DevSecOps ou comment faire aimer la sécurité aux Devs @Meetup GDG Cloud IoT Lyon

Transcript

1. GDG Cloud & IOT 2019 - Session 3 (12)

2. Orga Thierry Chantier - Philippe Charrière - Louis Tournayre

3. Merci À Alexis DUQUE (@alexis0duque) À vous À Zenika pour

   les , les et les

4. À venir Le 22 mai : Grâce et en collaboration

   avec le Python AFPY : “Construire des solutions intelligentes grâce au Machine Learning” Par Laurent Picard @PicardParis Le 26 juin : SAVE THE DATE Stay tuned... Plus de news @gdglyon

5. Nous aimerions beaucoup Des speakers du coin (pas que Lyon)

   N’hésitez pas à proposer (à dénoncer aussi ;) ) Quel que soit votre niveau (il faut bien commencer un jour)

6. Aujourd’hui DevSecOps ou comment faire aimer la sécurité aux Devs

   (-IoT) Par Alexis DUQUE (@alexis0duque)

7. DEVSECOPS COMMENT FAIRE ♥ LA SÉCURITÉ AUX DEVS (IOT) ?

8. 8 HELLO! I am Alexis Duque R&D and Security leader

   at Rtone PhD @alexis0duque [email protected] rtone.fr/securite

9. “We Are IoT Makers 9 ”

10. A TEAM “FULL STACK” HARDWARE ▸ Electronics ▸ PCB design

    ▸ Mass production ▸ Radio/Antenna EMBEDDED SOFT. ▸ Embedded Linux – Android ▸ Firmware ▸ MCU ▸ Radio/Protocols MOBILE ▸ Android ▸ iOS ▸ UX ▸ Native 10 CLOUD ▸ IoT Platform ▸ Cloud (AWS, OVH) ▸ Backend, Frontend ▸ Microservices

11. SUMARRY ▸ IoT Security & Context ▸ DevSecOps ▸ Methodologies

    ▸ Agility & Security ▸ Return on Experience & Feedback 11

12. 2. IOTs SECURITY 12

13. 13

14. 14 IOT “a cyber-physical ecosystem of interconnected sensors and actuators,

    which enable intelligent decision making” ENISA 80% vulnerable 20 billions devices IN 2020 Gartners

15. OWASP IOT TOP 10 2018 15

16. NEWS & MEDIAS 16

17. WHAT SECURITY MEANS? 2 years Ago TEAM HARDWARE “Sécurité physique

    ❓” “Securité éléctrique ❓” “Securité incendie ❓” “Champ éléctromagnetique ” 17 TEAM FIRMWARE “On crypte avec la MAC Adresse Bluetooth”

18. WHAT SECURITY MEANS? 2 years Ago TEAM CLOUD "HTTPS, SSL”

    “TLS vs SSL ❓” “XSS – CSRF” “Spring Security” “PKI” TEAM SECURITY 18

19. 19 SECURITY TRIADE Availability Confidentiality Integrity

20. LEGAL ASPECTS GDPR LABELING 20 STANDARDISATION LAW ENFORCMENT

21. 2. DevSecOps

22. WHAT IS DEVOPS? ‘‘Implementing a culture of sharing between Development

    and Operations’’ ▸ Culture ▸ Automation ▸ Measurement ▸ Sharing 22

23. WHAT IS DEVSECOPS? ‘‘Deliver secure software and products at the

    DevOps speed’’ 23

24. DEVSECOPS GOALS ▸ Cost reduction ▸ Speed of recovery ++

    ▸ Threat hunting ▸ Security auditing, monitoring ▸ Secure By Design ▸ Customer Value ▸ Culture of openness and transparency 24

25. WHAT IS DEVSECOPS? 25 Security Security 25

26. DEVSECOPS FOCUS ▸ People & Culture ▹ Training ▹ Sharing

    ▸ Process and Practices ▹ Methodology ▸ Technology ▹ Approved tools 26

27. WHY DEVSECOPS? ▸ Security not a primary concern ▸ Lack

    of secure coding awareness or best practice ▸ Too much focus on costs and speed ▸ Misconfiguration of systems ▸ Lack of audit trails, review 27

28. DEVSECOPS HISTORY ▸ 2008: DevOps ▸ 2015: DevSecOps ▸ Netflix,

    RedHat, Amazon, Facebook ▸ … or SecDevOps 28

29. DEVSECOPS HISTORY ▸ 2008: DevOps ▸ 2015: DevSecOps ▸ Netflix,

    RedHat, Amazon, Facebook ▸ … or SecDevOps 29

30. DEVSECOPS FRAMEWORKS ▸ Microsoft Security Development Lifecycle (SDL) ▸ OWASP

    Software Assurance Maturity Model (SAMM) ▸ SAFECode, OpenDevSecOps & many more … 30

