solve a security problem instead
play

Solve a Security Problem Instead By Ivan Ristic 1 / 35 Stop - PowerPoint PPT Presentation

Jan 21, 2023 •358 likes •722 views

Stop complaining and solve a security problem instead Stop complaining and Solve a Security Problem Instead By Ivan Ristic 1 / 35 Stop complaining and solve a security problem instead uilder 1) ModSecurity I am a compulsive b I am a

  1. Stop complaining and solve a security problem instead Stop complaining and… Solve a Security Problem Instead By Ivan Ristic 1 / 35

  2. Stop complaining and solve a security problem instead uilder 1) ModSecurity I am a compulsive b I am a compulsiv e builder (open source web application firewall), 2) Apache Security (O’Reilly, 2005), 3) SSL Labs (research and assessment platform), 4) ModSecurity Handbook (Feisty Duck, 2010) 2 / 33 2 / 33 2 / 35

  3. Stop complaining and solve a security problem instead Message for today Software is 3 / 33 3 / 33 universally insecure, and we are not doing enough to make things right. 3 / 35

  4. Stop complaining and solve a security problem instead Morris Morris Worm orm In November 1998, the first computer worm infected about 10% of the Internet 4 / 33 4 / 33 (about 6,000 servers). e worm was written by Robert T. Morris. (e worm source code is available from www.foo.be/docs-free/morris-worm/.) 4 / 35

  5. Stop complaining and solve a security problem instead e Morris Worm spread using password cracking , server 5 / 33 5 / 33 misconfiguration , buffer overflows , and remote code execution . 5 / 35

  6. Stop complaining and solve a security problem instead Same as today, eh? We haven’t seen 6 / 33 6 / 33 an improvement in computer security in the 22 years since the first worm. 6 / 35

  7. Stop complaining and solve a security problem instead In fact, the situation has become much 7 / 33 7 / 33 worse because of the wide adoption of computers and the Internet. 7 / 35

  8. Stop complaining and solve a security problem instead Why? Four reasons: 1) ignorance , 2) convenience , 8 / 33 8 / 33 3) economics , and 4) no single point of control , but ultimately because security is not important to us . 8 / 35

  9. Stop complaining and solve a security problem instead 9 / 33 9 / 33 Software is a market for lemons . 9 / 35

  10. Stop complaining and solve a security problem instead George A. Akerlof e Market for “Lemons”: 10 / 33 10 / 33 Quality Uncertainty and the Market Mechanism 10 / 35

  11. Stop complaining and solve a security problem instead “[…] the presence of people who wish 11 / 33 11 / 33 to pawn bad wares as good wares tends to drive out the legitimate business ”. 11 / 35

  12. Stop complaining and solve a security problem instead Security comes from making sensible decisions, thinking things trough, 12 / 33 12 / 33 taking your time… It is boring and it doesn’t make anyone rich . 12 / 35

  13. Stop complaining and solve a security problem instead Open source projects just want to succeed, companies want to make 13 / 33 13 / 33 profit, people want to get things done. Security is standing in everyone’s way. 13 / 35

  14. Stop complaining and solve a security problem instead Only one solution long-term: make the 14 / 33 14 / 33 parties involved accountable for the quality. But we are probably not ready yet. 14 / 35

  15. Stop complaining and solve a security problem instead Self-certi Self-certifi fication cation Could help us focus on those who really should be liable. 15 / 33 15 / 33 ( e Software Facts label taken from Jeff Williams’s talk at AppSec Europe 2005. ) 15 / 35

  16. Stop complaining and solve a security problem instead How to… really fix security issues Design platforms, libraries, and 16 / 33 16 / 33 components in such a way that vulnerabilities cannot exist. en use them. 16 / 35

  17. Stop complaining and solve a security problem instead Start small Do one thing, no 17 / 33 17 / 33 matter how small. Repeat. 17 / 35

  18. Stop complaining and solve a security problem instead Kaizen Philosophy of 18 / 33 18 / 33 continuous improvement. 18 / 35

  19. Stop complaining and solve a security problem instead Kaizen Continuous small 19 / 33 19 / 33 improvements will yield large compound improvement over time . 19 / 35

  20. Stop complaining and solve a security problem instead Start small In your current 20 / 33 20 / 33 project, make all new work secure. 20 / 35

