DevSecOops - Stories of DevSecOps Failures and Success

Abhay Bhargav

November 15, 2020

Transcript

  1. Copyright © we45 2020 DevSecOops! Stories of DevSecOps Failures and Success. Abhay Bhargav
  2. abhaybhargav Yours Truly • Founder @ we45 • Chief Architect - Orchestron • AppSec Automation Junkie • Trainer/Speaker at DEF CON, BlackHat, OWASP Events, etc world-wide • Lead Trainer - we45 Training and Workshops • Co-author of Secure Java For Web Application Development • Author of PCI Compliance: A Definitive Guide
  3. Today… • Stories. Inspired by Real-Life Events • Problems of varied size, scale and complexity • Compressed into a single scenario for ease of understanding
  4-7. Some Undeniable Truths
  8. Prelude • B2B - Cloud Storage Product Company • Diverse Suite of Products - Core Suite, Client Apps, etc • We work with them as an extended AppSec Team • Diverse Stack: Java, NodeJS, Native Mobile Apps, AWS, Containers, nascent Kubernetes Deployment • Combination of monoliths and newer microservices style apps
  9-10. The Good • AppSec Training for Developers - Mandatory - During the year • Automated Security Checks in the CI Pipeline - Triaged and reported • Automated Vulnerability Management Tools • Exploring Bug-Bounty program in addition to internal pen testing
  11. Problem: “We’re finding a LOT of the same issues again and again”
  12. Breaking down the Problem: (1) Similar classes of AppSec issues cropping up across different products and services (2) Automated Checks in place - But Triaging and fixing would result in delays (3) Architectural Issues not identified soon enough - Resulting in (1)
  13-16. High-Level Approach
  17. DevSecOps (pipeline diagram): Plan, Code, Build, Test, Release, Deploy, Operate, Monitor, with the security activities Threat modeling, SAST, Security - Composition, DAST, IAST, GitOps, Security in IaC, SOAR/UEBA
  19. Developers as Customers
  20. Developers are our Customers • Devs have high pressure deadlines like the rest of us • Security being hard is likely to be Security NOT done • Happy Path: Security through HIGHER Dev Productivity
  21. Which means… • Classifying and Baselining Types of Security Bugs • Security Engineering - Secure Defaults • Better Security Training for Developers
  22. Approach to Mitigation • Most Effective & Scalable => Scalably Reducing Risk (Classes of Risk) • Effective NOT Scalable => Finding Individual Bugs • Baseline (Eliminate) the easy bugs
  23-24. Threat Scenarios/Vulns by Complexity (three columns). Easy: Missing TLS (SSL) • Security Headers • Missing Security Defaults (Passwords, Configs) • Calling obviously dangerous functions (eval, etc). Medium: SQL Injection • Session-Fixation and Session Based Flaws • XSS Flaws • Most other OWASP Top 10 Bugs. Complex: Multi-Step/Event-Driven Flaws • Business Logic Flaws • Authorization Flaws (Param Pollution) • Certain Crypto Flaws (added on slide 24)
  25. Tradeoffs? Safe:Easy • There are easy ways to achieve X for any developer • And there are safe ways for a developer to achieve X • The objective is to make the safe way as easy as possible
  26. Sec Engineering: Secure Defaults • Falls into the Bucket of Security Engineering • Idea is to default to secure behavior rather than teaching folks complex ways to create secure behavior • Has seen lots of success in: Secrets and Crypto • Authentication/AuthZ • Injection and XSS
  28. “Using crypto in your application shouldn't have to feel like juggling chainsaws in the dark.” –Google’s Tink Library Docs. Tink is a misuse resistant crypto library.
  29. Crypto - Secure Default • Misuse Resistant • Strong Algos only • Strong padding techniques • Easy to use • No exposure to padding/nonces/IV • Secure by default Functions only • Explicit Insecure Modes only
  30-36. Attacks against PKI (RSA)
  37. Other examples of Secure Defaults • Secure wrapper Libraries to existing Libraries with insecure defaults • Secure-By-Default Libraries and Frameworks
  38. Secure Defaults: Tooling • SAST rules to identify use of insecure libraries • Personally love Semgrep, CodeQL for this • Lower false-positives when scanning for specific items
  39. Secure Defaults: Training/Docs
  40. Feedback Loops
  41-43. Long-running jobs
  48. Examples of Feedback Loops • Closer to Developer: IDE • Git hooks • Pull Requests
  49. Amazon Step Functions
  50. Decentralizing Security
  51. Decentralizing Security • Decentralized Security Libraries and Frameworks: Open-Policy-Agent • Casbin
  52. Agile AppSec/DevSecOps/Continuous AppSec (pipeline diagram): Plan, Code, Build, Test, Release, Deploy, Operate, Monitor, with the security activities Threat modeling, SAST, Security - Composition, DAST, IAST, Deployment Security, Security monitoring & attack detection
  53-60. Agile Threat Modeling (built up over eight slides on the same pipeline: Plan, Code, Build, Test, Release, Deploy, Operate, Monitor, with Threat modeling, SAST, Security - Composition, DAST, IAST, Deployment Security, Security monitoring & attack detection). Threat modeling outputs added in order: Model Stories • Security Acceptance Criteria • Mitigations & Baselines • Security Test Cases • Attack Models • Test Automation • Detection Models
  61-62. Why?
  63. Story-Driven Threat Modeling
  64. Some Background • Story-Driven Threat Modeling is threat modeling against user stories/functionality definitions in the sprint • The idea is to break threat modeling down by feature to produce useful, effective, yet efficient threat models • Not perfect, and still doesn’t negate the need for a system-wide threat model. But most effective in Agile Development
  65. Pre-requisites • Cross-Functional Team running the Threat Model • Leave your egos at the door • Run in Sprint Planning Meeting • Consider multi-stage approach
  66. Success Factors • Focus on “Good-enough” Threat Models • Keep the feature in scope - don’t dwell too far outside of it • Cross-Functional Team • Just enough Information
  67-78. Put another way…. (built up over twelve slides): User Story/Feature Description → Abuser Story (What abuses against Functionality) → Threat Scenario (How Abuse comes to life) → Mitigations → Security Test Case