Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DevSecOops - Stories of DevSecOps Failures and Success

Abhay Bhargav
November 15, 2020
Technology
0
1.3k

DevSecOops - Stories of DevSecOps Failures and Success

Abhay Bhargav

November 15, 2020
Tweet

More Decks by Abhay Bhargav

See All by Abhay Bhargav
Flaming Hot SLSA!
abhaybhargav
1
200
SecAppDev - Fantastic API Security Vulnerabilities and where to find them
abhaybhargav
1
33
SecAppDev 2022 - Everything as code
abhaybhargav
0
43
Hook, Line and Sinker - Pillaging API Webhooks
abhaybhargav
0
630
Practical DevSecOps Pipelines
abhaybhargav
1
260
A Hitchhikers Guide to Secrets Management in the Cloud - OWASP Seattle
abhaybhargav
0
200
Agile Threat Modeling-as-Code
abhaybhargav
2
560

Other Decks in Technology

See All in Technology
ラズパイとGASで加湿器の消し忘れをLINEでリマインド&操作
minako__ph
0
140
WebLogic Server for OCI 概要
oracle4engineer
PRO
3
870
S3とCloudWatch Logsの見直しから始めるコスト削減 / Cost saving S3 and CloudWatch Logs
shonansurvivors
0
210
OCIコンテナサービス関連の技術詳細 /oke-ocir-details
oracle4engineer
PRO
0
760
AI Builderについて
miyakemito
0
870
OCI技術資料 : ロード・バランサー 詳細 / Load Balancer 200
ocise
2
7.2k
Raspberry Pi Camera 3 介紹
piepie_tw
PRO
0
130
OPENLOGI Company Profile
hr01
0
12k
plotlyで動くグラフを作る
kosshi
0
750
Pentesting Password Reset Functionality
anugrahsr
0
420
日経電子版だけじゃない! 日経の新規Webメディアの開発 - NIKKEI Tech Talk #3
sztm
0
160
2年で10→70人へ! スタートアップの 情報セキュリティ課題と施策
miekobayashi
1
320

Featured

See All Featured
The Web Native Designer (August 2011)
paulrobertlloyd
76
2.2k
Building a Scalable Design System with Sketch
lauravandoore
451
31k
Docker and Python
trallard
30
1.9k
jQuery: Nuts, Bolts and Bling
dougneiner
57
6.6k
Faster Mobile Websites
deanohume
295
29k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
31
20k
The Brand Is Dead. Long Live the Brand.
mthomps
48
2.9k
A Tale of Four Properties
chriscoyier
149
21k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
29
7.9k
Designing the Hi-DPI Web
ddemaree
273
32k
Unsuck your backbone
ammeep
659
56k
Practical Orchestrator
shlominoach
178
8.9k

Transcript

  1. Copyright © we45 2020 DevSecOops! Stories of DevSecOps Failures and

    Success Abhay Bhargav

  2. Copyright © we45 2020 abhaybhargav Yours Truly • Founder @

    we45 • Chief Architect - Orchestron • AppSec Automation Junkie • Trainer/Speaker at DEF CON, BlackHat, OWASP Events, etc world-wide • Lead Trainer - we45 Training and Workshops • Co-author of Secure Java For Web Application Development • Author of PCI Compliance: A Definitive Guide

  3. abhaybhargav we45 Today… • Stories. Inspired by Real-Life Events •

    Problems of varied size, scale and complexity • Compressed into a single scenario for ease of understanding

  4. Copyright © we45 2020 Some Undeniable Truths

  5. Copyright © we45 2020 Some Undeniable Truths

  6. Copyright © we45 2020 Some Undeniable Truths

  7. Copyright © we45 2020 Some Undeniable Truths

  8. Copyright © we45 2020 Prelude • B2B - Cloud Storage

    Product Company • Diverse Suite of Products - Core Suite, Client Apps, etc • We work with them as an extended AppSec Team • Diverse Stack: Java, NodeJS, Native Mobile Apps, AWS, Containers, nascent Kubernetes Deployment • Combination of monoliths and newer microservices style apps

  9. Copyright © we45 2020 The Good • AppSec Training for

    Developers - Mandatory - During the year • Automated Security Checks in the CI Pipeline - Triaged and reported • Automated Vulnerability Management Tools • Exploring Bug-Bounty program in addition to internal pen testing

  10. Copyright © we45 2020 The Good • AppSec Training for

    Developers - Mandatory - During the year • Automated Security Checks in the CI Pipeline - Triaged and reported • Automated Vulnerability Management Tools • Exploring Bug-Bounty program in addition to internal pen testing

  11. Copyright © we45 2020 Problem “We’re finding a LOT of

    the same issues again and again”

  12. Copyright © we45 2020 Breaking down the Problem 1. Similar

    classes of AppSec issues cropping up across different products and services 2. Automated Checks in place - But Triaging and fixing would result in delays 3. Architectural Issues not identified soon enough - Resulting in (1)

