
DevSecOops - Stories of DevSecOps Failures and Success

Abhay Bhargav
November 15, 2020


Transcript

  1. Copyright © we45 2020 abhaybhargav
     Yours Truly
     • Founder @ we45
     • Chief Architect - Orchestron
     • AppSec Automation Junkie
     • Trainer/Speaker at DEF CON, BlackHat, OWASP Events, etc. world-wide
     • Lead Trainer - we45 Training and Workshops
     • Co-author of Secure Java For Web Application Development
     • Author of PCI Compliance: A Definitive Guide
  2. Today…
     • Stories. Inspired by Real-Life Events
     • Problems of varied size, scale and complexity
     • Compressed into a single scenario for ease of understanding
  3. Prelude
     • B2B - Cloud Storage Product Company
     • Diverse Suite of Products - Core Suite, Client Apps, etc.
     • We work with them as an extended AppSec Team
     • Diverse Stack: Java, NodeJS, Native Mobile Apps, AWS, Containers, nascent Kubernetes Deployment
     • Combination of monoliths and newer microservices-style apps
  4. The Good
     • AppSec Training for Developers - Mandatory - During the year
     • Automated Security Checks in the CI Pipeline - Triaged and reported
     • Automated Vulnerability Management Tools
     • Exploring Bug-Bounty program in addition to internal pen testing
  6. Breaking down the Problem
     1. Similar classes of AppSec issues cropping up across different products and services
     2. Automated Checks in place - But triaging and fixing would result in delays
     3. Architectural Issues not identified soon enough - Resulting in (1)
  7. DevSecOps (pipeline diagram)
     Phases: Plan → Code → Build → Test → Release → Deploy → Operate → Monitor
     Security activities along the pipeline: Threat modeling • SAST • Security - Composition • DAST • IAST • GitOps, Security in IaC • SOAR/UEBA
  8. Developers are our Customers
     • Devs have high-pressure deadlines like the rest of us
     • Security being hard is likely to be Security NOT done
     • Happy Path: Security through HIGHER Dev Productivity
  9. Which means…
     • Classifying and Baselining Types of Security Bugs
     • Security Engineering - Secure Defaults
     • Better Security Training for Developers
  10. Approach to Mitigation
     • Most Effective & Scalable => Scalably Reducing Risk (Classes of Risk)
     • Effective, NOT Scalable => Finding Individual Bugs
     • Baseline (Eliminate) the easy bugs
  11-12. Threat Scenarios/Vulns by Complexity
     Easy: Missing TLS (SSL) • Security Headers • Missing Security Defaults (Passwords, Configs) • Calling obviously dangerous functions (eval, etc.)
     Medium: SQL Injection • Session-Fixation and Session-Based Flaws • XSS Flaws • Most other OWASP Top 10 Bugs
     Complex: Multi-Step/Event-Driven Flaws • Business Logic Flaws • Authorization Flaws (Param Pollution) • Certain Crypto Flaws (added on slide 12)
  13. Tradeoffs? Safe:Easy
     • There are easy ways to achieve X for any developer
     • And there are safe ways for a developer to achieve X
     • The objective is to make the safe way as easy as possible
  14. Sec Engineering: Secure Defaults
     • Falls into the bucket of Security Engineering
     • Idea is to default to secure behavior rather than teaching folks complex ways to create secure behavior
     • Has seen lots of success in:
       • Secrets and Crypto
       • Authentication/AuthZ
       • Injection and XSS
  15. “Using crypto in your application shouldn't have to feel like juggling chainsaws in the dark.”
     – Google’s Tink Library Docs. Tink is a misuse-resistant crypto library.
  16. Crypto - Secure Default
     • Misuse Resistant
     • Strong Algos only
     • Strong padding techniques
     • Easy to use
     • No exposure to padding/nonces/IV
     • Secure-by-default Functions only
     • Explicit Insecure Modes only
  17. Other examples of Secure Defaults
     • Secure wrapper Libraries to existing Libraries with insecure defaults
     • Secure-By-Default Libraries and Frameworks
  18. Secure Defaults: Tooling
     • SAST rules to identify use of insecure libraries
     • Personally love Semgrep, CodeQL for this
     • Lower false positives when scanning for specific items
  19. Examples of Feedback Loops
     • Closer to Developer: IDE
     • Git hooks
     • Pull Requests
  20. Agile AppSec/DevSecOps/Continuous AppSec (pipeline diagram)
     Phases: Plan → Code → Build → Test → Release → Deploy → Operate → Monitor
     Security activities along the pipeline: Threat modeling • SAST • Security - Composition • DAST • IAST • Deployment Security • Security monitoring & attack detection
  21-28. Agile Threat Modeling (pipeline diagram, built up over eight slides)
     Phases: Plan → Code → Build → Test → Release → Deploy → Operate → Monitor
     Security activities along the pipeline: Threat modeling • SAST • Security - Composition • DAST • IAST • Deployment Security • Security monitoring & attack detection
     Threat-modeling outputs added one per slide: Model Stories → Security Acceptance Criteria → Mitigations & Baselines → Security Test Cases → Attack Models → Test Automation → Detection Models
  29. Some Background
     • Story-Driven Threat Modeling is threat modeling against user stories/functionality definitions in the sprint.
     • The idea is to break threat modeling down by feature to produce useful, effective, yet efficient threat models
     • Not perfect, and still doesn’t negate the need for a system-wide threat model. But most effective in Agile Development
  30. Pre-requisites
     • Cross-Functional Team running the Threat Model
     • Leave your egos at the door
     • Run in Sprint Planning Meeting
     • Consider multi-stage approach
  31. Success Factors
     • Focus on “Good-enough” Threat Models
     • Keep the feature in scope - don’t dwell too far outside of it
     • Cross-Functional Team
     • Just enough Information
  32-39. Put another way…. (flow diagram, built up over eight slides)
     User Story/Feature Description
       → Abuser Story: what abuses against the functionality
       → Threat Scenario: how the abuse comes to life
       → Mitigations
       → Security Test Case