
Practical DevSecOps Pipelines

A Practical View of Security Toolchains for DevSecOps

Several organizations are seeing the need to embed security into their Software Development Lifecycle, largely driven by Agile and DevOps transformation projects within engineering teams. However, real-world DevSecOps implementations face several challenges.

This talk explores different types of DevSecOps toolchains. It is based on real-world projects, from which we identify patterns that work. Throughout the talk, we use demos of pipelines and tool orchestration possibilities (including parameterized DAST and IAST).

Abhay Bhargav

May 26, 2020

Transcript

  1. Copyright © we45 2020 abhaybhargav
     Yours Truly
     • Founder @ we45
     • Chief Architect - Orchestron
     • Avid Pythonista and AppSec Automation Junkie
     • Trainer/Speaker at DEF CON, BlackHat, OWASP Events, etc. world-wide
     • Lead Trainer - we45 Training and Workshops
     • Co-author of Secure Java For Web Application Development
     • Author of PCI Compliance: A Definitive Guide
  2. Virtual Training
     • DevSecOps MasterClass => 1 & 2 July 2020
     • Attacking and Defending Containers, Kubernetes and Serverless => June 22-25 2020
     • Significant Discount on all courses
     • URL: store.we45.com
     • Get Live Training + Access to Labs + Access to Videos + Certification
  3. Agenda
     • CI Problems with Security Tools
     • Security Problems with CI Tools
     • Developments in Static Analysis
     • Cloud-Native Pipelines - A New Hope
     • Demos
     • FIN
  4. CI Problems with Security Tools
     • “Run MY tool. See MY Dashboard”
     • Inconsistent APIs
     • Long-running jobs
  5. Let’s play Outcome Jeopardy!
     • Authentication Bypass => RCE!
     • AuthZ Bypass => RCE!
     • XSS => RCE!
     • RCE => RCE!
  6. On top of that…
     • Not very CD friendly - Especially for “born in cloud” services
     • Not very cloud/container-native friendly
     • Not very micro-services friendly
  7. Areas of Focus
     • A more effective world of Static Analysis
     • Test Automation weds DAST/IAST
     • Cloud-Native DevOps Pipelines
  8. SAST Tools
     • Multi-Language (Typically Commercial) SAST Tools
       • Multi-Language and Platform
       • Combination of AST and Regex
       • Source-Sink and linked usage functionality
     • Single Language/Platform (Typically OSS) SAST Tools
       • Single Language or Platform
       • Typically AST based Scanning Tools
       • No Source-Sink. Typically File and Line-based analysis
     • Semantic Grep/QL Tools
       • New Category of SAST Analysis
       • Semantic Grep or Queries against Source Code (like SQL)
       • Aims at uncovering flaws at scale
  9. SAST Test Approaches
     • Good ol’ Regular Expressions
     • Abstract Syntax Trees
     • Semantic Grep or QL
  10. Errors: Code Comments
     # Don’t use this!!
     jwt.decode(something, secret, verify=False)
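Slides 8 to 10 contrast regex-based and AST-based static analysis, with a commented-out `jwt.decode(..., verify=False)` as the kind of line that trips a text-matching rule. The following is an added example, not code from the talk or from we45: the same rule written once as a regular expression and once as a Python `ast` visitor, run over a constructed sample file. `verify=False` is the legacy PyJWT 1.x form; `options={"verify_signature": False}` is the PyJWT 2.x spelling of the same mistake, which the regex does not cover at all.

```python
"""Added example (not from the talk): one 'verify=False' rule written as a
line-based regex and as an AST visitor, run over a constructed PyJWT-using
source file, to show where the regex over-reports (a comment) and
under-reports (a call split over two lines, an aliased import)."""
import ast
import re

# Constructed sample source (line 1 is the blank line after the opening quotes)
SAMPLE = '''
import jwt

def parse(token, secret):
    # Don't use this!!
    # jwt.decode(token, secret, verify=False)
    return jwt.decode(token, secret, algorithms=["HS256"])

def legacy(token, secret):
    claims = jwt.decode(token, secret,
                        verify=False)
    return claims

def alias(token):
    from jwt import decode as jwt_decode
    return jwt_decode(token, options={"verify_signature": False})
'''

# Line-based rule: what a "good ol' regular expression" scanner does
VERIFY_FALSE_RE = re.compile(r"jwt\.decode\(.*verify\s*=\s*False")


def regex_findings(src):
    """Line numbers where the regex matches: flags the comment, misses the rest."""
    return [n for n, line in enumerate(src.splitlines(), 1)
            if VERIFY_FALSE_RE.search(line)]


def _is_false(node):
    return isinstance(node, ast.Constant) and node.value is False


class InsecureDecodeVisitor(ast.NodeVisitor):
    """AST rule: jwt.decode(...) or an aliased 'from jwt import decode' call
    passing verify=False or options={"verify_signature": False}."""

    def __init__(self):
        self.aliases = set()   # local names bound to jwt.decode via import
        self.findings = []     # (line, reason)

    def visit_ImportFrom(self, node):
        if node.module == "jwt":
            for name in node.names:
                if name.name == "decode":
                    self.aliases.add(name.asname or name.name)
        self.generic_visit(node)

    def _is_jwt_decode(self, func):
        if isinstance(func, ast.Attribute) and func.attr == "decode":
            return isinstance(func.value, ast.Name) and func.value.id == "jwt"
        return isinstance(func, ast.Name) and func.id in self.aliases

    def visit_Call(self, node):
        if self._is_jwt_decode(node.func):
            for kw in node.keywords:
                if kw.arg == "verify" and _is_false(kw.value):
                    self.findings.append((node.lineno, "verify=False"))
                elif kw.arg == "options" and isinstance(kw.value, ast.Dict):
                    for key, val in zip(kw.value.keys, kw.value.values):
                        if (isinstance(key, ast.Constant)
                                and key.value == "verify_signature"
                                and _is_false(val)):
                            self.findings.append(
                                (node.lineno, "options verify_signature=False"))
        self.generic_visit(node)


def ast_findings(src):
    """(line, reason) pairs for real insecure calls; comments are never visited."""
    visitor = InsecureDecodeVisitor()
    visitor.visit(ast.parse(src))
    return sorted(visitor.findings)


if __name__ == "__main__":
    print("regex:", regex_findings(SAMPLE))   # [6]: the commented-out line
    print("ast:  ", ast_findings(SAMPLE))     # [(10, ...), (16, ...)]
```

The regex reports only the comment on line 6 and nothing else; the AST rule ignores comments and reports the real calls on lines 10 and 16. The alias tracking is deliberately minimal (it only follows `from jwt import decode`), which is exactly the gap that source-sink and semantic-query tools close at scale.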
  11. A (Better) alternative?
     • No Persistent Compute => Typically with Orchestration (Container)
     • Cloud-Native:
       • Integrated Secrets Management
       • Centralized IAM Implementation
       • Object Storage
       • Query Tools (Athena)
  12. In addition…
     • Closer to developer workflows => Github, Gitlab, AWS
     • Container-Native workflows
  13. Some unconventional approaches
     • Test Automation Frameworks for Security Workflows
     • Step Functions (State Machines)
     • Flows with Container Orchestration
  14. Test Automation Driven Workflows
     • Test Automation Frameworks can be used to trigger all kinds of security workflows
     • Frameworks like Robot Framework and Gauge are low-maintenance and low-code
     • Much more suited to developer and QA workflows
  15. Robot Framework
     *** Test Cases ***
     Clone repo from Github
         clone repository from url    ${GIT_URL}    ${TO_PATH}

     Run NodeJSScanner
         run nodejsscan against source    ${TO_PATH}    ${RESULTS_PATH}
         nodejsscan write to orchy    ${RESULTS_PATH}/nodejsscan.json    ${SECRET}    ${ACCESS}    ${HOOK}

     Run NPM Audit against packageJSON
         run npmaudit against source    ${TO_PATH}    ${RESULTS_PATH}
         npmaudit write to orchy    ${RESULTS_PATH}/npm_audit.json    ${SECRET}    ${ACCESS}    ${HOOK}

     Initialize ZAP
         [Tags]    zap_init
         start gui zap    ${ZAP_PATH}
         sleep    10
         zap open url    http://${TARGET_URI}

     Authenticate to Cut the Funds as Admin
         [Tags]    walk_web_service
         &{res}=    POST    /users/login    {"email": "[email protected]", "password": "spiderman"}
         Integer    response status    200
         Boolean    response body auth    true
         set suite variable    ${TOKEN}    ${res.body["token"]}
         log    ${TOKEN}
  16. Step Functions
     • Coordinate AWS services into Serverless Workflows
     • Can be used for:
       • AWS Lambda
       • Fargate
       • Sagemaker
  17. Step Functions States
     • Task
     • Choice
     • Fail/Succeed
     • Pass
     • Wait
     • Parallel
     • Map
  18. Benefits
     • Modeling complex workflows
     • Event-driven => Invoked only as required
     • No Persistent Compute/Service
     • Engineering/Developer-first workflow
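Slides 16 to 18 describe Step Functions as a state machine that coordinates Lambda and Fargate without persistent compute. The following is an added example, not from the talk or from we45: an Amazon States Language definition for a clone-then-scan workflow built from the Task, Parallel, Choice, Pass, Succeed and Fail state types listed on slide 17, together with a small validator that catches the wiring mistakes (a `Next` or `Default` pointing at a misspelled state, a state nobody can reach, a non-terminal state with neither `Next` nor `End`) that otherwise only surface when the definition is deployed. The `lambda:invoke` and `ecs:runTask.sync` integration ARNs are real; the function names are placeholders, the ECS task parameters are omitted, and the Wait and Map state types are not used.

```python
"""Added example (not from the talk): an Amazon States Language (Step Functions)
definition for a scan workflow using the Task, Parallel, Choice, Pass, Succeed
and Fail state types from the slides, plus a validator that catches wiring
mistakes (dangling Next/Default, unreachable states, missing End) before the
definition is deployed. Function names are placeholders."""
import json
from collections import deque

# Real service-integration ARNs; the FunctionName values below are placeholders
LAMBDA_INVOKE = "arn:aws:states:::lambda:invoke"
FARGATE_RUN = "arn:aws:states:::ecs:runTask.sync"
ON_ERROR = [{"ErrorEquals": ["States.ALL"], "Next": "ScanFailed"}]


def task(resource, next_state=None, **extra):
    """Build a Task state; it is terminal (End) when no next_state is given."""
    state = {"Type": "Task", "Resource": resource, **extra}
    state.update({"Next": next_state} if next_state else {"End": True})
    return state


SCAN_WORKFLOW = {
    "Comment": "Constructed example: clone, scan in parallel, gate on findings",
    "StartAt": "CloneRepo",
    "States": {
        "CloneRepo": task(LAMBDA_INVOKE, "RunScanners", Catch=ON_ERROR,
                          Parameters={"FunctionName": "clone-repo-PLACEHOLDER",
                                      "Payload.$": "$"},
                          ResultPath="$.checkout"),
        # Scanners run as short-lived Fargate tasks: no persistent compute
        "RunScanners": {
            "Type": "Parallel",
            "Branches": [
                {"StartAt": "SAST", "States": {"SAST": task(FARGATE_RUN)}},
                {"StartAt": "DependencyAudit",
                 "States": {"DependencyAudit": task(FARGATE_RUN)}},
            ],
            "ResultPath": "$.scan_results", "Catch": ON_ERROR, "Next": "Summarize",
        },
        "Summarize": task(LAMBDA_INVOKE, "AnyHighFindings", Catch=ON_ERROR,
                          Parameters={"FunctionName": "summarize-PLACEHOLDER",
                                      "Payload.$": "$.scan_results"},
                          ResultPath="$.summary"),
        # lambda:invoke wraps the function's return value in "Payload"
        "AnyHighFindings": {
            "Type": "Choice",
            "Choices": [{"Variable": "$.summary.Payload.high_count",
                         "NumericGreaterThan": 0, "Next": "PushToVulnMgmt"}],
            "Default": "Clean",
        },
        "PushToVulnMgmt": task(LAMBDA_INVOKE, "NotifyTeam",
                               Parameters={"FunctionName": "push-results-PLACEHOLDER",
                                           "Payload.$": "$.summary.Payload"}),
        "NotifyTeam": {"Type": "Pass", "Result": {"channel": "#appsec"},
                       "ResultPath": "$.notify", "Next": "Reported"},
        "Reported": {"Type": "Succeed"},
        "Clean": {"Type": "Succeed"},
        "ScanFailed": {"Type": "Fail", "Error": "ScanError",
                       "Cause": "a scan step raised an error"},
    },
}

NON_TRANSITIONING = {"Succeed", "Fail", "Choice"}  # never carry Next/End


def _targets(state):
    """Every state name this state can transition to."""
    targets = [state[k] for k in ("Next", "Default") if k in state]
    targets += [c["Next"] for c in state.get("Choices", [])]
    targets += [c["Next"] for c in state.get("Catch", [])]
    return targets


def validate(machine, prefix=""):
    """Return wiring errors for a definition (recursing into Parallel branches);
    an empty list means every transition resolves and every state is reachable."""
    errors, states, start = [], machine.get("States", {}), machine.get("StartAt")
    if start not in states:
        errors.append(f"{prefix}StartAt '{start}' is not a defined state")
    for name, state in states.items():
        kind = state.get("Type")
        errors += [f"{prefix}{name}: transition to undefined state '{t}'"
                   for t in _targets(state) if t not in states]
        if kind == "Choice" and not state.get("Choices"):
            errors.append(f"{prefix}{name}: Choice state has no Choices")
        elif kind not in NON_TRANSITIONING and "Next" not in state and not state.get("End"):
            errors.append(f"{prefix}{name}: {kind} state has neither Next nor End")
        for i, branch in enumerate(state.get("Branches", [])):
            errors += validate(branch, f"{prefix}{name}/branch{i}/")
    seen, queue = set(), deque([start] if start in states else [])
    while queue:                      # reachability from StartAt
        cur = queue.popleft()
        if cur not in seen:
            seen.add(cur)
            queue.extend(t for t in _targets(states[cur]) if t in states)
    errors += [f"{prefix}{name}: unreachable from StartAt"
               for name in states if name not in seen]
    return errors


if __name__ == "__main__":
    print(json.dumps(SCAN_WORKFLOW, indent=2))
    print("errors:", validate(SCAN_WORKFLOW) or "none")
```

The `Catch` on each Task and on the Parallel state routes any failure to the single `Fail` state, so a scanner crash ends the execution with a visible error instead of hanging a CI job; the `Choice` state is where a finding threshold becomes a feedback decision rather than a hard pipeline gate. Running the validator in the same commit hook that lints the definition keeps a misspelled state name from reaching the account.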
  19. Data Consumption Possibilities
     • Orchestron/Other Vulnerability Management tool
     • Athena (equivalent) to query and render results
     • Slack/JIRA push, etc.
  20. Conclusions
     • Think Feedback more than force-fitting into Pipelines
     • Think beyond CI tools to run CIs. There are some significant constraints
     • Speed and High Signal Ratio is very important for you to be more effective
     • Leverage Cloud-Native tooling for “born in cloud/container-dependent” services
     abhaybhargav we45