  13. Copyright © we45 2020 High-Level Approach

  14. Copyright © we45 2020 High-Level Approach

  15. Copyright © we45 2020 High-Level Approach

  16. Copyright © we45 2020 High-Level Approach

  17. Copyright © we45 2020 abhaybhargav DevSecOps Plan Code Build Test

    Release Deploy Operate Monitor Threat modeling SAST Security - Composition DAST IAST GitOps, Security in IaC SOAR/UEBA

  18. Copyright © we45 2020

  19. Copyright © we45 2020 Developers as Customers

  20. Copyright © we45 2020 Developers are our Customers • Devs

    have high pressure deadlines like the rest of us • Security being hard is likely to be Security NOT done • Happy Path: Security through HIGHER Dev Productivity

  21. Copyright © we45 2020 Which means… • Classifying and Baselining

    Types of Security Bugs • Security Engineering - Secure Defaults • Better Security Training for Developers

  22. Copyright © we45 2020 Approach to Mitigation • Most Effective

    & Scalable => Scalably Reducing Risk (Classes of Risk) • Effective NOT Scalable => Finding Individual Bugs • Baseline (Eliminate) the easy bugs

  23. Copyright © we45 2020 Threat Scenarios/Vulns by Complexity Easy Medium

    Complex Missing TLS (SSL) SQL Injection Multi-Step/Event-Driven Flaws Security Headers Session-Fixation and Session Based Flaws Business Logic Flaws Missing Security Defaults (Passwords, Configs) XSS Flaws Authorization Flaws (Param Pollution) Calling obviously dangerous functions (eval, etc) Most other OWASP Top 10 Bugs

  24. Copyright © we45 2020 Threat Scenarios/Vulns by Complexity Easy Medium

    Complex Missing TLS (SSL) SQL Injection Multi-Step/Event-Driven Flaws Security Headers Session-Fixation and Session Based Flaws Business Logic Flaws Missing Security Defaults (Passwords, Configs) XSS Flaws Authorization Flaws (Param Pollution) Calling obviously dangerous functions (eval, etc) Most other OWASP Top 10 Bugs Certain Crypto Flaws

  25. Copyright © we45 2020 Tradeoffs? Safe:Easy • There’s easy ways

    to achieve X for any developer • And there’s safe ways for a developer to achieve X • The objective is to make the safe way, as easy as possible

  26. Copyright © we45 2020 Sec Engineering: Secure Defaults • Falls

    into the Bucket of Security Engineering • Idea is to default to secure behavior rather than teaching folks, complex ways to create secure behavior • Has seen lots of success in: • Secrets and Crypto • Authentication/AuthZ • Injection and XSS

  27. Copyright © we45 2020

  28. Copyright © we45 2020 –Google’s Tink Library Docs. Tink is

    a misuse resistant crypto library “Using crypto in your application shouldn't have to feel like juggling chainsaws in the dark.”

  29. Copyright © we45 2020 Crypto - Secure Default • Misuse

    Resistant • Strong Algos only • Strong padding techniques • Easy to use • No exposure to padding/nonces/IV • Secure by default Functions only • Explicit Insecure Modes only

  30. Copyright © we45 2020 Attacks against PKI (RSA)

  31. Copyright © we45 2020 Attacks against PKI (RSA)

  32. Copyright © we45 2020 Attacks against PKI (RSA)

  33. Copyright © we45 2020 Attacks against PKI (RSA)

  34. Copyright © we45 2020 Attacks against PKI (RSA)

  35. Copyright © we45 2020 Attacks against PKI (RSA)

  36. Copyright © we45 2020 Attacks against PKI (RSA)

  37. Copyright © we45 2020 Other examples of Secure Defaults •

    Secure wrapper Libraries to existing Libraries with insecure defaults • Secure-By-Default Libraries and Frameworks •

  38. Copyright © we45 2020 Secure Defaults: Tooling • SAST rules

    to identify use of insecure libraries • Personally love Semgrep, CodeQL for this • Lower false-positives when scanning for specific items

  39. Copyright © we45 2020 Secure Defaults: Training/Docs

  40. Copyright © we45 2020 Feedback Loops

  41. Copyright © we45 2020 Long-running jobs

  42. Copyright © we45 2020 Long-running jobs

  43. Copyright © we45 2020 Long-running jobs

  44. Copyright © we45 2020

  45. Copyright © we45 2020

  46. Copyright © we45 2020

  47. Copyright © we45 2020

  48. Copyright © we45 2020 Examples of Feedback Loops • Closer

    to Developer: IDE • Git hooks • Pull Requests

  49. Copyright © we45 2020 Amazon Step Functions

  50. Copyright © we45 2020 Decentralizing Security

  51. Copyright © we45 2020 Decentralizing Security • Decentralized Security Libraries

    and Frameworks: • Open-Policy-Agent • Casbin •

  52. Copyright © we45 2020 Agile AppSec/DevSecOps/Continuous AppSec Plan Code Build

    Test Release Deploy Operate Monitor Threat modeling SAST Security - Composition DAST IAST Deployment Security Security monitoring & attack detection