  21. Stop complaining and solve a security problem instead Start small In your next project, 21 / 33 21 / 33 replace as many insecure components and practices as possible. 21 / 35

  22. Stop complaining and solve a security problem instead Start small ink about how to 22 / 33 22 / 33 solve a known security problem. ink some more next week. Help solve it. 22 / 35

  23. Stop complaining and solve a security problem instead Start small Reach out and inspire 23 / 33 23 / 33 someone else to do start small. 23 / 35

  24. Stop complaining and solve a security problem instead Start small Find an influential 24 / 33 24 / 33 person. Inspire her. 24 / 35

  25. Stop complaining and solve a security problem instead Start small Become an influential person. Join a popular open source 25 / 33 25 / 33 project, or an important company. Change the world. 25 / 35

  26. Stop complaining and solve a security problem instead Summary What we can do: 1) change ourselves, 2) contribute to 26 / 33 26 / 33 the body of knowledge, 3) inspire others, and 4) make a difference. 26 / 35

  27. Stop complaining and solve a security problem instead Example We need to transition to 27 / 33 27 / 33 a world without plain-text protocols. How? Start by fixing SSL. 27 / 35

  28. Stop complaining and solve a security problem instead Example: Fixing SSL (1) Perf erformance ormance 1) Improve protocols to address latency 28 / 33 28 / 33 issues, 2) major sites support improvements, 3) one browser gets a performance edge, 4) o ther browsers follow. Google is already doing this, and we should help them. 28 / 35

  29. Stop complaining and solve a security problem instead Example: Fixing SSL (2) No support f No supp ort for modern or modern TLS features TLS features 1) Realise that 29 / 33 29 / 33 the underlying libraries are lacking, 2) understand why, 3) fund development, and 4) continue funding development . 29 / 35

  30. Stop complaining and solve a security problem instead Example: Fixing SSL (3) Bad con Bad confi figuration guration 1) Raise awareness (but that won’t 30 / 33 30 / 33 work) , 2) target library developers to drop obsolete features, 3) target vendors to ship with secure defaults 30 / 35

  31. Stop complaining and solve a security problem instead Example: Fixing SSL (4) Virtual SSL hosting Virtual SSL hosting 1) Realise that we won’t get virtual SSL hosting until Windows XP is retired, 2) put pressure on 31 / 33 31 / 33 Microsoft to change their mind, 3) find one person at Microsoft who can change things. 31 / 35

  32. Stop complaining and solve a security problem instead Example: Fixing SSL (5) Certi Certifi ficate authority trust issues cate authority trust issues 1) Wait for a wide 32 / 33 32 / 33 adoption of DNSSEC, 2) put certificates into DNS, and 3) improve browser user interfaces. 32 / 35

  33. Stop complaining and solve a security problem instead Example: Fixing SSL (6) Plain-te Plain-text supp xt support issues ort issues 1) Use SRV records to enable sites to opt-out from supporting HTTP, then 33 / 33 33 / 33 2) support SRV records in web browsers, and 3) use Strict Transport Security in the meantime. 33 / 35

  34. Stop complaining and solve a security problem instead Message for today Do one 34 / 33 34 / 33 thing, no matter how small. Repeat. 34 / 35

  35. Stop complaining and solve a security problem instead Thank y ou! The slides will be available for download from http://blog.iv http://blog.ivanristic.com anristic.com 35 / 35

Recommend

Approximation Algorithms Q. Suppose I need to solve an NP-hard problem. What should I do? A.

Approximation Algorithms Q. Suppose I need to solve an NP-hard problem. What should I do? A.

Approximation Algorithms Q. Suppose I need to solve an NP-hard problem. What should I do? A. Theory says you're unlikely to find a poly-time algorithm. Must sacrifice one of three desired features. Solve problem to optimality. Solve

247 views • 20 slides
Representing Knowledge Given a problem to solve, how do you solve it? What is a solution to

Representing Knowledge Given a problem to solve, how do you solve it? What is a solution to

Representing Knowledge Given a problem to solve, how do you solve it? What is a solution to the problem? What do you need in the language to represent the problem? How can you map from the informal problem description to a

569 views • 7 slides
Representing Knowledge Given a problem to solve, how do you solve it? What is a solution to

Representing Knowledge Given a problem to solve, how do you solve it? What is a solution to

Representing Knowledge Given a problem to solve, how do you solve it? What is a solution to the problem? What do you need in the language to represent the problem? How can you map from the informal problem description to a

