
DevSecOps, or how to make Devs (-IoT) love security?


Following the same concept as DevOps, the DevSecOps movement aims to bring a bit of security into the developer's daily work by having the Sec and Dev teams collaborate.

Properly integrating all security aspects into the software development lifecycle is not always easy, sometimes requires substantial effort, and therefore puts off the developer community.
But that is the price of being able to trust the quality of the services we build. Note that 61% of developed applications fail the OWASP compliance test.

During this talk, we will present this movement and the various methodologies it proposes.
We will describe the different aspects of putting them into practice, with concrete, quickly applicable examples.
The core of the presentation will be our experience report on applying DevSecOps within the *"Full Stack"* ** team at Rtone IoT Makers.
We will see that integrating security into the software development lifecycle improves the overall quality of the code produced, while reducing security flaws and the cost of fixes.

** Full Stack: hardware, firmware, embedded, mobile, web and cloud development :)

Alexis DUQUE

January 24, 2019


Transcript

  1. HELLO! I am Alexis Duque, R&D and Security leader at Rtone, PhD
     @alexis0duque · security.rtone.fr · sli.do/DevSecOpsSnw19
  2. SUMMARY
     ▸ Our Team
     ▸ IoT Security & Context
     ▸ DevSecOps
     ▸ Methodologies
     ▸ Agility & Security
     ▸ Return on Experience & Feedback
  3. A "FULL STACK" TEAM
     HARDWARE
     ▸ Electronics
     ▸ PCB design
     ▸ Mass production
     ▸ Radio/Antenna
     EMBEDDED SOFTWARE
     ▸ Embedded Linux – Android
     ▸ Firmware
     ▸ MCU
     ▸ Radio/Protocols
     MOBILE
     ▸ Android
     ▸ iOS
     ▸ UX
     ▸ Native
     CLOUD
     ▸ IoT Platform
     ▸ Cloud (AWS, OVH)
     ▸ Backend, Frontend
     ▸ Microservices
  5. IOT: "a cyber-physical ecosystem of interconnected sensors and actuators, which enable intelligent decision making" (ENISA)
     80% vulnerable
     20 billion devices in 2020 (Gartner)
  6. WHAT SECURITY MEANS? 2 years ago
     TEAM HARDWARE: "Physical security ❓", "Electrical safety ❓", "Fire safety ❓", "Electromagnetic field"
     TEAM FIRMWARE: "We encrypt with the Bluetooth MAC address"
  7. WHAT SECURITY MEANS? 2 years ago
     TEAM CLOUD: "HTTPS, SSL", "TLS vs SSL ❓", "XSS – CSRF", "Spring Security", "PKI"
     TEAM SECURITY
  8. WHAT IS DEVOPS? "Implementing a culture of sharing between Development and Operations"
     ▸ Culture
     ▸ Automation
     ▸ Measurement
     ▸ Sharing
  9. DEVSECOPS GOALS
     ▸ Cost reduction
     ▸ Speed of recovery ++
     ▸ Threat hunting
     ▸ Security auditing, monitoring
     ▸ Secure by Design
     ▸ Customer value
     ▸ Culture of openness and transparency
  10. DEVSECOPS FOCUS
     ▸ People & Culture
       ▹ Training
       ▹ Sharing
     ▸ Process and Practices
       ▹ Methodology
     ▸ Technology
       ▹ Approved tools
  11. WHY DEVSECOPS?
     ▸ Security not a primary concern
     ▸ Lack of secure coding awareness or best practice
     ▸ Too much focus on costs and speed
     ▸ Misconfiguration of systems
     ▸ Lack of audit trails, review
  12. DEVSECOPS HISTORY
     ▸ 2008: DevOps
     ▸ 2015: DevSecOps
     ▸ Netflix, RedHat, Amazon, Facebook
     ▸ … or SecDevOps
  14. DEVSECOPS FRAMEWORKS
     ▸ Microsoft Security Development Lifecycle (SDL)
     ▸ OWASP Software Assurance Maturity Model (SAMM)
     ▸ SAFECode, OpenDevSecOps & many more …
  15. MICROSOFT SECURITY DEVELOPMENT LIFECYCLE
     ▸ Software development process
     ▸ Used and proposed by Microsoft
     ▸ Reduce software maintenance costs
     ▸ Increase reliability of software
     ▸ Reduce software security bugs
     ▸ Must be fully implemented
  16. OWASP SOFTWARE ASSURANCE MATURITY MODEL
     ▸ Evaluate current state of security recommendations
     ▸ Define goals
     ▸ Highlight improvements
     ▸ Define and measure activities related to security in the software development lifecycle
     ▸ Can and should be adapted!
  18. DEVSECOPS @ RTONE
     1. Training
     2. Requirements
     3. Conception
     4. Implementation
     5. Verification
     6. Response
  19. 1. TEAM TRAINING
     ▸ Raise awareness & security culture
     ▸ Methodology and Process
     ▸ Tools
     ▸ Hacking Labs
     ▸ Secure Programming
     FIST Action Group + WEEKLY Team Meeting
  20. 2. REQUIREMENTS
     ▸ Define security level
     ▸ Agree on metrics w/ TEAM + CUSTOMER
     ▸ Define security needs
  21. 3. CONCEPTION
     ▸ Risk Analysis
     ▸ Threat Modeling
     ▸ GDPR and Privacy by Design
     ▸ Privacy Impact Assessment (PIA)
  22. 3. CONCEPTION
     ▸ EBIOS (Expression des Besoins et Identification des Objectifs de Sécurité)
     (diagram: Context, Feared Events, Threat Scenarios, Risks, Security Measures)
  23. 3. CONCEPTION (evil user story template)
     As an <ATTACKER>
     I want to do <SOMETHING BAD>
     When <SOMETHING> is vulnerable
     To cause <NEGATIVE IMPACT>
  24. 4. IMPLEMENTATION
     ▸ Security must keep up with the speed of delivery
     ▸ Surround dynamic processes with protection
     ▸ Incremental but steady improvement to security
     ▸ Quality at source, with frequent feedback
  25. 4. IMPLEMENTATION
     ▸ Code versioning w/ GitLab
     ▸ Coding Rules
     ▸ SAFECode
     ▸ Static Analysis w/ Cppcheck
     ▸ Unit Tests
     ▸ Code Review
  26. 5. VALIDATION
     ▸ "On-Target" integration tests
     ▸ Memory leaks & Fuzzing
     ▸ Configuration assessment (e.g. SSLyze)
     ▸ Web scanner + pentests
     ▸ Automation w/ OWASP Glue
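One way to wire the Implementation and Validation steps above (Cppcheck static analysis, unit tests with leak detection, an SSLyze configuration check) into the GitLab pipeline the deck mentions, so that each check gates the merge request. This is an added example, not Rtone's pipeline; it assumes a C project with sources in src/ and tests in tests/, a CI variable STAGING_HOST naming the TLS endpoint, and a Debian-based gcc image.

```yaml
# Added example (not from the deck): GitLab CI pipeline gating merges on the
# checks named in the Implementation and Validation slides.
# Assumptions: C sources in src/, tests in tests/, CI variable STAGING_HOST.
stages:
  - static-analysis
  - test
  - config-assessment

image: gcc:13

cppcheck:
  stage: static-analysis
  before_script:
    - apt-get update -qq && apt-get install -y -qq cppcheck
  script:
    # --error-exitcode=1 turns any finding into a failed job, so the merge
    # request is blocked until the warning is fixed or explicitly suppressed
    # with an inline "cppcheck-suppress" comment that reviewers can see.
    - cppcheck --std=c11 --enable=warning,style,performance,portability --inline-suppr --error-exitcode=1 src/

unit-tests-asan:
  stage: test
  script:
    # AddressSanitizer + UndefinedBehaviorSanitizer. LeakSanitizer runs with
    # ASan on Linux, so memory leaks (a Validation item) fail the job too.
    - gcc -std=c11 -g -O1 -fno-omit-frame-pointer -fsanitize=address,undefined -Isrc src/*.c tests/*.c -o run_tests
    - ASAN_OPTIONS=detect_leaks=1:abort_on_error=1 ./run_tests
  artifacts:
    when: always
    paths:
      - run_tests

tls-config:
  stage: config-assessment
  image: python:3.12-slim
  script:
    - pip install --quiet sslyze
    # --mozilla_config (sslyze >= 5) fails the scan unless the server matches
    # Mozilla's "intermediate" TLS profile; the JSON report is kept as evidence.
    - sslyze --mozilla_config=intermediate --json_out=tls-report.json "$STAGING_HOST:443"
  artifacts:
    when: always
    paths:
      - tls-report.json
  only:
    - main
```

The web scanner and OWASP Glue steps from the same slide would be added as further jobs in the config-assessment stage against the staging deployment.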
  29. 6. RESPONSE
     ▸ Implement CVD (Coordinated Vulnerability Disclosure) for vulnerability disclosure
     ▸ Provide a secure update channel
     ▸ Watch CVE (Common Vulnerabilities and Exposures)
     ▸ Newsletter for our customers
  30. TAKEAWAYS
     ▸ It can take some time
     ▸ Acceptance ratio is low at the beginning
     ▸ Make customers concerned
     ▸ Provide secure software and code blocks to Devs
     ▸ Sec. team also must code!
     ▸ You need a Trojan!
  31. TAKEAWAYS
     ▸ Everyone is responsible for security
     ▸ Clear communication + active collaboration
     ▸ Build with a secure-defaults mindset
     ▸ Test-driven development
     ▸ Hack your applications, infra, etc. like real attackers
     ▸ Keep learning and sharing
  32. CREDIT AND FURTHER READS
     ▸ Microsoft SDL: https://www.microsoft.com/en-us/SDL/process/design.aspx
     ▸ OWASP SAMM: https://www.owasp.org/index.php/
     ▸ SAFECode: https://safecode.org/wp-content/uploads/2018/03/SAFECode_Fundamental_Practices_for_Secure_Software_Development_March_2018.pdf
     ▸ Debian Hardening: https://wiki.debian.org/Hardening
     ▸ Address Sanitizer: https://github.com/google/sanitizers
  33. CREDIT AND FURTHER READS
     ▸ American Fuzzy Lop: https://lcamtuf.coredump.cx/afl
     ▸ Arachni: https://github.com/Arachni/arachni
     ▸ w3af: https://github.com/andresriancho/w3af
     ▸ ZAP: https://github.com/zaproxy/zaproxy
     ▸ http://sectooladdict.blogspot.fr/
     ▸ SSLyze: https://github.com/nabla-c0d3/sslyze
     ▸ Mozilla Minion: https://github.com/Wawki/minion