  53. Copyright © we45 2020 Agile Threat Modeling Plan Code Build

    Test Release Deploy Operate Monitor Threat modeling SAST Security - Composition DAST IAST Deployment Security Security monitoring & attack detection

  54. Copyright © we45 2020 Agile Threat Modeling Plan Code Build

    Test Release Deploy Operate Monitor Threat modeling SAST Security - Composition DAST IAST Deployment Security Security monitoring & attack detection Model Stories

  55. Copyright © we45 2020 Agile Threat Modeling Plan Code Build

    Test Release Deploy Operate Monitor Threat modeling SAST Security - Composition DAST IAST Deployment Security Security monitoring & attack detection Model Stories Security Acceptance Criteria

  56. Copyright © we45 2020 Agile Threat Modeling Plan Code Build

    Test Release Deploy Operate Monitor Threat modeling SAST Security - Composition DAST IAST Deployment Security Security monitoring & attack detection Model Stories Security Acceptance Criteria Mitigations & Baselines

  57. Copyright © we45 2020 Agile Threat Modeling Plan Code Build

    Test Release Deploy Operate Monitor Threat modeling SAST Security - Composition DAST IAST Deployment Security Security monitoring & attack detection Model Stories Security Acceptance Criteria Mitigations & Baselines Security Test Cases

  58. Copyright © we45 2020 Agile Threat Modeling Plan Code Build

    Test Release Deploy Operate Monitor Threat modeling SAST Security - Composition DAST IAST Deployment Security Security monitoring & attack detection Model Stories Security Acceptance Criteria Mitigations & Baselines Security Test Cases Attack Models

  59. Copyright © we45 2020 Agile Threat Modeling Plan Code Build

    Test Release Deploy Operate Monitor Threat modeling SAST Security - Composition DAST IAST Deployment Security Security monitoring & attack detection Model Stories Security Acceptance Criteria Mitigations & Baselines Security Test Cases Attack Models Test Automation

  60. Copyright © we45 2020 Agile Threat Modeling Plan Code Build

    Test Release Deploy Operate Monitor Threat modeling SAST Security - Composition DAST IAST Deployment Security Security monitoring & attack detection Model Stories Security Acceptance Criteria Mitigations & Baselines Security Test Cases Attack Models Test Automation Detection Models

  61. Copyright © we45 2020 Why?

  62. Copyright © we45 2020 Why?

  63. Copyright © we45 2020 Story-Driven Threat Modeling

  64. Copyright © we45 2020 Some Background • Story-Driven Threat Modeling

    is threat modeling against user stories/ functionality definitions in the sprint. • The idea is to break threat modeling down by feature to produce useful, effective, yet efficient threat models • Not perfect, and still doesn’t negate the need for a system-wide threat model. But most effective in Agile Development

  65. Copyright © we45 2020 Pre-requisites • Cross-Functional Team running the

    Threat Model • Leave your egos at the door • Run in Sprint Planning Meeting • Consider multi-stage approach

  66. Copyright © we45 2020 Success Factors • Focus on “Good-enough”

    Threat Models • Keep the feature in scope - don’t dwell too outside of it • Cross-Functional Team • Just enough Information

  67. Copyright © we45 2020 Put another way….

  68. Copyright © we45 2020 Put another way…. User Story/Feature Description

  69. Copyright © we45 2020 Put another way…. User Story/Feature Description

  70. Copyright © we45 2020 Put another way…. User Story/Feature Description

    Abuser Story

  71. Copyright © we45 2020 Put another way…. User Story/Feature Description

    Abuser Story What abuses against Functionality

  72. Copyright © we45 2020 Put another way…. User Story/Feature Description

    Abuser Story What abuses against Functionality

  73. Copyright © we45 2020 Put another way…. User Story/Feature Description

    Abuser Story Threat Scenario What abuses against Functionality

  74. Copyright © we45 2020 Put another way…. User Story/Feature Description

    Abuser Story Threat Scenario What abuses against Functionality How Abuse comes to life

  75. Copyright © we45 2020 Put another way…. User Story/Feature Description

    Abuser Story Threat Scenario What abuses against Functionality How Abuse comes to life

  76. Copyright © we45 2020 Put another way…. User Story/Feature Description

    Abuser Story Threat Scenario What abuses against Functionality How Abuse comes to life Mitigations

  77. Copyright © we45 2020 Put another way…. User Story/Feature Description

    Abuser Story Threat Scenario What abuses against Functionality How Abuse comes to life Mitigations

  78. Copyright © we45 2020 Put another way…. User Story/Feature Description

    Abuser Story Threat Scenario What abuses against Functionality How Abuse comes to life Mitigations Security Test Case