Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DevSecOops - Stories of DevSecOps Failures and Success

8827303f1dc2bd94af6a68a258ef9fd4?s=47 Abhay Bhargav
November 15, 2020
Technology
0
810

DevSecOops - Stories of DevSecOps Failures and Success

8827303f1dc2bd94af6a68a258ef9fd4?s=128

Abhay Bhargav

November 15, 2020
Tweet

More Decks by Abhay Bhargav

See All by Abhay Bhargav
8827303f1dc2bd94af6a68a258ef9fd4?s=48 abhaybhargav
1
140
8827303f1dc2bd94af6a68a258ef9fd4?s=48 abhaybhargav
0
140
8827303f1dc2bd94af6a68a258ef9fd4?s=48 abhaybhargav
2
300

Other Decks in Technology

See All in Technology
9e7a653ed313b3da4b263a772bfc5026?s=48 clustervr
0
160
0f4a27389318ca7087ae12b1593171c1?s=48 saoritakita
0
350
53850955f15249a1a9dc49df6113e400?s=48 line_developers
PRO
0
150
921515dc03f89bafe3d8f5d0b3ca0b74?s=48 mmarukaw
0
1.4k
9cdb1d21375062bc2cd0d1358c2fa1f0?s=48 noir_neo
0
130
11d3072d628a7b976cd2f4e6a3cf750f?s=48 yuyaabo
0
260
A8f0494d61f79b35ff8a4902c7decb73?s=48 iqbocchi
0
530
03858bb7b6debdd69ea0531b0f57c612?s=48 con_mame
4
2k
9e7a653ed313b3da4b263a772bfc5026?s=48 clustervr
0
200
0d29d155ce5c5a93ed46363626da3ea7?s=48 ocise
1
1.3k
3009eedce0d0f7ae45987a7bd8f57b85?s=48 nkjzm
1
830
E783e2d26dc6388730b73ced1348c638?s=48 vkbaba
0
130

Featured

See All Featured
15f2b8221f247985a27a627d2ece72f0?s=48 pauljervisheath
196
15k
C9b18d9dff88a9dd2393364c2b3b21bd?s=48 colly
66
3k
A16eb159db895e3b01d3dc95767ad595?s=48 jonyablonski
14
1.1k
0fe2973fa8d27d96547e43322341183a?s=48 swwweet
206
6.8k
E76911cbe088e5b850d966de3fc7435b?s=48 robhawkes
52
2.8k
168ccec72eee0530b818d44f3fedaacf?s=48 shlominoach
176
7.4k
C4de88ea47538e4594750e3861a341c8?s=48 brettharned
93
3k
E837d2996f52008ace055a08fbfff992?s=48 frogandcode
127
20k
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
494
110k
9952dfcd5d338f8a8e7175c8a8f65fb5?s=48 wjessup
338
16k
C86443373fbfe92996aa882d0d7a59f8?s=48 imathis
478
150k
A60068bce2e73de3a37ca9d2dbe36092?s=48 bryan
30
3.3k

Transcript

  1. Copyright © we45 2020 DevSecOops! Stories of DevSecOps Failures and

    Success Abhay Bhargav

  2. Copyright © we45 2020 abhaybhargav Yours Truly • Founder @

    we45 • Chief Architect - Orchestron • AppSec Automation Junkie • Trainer/Speaker at DEF CON, BlackHat, OWASP Events, etc world-wide • Lead Trainer - we45 Training and Workshops • Co-author of Secure Java For Web Application Development • Author of PCI Compliance: A Definitive Guide

  3. abhaybhargav we45 Today… • Stories. Inspired by Real-Life Events •

    Problems of varied size, scale and complexity • Compressed into a single scenario for ease of understanding

  4. Copyright © we45 2020 Some Undeniable Truths

  5. Copyright © we45 2020 Some Undeniable Truths

  6. Copyright © we45 2020 Some Undeniable Truths

  7. Copyright © we45 2020 Some Undeniable Truths

  8. Copyright © we45 2020 Prelude • B2B - Cloud Storage

    Product Company • Diverse Suite of Products - Core Suite, Client Apps, etc • We work with them as an extended AppSec Team • Diverse Stack: Java, NodeJS, Native Mobile Apps, AWS, Containers, nascent Kubernetes Deployment • Combination of monoliths and newer microservices style apps

  9. Copyright © we45 2020 The Good • AppSec Training for

    Developers - Mandatory - During the year • Automated Security Checks in the CI Pipeline - Triaged and reported • Automated Vulnerability Management Tools • Exploring Bug-Bounty program in addition to internal pen testing

  10. Copyright © we45 2020 The Good • AppSec Training for

    Developers - Mandatory - During the year • Automated Security Checks in the CI Pipeline - Triaged and reported • Automated Vulnerability Management Tools • Exploring Bug-Bounty program in addition to internal pen testing

  11. Copyright © we45 2020 Problem “We’re finding a LOT of

    the same issues again and again”