31. MICROSOFT SECURITY DEVELOPMENT LIFECYCLE ▸ Software development process ▸ Used

    and proposed by Microsoft ▸ Reduce software maintenance costs ▸ Increase reliability of software ▸ Reduce software security bugs ▸ Must be fully implemented 31

32. MICROSOFT SDL 32 Training Exigences Conception Diffusion Validation Implementat ion

    Response

33. OWASP SOFTWARE ASSURANCE MATURITY MODEL ▸ Evaluate current state of

    security recommendations ▸ Define goals ▸ Highlight improvements ▸ Define and measure activities related to security in software development lifecycle ▸ Can and should be adapted! 33

34. 34

35. 4. DevSecOps @ Rtone 35

36. DEVSECOPS @RTONE 1. Training 2. Requirements 3. Conception 4. Implementation

    5. Verification 6. Response 36

37. 1. TEAM TRAINING ▸ Raise awareness & security culture ▸

    Methodology and Process ▸ Tools ▸ Hacking Labs ▸ Secure Programming WEEKLY Team Meeting 37

38. 2. REQUIREMENTS ▸ Define security level 38

39. 3. CONCEPTION ▸ Risk Analysis ▸ Threat Modeling ▸ GDPR

    and Privacy by Design ▸ Privacy Impact Assessment (PIA) 39

40. 3. CONCEPTION ▸ EBIOS (Expression des Besoins et Identification des

    Objectifs de Sécurité) 40 Risks Context Threat Scenarios Security Measures Feared Events

41. 3. CONCEPTION 41 As an <ATTACKER> I want to do

    <SOMETHING. BAD> When <SOMETHING> Is vulnerable To cause <NEGATIVE IMPACT>

42. 3. CONCEPTION 42 RISK = LIKELIHOOD x GRAVITY

43. 4. IMPLEMENTATION ▸ Security must keep up with speed of

    delivery ▸ Surround dynamic processes with protection ▸ Incremental but improvement to security ▸ Quality at source, with frequent feedback 43

44. 4. IMPLEMENTATION ▸ Code versioning w/Gitlab ▸ Coding Rules ▸

    SAFECode ▸ Static Analysis w/ CPPCheck ▸ Unit Tests ▸ Code Review 44

45. 5. VALIDATION ▸ ‘On-Target’ integration tests 45

46. IoT Integration Testing on Target 46 CI Server IoT Device

    Program / Run Test Debug Probe

47. 5. VALIDATION ▸ ‘On-Target’ integration tests ▸ Memory leaks &

    Fuzzing ▸ Configuration assessment (e.g. SSLyze) ▸ Web scanner + pentests ▸ Automation w/ OWASP Glue 47

48. 48

49. 6. RESPONSE ▸ Implement CVD for vulnerability disclosure ▸ Provide

    secure update channel ▸ Watch CVE (Common Vulnerabilities and Exposures) ▸ Newsletter for our customers 49

50. 50

51. 5. Return on Experience 51

52. TAKEWAYS ▸ It can take some time ▸ Acceptance ratio

    is low at the beginning ▸ Make customers concerned ▸ Provide secure software and code blocks to Devs ▸ Mix sec. and dev. team! 52

53. TAKEWAYS ▸ Everyone is responsible for security ▸ Clear communication

    + active collaboration ▸ Build with secure defaults mindset ▸ Test driven development ▸ Hack your applications, infra, etc. like real attackers ▸ Keep learning and sharing 53

54. CREDIT AND FURTHER READS ▸ Microsoft SDL: https://www.microsoft.com/en-us/SDL/process/design.a spx ▸

    OWASP SAMM: https://www.owasp.org/index.php/ ▸ SAFEcode: https://safecode.org/wp-content/uploads/2018/03/SAFE Code_Fundamental_Practices_for_Secure_Software_D evelopment_March_2018.pdf ▸ Debian. Hardening:https://wiki.debian.org/Hardening ▸ Address Sanitizer: https://github.com/goog le/sanitizers 54

55. CREDIT AND FURTHER READS ▸ American Fuzzy Loop: https://lcamtuf.coredump.cx/afl ▸

    Arachni: https://gitub.com/Arachni/arachni ▸ w3af: https ://github.com/andresriancho/w3af ▸ ZAP: https://github.com/zaproxy/zaproxy ▸ http://sectooladdict.blogspot.fr/ ▸ SSLyze SSLyze : https://github.com/nabla-c0d3/sslyze ▸ Mozilla Minion: https://github.com/Wawki/minion 55

56. 56 THANKS! Any questions? You can reach me at @alexis0duque

    & [email protected]