s and 1990s, emphasizing legal compliance and reactionary practices over real progress. The turn of the century ushered in a fresh perspective in corporate America, with companies like GE, DuPont, and Wal-Mart actively pursuing sustainability initiatives linked to corporate performance, transforming environmental crisis into financial opportunity. What happened?
Within the story of the U.S. battle against environmental pollution lie key lessons for confronting the equivalent of pollution in cyberspace: software vulnerabilities. The toxic effluence of software vulnerabilities leaves networks saturated with spam, computers clogged with malware, and servers defoliated of sensitive private data.
To date, a series of less-than-satisfactory regulatory attempts – such as PCI, SOX, and data breach laws – have been enacted to address what appears to be widespread unresponsiveness to the substantial harm to the global digital eco-system caused by unrestricted vulnerability dumping. Faced with serious and costly legacy issues of poorly implemented software systems however, many companies continue to stonewall or delay security programs, emphasizing legal compliance and reactionary practices while demonstrating no real improvement. What would it take to change this, to turn the crisis of “pollution” in cyberspace into an opportunity?
This keynote highlights a possible fresh perspective, putting software security into the context of social responsibility linked to corporate performance, illustrating how the software market - like corporate America - stands upon the threshold of its greatest opportunity.
Related posts:
Labels:
Quality
Sunday, 20 March 2016
"New Era of Software with modern Application Security" presentation (v1.0)


Labels:
OWASP,
Presentation,
Quality
Friday, 4 March 2016
Simple Threat Model (template) - Good place to start

To make this process easier, I usually recommend using the simple '1 page Threat Model' which you can see on the right (download here).
The idea is to kickstart the process by mapping out the:
- Data Flow Diagrams (i.e. app architecture)
- Entry Points (i.e. attack surface)
- Assets (i.e. what is valuable and needs to be protected)
- External Dependencies and Trust Levels
- Threats
Other great sources of first-steps resources on Threat Modelling are Microsoft's At a Glance: Web Application Threat Modeling and OWASP's Application Threat Modeling pages.
Labels:
Threat Modeling
Thursday, 3 March 2016
JIRA RISK workflow handling of 'Risk Fatigue'
On an email thread related to Updated JIRA RISK workflow (now with a 'Fixing' State), I received this great question:
I really like the idea of forcing someone to almost sign that they accept the risk. Forces them to really think about it.
One thing I'm curious about is whether there is such a thing as "risk fatigue", like you have "monitoring fatigue". So, the first few times you accept risk you do so with a heavy heart, but each time you do it and there are no perceived negative consequences, it gets a little easier. That is until the point when you're completely exposed and something bad does actually happen. Having said that, the alternative of not physically accepting the risk in some way is far worse IMO, and that by using something like Jira you can at least measure the ratio of fixed vs risk accepted over time. Hopefully it moves in the right direction!
And here is my answer:
Wednesday, 2 March 2016
Updated JIRA RISK workflow (now with a 'Fixing' State)
As an improvement of the workflow I showed at JIRA Workflows for handling AppSec RISKS, here is a version that adds a 'Fixing' state between 'Allocated for Fix' and 'Test Fix'.
The reason for this change was to take into account projects (or components) that have a large number of open issues that need to be fixed (vs risks to be accepted).
Since we try to use a Kanban 'Work in Progress' model for the issues to fix (i.e. no more than 3 to 4 active items), this new state helps to keep a nice separation between the issues that:
- need to be 'Risk Accepted' (i.e. there is no intention (or resources) to fix in the next couple of months)
- have been reviewed and are 'Allocated for Fix'
- are currently being worked on (i.e. in a 'Fixing' state)
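The state machine above, with the Kanban limit on 'Fixing' and the "fixed vs risk accepted" ratio that the follow-up question asks about, as an added Python example (not code from the original post or from JIRA). It assumes an 'Open' start state, a 'Fixed' end state, a WIP limit of 4, that a failed 'Test Fix' goes back to 'Fixing', and that moving an issue to 'Risk Accepted' requires naming who accepted it.

```python
"""Toy model of the JIRA RISK workflow states from the post.

Assumptions (not from the post): 'Open' start state, 'Fixed' end state,
a WIP limit of 4 on 'Fixing', a failed 'Test Fix' returning to 'Fixing',
and a named owner being required to move an issue to 'Risk Accepted'."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Allowed transitions; 'Fixing' sits between 'Allocated for Fix' and 'Test Fix'.
TRANSITIONS: Dict[str, Set[str]] = {
    "Open": {"Allocated for Fix", "Risk Accepted"},
    "Allocated for Fix": {"Fixing", "Risk Accepted"},
    "Fixing": {"Test Fix"},
    "Test Fix": {"Fixed", "Fixing"},
    "Fixed": set(),
    "Risk Accepted": set(),
}
WIP_LIMIT = 4  # Kanban limit on items in 'Fixing' (the post says 3 to 4)


class WorkflowError(Exception):
    """Raised when a transition would break the workflow rules."""


@dataclass
class Issue:
    key: str
    state: str = "Open"
    accepted_by: Optional[str] = None
    history: List[Tuple[int, str, str]] = field(default_factory=list)


class RiskBoard:
    def __init__(self, wip_limit: int = WIP_LIMIT) -> None:
        self.issues: Dict[str, Issue] = {}
        self.wip_limit = wip_limit

    def add(self, key: str) -> Issue:
        self.issues[key] = Issue(key)
        return self.issues[key]

    def in_state(self, state: str) -> List[str]:
        return [i.key for i in self.issues.values() if i.state == state]

    def move(self, key: str, new_state: str, accepted_by: Optional[str] = None,
             day: int = 0) -> Issue:
        """Apply one transition, enforcing the state graph, the WIP limit on
        'Fixing' and the named-owner rule for 'Risk Accepted'."""
        issue = self.issues[key]
        if new_state not in TRANSITIONS[issue.state]:
            raise WorkflowError(f"{key}: {issue.state} -> {new_state} is not allowed")
        if new_state == "Fixing" and len(self.in_state("Fixing")) >= self.wip_limit:
            raise WorkflowError(f"{key}: WIP limit of {self.wip_limit} reached for Fixing")
        if new_state == "Risk Accepted":
            if not accepted_by:
                raise WorkflowError(f"{key}: risk acceptance needs a named owner")
            issue.accepted_by = accepted_by
        issue.history.append((day, issue.state, new_state))
        issue.state = new_state
        return issue

    def fixed_vs_accepted(self) -> Tuple[int, int, float]:
        """The metric from the follow-up question: fixed vs risk accepted
        (the ratio is inf while nothing has been risk accepted)."""
        fixed = len(self.in_state("Fixed"))
        accepted = len(self.in_state("Risk Accepted"))
        return fixed, accepted, (fixed / accepted if accepted else float("inf"))
```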
Tuesday, 1 March 2016
Presenting at OWASP AppSecEU on "Using JIRA to manage Risks and Security Champions activities"
I just received this nice invitation from the OWASP AppSec EU today:
My plan is to use this opportunity to document the JIRA workflows that I have been creating and implementing (when acting as Head of Application Security)
Here are a couple related posts:
Labels:
OWASP
Sunday, 28 February 2016
Thinking of writing a book called "Measuring Software Quality using Application Security"
This book will be based on the ideas I've been talking about in my "New Era of Software with modern Application Security" presentation.
The plan is to use my experience with Leanpub (where I have published 7 books), with the content being hosted on GitHub and published early and often.
Saturday, 27 February 2016
Is Quality a measure of how successful a product is in what it is SUPPOSED to do?
Here is a question I received on the concept "Application Security can be used to define and measure Quality" (slides here)
Quality is a measure of how successful a product is in what it is SUPPOSED to do.
AppSec is a measure of how many and what things a product does that it is NOT SUPPOSED to.
These two are not related. A startup may have a good quality product full of security holes, and a bank may have a highly secure product that is also of great quality.
My reply: I think that measuring Quality by only looking at the success rate of a product is a very narrow definition of Quality.
Labels:
Quality
Friday, 26 February 2016
Video for my LSCC presentation on: New Era of Software with modern Application Security
Skillsmatter has just published the video of the presentation I delivered last week at the LSCC (London Software Craftsmanship Community).
You can see it here:
https://skillsmatter.com/skillscasts/7582-new-era-of-software-with-modern-application-security
"New Era of Software with modern Application Security" updated presentation (v.0.6)
Here is the updated version of the talk I delivered last week at the LSCC (this time around delivered at the OWASP London Chapter)
There are a number of new slides, but it is still far from complete :)
Please take a look at the slides and let me know what you think of them (and what can be improved for the next version).
Labels:
OWASP,
Presentation,
Quality
Monday, 22 February 2016
I'm delivering an Application Security Training in London on 3rd and 4th of March
This is a 100% customised course (to the participants) with as many practical examples as possible.
Here is the course description:
Friday, 19 February 2016
V0.5 of "New Era of Software with modern Application Security" presentation
Here is my first pass at creating the "New Era of Software with modern Application Security" presentation, which I will deliver as a Keynote at the Codemotion Rome developer conference (March 19th)
This is the version that I presented yesterday at the London Software Craftsmanship Community event and its video is here
Interestingly, one of the concepts that I arrived at (when working on the slides) was that Application Security can be used to define and measure Quality.
This is something that I have been thinking about for a long time, and I'm starting to find a way to explain how I'm able to use Application Security to help developers to create better applications (with not only better security, but with better quality)
Please take a look at the slides and let me know what you think of them (and what can be improved for the next version).
Labels:
Presentation,
Quality,
Security
Friday, 12 February 2016
Published update to my Practical Eclipse book
You can get the latest version from https://leanpub.com/Practical_Eclipse for FREE by choosing the $0 minimum price.
Here is the email I sent to my readers:
Wednesday, 10 February 2016
Speaking at LSCC (18th Feb) on "New Era of Software with modern Application Security"
In preparation for my CodeMotion keynote in March, next week I'm presenting a first version of it at LSCC (London Software Craftsmanship Community), which is also a developer-focused audience.
You can register at https://skillsmatter.com/meetups/7845-lscc-talks-feb-2016
Here are the talk details:
Title: New Era of Software with modern Application Security
Description: This presentation will start with an overview of the current state of Application Insecurity (with practical examples). This will make the attendees think twice about what is about to happen to their applications. The solution is to leverage a new generation of application security thinking such as: TDD, Docker, Test Automation, Static Analysis, clever Fuzzing, JIRA Risk workflows, Kanban, micro web services visualization, and ELK. These practices will not only make applications/software more secure/resilient, but allow them to be developed in a much more efficient, cheaper and productive way.
Bio: Dinis is focused on creating Application Security teams and providing Application Security assurance across the SDL (from development, to operations, to business processes, to board-level decisions). His focus is in the alignment of the business's risk appetite with the reality created by Applications developed internally, outsourced or purchased. He is also an active Developer and Application Security Engineer focused on how to develop secure applications. A key drive is on 'Automating Application Security Knowledge and Workflows' which is the main concept behind the OWASP O2 Platform.
Labels:
Presentation
Saturday, 6 February 2016
Is Google a geopolitical threat to the UK? (i.e. what would happen if it pulled the plug on UK's traffic)
During one of the Application Security training courses I delivered recently, one interesting example I gave during a section on "Our dependencies on Technologies and Frameworks that we don't fully understand" was the question of how much of a threat Google is to the UK economy.
For example, if Twitter or Facebook were not available from the UK, I don't think the impact would be significant.
But if Google and all its services (search, mail, calendar, maps, geolocation, docs, spreadsheets, contacts, Google ID) were suddenly not available, I bet that there would be a significant disruption to a LOT of individuals, businesses and government agencies.
There is a lot of talk in the UK about the geopolitical threat of Russia (and its control of natural resources used by the UK), but I'm pretty sure Google could do more damage.
Of course, it would be economic/business suicide for Google to do such a thing, but that doesn't make it less real or dangerous.
Friday, 5 February 2016
Speaking at Codemotion Rome on "New Era of Software with modern Application Security"

This is very exciting, since Codemotion is a developer focused conference, which is exactly the audience that we (AppSec) need to be talking to (and learning from).
The speaker line up is also pretty impressive (see more details here), so if you are around, this is a good conference to go to this year.
I still have quite a bit of work to do on my presentation and slides, but the key idea is to cover how a new generation of application security thinking (using TDD, Docker, Test Automation, Static Analysis, Fuzzing, JIRA Risk workflows, Kanban, micro web services visualization, ELK) not only makes apps more secure/resilient but allows them to be developed in a much more efficient and productive way.
Labels:
Security
Thursday, 4 February 2016
Job post on "Application Security Manager" for The Hut Group (in Northwich, UK)
Here is a really cool opportunity to work for a company that is focused on Application Security and developing innovative solutions to embed Application Security into the SDL (disclaimer: I'm currently contracting for them as interim 'Head of Application Security').
You can see full details at https://www.linkedin.com/jobs2/view/102336625 and here is the main description:
We are looking for an individual to who can take a hands-on approach to build and run an industry leading application security team. The Application Security Manager will develop, implement and run a secure application development program, with supporting standards and processes, and formal methodologies where relevant.
Securing our applications and customer data is critical to the success of our business. The Application Security Manager will be a security evangelist who can translate security concepts to technical and non-technical audiences, and will approach application security from the perspective of business risk. This person will be the leading authority for Application Security within the group. In addition to being an AppSec expert, the key for this role is to have significant development experience/knowledge.
A large part of the work is in supporting the existing network of Security Champions and working with devs/architects on figuring out how to secure the wide variety of apps they are developing (see here and here for more details on what these Security Champions do)
You can apply for the job at that LinkedIn page, and let them know that you saw this on my blog :)
Labels:
Job Opportunity
Wednesday, 3 February 2016
First-Party-Only Cookies - nice solution to mitigate CSRF
Just saw https://tools.ietf.org/html/draft-west-first-party-cookies-01, which proposes:
This document updates RFC6265 by defining a "First-Party-Only" attribute which allows servers to assert that a cookie ought to be sent only in a "first-party" context. This assertion allows user agents to mitigate the risk of cross-site request forgery attacks, and other related paths to cross-origin information leakage.
It looks really good, and it seems that Chrome 50 is going to support it https://www.chromestatus.com/features/4672634709082112
The current solution seems to be inspired by the SameDomain Cookie attribute as described at http://people.mozilla.org/~mgoodwin/SameDomain/samedomain-latest.txt
I actually prefer the SameDomain name to First-Party-Cookies :)
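How a user agent would apply that attribute, as an added Python example (not code from the draft, from Chrome or from this post): a toy cookie jar that parses Set-Cookie, records First-Party-Only, and withholds the cookie when the request's site differs from the site of the top-level page. It assumes that "first-party" is decided by comparing registrable domains, approximates the registrable domain as the last two host labels instead of using the Public Suffix List, and simplifies cookie matching to an exact host match; the bank.example and evil.example hosts are constructed.

```python
"""Toy user-agent model of the First-Party-Only cookie attribute
(draft-west-first-party-cookies-01). Added example; not the draft's text.

Assumptions: registrable domain = last two host labels (a real UA uses the
Public Suffix List), cookies match by exact host only (no Domain/Path logic)."""
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    host: str                      # host that issued the Set-Cookie
    first_party_only: bool = False


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 as the last two labels (assumption, see above)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(header: str, origin_url: str) -> Cookie:
    """Parse 'name=value; Attr; Attr=value' and record the First-Party-Only flag."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip(), urlsplit(origin_url).hostname)
    for attr in parts[1:]:
        if attr.lower() == "first-party-only":
            cookie.first_party_only = True
    return cookie


class CookieJar:
    """Cookie store that applies the first-party check when building requests."""

    def __init__(self) -> None:
        self.cookies: List[Cookie] = []

    def store(self, header: str, origin_url: str) -> Cookie:
        cookie = parse_set_cookie(header, origin_url)
        self.cookies.append(cookie)
        return cookie

    def cookie_header(self, request_url: str, top_level_url: str) -> str:
        """Build the Cookie header for request_url issued from a document whose
        top-level browsing context is top_level_url."""
        req_host = urlsplit(request_url).hostname
        top_host = urlsplit(top_level_url).hostname
        first_party = registrable_domain(req_host) == registrable_domain(top_host)
        sent = []
        for c in self.cookies:
            if c.host != req_host:
                continue   # simplified host matching (assumption)
            if c.first_party_only and not first_party:
                continue   # the CSRF mitigation: withheld in a cross-site context
            sent.append(f"{c.name}={c.value}")
        return "; ".join(sent)
```

A request to bank.example triggered from a page on evil.example therefore carries only the cookies that lack the attribute, which is what stops the forged request from acting on the user's session.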
Reverse engineering recently patched Wordpress
On the topic of the recent Wordpress update (see https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release), I was asked an interesting question: how to test/exploit the patched vulnerabilities (namely the SSRF one)?
Since this seems to be a scenario where Wordpress has not released the details, one way to do it is to diff the current release with the previous one.
Depending on the technology, this can be really hard (C++ patches requiring IDA Pro foo) or doable (.NET, Java, PHP).
Assuming that Wordpress is not distributed as compiled PHP (http://stackoverflow.com/questions/1408417/can-you-compile-php-code), this could be as simple as doing a file diff (it will depend on how many changes were made in the current release).
And how to perform this diff?
Use Git :)
Just:
- install previous version
- commit all files
- install upgrade (which in Wordpress can be done via the web interface)
- review changed files (it might be useful to commit files that clearly are not related to the issue)
Labels:
Security
Monday, 1 February 2016
Come on Amazon, it's time for 100% TLS (aka https)
On a thread about moving a site to 100% TLS (i.e. SSL), which, by the way, is the right thing to do in 2016 if one wants to protect users from man-in-the-middle attacks, I was asked this question:
I notice Amazon is not secure until you authenticate, then all pages become secure. This is an interesting approach. What do you think Dinis?
Lots of eCommerce companies look at Amazon as the benchmark on what to do (and what risks to accept), so the fact that they don't support 100% TLS (as can be seen by googling amazon) is not helpful at all.
Here was my reply:
This really sucks!
Well, shame on Amazon for not doing 100% SSL.
That said, Amazon has an amazing application security team (with https://firebounty.com/bug-bounty-program/16/amazon) and they have quite a lot of visibility into what is going on in their platform (namely on fraud and account hijack/abuses).
Also, Amazon is getting there; for example, note how if you start your Amazon journey on https:// (in most cases) you still stay in SSL if you do some actions and go to checkout.
Yes, there are users that don't support TLS and in some cases there are a couple of performance tweaks that will need to be done. But we shouldn't be downgrading the security of 99% of users due to a couple of users' locations or browsers.
The ones to follow on this topic are Etsy (see https://codeascraft.com/2012/10/09/scaling-user-security), who did this change in Oct 2012.
Labels:
Security