Well, thank you very much. A few things to say: if I said I understood half of what those previous two talks were about, I think I'd be a blatant liar. So I'm not a developer, I'm not a coder. I think I left my coding days behind me back in about 1984 with the Spectrum 48K, when I realized I'd got fed up of typing in those really long pages of code only to find you'd made a spelling mistake halfway through, and thought, screw that, let's play Jetpac instead, or Manic Miner. But what I'm here today to talk to you about is actually... I'm an information security professional. I'm the director of the global security office for Sapient.

So let's move on, first off, to a little disclaimer. I'm actually not allowed to talk about specific things that we do within Sapient. This is great for me, because when you break into rapturous applause at the end, it's because it's all my own work, and if you hate it, it's because my damn company won't let me talk about the things I really need to talk about. But I am glad to say that what I'm going to put across now is some concepts and some ideas. It's more of a conversation than anything else, rather than a talking at you, but I'm trying to introduce my ideas about how secure coding, or coding with security in mind, is actually vital. It's really, really important, but not necessarily for the reasons that you might think.

So we're going to talk about, for instance, how coding securely can save money. It's kind of an obvious thing in a sense: you don't do so much rework, you know, hacks later on, blah. We're going to look into that in more detail. But in any kind of commercial organization, the better you code, the more money you will save, and the more money the shareholders make, or your bosses make, or whatever. Right, that's a good thing. That's a good thing. Their success is your success.
I'm sure we all agree with that. Now, what this image does remind me of, actually, and it's a slight segue, but I have to say whenever I do a presentation like this I do an awful lot of Google image searches, trying to find the right kind of image. And I have to say, over the past few months, not only has the quality and the resolution of the images increased, but the actual quality of the subjects of the images has increased as well. As I say, a little segue, but it's something that's worth bearing in mind, especially as we move on to the next point about how secure coding helps us not only with losing confidence in things but also helps us build confidence as well. I think that's an important concept: confidence not only within ourselves, but also within our clients and our employers, etc.

And the third thing we're going to talk about is that we can save lives with this stuff. This is important. The Internet of Things, that wonderful TLA that everybody's starting to hear more and more about, is an important concept. You quite literally can save lives with the right kind of coding done in the first place. We're going to look at some examples around that.

So without further ado, let's move on to saving money. So, Sony. And I've just noticed that my laptop is not giving me any of my notes whatsoever, so I'm going to wing it a little bit now. But Sony: we all know about the Sony breach back in 2011, as carried out by Anonymous and members purporting to be of Anonymous, and they took something like, I don't know, 76 million records I think it was, personal records. The cost to Sony as a result of that was in the hundreds of millions without a shadow of a doubt, not only in reputational damage but also in the fact that, with credit card information potentially being stolen, they were exposed.
They had to pay, you know, restitutional damages to people, and that kind of thing. And do you know what the primary cause of that hack was? Does anybody have an idea? No, no, no, that was even before SQL injection. It was a SQL injection attack that allowed Anonymous to get in there in the first place and then capitalize on those other things, if you see what I mean. So yes, the hack would probably have happened through other means and mechanisms, but the primary entrance point into this was SQL injection. It was a coding error. And SQL injection is just one example. I'm sure everybody in this room never codes insecurely and has never coded a SQL injection error in their lives, of course. But far be it from me to say... I think SQL injection has been on the OWASP Top 10 for 10 years, 12 years, something like that. This is a vulnerability that shouldn't be around in today's day and age. So, you know, the Sony hack started with a SQL injection.

Let's try LinkedIn. This was a more common one. Again, to your point, it's because LinkedIn encrypted their passwords; they didn't hash and salt them. So they were very easily reversed, effectively. But the first entry point into the LinkedIn hack was a SQL injection attack through a third-party application that LinkedIn used. Again, very, very simple, basic vulnerabilities were exploited to carry this out. Now this was on a far smaller scale. LinkedIn obviously is a free product for 99% of the people out there; the margins are paper thin. It cost them about two to three million dollars to get this fixed, to get it squared away.
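An added illustration from the editor, not part of the talk: the SQL injection pattern the speaker keeps returning to, shown against an in-memory SQLite database in Python. The table, the single user record and the payloads are constructed for the demo and have nothing to do with the Sony or LinkedIn systems. `login_vulnerable` splices user input into the query string; `login_safe` passes it as a bound parameter, so the payloads that bypass the first are treated as literal text by the second.

```python
import sqlite3

# Constructed demo data: one account in a throwaway database. Passwords are
# kept in plaintext here only so the example isolates the injection problem;
# storing them this way is a separate mistake covered elsewhere in the talk.
DEMO_USER = "alice"
DEMO_PASSWORD = "correct horse battery"


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a single constructed user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", (DEMO_USER, DEMO_PASSWORD))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Untrusted input is concatenated straight into the SQL text.

    Attacker-controlled quotes and keywords become part of the query, so the
    WHERE clause can be rewritten. This is the coding error the talk describes.
    """
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The same check with bound parameters.

    The query text is fixed before any user data arrives; the driver hands the
    values to SQLite as data, so quotes in them cannot alter the statement.
    """
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# Two classic payloads. The first turns the WHERE clause into a tautology; the
# second comments out the password check (SQLite treats -- as a line comment).
TAUTOLOGY_PASSWORD = "' OR '1'='1"
COMMENT_USERNAME = DEMO_USER + "'--"


def demo() -> dict:
    """Run both implementations against the real credentials and both payloads."""
    conn = make_db()
    try:
        return {
            "vulnerable_real_creds": login_vulnerable(conn, DEMO_USER, DEMO_PASSWORD),
            "vulnerable_tautology": login_vulnerable(conn, DEMO_USER, TAUTOLOGY_PASSWORD),
            "vulnerable_comment": login_vulnerable(conn, COMMENT_USERNAME, "anything"),
            "safe_real_creds": login_safe(conn, DEMO_USER, DEMO_PASSWORD),
            "safe_tautology": login_safe(conn, DEMO_USER, TAUTOLOGY_PASSWORD),
            "safe_comment": login_safe(conn, COMMENT_USERNAME, "anything"),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name:24s} -> {'ACCESS GRANTED' if granted else 'denied'}")
```

Both payloads log in through `login_vulnerable` without knowing the password and are rejected by `login_safe`. The fix is not escaping or a blacklist of quote characters; it is keeping query structure and data in separate channels, which is what every mainstream database driver's parameter binding does.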
They exposed, I think it was, something like eight million records or something like that. If I had my notes on my laptop I'd be able to tell you far more accurately. Note to self: check laptop before starting.

But this is another example. The third example I want to give, obviously quite an obvious one, is Target. Everybody knows about this one. It isn't SQL injection, you'll be glad to hear, but this actually took advantage of a vulnerability within the POS systems. Now, somebody coded those POS systems, right? Those POS systems were coded by somebody who actually wrote the production code that they use, and a vulnerability within that code was exploited, which then allowed the attackers, I think they were Russian, allegedly, to skim the credit cards of millions of customers. They reckon that the actual total damages will come to billions in the end. Target posted a loss in earnings in, I think it was, the following one or two quarters, which for Target is a big deal. I mean, when you're reporting to the Street on a quarterly basis, missing your targets by quite significant amounts is a big deal; shareholder value goes down, etc. It's actually quite a problem, to say the least. So these are examples where I say secure coding in the first place saves money. Okay, fair enough: saves money, reputation damage. Okay, big deal.
No problems. Well, let's look at the losing confidence side now. This is not quite as clear-cut as it might seem. Now, HBGary, more specifically HBGary Federal, was a governmental security... I'll rephrase that: a security company that served the US government space, as it were. You can't find a logo for HBGary Federal anymore; I think they've invoked their right to be forgotten or something. But HBGary, in 2011, their CEO, a chap called Aaron Barr, and please nod vigorously if anybody remembers this or knows this, their CEO Aaron Barr, a chap who I happen to know quite incidentally, lovely fella, basically went to the Telegraph, I think it was (he's an American chap, but he got his point out to the Telegraph), saying, I know how to identify Anonymous through social media, the hacker group; I can put names to them. It was quite a grandiose claim, and it put Anonymous on a bit of a back foot for a short period of time. They then attacked HBGary using what? SQL injection. So they attacked the HBGary CMS; they went through the website and attacked the CMS. Now, that was just the first point. There was a litany of errors after that. They got into the CMS through SQL injection, and through that, the passwords were poorly encoded, using, I think it was, a SHA-1 hash, a very, very low-quality, known-to-be-bad hashing algorithm. So they got the password table and managed to use rainbow tables to decrypt that, effectively. They then found passwords for the CMS for folks like Greg Hoglund and Aaron Barr and other key leads within the HBGary organization. HBGary then fell over again because they had password reuse; they were constantly using the same passwords from account to account to account. So they were able to use those passwords to get further into the system.
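A second added example from the editor, again not part of the talk: why the LinkedIn and HBGary password stores described above gave way so easily, and what the salting the speaker mentions actually buys. An unsalted digest is the same for every user with the same password, so one precomputed table (the rainbow-table idea) recovers all of them at once. A per-user random salt plus a deliberately slow key derivation function (PBKDF2 from Python's standard library here) makes every stored digest unique and forces the attacker to redo the work per user per guess. The accounts, passwords and wordlist are constructed for the demo and are nobody's real credentials. The last function also shows the caveat a practitioner wants: salting does not rescue a weak password that is in the attacker's wordlist; it only removes the precomputation shortcut and multiplies the cost.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample data: two accounts that happen to share a weak password.
USERS: Dict[str, str] = {
    "user_a": "Password1",
    "user_b": "Password1",
    "user_c": "correct horse battery",
}
# A tiny stand-in for an attacker's wordlist or rainbow-table input.
WORDLIST = ["123456", "password", "Password1", "letmein", "qwerty"]
# PBKDF2 work factor; modest so the demo runs quickly, raise it in production.
ITERATIONS = 100_000

SaltedRecord = Tuple[bytes, bytes]  # (salt, derived key)


def hash_unsalted_sha1(password: str) -> str:
    """Fast, unsalted, deterministic: equal passwords give equal digests."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None) -> SaltedRecord:
    """Random per-user salt plus a slow KDF. Store both halves of the tuple."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


def verify_salted(password: str, record: SaltedRecord) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, key = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, key)


def crack_unsalted(stored: Dict[str, str]) -> Tuple[Dict[str, str], int]:
    """Lookup-table attack: hash the wordlist once, then match every user by lookup.

    Returns (recovered passwords, number of hash computations). The cost does not
    grow with the number of users, which is what makes a leaked unsalted table so cheap.
    """
    table = {hash_unsalted_sha1(word): word for word in WORDLIST}
    recovered = {user: table[digest] for user, digest in stored.items() if digest in table}
    return recovered, len(WORDLIST)


def crack_salted(stored: Dict[str, SaltedRecord]) -> Tuple[Dict[str, str], int]:
    """No shared table exists for salted records: each guess is re-derived with that
    user's salt. Weak passwords still fall, but the work multiplies by the user count."""
    recovered: Dict[str, str] = {}
    kdf_calls = 0
    for user, record in stored.items():
        for word in WORDLIST:
            kdf_calls += 1
            if verify_salted(word, record):
                recovered[user] = word
                break
    return recovered, kdf_calls


def demo() -> dict:
    """Store the sample accounts both ways and attack each store."""
    unsalted = {u: hash_unsalted_sha1(p) for u, p in USERS.items()}
    salted = {u: hash_salted(p) for u, p in USERS.items()}
    unsalted_found, unsalted_cost = crack_unsalted(unsalted)
    salted_found, salted_cost = crack_salted(salted)
    return {
        # The shared password is visible even before cracking in the unsalted store.
        "unsalted_digests_collide": unsalted["user_a"] == unsalted["user_b"],
        "salted_digests_collide": salted["user_a"][1] == salted["user_b"][1],
        "unsalted_recovered": unsalted_found,
        "unsalted_hash_ops": unsalted_cost,
        "salted_recovered": salted_found,
        "salted_kdf_ops": salted_cost,
        "salted_verify_ok": verify_salted(USERS["user_c"], salted["user_c"]),
        "salted_verify_wrong": verify_salted("Password1", salted["user_c"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:26s} {value}")
```

Five SHA-1 computations recover both weak accounts from the unsalted store, and the two identical digests give the shared password away before any cracking starts. Against the salted store the same wordlist costs eleven PBKDF2 derivations for three users and still finds the two weak passwords, which is the honest lesson: salt and a slow KDF remove the rainbow-table shortcut and make bulk cracking expensive, but they are not a substitute for rejecting weak passwords.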
They then used classic social engineering. They got onto one of their third-party developers who maintained the CMS and pretended to have forgotten their username, blah, blah, blah. You know, can you open this port because I'm traveling in Spain, etc. And then they got access and basically released every single email that was in the HBGary system to, I think it was, Pastebin. And each one of these emails was basically saying how HBGary were going to socially engineer it such that they could identify key members of Anonymous, and they were going to plant false information within the press; they were going to plant false information around the world. It was somewhat shady stuff, to say the least.

And so, bottom line is, confidence was lost. A year later, HBGary, HBGary Federal, I'm sorry, did not meet their earnings projections and were bought out and effectively asset-stripped a year later by another American company. So they were gone, quite simply gone. HBGary Federal does not exist as it currently stands. So that's a classic example of something where poor coding, as well as a litany of other errors, results in the loss of a company. Maybe a good thing or a bad thing, depending on where you stand with Anonymous and where you stand with what HBGary were doing, but nonetheless people lost their jobs, people got behind on their mortgage payments, etc.
However, let's look at this in a broader context. So, from the Information Security Breaches Survey, which was carried out by the UK government, the Department for Business, Innovation and Skills: the actual cost of a breach is going up year on year. The number of breaches reported is going down, but the cost of a breach is going up. For a large company, 600K to 1.15 million per breach is the average here. That's a big chunk of change that's being lost. For a small company, and that could be roughly 20, 80, 100 people, 65 to 115K. How many more widgets or things or consultancy do you have to do to make up that kind of cost as a result of breaches into your organization? This is quite a big deal. It's quite a big deal, but here's the rub. Here's the rub: 10 percent of every company that was surveyed for this had to completely change their business model as a result of being attacked. They either had to exit their internet strategy or their e-commerce strategy; they had to completely change how they operated as a result of the hack. 10%. That's quite a significant amount, if you will.

Now the interesting part is when you look at some of the other companies that were involved in here. So let's go back to Sony. Sony were hacked a total of four times, or actually they were hacked once, four times, if you see what I mean. It's the same hack every time; they didn't fix the breach. 2008, big global downturn, Sony's share price went down just like every other company's share price went down. When the breach happened, and the subsequent breaches happened, their share price went even lower. So their share price at that point was a quarter of what it was about 15 to 18 months prior. It was a significant drop. Only now are they just recovering to pre-breach levels. But hands up here, who has bought a Sony product since 2011? You probably bought one that you didn't know about. Now, my question is, what are you doing? This is an insecure company.
Why are you buying products from an insecure company? I'll tell you why: because they do good products. So the interesting thing is, just because a company gets a breach and suffers and drops share price, many times and more often than not, it does not result in that business disappearing. HBGary was a very specific example. When you start searching for businesses that have actually gone out of business, or organizations that have gone out of business as a result of breaches, there's not many out there. It's quite interesting. Some statistics say that if a company handles its breach correctly... Buffer, the Buffer app, the folks who allow you to broadcast on social media across multiple platforms, they handled their breach incredibly well, so that their actual market share took off after the breach. Now, I don't know what the cause of their breach was; I'm not even going to suggest it was SQL injection at this time. But their business actually took off. So it's not quite as simple as you might think. Yes, you might lose money; yes, you might lose shareholder value; yes, you might have a little bit of reputational damage. But very often, think about Sony, you don't think about them any differently now to what you did before. So this brings about a little bit of a conundrum. I can't say to you guys, as a developer community in front of me, if you don't code securely we're all going to be out of a job. It's a little bit more complex than that. It's going to reduce value. It may result in short-term redundancy. It may result in a downturn, but it's not going to be the end of the world.

So then, let's look at a different concept: saving lives. Everybody know what this device is? It's an insulin pump. So for people who have type 1 diabetes, and particularly aggressive forms of it, the pump is basically plumbed into their blood supply.
It checks their blood sugars, and every time the blood sugars drop to a certain level the pump activates and pushes insulin into their system automatically. It means you don't have to constantly check your blood yourself and keep doing it. Very good, especially if you're forgetful. This is a Bluetooth pump, so you can actually, on your smartphone, monitor what's going on and gather a record and things like that. Now, in 2008 a chap called Barnaby Jack, the late Barnaby Jack, he died, I think it was, like last year, showed at the DEF CON conference how there are such fundamental vulnerabilities in this device that someone within a 30-foot range could, with relative ease, hack into it and deliver a fatal dose of insulin to the individual.

Now tell me that secure coding isn't important when you put it in context like that. We put all of our emphasis into securing credit cards and making sure money isn't lost, making sure that shareholder value is increased. All of this stuff is inherently replaceable and, as we've seen, actually doesn't have that much of an impact. But when we start talking about the Internet of Things, this is a significant thing, secure code. I don't even know if anybody here is coding on any platform like this, but the vulnerabilities were so basic that it was very, very straightforward to do. Barnaby Jack obviously also went on and showed how the standalone ATMs that connect over a GSM signal can also be hacked in the same way, and you can start churning out as many... you can root the ATM and give out money. They haven't fixed this. These vulnerabilities still exist in Bluetooth insulin pumps in the world. Those vulnerabilities still exist.

Does anyone know what this is? God, take a guess, come on. Pacemaker, there we go. It's just one of those smart pacemakers.
It's the type of one that Dick Cheney had. Now, whatever your political views, he actually took a very sensible precaution, because these pacemakers have become wireless, effectively. It used to be you had to, almost a bit like an access badge, actually place a wand over the chest in order to access the data that's held on the pacemaker, etc. Now it can be done from 20 meters away. He actually had the wireless capability on his pacemaker disabled, because the Secret Service, not that they're paranoid or anything, but the Secret Service said you are at risk. So he actually had that functionality disabled, yet has wires hanging out of his body in order for the pacemaker to be monitored, etc. Barnaby Jack again, the late Barnaby Jack again, showed how from 20 feet away you can deliver a fatal electric shock to somebody's heart through a pacemaker.

Now again, putting things into perspective: one, not many people have pacemakers; two, not many people actually have wireless pacemakers. I think they're all a bit traditional. You fast forward ten years, this kind of thing is going to be standard. We look at cars. We look at Tesla, for instance: a car manufacturer offers a bug bounty for vulnerabilities in its code. That's a bit weird, isn't it? If you went back five years and said, in five years' time a car manufacturer will be offering bug bounties for the code that sits in its car... What, really? But they're doing that. The Toyota Prius has been shown that it can be taken over; from a car driving behind it, they can take over, I think it's, the lights and the horn and the indicators, etc. Not particularly difficult, not particularly dangerous as such. That's just stage one. This is just a research project, right? What next? And the Prius, although it's technically a fairly complex car, is quite dated as regards technology.
You've got BMWs now that you can control via your iPhone. Who knows what could happen next? You've got drive-by-wire steering; somebody could take you off the road. This is where the future of secure coding is going to be: not just in websites, not just in things that might affect people's credit cards or things like that. This is where the future of it is. Again, I want to emphasize: we put a lot of our efforts into securing people's financial lives, which are completely replaceable, and not enough effort into doing things that actually will take lives in the future. So where are the priorities that we should be looking at? Is it the Internet of Things? Is it the cash? I don't know. This is not a right or wrong description; I think it's more food for thought about how you as developers can view the work that you do. Not just the work that you are doing today, but actually how you approach it as a developer. You're all developers. There are millions of lines of code in everything, and one QA team or one testing environment cannot go through every single line of code that's written. But each individual developer could go through every single line of code that they write and ensure that it's actually, to the very best of their knowledge, secure, properly written, and as robust as it possibly could be.

Let's talk about the takeaways here, because actually, at the end of the day: it's all very well, Tom, but so what? What have we got to do about it? Well, I think there's three things that we can look at here. The first one: let's start coding more maturely. This is my humble opinion, and I welcome any kind of suggestions otherwise. You're probably familiar with the logo on the right; the logo on the left is BSIMM, the Building Security In Maturity Model.
So it's about ensuring that the way an organization codes and manages its development environment has a maturity, actually has the checks in place. It's not a standard as such. It is quite literally a maturity model that allows you to measure how you as an organization might actually see where your code is compared to others. So we've got some big names there, some of the big banks, Marks and Spencer for instance, as part of the BSIMM environment. It's kicked off by an organization called Cigital. It's technically a not-for-profit organization, although money does change hands; it's at a sort of break-even point, to say the least. But you can start to measure the maturity of your development environment.

And on the right, of course, OWASP, the OWASP Top 10, and they've graced our shores for a decade or whatever. OWASP is very good, but of course they bring out the Top 10 every couple or three years. It might not be your top 10. That's the problem with this; this is such a generic thing. I think OWASP do a great job, and they're doing an awful lot to bring this to our attention, but it's a generic thing. Their top 10 is not necessarily your top 10. You might have two or three on there; SQL injection is on there still. But you need to look at your code and priorities in the same way that they do. What is your top 10? What are the 10 things that actually cause 95 percent of the vulnerabilities within the code that you produce? How do you actually root that out right at the very beginning, rather than having to pick apart the code at the end? So, code more maturely, look at different ways that you can actually address this.

The third one is skin in the game. Now, this is a Roman bridge, and I don't know if people know this; I'm not even sure if it's an urban myth.
I don't think it is. But in Roman times they built good bridges, and we can tell that by the modern bollard in front, and by the fact that this bridge is still standing and, if nothing else, grass is growing on it. You probably walk over the top of it however many hundreds of years later. But one of the reasons why it's still there is because the architect who designed it had some real skin in the game, and he had skin in the game because he was forced to stand underneath the arches as the supporting structures were taken away once the bridge was completed. So that's a bit like saying you need to write the code for this insulin pump, and then we're going to plug it into you and have a right old pop at that insulin pump, and as long as you're confident that you're not going to keel over in some kind of shock... That's the equivalent, right? I'm not suggesting that, maybe, but what I'm saying is have some skin in the game; have a sense of responsibility for what you're doing. This is not just a job. Nobody's in here, I would suggest, because it's just a job. I think most people in this room have a passion for what they do. You wouldn't be here, it's what, 8 o'clock, you wouldn't be here in an office at 8 o'clock at night listening to some prat talk about coding and secure code if you didn't have a passion for it in the first place. Turn that passion into the code that you deliver; put some skin in the game. And remember, I think this is a very important thing to remember, that every time you write code, just think of that knock on the door at 2 o'clock in the morning. All right, the next person who's got to look at your code, who's actually got to fix it: if they know where you live and they're particularly unhappy and a little bit unhinged, you might code a little bit harder. Just think of it in those terms as well. I know it's a very blasé thing to say, but it's true.
You do need to actually think about it in these terms. So it's not just an activity for now; it's not just an activity to get you to the next payday. This code could be in production for decades in some cases. Or even if it's only in production for three years, but you've left the country and emigrated to Australia to become a sheep farmer, how the hell are they going to be able to work out your code if you're not actually coding it in a way that can be understood, in a way that is robust and easily deconstructed? And that is the end of it. These are my various internet residencies, if anybody would like to chat to me afterwards. Now we'll take questions. Thank you very much.

Any questions? Yes.

So, a good place to start: the SANS Institute run very good courses. They will work you hard; their courses start on a Saturday morning and then run through to the following Friday, in many cases. So the SANS Institute is a very, very good place to go. Otherwise, I think that would be my top tip: look at the SANS Institute. They're also an open institute; they'll point you in other directions as well. Engaging honestly with communities like this, you're already one step ahead by the fact you're actually engaging in a community that cares about what you do. There are also organizations, for instance even ISACA and (ISC)², that have specialities when it comes to coding and development. Google is your friend, to be honest with you, in many of these cases. But yeah, very good point. My first place would be the SANS Institute.

Yes. Yeah, quite challenging, I know. I do carry out audits and assessments, but not on code, as you've probably gathered. Not unless it's got a rubber keyboard.
I might have a chance, without you understanding what you're writing, but... Very challenging. Yeah, now there are various tools out there, and in fact one, coincidentally, is from an organization called Cigital again. They have an application that will actually sit on top of your coding platform, whatever that might be, and obviously it's got to be customized for that particular platform, and as you write code, if it detects a vulnerability it will actually highlight it and tell you why it's vulnerable, what its implications are, and tell you what you should do to fix it. Obviously you can ignore that, because it might be out of context, etc. But it's a bit like, you know, "Oh, I see you're trying to write a letter," Clippy coming up and telling you, "Oh, I see you're coding a SQL injection. Would you like some help?" It's kind of like that concept, maybe a little bit cleverer.

Yes, it could do, it could do, but if nothing else, because if that code is reviewed two weeks, two months later and then taken back to the developer... I don't know, but this is real-time feedback, I think, in that particular case. As regards... I'm not sure I've got a particularly strong answer for you as regards auditing. It's not my strength, but, you know, vulnerability assessments, you can do code review, code analysis; there's a lot of automated tools, a lot of manual tools. My team is based in Miami and Gurgaon in India and they do a lot of this stuff for me. I make up for my lack of knowledge by hiring other people who know more than me. So, yeah, that's the best I can offer, sorry. You had a question? Yeah, I just saw you waving. Yes.

Yes, but Metasploit, which is basically HD Moore.
And everything complies to HD Moore's law. There's a phrase that's bandied around the security arena, which is basically "you must be this tall to ride the internet," which is effectively: if you can code effectively against Metasploit, you will code out 90% of the security threats out there, because anybody can pick up Metasploit and load modules in, script kiddies, etc. That's by volume, not necessarily by threat, but by volume, that's what you're getting. So actually, you're right, it is Metasploit, but it actually does get rid of a vast number. There are plenty of other areas for code reviews, but it is, you know, that height chart for being able to ride on the internet.

Yeah. Well, HD Moore has done so much good for web security and internet security, but the flip side, of course, is that anybody can pick up his stuff and start hacking on day one. I reckon even I could do it if I put my mind to it: another weekend and a couple of bottles of wine, and I could probably use Metasploit as well. I think it's that straightforward. So, somebody else had a question down here. Yeah.

In terms of payment gateways, there's new payment gateways like Stripe coming out, and there's the sort of PCI compliance around getting those that's kind of changing as of next year, with PCI DSS 3, the SAQ A-EP I think it is, versus the SAQ A. I'm not entirely sure on when I need to get to PCI compliance A versus A-EP, especially for stuff like Stripe, like other sort of API-based payment gateways now.

I can see you're hoping for a really helpful answer from me on this, and I really hate to disappoint. Honestly, I couldn't answer that one directly. PCI is not my bag. We as an organization, it's not something we're involved in. I know it, I know of it.
I'm not any kind of... I couldn't give you any guidance on that, I have to say. I'm going to fail on that one. But reach out to me afterwards; it'd be something interesting. I'd love to listen to you, please contact me; I'd love to stay in touch. It's an education for everybody, to be honest with you. I always like to try and use these opportunities as an education on both sides, because a question unanswered is one that I want to know the answer to at the end of the day. Right, because I don't want to stand here looking stupid. But no, good question. I can't answer it, but do ask it again in writing. Simple words, two or three syllables, will be all right. That's it, I like TLAs.

Anyone else?

Using... Somebody is going to try and use it on every IP address, every IP address on the internet. So your server is going to have it run against it at some point. You know, when you see these weird log messages and, I don't know, a WordPress hack or something like that, maybe someone's trying it on the odd jobs? It's not; it's part of trying it on every user connected to the internet. So it's not a random occurrence. Every exploit will be tried against your server at some point. So ten years ago, security through obscurity, there was something in it, smaller companies, etc. Now I think something like 80 percent of all attacks are against smaller companies: actually targeted attacks, not sweeping across. They sweep across and find a target and then will go and attack it properly. But smaller companies are a significant number, a significant statistic of the subjects of an attack.

Sorry, yes. It's the HVAC company, I think, the HVAC one, it was. Was it a spear-phishing attack? I'm not sure. No, you're absolutely right, the insider threat. I totally agree, and I think perhaps what I should have emphasized, and didn't, is that it's not all your fault. All right?
It's not all down to bad coding or anything like that. The significant threat is the insider threat. Now, the insider threat means they've got a threat actor inside who will then attack your SQL server through a SQL injection attack, if you see what I mean. So just because it's sitting inside doesn't mean you can be lazy about coding, if you see what I mean, but the actual source of the attack... that means they've already got access to these things in the first place. But it's like, and I don't like the term, the onion skin approach to defence in depth. I mean, it's a little bit dated; it shouldn't really be like that. But if you can stop them at the first hurdle, then, well, for a start you've got a clean bill of health straight away, if you see what I mean. It should be, rather than having to have defence in depth and having seven, eight, nine, ten layers of different things to get through, just secure by design. Just make it secure in the first place, and then there wouldn't be the sequence of vulnerabilities, even if they are spear-phishing attacks or password reuse. Making sure you can't have password reuse across multiple systems is security by design. The social engineering attacks: making sure that people are trained to recognize social engineering attacks is security by design. It doesn't have to be code or technology; it can be awareness as well. So yeah, if I gave the impression that it's all your fault, that's not the case at all. You play an important part alongside everybody else. I say you as developers; I'm assuming everybody here is a developer, right? Am I the only one who's not? Oh, lovely. Okay, so, yeah, it's an important and vital role that we play in this.