128 views • 12 slides
The Four Steps 1 Solve the problem. 2 Write the app. 3 Compile the app. 4 Run the app. CSE 1020

The Four Steps 1 Solve the problem. 2 Write the app. 3 Compile the app. 4 Run the app. CSE 1020

The Four Steps 1 Solve the problem. 2 Write the app. 3 Compile the app. 4 Run the app. CSE 1020 moodle.yorku.ca Phases 1 Analysis (define the problem) 2 Design (solve the problem) 3 Implementation (write and compile the app) 4 Testing (run the

444 views • 22 slides
Module 5 19/05/2015 2 Agenda 1. When and how to solve a problem 2. Praise, criticism and

Module 5 19/05/2015 2 Agenda 1. When and how to solve a problem 2. Praise, criticism and

PROBLEM SOLVING Module 5 19/05/2015 2 Agenda 1. When and how to solve a problem 2. Praise, criticism and feedback 3. The four steps When and how to solve 3 a problem Top Tips: There are four steps in problem solving: Remain calm and

540 views • 7 slides
The eight queens problem Let us now use Prolog to solve a more difficult kind of problem. One of

The eight queens problem Let us now use Prolog to solve a more difficult kind of problem. One of

The eight queens problem Let us now use Prolog to solve a more difficult kind of problem. One of these famous problems is the eight queens problem . It consists in placing on a (European) chess board eight queens such that they do not attack each

215 views • 8 slides
Persuasive Communication Sweet Spot Relate to the audience Solve a problem Tell a story

Persuasive Communication Sweet Spot Relate to the audience Solve a problem Tell a story

Persuasive Communication Sweet Spot Relate to the audience Solve a problem Tell a story Relate to the audience Ethos, Logos, Pathos (Credibility, Logic, Emotion) Solve a Problem Halitosis Tell a Story 5. The Solution 4. The Real

221 views • 5 slides
Problem Solving & Algorithm Design 01-1 Problem solving The act of finding a solution

Problem Solving & Algorithm Design 01-1 Problem solving The act of finding a solution

Problem Solving & Algorithm Design 01-1 Problem solving The act of finding a solution to a perplexing, distressing, vexing, or unsettled question 01-2 How to Solve it Written by George Polya in 1945 01-3 How to Solve it

907 views • 31 slides
Using Game Theory To Solve Network Security A brief survey by Willie Cohen Network Security

Using Game Theory To Solve Network Security A brief survey by Willie Cohen Network Security

Using Game Theory To Solve Network Security A brief survey by Willie Cohen Network Security Overview By default networks are very insecure Connected to the open internet There are a number of well known methods for securing a

659 views • 21 slides
Solve a Constraint Problem Without Modeling It Chris'an

Solve a Constraint Problem Without Modeling It Chris'an

1 /20 Solve a Constraint Problem Without Modeling It Chris'an Bessiere, Remi Cole1a, Nadjib Lazaar CNRS, University of Montpellier COCONUT Team

229 views • 20 slides
Why Standards are Not Enough to Solve Healthcare's Interoperability Problem (And How RDF Can

Why Standards are Not Enough to Solve Healthcare's Interoperability Problem (And How RDF Can

- DRAFT - Why Standards are Not Enough to Solve Healthcare's Interoperability Problem (And How RDF Can Help) David Booth, Ph.D. Latest version of these slides: http://dbooth.org/2014/standards/ See also associated paper Definition Semantic

632 views • 23 slides
Exercises What problem did Tim Berners-Lee t hink he could solve using t he Web? What is t

Exercises What problem did Tim Berners-Lee t hink he could solve using t he Web? What is t

Exercises What problem did Tim Berners-Lee t hink he could solve using t he Web? What is t he difference bet ween a firewall and proxy? Name t wo ways t hat bias could be int roduced int o search result s Exercises Which of the

280 views • 3 slides
Project Overview The problem we were trying to solve and how we will measure success The P e

Project Overview The problem we were trying to solve and how we will measure success The P e

Project Overview The problem we were trying to solve and how we will measure success The P e Prob oblem em Attendance at ET Davis and ED Nixon Elementary Schools is lower on rainy days because students who walk to school do not have the

301 views • 16 slides
VT VT-x Deepayan Bhattacharjee VT-x : Motivation To solve the problem that the x86

VT VT-x Deepayan Bhattacharjee VT-x : Motivation To solve the problem that the x86

MMU virtualization in In Intel VT VT-x Deepayan Bhattacharjee VT-x : Motivation To solve the problem that the x86 instructions architecture cannot be virtualized. Simplify VMM software by closing virtualization holes by design of Ring

507 views • 14 slides
Choosing a Representation Language You need to represent a problem to solve it on a computer.