  12. Copyright © we45 2020 Breaking down the Problem 1. Similar

    classes of AppSec issues cropping up across different products and services 2. Automated Checks in place - But Triaging and fixing would result in delays 3. Architectural Issues not identified soon enough - Resulting in (1)

  13. Copyright © we45 2020 High-Level Approach

  14. Copyright © we45 2020 High-Level Approach

  15. Copyright © we45 2020 High-Level Approach

  16. Copyright © we45 2020 High-Level Approach

  17. Copyright © we45 2020 abhaybhargav DevSecOps Plan Code Build Test

    Release Deploy Operate Monitor Threat modeling SAST Security - Composition DAST IAST GitOps, Security in IaC SOAR/UEBA

  18. Copyright © we45 2020

  19. Copyright © we45 2020 Developers as Customers

  20. Copyright © we45 2020 Developers are our Customers • Devs

    have high pressure deadlines like the rest of us • Security being hard is likely to be Security NOT done • Happy Path: Security through HIGHER Dev Productivity

  21. Copyright © we45 2020 Which means… • Classifying and Baselining

    Types of Security Bugs • Security Engineering - Secure Defaults • Better Security Training for Developers

  22. Copyright © we45 2020 Approach to Mitigation • Most Effective

    & Scalable => Scalably Reducing Risk (Classes of Risk) • Effective NOT Scalable => Finding Individual Bugs • Baseline (Eliminate) the easy bugs

  23. Copyright © we45 2020 Threat Scenarios/Vulns by Complexity Easy Medium

    Complex Missing TLS (SSL) SQL Injection Multi-Step/Event-Driven Flaws Security Headers Session-Fixation and Session Based Flaws Business Logic Flaws Missing Security Defaults (Passwords, Configs) XSS Flaws Authorization Flaws (Param Pollution) Calling obviously dangerous functions (eval, etc) Most other OWASP Top 10 Bugs

  24. Copyright © we45 2020 Threat Scenarios/Vulns by Complexity Easy Medium

    Complex Missing TLS (SSL) SQL Injection Multi-Step/Event-Driven Flaws Security Headers Session-Fixation and Session Based Flaws Business Logic Flaws Missing Security Defaults (Passwords, Configs) XSS Flaws Authorization Flaws (Param Pollution) Calling obviously dangerous functions (eval, etc) Most other OWASP Top 10 Bugs Certain Crypto Flaws

  25. Copyright © we45 2020 Tradeoffs? Safe:Easy • There’s easy ways

    to achieve X for any developer • And there’s safe ways for a developer to achieve X • The objective is to make the safe way, as easy as possible

  26. Copyright © we45 2020 Sec Engineering: Secure Defaults • Falls

    into the Bucket of Security Engineering • Idea is to default to secure behavior rather than teaching folks, complex ways to create secure behavior • Has seen lots of success in: • Secrets and Crypto • Authentication/AuthZ • Injection and XSS

  27. Copyright © we45 2020

  28. Copyright © we45 2020 –Google’s Tink Library Docs. Tink is

    a misuse resistant crypto library “Using crypto in your application shouldn't have to feel like juggling chainsaws in the dark.”

  29. Copyright © we45 2020 Crypto - Secure Default • Misuse

    Resistant • Strong Algos only • Strong padding techniques • Easy to use • No exposure to padding/nonces/IV • Secure by default Functions only • Explicit Insecure Modes only

  30. Copyright © we45 2020 Attacks against PKI (RSA)

  31. Copyright © we45 2020 Attacks against PKI (RSA)

  32. Copyright © we45 2020 Attacks against PKI (RSA)

  33. Copyright © we45 2020 Attacks against PKI (RSA)

  34. Copyright © we45 2020 Attacks against PKI (RSA)

  35. Copyright © we45 2020 Attacks against PKI (RSA)

  36. Copyright © we45 2020 Attacks against PKI (RSA)

  37. Copyright © we45 2020 Other examples of Secure Defaults •

    Secure wrapper Libraries to existing Libraries with insecure defaults • Secure-By-Default Libraries and Frameworks •

  38. Copyright © we45 2020 Secure Defaults: Tooling • SAST rules

    to identify use of insecure libraries • Personally love Semgrep, CodeQL for this • Lower false-positives when scanning for specific items

  39. Copyright © we45 2020 Secure Defaults: Training/Docs

  40. Copyright © we45 2020 Feedback Loops

  41. Copyright © we45 2020 Long-running jobs

  42. Copyright © we45 2020 Long-running jobs

  43. Copyright © we45 2020 Long-running jobs

  44. Copyright © we45 2020

  45. Copyright © we45 2020

  46. Copyright © we45 2020

  47. Copyright © we45 2020

  48. Copyright © we45 2020 Examples of Feedback Loops • Closer

    to Developer: IDE • Git hooks • Pull Requests

  49. Copyright © we45 2020 Amazon Step Functions

  50. Copyright © we45 2020 Decentralizing Security

  51. Copyright © we45 2020 Decentralizing Security • Decentralized Security Libraries

    and Frameworks: • Open-Policy-Agent • Casbin •

  52. Copyright © we45 2020 Agile AppSec/DevSecOps/Continuous AppSec Plan Code Build

    Test Release Deploy Operate Monitor Threat modeling SAST Security - Composition DAST IAST Deployment Security Security monitoring & attack detection

