DSO-LG Oct 2019: Modern Software Delivery: Supply Chain Security Critical (Chris Wysopal)

Editor's Notes

• #3: This month it is 20 years since the L0pht testisfied in the Senate. This was 5 years into the change, asked hackers to give a take on government computer security. How did we get here? We made trouble. Trouble for vendors. Trouble for businesses. We didn’t do anything illegal but we made many people angry with us. Some would say today I am still making the CSO of Oracle, Mary Ann Davidson angry at me but that is a story for another day. Talked about the risk of targeting internet infrastructure. Said we could take the internet down in 30 minutes Testified with our hacker names due to not wanting to lose our day jobs. We didn’t think this through as their would be cameras. Jig was up next day at work.
• #4: This is a picture of the L0pht crew in the L0pht hobbit reverse engineers Microsoft SMB, dinner with paul leech and steve lipner L0pht builds a lab environment to hack software Mudge and Bruce Schneier find NTLM protocol weak L0phtCrack can brute force NTLM hashes and network protocol Microsoft sets up PSRT and L0pht is one of the first to coordinate disclosure.
• #5: Some people called us sell outs. The dream was to get paid to do what we loved doing. It didn’t work out quite as we had hoped. Got to work with some amazing people and projects. Besides l0pht members like Mudge and Kingpin I got to work with Alex Stamos, CISO of Yahoo and then Facebook, Window Snyder who was CISO of Mozilla. Got to help Microsoft build in security into their products in the early 2000’s. This included teaching Microsoft Threat Modeling.
• #6: Founded with Christien Rioux, Dildog from L0pht and Cult of the Dead Cow. There is a book out now on the history of Cult of the Dead Cow called “Cult of the Dead Cow”. It has a chapter on L0pht, @stake, and Veracode. Founded Veracode to automate the processes we did at @stake. Veracode automates code review and manual pen testing. This makes it possible for developers to build secure software without needing a security team. I realized there were many, many developers writing a lot of software and there were not enough security experts to help them do it securely.
• #8: Poor performance at the start of testing is true not only for in-house enterprise software, but also commercial off-the-shelf software. In fact, commercially developed software tends to do worse than internally coded applications upon first scan.
• #14: When examining the Iceberg effect further, we found an unevenness in the size of security debt. Upon further analysis, it was clear the discrepancy in iceberg size was in relations to more frequent scanning. In fact, those that scanned an applications 300+ times a year had 5X less security debt and 3X higher fix rate.
• #15: To better understand why this is, we looked at the impact of frequent scanning on time to remediate. Companies that scan roughly once a day saw a 72% reduction in MedianTTR. Knowing this as well as the fact that vulnerabilities not addressed soon after being found tend to be added to the security debt pile, led to the conclusion that companies scanning more frequently find and fix faster so that they are not adding to their security debt. But what about the debt they’ve already accumulated before the company had a DevSecOps program? We also saw evidence that having a dedicated program for addressing flaws in the development cycle, as well as creating a program for addressing old vulnerabilities helped melt the iceberg.
• #17: CIA – Confidentiality, Integrity, Availability Mistrust the Client, Server-side controls, Default Deny Approach, white list vs black list Fail Securely