Choosing a Representation Language You need to represent a problem to solve it on a computer.

Choosing a Representation Language You need to represent a problem to solve it on a computer. problem specification of problem appropriate computation Example representations: C++,

269 views • 7 slides
Using Cloud Native Technologies to Solve Complex Application Security Challenges in Kubernetes

Using Cloud Native Technologies to Solve Complex Application Security Challenges in Kubernetes

Using Cloud Native Technologies to Solve Complex Application Security Challenges in Kubernetes Deployments Cequence Security: A Cloud Native Approach to Application Security Venture-backed start-up bringing much-needed innovation to

304 views • 17 slides
Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the computing world, and are parallel to even older problems outside computing Required level of security is always related to what you protect

237 views • 23 slides
The Internet Protocol (IP) What problem are we trying to solve? Since there are numerous DL

The Internet Protocol (IP) What problem are we trying to solve? Since there are numerous DL

The Internet Protocol (IP) What problem are we trying to solve? Since there are numerous DL technologies and protocols, an internetwork is going to need to pass data between subnetworks with different: protocols addressing schemes

1.01k views • 54 slides
Plan Approval Create Improve What is the problem you are trying to solve?

Plan Approval Create Improve What is the problem you are trying to solve?

Ask Brainstorm Plan Approval Create Improve What is the problem you are trying to solve? What materials do you have? What is your time frame? How will you test your design? What are some solutions to your

600 views • 10 slides
Trive truth discovered We solve the someone is wrong on the internet problem.

Trive truth discovered We solve the someone is wrong on the internet problem.

Truth Discovery Network Trive truth discovered We solve the someone is wrong on the internet problem. Scalable, Unbiased, Transparent, Crowd Sourced. info@trive.news Page 1 Fake news is a serious problem for

464 views • 21 slides
CAN BLOCKCHAIN SOLVE THE HOLD-UP PROBLEM? RICHARD HOLDEN AND ANUP MALANI UNSW AND UNIVERSITY OF

CAN BLOCKCHAIN SOLVE THE HOLD-UP PROBLEM? RICHARD HOLDEN AND ANUP MALANI UNSW AND UNIVERSITY OF

CAN BLOCKCHAIN SOLVE THE HOLD-UP PROBLEM? RICHARD HOLDEN AND ANUP MALANI UNSW AND UNIVERSITY OF CHICAGO OVERVIEW 1. Holdup is an important problem in contracts. Reduces gains from trade, output. Alters firm boundaries. 2. Contract

423 views • 24 slides
Going Anterior With A Corpectomy is the Only Way to Solve the Problem Gregory D. Schroeder, MD

Going Anterior With A Corpectomy is the Only Way to Solve the Problem Gregory D. Schroeder, MD

Going Anterior With A Corpectomy is the Only Way to Solve the Problem Gregory D. Schroeder, MD Assistant Professor, Orthopaedic Surgery The Rothman Institute at Thomas Jefferson University Goals of surgery Decompress cord Relieve

509 views • 31 slides
Using Genetic Algorithms to solve the Minimum Labeling Spanning Tree Problem MLST; problem

Using Genetic Algorithms to solve the Minimum Labeling Spanning Tree Problem MLST; problem

Using Genetic Algorithms to solve the Minimum Labeling Spanning Tree Problem MLST; problem set-up Genetic Algorithms Oliver Rourke, oliverr@umd.edu MLST: GA Advisor: Dr Bruce L. Golden, bgolden@rhsmith.umd.edu MLST: GA++ R. H. Smith

479 views • 47 slides
Algorithms COSC 1010 Algorithms Algorithm - A clear specification of how to solve a problem

Algorithms COSC 1010 Algorithms Algorithm - A clear specification of how to solve a problem

Algorithms COSC 1010 Algorithms Algorithm - A clear specification of how to solve a problem E ff ective method: Measured in the resources solved in dependence of the size of the problem Time Memory Algorithms

477 views • 16 slides

More recommend