
DevSecOps, or how to make (IoT) devs love security?

Following the same concept as DevOps, the DevSecOps movement aims to bring a bit of security into the developer's daily work by getting the Sec and Dev teams to collaborate.

Properly integrating all security aspects into the software development lifecycle is not always easy, sometimes requires substantial effort, and therefore puts off the developer community.
But that is the price of being able to trust the quality of the services we build. Note that 61% of the applications developed fail the OWASP compliance test.

During this talk we will present this movement, as well as the different methodologies that have been proposed.
We will describe the different aspects of putting them into practice, with concrete, quickly applicable examples.
The core of the presentation will be our feedback from applying DevSecOps within the *“Full Stack”* ** team at Rtone IoT Makers.
We will see that integrating security aspects into a software development lifecycle improves the overall quality of the code produced, while reducing security flaws and the cost of fixes.

** Full Stack: hardware, firmware, embedded, mobile, web and cloud development :)


Alexis DUQUE

January 24, 2019

Transcript

  1. DEVSECOPS: HOW TO MAKE (IOT) DEVS ♥ SECURITY?

  2. HELLO! I am Alexis Duque, R&D and Security leader at Rtone, PhD. @alexis0duque, alexisd@rtone.fr, security.rtone.fr, sli.do/DevSecOpsSnw19

  3. SUMMARY ▸ Our Team ▸ IoT Security & Context ▸ DevSecOps ▸ Methodologies ▸ Agility & Security ▸ Return on Experience & Feedback

  4. “We Are IoT Makers”

  5. A “FULL STACK” TEAM. HARDWARE ▸ Electronics ▸ PCB design ▸ Mass production ▸ Radio/Antenna. EMBEDDED SOFT. ▸ Embedded Linux – Android ▸ Firmware ▸ MCU ▸ Radio/Protocols. MOBILE ▸ Android ▸ iOS ▸ UX ▸ Native. CLOUD ▸ IoT Platform ▸ Cloud (AWS, OVH) ▸ Backend, Frontend ▸ Microservices

  6. 2. IOT SECURITY

  8. IOT: “a cyber-physical ecosystem of interconnected sensors and actuators, which enable intelligent decision making” (ENISA). 80% vulnerable. 20 billion devices in 2020 (Gartner)

  9. OWASP IOT TOP 10 2018

  10. NEWS & MEDIA

  11. WHAT DOES SECURITY MEAN? 2 years ago. TEAM HARDWARE: “Physical security ❓” “Electrical safety ❓” “Fire safety ❓” “Electromagnetic field”. TEAM FIRMWARE: “We encrypt with the Bluetooth MAC address”

  12. WHAT DOES SECURITY MEAN? 2 years ago. TEAM CLOUD: “HTTPS, SSL” “TLS vs SSL ❓” “XSS – CSRF” “Spring Security” “PKI”. TEAM SECURITY
  13. SECURITY TRIAD ▸ Availability ▸ Confidentiality ▸ Integrity

  14. LEGAL ASPECTS ▸ GDPR ▸ Labeling ▸ Standardisation ▸ Law enforcement

  15. 2. DevSecOps

  16. WHAT IS DEVOPS? ‘‘Implementing a culture of sharing between Development and Operations’’ ▸ Culture ▸ Automation ▸ Measurement ▸ Sharing

  17. WHAT IS DEVSECOPS? ‘‘Deliver secure software and products at DevOps speed’’

  18. DEVSECOPS GOALS ▸ Cost reduction ▸ Speed of recovery ++ ▸ Threat hunting ▸ Security auditing, monitoring ▸ Secure by Design ▸ Customer value ▸ Culture of openness and transparency

  19. WHAT IS DEVSECOPS? (diagram)

  20. DEVSECOPS FOCUS ▸ People & Culture ▹ Training ▹ Sharing ▸ Process and Practices ▹ Methodology ▸ Technology ▹ Approved tools

  21. WHY DEVSECOPS? ▸ Security is not a primary concern ▸ Lack of secure coding awareness or best practice ▸ Too much focus on costs and speed ▸ Misconfiguration of systems ▸ Lack of audit trails, review

  22. DEVSECOPS HISTORY ▸ 2008: DevOps ▸ 2015: DevSecOps ▸ Netflix, RedHat, Amazon, Facebook ▸ … or SecDevOps

  24. DEVSECOPS FRAMEWORKS ▸ Microsoft Security Development Lifecycle (SDL) ▸ OWASP Software Assurance Maturity Model (SAMM) ▸ SAFECode, OpenDevSecOps & many more …

  25. MICROSOFT SECURITY DEVELOPMENT LIFECYCLE ▸ Software development process ▸ Used and proposed by Microsoft ▸ Reduce software maintenance costs ▸ Increase reliability of software ▸ Reduce software security bugs ▸ Must be fully implemented

  26. MICROSOFT SDL (phases) ▸ Training ▸ Requirements ▸ Design ▸ Implementation ▸ Verification ▸ Release ▸ Response

  27. OWASP SOFTWARE ASSURANCE MATURITY MODEL ▸ Evaluate current state of security recommendations ▸ Define goals ▸ Highlight improvements ▸ Define and measure activities related to security in the software development lifecycle ▸ Can and should be adapted!
  29. 4. DevSecOps @ Rtone

  30. DEVSECOPS @ RTONE: 1. Training 2. Requirements 3. Conception 4. Implementation 5. Verification 6. Response

  31. 1. TEAM TRAINING ▸ Raise awareness & security culture ▸ Methodology and Process ▸ Tools ▸ Hacking Labs ▸ Secure Programming. FIST Action Group + weekly Team Meeting

  32. 2. REQUIREMENTS ▸ Define security level

  33. 2. REQUIREMENTS ▸ Define security level ▸ Agree on metrics w/ TEAM + CUSTOMER ▸ Define security needs

  34. 3. CONCEPTION ▸ Risk Analysis ▸ Threat Modeling ▸ GDPR and Privacy by Design ▸ Privacy Impact Assessment (PIA)

  35. 3. CONCEPTION ▸ EBIOS (Expression des Besoins et Identification des Objectifs de Sécurité): Context → Feared Events → Threat Scenarios → Risks → Security Measures

  36. 3. CONCEPTION ▸ As an <ATTACKER> I want to do <SOMETHING BAD> when <SOMETHING> is vulnerable, to cause <NEGATIVE IMPACT>

  37. 3. CONCEPTION ▸ RISK = LIKELIHOOD x GRAVITY

  38. 4. IMPLEMENTATION ▸ Security must keep up with the speed of delivery ▸ Surround dynamic processes with protection ▸ Incremental improvement to security ▸ Quality at source, with frequent feedback

  39. 4. IMPLEMENTATION ▸ Code versioning w/ GitLab ▸ Coding Rules ▸ SAFECode ▸ Static Analysis w/ Cppcheck ▸ Unit Tests ▸ Code Review

  40. 5. VALIDATION ▸ ‘On-Target’ integration tests

  41. IoT INTEGRATION TESTING ON TARGET (diagram: the CI server programs the IoT device and runs the tests through a debug probe)

  42. 5. VALIDATION ▸ ‘On-Target’ integration tests ▸ Memory leaks & Fuzzing ▸ Configuration assessment (e.g. SSLyze) ▸ Web scanner + pentests ▸ Automation w/ OWASP Glue
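As an added example, not from the deck or from Rtone, here is how the implementation and validation steps above (static analysis with Cppcheck, on-target integration tests through a debug probe, configuration assessment with SSLyze, a web scanner) could be wired into the GitLab CI the deck mentions. The `scripts/flash_and_test.sh` script, the `debug-probe` runner tag, the `staging.example.com` host and the `owasp/zap2docker-stable` image are assumptions.

```yaml
# Added example (not the deck's or Rtone's own pipeline): one GitLab CI
# pipeline mapping the Implementation and Validation steps to jobs.
# Assumed: scripts/flash_and_test.sh, a runner tagged "debug-probe",
# and the staging host staging.example.com.
stages: [static-analysis, on-target, config-assessment, web-scan]

cppcheck:
  stage: static-analysis
  image: ubuntu:18.04
  before_script:
    - apt-get update && apt-get install -y cppcheck
  script:
    # Any finding fails the job; --inline-suppr lets devs document false
    # positives in source with "// cppcheck-suppress <id>" (reviewable).
    - >
      cppcheck --enable=warning,style,performance,portability
      --error-exitcode=1 --inline-suppr --xml src/ 2> cppcheck.xml
  artifacts:
    when: always
    paths: [cppcheck.xml]

on-target-tests:
  stage: on-target
  tags: [debug-probe]                # runner physically wired to a device
  script:
    # Assumed script: flash build/firmware.elf through the probe, run the
    # integration suite on the device and exit non-zero on any failure.
    - ./scripts/flash_and_test.sh build/firmware.elf
  artifacts:
    when: always
    paths: [reports/on-target/]

sslyze:
  stage: config-assessment
  image: python:3.7
  script:
    - pip install sslyze
    # SSLyze reports, it does not judge: a reviewer (or a follow-up
    # script) reads sslyze.json for weak ciphers, old TLS versions, etc.
    - sslyze --json_out=sslyze.json staging.example.com:443
  artifacts:
    paths: [sslyze.json]

zap-baseline:
  stage: web-scan
  image: owasp/zap2docker-stable
  allow_failure: true                # warnings only until the team is ready
  script:
    - /zap/zap-baseline.py -t https://staging.example.com
```

The `allow_failure` on the web scan reflects the deck's own takeaway that acceptance is low at the beginning: report first, then turn the job blocking once the findings are triaged.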
  45. 6. RESPONSE ▸ Implement CVD for vulnerability disclosure ▸ Provide a secure update channel ▸ Watch CVEs (Common Vulnerabilities and Exposures) ▸ Newsletter for our customers

  46. 5. Return on Experience

  47. TAKEAWAYS ▸ It can take some time ▸ Acceptance ratio is low at the beginning ▸ Make customers concerned ▸ Provide secure software and code blocks to Devs ▸ Sec. team must also code! ▸ You need a Trojan!

  48. TAKEAWAYS ▸ Everyone is responsible for security ▸ Clear communication + active collaboration ▸ Build with a secure-defaults mindset ▸ Test-driven development ▸ Hack your applications, infra, etc. like real attackers ▸ Keep learning and sharing

  49. CREDITS AND FURTHER READING ▸ Microsoft SDL: https://www.microsoft.com/en-us/SDL/process/design.aspx ▸ OWASP SAMM: https://www.owasp.org/index.php/ ▸ SAFECode: https://safecode.org/wp-content/uploads/2018/03/SAFECode_Fundamental_Practices_for_Secure_Software_Development_March_2018.pdf ▸ Debian Hardening: https://wiki.debian.org/Hardening ▸ Address Sanitizer: https://github.com/google/sanitizers

  50. CREDITS AND FURTHER READING ▸ American Fuzzy Lop: https://lcamtuf.coredump.cx/afl ▸ Arachni: https://github.com/Arachni/arachni ▸ w3af: https://github.com/andresriancho/w3af ▸ ZAP: https://github.com/zaproxy/zaproxy ▸ http://sectooladdict.blogspot.fr/ ▸ SSLyze: https://github.com/nabla-c0d3/sslyze ▸ Mozilla Minion: https://github.com/Wawki/minion

  51. THANKS! Any questions? You can find me at @alexis0duque & alexisd@rtone.fr!