  53. Copyright © we45 2020 Agile Threat Modeling Plan Code Build

    Test Release Deploy Operate Monitor Threat modeling SAST Security - Composition DAST IAST Deployment Security Security monitoring & attack detection

  54. Copyright © we45 2020 Agile Threat Modeling Plan Code Build

    Test Release Deploy Operate Monitor Threat modeling SAST Security - Composition DAST IAST Deployment Security Security monitoring & attack detection Model Stories

  55. Copyright © we45 2020 Agile Threat Modeling Plan Code Build

    Test Release Deploy Operate Monitor Threat modeling SAST Security - Composition DAST IAST Deployment Security Security monitoring & attack detection Model Stories Security Acceptance Criteria

  56. Copyright © we45 2020 Agile Threat Modeling Plan Code Build

    Test Release Deploy Operate Monitor Threat modeling SAST Security - Composition DAST IAST Deployment Security Security monitoring & attack detection Model Stories Security Acceptance Criteria Mitigations & Baselines

  57. Copyright © we45 2020 Agile Threat Modeling Plan Code Build

    Test Release Deploy Operate Monitor Threat modeling SAST Security - Composition DAST IAST Deployment Security Security monitoring & attack detection Model Stories Security Acceptance Criteria Mitigations & Baselines Security Test Cases

  58. Copyright © we45 2020 Agile Threat Modeling Plan Code Build

    Test Release Deploy Operate Monitor Threat modeling SAST Security - Composition DAST IAST Deployment Security Security monitoring & attack detection Model Stories Security Acceptance Criteria Mitigations & Baselines Security Test Cases Attack Models

  59. Copyright © we45 2020 Agile Threat Modeling Plan Code Build

    Test Release Deploy Operate Monitor Threat modeling SAST Security - Composition DAST IAST Deployment Security Security monitoring & attack detection Model Stories Security Acceptance Criteria Mitigations & Baselines Security Test Cases Attack Models Test Automation

  60. Copyright © we45 2020 Agile Threat Modeling Plan Code Build

    Test Release Deploy Operate Monitor Threat modeling SAST Security - Composition DAST IAST Deployment Security Security monitoring & attack detection Model Stories Security Acceptance Criteria Mitigations & Baselines Security Test Cases Attack Models Test Automation Detection Models

  61. Copyright © we45 2020 Why?

  62. Copyright © we45 2020 Why?

  63. Copyright © we45 2020 Story-Driven Threat Modeling

  64. Copyright © we45 2020 Some Background • Story-Driven Threat Modeling

    is threat modeling against user stories/ functionality definitions in the sprint. • The idea is to break threat modeling down by feature to produce useful, effective, yet efficient threat models • Not perfect, and still doesn’t negate the need for a system-wide threat model. But most effective in Agile Development

  65. Copyright © we45 2020 Pre-requisites • Cross-Functional Team running the

    Threat Model • Leave your egos at the door • Run in Sprint Planning Meeting • Consider multi-stage approach

  66. Copyright © we45 2020 Success Factors • Focus on “Good-enough”

    Threat Models • Keep the feature in scope - don’t dwell too outside of it • Cross-Functional Team • Just enough Information

  67. Copyright © we45 2020 Put another way….

  68. Copyright © we45 2020 Put another way…. User Story/Feature Description

  69. Copyright © we45 2020 Put another way…. User Story/Feature Description

  70. Copyright © we45 2020 Put another way…. User Story/Feature Description

    Abuser Story

  71. Copyright © we45 2020 Put another way…. User Story/Feature Description

    Abuser Story What abuses against Functionality

  72. Copyright © we45 2020 Put another way…. User Story/Feature Description

    Abuser Story What abuses against Functionality

  73. Copyright © we45 2020 Put another way…. User Story/Feature Description

    Abuser Story Threat Scenario What abuses against Functionality

  74. Copyright © we45 2020 Put another way…. User Story/Feature Description

    Abuser Story Threat Scenario What abuses against Functionality How Abuse comes to life

  75. Copyright © we45 2020 Put another way…. User Story/Feature Description

    Abuser Story Threat Scenario What abuses against Functionality How Abuse comes to life

  76. Copyright © we45 2020 Put another way…. User Story/Feature Description

    Abuser Story Threat Scenario What abuses against Functionality How Abuse comes to life Mitigations

  77. Copyright © we45 2020 Put another way…. User Story/Feature Description

    Abuser Story Threat Scenario What abuses against Functionality How Abuse comes to life Mitigations

  78. Copyright © we45 2020 Put another way…. User Story/Feature Description

    Abuser Story Threat Scenario What abuses against Functionality How Abuse comes to life Mitigations Security Test Case