This is the overview and outline for a chapter in our upcoming book, "Epic Failures in DevSecOps". Each chapter is a unique voice, telling us a story about an epic failure that has been encountered as part of a personal DevOps/DevSecOps transformation.
Would you like to proofread a chapter and give us feedback? If so, look at the bottom right of this page and confirm you'd like to be a proofreader. (If you don't see the box, leave a comment.) This will put you on the "keep me up to date on the project" list, and we'll reach out when ready for your help. There are going to be eight chapters.Keep an eye out for the others. -- Mark Miller, Executive Editor
Despite the security community’s emphasis on the importance of building secure software, the number of new vulnerabilities found in our systems is exponentially increasing.
In the world of cybersecurity, the relationship between the role of an advisory and that of a defender is a highly asymmetric. A defender has to find all security holes in their applications and portals, whereas an advisory only has to find one vulnerability to exploit. This asymmetry is one that highly favors the advisory.
Perimeter centric models plays directly to the asymmetry and advantage of an advisory. Consequently this model has failed to achieve its goal and the results show in terms of both the volume as well as the magnitude of many of the recent breaches.
Web applications are the targets du-jour as they are often the “front door” for many companies; as such, vulnerabilities in web applications allow adversaries access to company's private data, which contains consumer's private information. Web applications are, by their nature, available to everyone, at anytime, from anywhere, and this includes adversaries.
Therefore, adversaries have the opportunity to perform reconnaissance over time, thereby acquiring information on the layout and technologies of the web application, before launching an attack. However, the defender must be prepared for all possible attacks and does not have the luxury of performing reconnaissance on the adversary.
Many techniques and tools using static analysis (white-box) or dynamic analysis (black-box) approaches have been proposed and developed to discover the vulnerabilities of web applications so that the vulnerabilities can be removed before adversaries discover and exploit them.
Such efforts of discovering and fixing vulnerabilities are not sufficient to protect web applications for many reasons:
In this chapter we formalize the notion of a system’s attack surface using an evolving I/O automata model of the system and introduce a metric to measure the attack surface in a systematic manner. Software developers and DevOps can use the metric in multiple phases of the software development process to improve software security.
We also will take an complementing view by reviewing a new technique called Moving Target Defense (MTD). If we wish to break the continual cycle of patching our application assets to defend against adversarial evasion tactics, we must redesign the way these applications are deployed so that the advisory can no longer glean the information about system under attack and use tactics to pivot or laterally move across the fabric to comprise similar systems.
The idea of moving-target defense (MTD) is to impose the same asymmetric disadvantage on advisories by making the attack surface dynamic and therefore harder to explore and predict. The ultimate goal is to increase the advisory’s workload so as to level the cybersecurity playing field for both defenders and advisories.
About Chetan Conikee
Chetan is a serial entrepreneur with over 20+ years of experience in authoring and architecting and securing mission critical software. His expertise includes building web-scale distributed infrastructure, cyber security, personalization algorithms, complex event processing, fraud detection and prevention in investment/retail banking domains. He was most recently Chief Data Officer and GM Operations at CloudPhysics. Prior to CloudPhysics he was part of early founding teams at CashEdge (acquired FiServ), Business Signatures (acquired Entrust) and EndForce (acquired Sophos).
Want to be a proofreader for the book? Fill in your email address in the box on the right. (If you don't see the box, leave a comment). We'll get back to you within the next three weeks with a chapter for your review.