November Meetup - Breaching Embedded Systems & Software Security with BSIMM


Details
Agenda
• Food, Drinks & Networking (15 mins) (Don't forget to bring your business card)
• Introduction & Announcement (10 mins)
• Breaching Embedded Systems the Die Hard Way by Pishu Mahtani (60 mins)
• Break (5 mins)
• Build Security and Quality In — Software Security Strategy with BSIMM by Olli Jarva (30 mins)
Abstracts
Breaching Embedded Systems the Die Hard Way by Pishu Mahtani
The Internet of Things (IoT) is envisioned as a transformative approach for providing numerous services. Compact smart devices constitute an essential part of IoT; they range widely in use, size, energy capacity and computation power. However, integrating these smart things into the standard Internet introduces several security challenges, because the majority of Internet technologies and communication protocols were not designed with IoT in mind. Moreover, the commercialisation of IoT has led to public security concerns, including personal privacy issues, the threat of cyber attacks and organised crime. This talk therefore provides an introduction to the world of (in)security from an embedded systems perspective. The presenter will share his views on anti-tamper mechanisms, the challenges of reverse engineering smart devices, and current approaches to securing them. A hands-on demonstration on a real embedded device will be conducted to give attendees a better appreciation of the topic.
Build Security and Quality In — Software Security Strategy with BSIMM by Olli Jarva
If you play a role in your organisation's software security program, you know there is no shortage of things to do. In fact, the Building Security In Maturity Model (BSIMM) calls out the 113 most commonly observed software security activities. The BSIMM enables you to discover what others are doing in this universe, how they are doing it, and how they are likely to do it in the future.
However, implementing BSIMM activities like a checklist will not get you to success. It takes real strategy to efficiently introduce new software security activities while ensuring that existing activities continue to be applied well.
In this talk we look at how to marry software security activities to strategy so that you can build a viable security program.
The talk focuses on the following topics:
• Which software security activities are commonly observed in practice
• Prescriptive vs. descriptive models
• How to move organisations away from a penetrate-and-patch / test-it-in mentality
• What this means if you are moving into DevOps
How does your firm think about software quality and software security? What are you trying to accomplish today? Where does the tool fit? Who will run it? Where do the bugs go? Who will help dev work them off? Is this a compliance thing?
Speakers' Bios
Pishu Mahtani is a member of Trustwave SpiderLabs, the advanced security team focused on penetration testing, incident response, application security and reverse engineering. He has more than 15 years of information security and assurance experience gained across a diverse set of industries, including Banking and Financial Services, Government and Defence, and Technology Consulting. He currently focuses on software and embedded systems security, where he is considered a specialist in binary analysis, embedded firmware reverse engineering, IoT security and software bug discovery. Over the years, before the age of bug bounties, he contributed to securing cyberspace through responsible disclosure of security vulnerabilities and through his involvement in open source projects at The Center for Internet Security (CIS) and OWASP. He has recently spoken on software and IoT security topics at security conferences such as DEF CON USA 2017, (ISC)² Security Congress APAC 2017, DevSecCon Asia 2017 and GovWare 2016. He holds a Master of Science (MSc) in Information Security from Royal Holloway, University of London and is a Certified Secure Software Lifecycle Professional (CSSLP).
Olli Jarva is a Managing Consultant with the Synopsys Software Integrity Group. In his current role, Olli helps organisations with their application security initiatives. Prior to this post he worked at Codenomicon, developing intelligent fuzzing solutions as well as solutions for managing open source liabilities and vulnerabilities. Olli has extensive experience in network protocol security and a deep understanding of protocol implementation vulnerabilities. His professional background is in system administration and risk management. He has been involved in the discovery and coordination of a number of zero-day vulnerabilities, including the IPv6 jumbogram and Linux SCTP stack vulnerabilities.

Sponsors