Security-by-design : en intégrer toutes les bonnes pratiques, en comprendre les conséquences et les avantages

Transcript

1. IOT MAKERS EXPERTS EN PRODUITS INTELLIGENTS ET CONNECTÉS

2. Secure by Design ▸ 1 - Introduction ▸ 2 –

   Risk Analysis ▸ 3 – DevSecOps ▸ 4 – DevSecOps @Rtone ▸ 5 – Return on Experience 2

3. 1. Introduction 3

4. 4 Alexis Duque R&D and Security leader at Rtone PhD

   @alexis0duque [email protected] security.rtone.fr

5. 5 Didier Midroit Directeur du développement didier-midroit-0b045019 [email protected] security.rtone.fr

6. 100 PROJECTS 11 years 30 people 3 M€ IOT MAKERS

7. 7

8. 8 IOT “a cyber-physical ecosystem of interconnected sensors and actuators,

   which enable intelligent decision making” ENISA 80% vulnerable 20 billions devices IN 2020 Gartners

9. NEWS & MEDIAS 9

10. STATEMENT We delivered not secured product RESPONSABILITIES Inform customers Security

    by Design as a new process 10

11. 2. Risk Analysis 11

12. 12 The correct level of security

13. 13

14. OWASP IOT TOP 10 2018 14

15. LEGAL ASPECTS GDPR LABELING 15 STANDARDISATION LAW ENFORCMENT

16. 3. DevSecOps

17. WHAT IS DEVSECOPS? ‘‘Deliver secure software and products at the

    DevOps speed’’ 17

18. DEVSECOPS GOALS ▸ Cost reduction ▸ Speed of recovery ++

    ▸ Threat hunting ▸ Security auditing, monitoring ▸ Customer Value ++ 18

19. DEVSECOPS HISTORY ▸ 2008: DevOps ▸ 2015: DevSecOps ▸ Netflix,

    RedHat, Amazon, Facebook ▸ … or SecDevOps 19

20. 4. DevSecOps @ Rtone 20

21. DEVSECOPS @ RTONE 21 Training Exigences Conception Diffusion Validation Implementa

    tion Response

22. 1. TEAM TRAINING ▸ Raise awareness & security culture ▸

    Methodology and Process ▸ Tools ▸ Hacking Labs ▸ Secure Programming FIST Action Group + WEEKLY Team Meeting 22

23. 2. REQUIREMENTS ▸ Define security level 23

24. 3. CONCEPTION ▸ Risk Analysis ▸ Threat Modeling ▸ GDPR

    and Privacy by Design ▸ Privacy Impact Assesment (PIA) 24

25. 3. CONCEPTION ▸ EBIOS (Expression des Besoins et Identification des

    Objectifs de Sécurité) 25 Risks Context Threat Scenarios Security Measures Feared Events

26. 3. CONCEPTION 26 As an <ATTACKER> I want to do

    <SOMETHING. BAD> When <SOMETHING> Is vulnerable To cause <NEGATIVE IMPACT>

27. 3. CONCEPTION 27 RISK = LIKEHOOD x GRAVITY

28. 4. IMPLEMENTATION ▸ Code versioning w/Gitlab ▸ Coding Rules ▸

    SAFECode ▸ Static Analysis w/ CPPCheck ▸ Unit Tests ▸ Code Review 28

29. 5. VALIDATION ▸ ‘On-Target’ integration tests 29

30. IoT Integration Testing on Target 30 CI Server IoT Device

    Program / Run Test Debug Probe

31. 5. VALIDATION ▸ ‘On-Target’ integration tests ▸ Memory leaks &

    Fuzzing ▸ Configuration assesment (e.g. SSLyze) ▸ Web scanner + pentests ▸ Automation w/ OWASP Glue 31

32. 32

33. 6. RESPONSE ▸ Implement CVD for vulnerability disclosure ▸ Provide

    secure update channel ▸ Watch CVE (Common Vulnerabilities and Exposures) ▸ Newsletter for our customers 33

34. 34

35. 4. Return on Experience 35

36. TAKEWAYS ▸ It can take some time ▸ Acceptance ratio

    is low at the beginning ▸ Make customers concerned ▸ Provide secure software and code blocks to Devs ▸ Bring Sec & Dev team together! 36

37. CREDIT AND FURTHER READS ▸ Microsoft SDL: https://www.microsoft.com/en- us/SDL/process/design.aspx ▸

    OWASP SAMM: https://www.owasp.org/index.php/ ▸ SAFEcode: https://safecode.org/wp- content/uploads/2018/03/SAFECode_Fundamental_Pra ctices_for_Secure_Software_Development_March_201 8.pdf ▸ Debian. Hardening:https://wiki.debian.org/Hardening ▸ Address Sanitizer: https://github.com/goog le/sanitizers 38

38. CREDIT AND FURTHER READS ▸ American Fuzzy Loop: https://lcamtuf.coredump.cx/afl ▸

    Arachni: https://gitub.com/Arachni/arachni ▸ w3af: https ://github.com/andresriancho/w3af ▸ ZAP: https://github.com/zaproxy/zaproxy ▸ http://sectooladdict.blogspot.fr/ ▸ SSLyze SSLyze : https://github.com/nabla-c0d3/sslyze ▸ Mozilla Minion: https://github.com/Wawki/minion 39

39. 40 THANKS! Any questions? Find us at @RtoneIoTSec , [email protected]

    & [email protected] !