
apidays
December 31, 2024

apidays Paris 2024 - Secure SDLC for Modern APIs, Kayssar Daher, GitGuardian

Secure SDLC for Modern APIs
Kayssar Daher, Lead Security Engineer at GitGuardian

apidays Paris 2024 - The Future API Stack for Mass Innovation
December 3 - 5, 2024

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

Transcript

  1. whoami
     Kayssar Daher, Security Lead @ GitGuardian
     Security & data privacy enthusiast specialising in building security for French tech scale-ups.
     CV
     • Loves road cycling. Cooks okay food.
     • Worked in security for many French Tech orgs. Not enough Pull Requests.
     • Writes the.secure.engineer blog.
     Todayʼs talk
  2. GitGuardian is the code security platform for the DevOps generation
     Founding year: 2017
     HQ: Paris, France; Boston, MA, US
     Team: 150+
     Funding: $56M in total with a $44M Series B in Dec 2021
     Mission: Make secure software the easiest choice for every organization
     Products: Secrets detection, Honeytoken (intrusion detection), SCA
     Technology: Over 1 billion GitHub commits secured every year!
     Adoption: 370k+ developers currently using our free plan
  3. Everything is an API. How does GitGuardian work?
     Internal API: API used by our web app frontend
     • Cookie authentication
     Internal services: APIs used by our user-facing services
     • Service tokens
     Public API: API used by humans and machines
     • API keys
     • Clients include: curl, py-gitguardian, ggshield
     Out of scope
  4. Oxford English Dictionary: Security
     1. secure condition or feeling.
     2. thing that guards or guarantees.
     3.a. safety against espionage, theft, etc.
     3.b. organization for ensuring this.
  5. Oxford English Dictionary: Control
     1. power of directing.
     2. power of restraining.
     3. means of restraint.
     4. means of regulating.
  6. So, what is security?
     In the context of software engineering, security is the discipline of slowing down attackers while ensuring maximum delivery velocity.
  7. How to slow down attackers? In a technical system:
     Code: Your own code can be vulnerable to all sorts of attacks.
     Software dependencies: The libraries you use can be vulnerable (eg. log4shell, xz, ua-parser-js).
     Platform dependencies: The container, VM or network that hosts your workload can be vulnerable.
     System features: Your appʼs own features can themselves be a vulnerability.
     👉 Eliminate vulnerabilities at all levels
  8. Water in the Paris metropolitan area
     12 210 000 people live in the greater Paris metropolitan area
     100 liters of water are consumed every day by Ile-de-France residents
     0 cholera outbreaks found within the 12.2 million resident population in 2023
  9. How does tap water work? Water treatment process
     1. Coagulation
     2. Flocculation
     3. Sedimentation
     4. Filtration
     5. Disinfection
     ∞ OTB checks
  10. High performance, high security SDLC
      Automation and recurring checks:
      1. Design review
      2. Linters
      3. SCA & dependencies
      4. SAST
      5. Secrets detection
      6. IaC security
      7. DAST
      8. Code review
      ∞ etc.
      ∞ (continuous): Bug bounty, CSPM, Attack surface, Pentesting, Openbox audit
      ?: Monitoring, High availability!, CI pipeline security, Secret rotation, Patching SLAs, Threat modeling, Base image hardening, etc.
  11. SCA: Sometimes, the wheel you didnʼt invent is broken
      ❔ What is it? Software composition analysis
      🛠 Examples of tools: Dependency-Check, Snyk
      💣 What risk does it mitigate? Vulnerable dependencies, eg. log4shell, xz, spring4shell
      How does it work? Compares your pipfile.lock, package-lock.json against a DB of known vulnerable packages
      🏭 At GitGuardian…
      What do we use? GitGuardian & Renovate-Bot (moving away from Snyk)
      How do we use it?
      • GitGuardian in CI jobs with ggshield, and through the web app
      • Renovate-Bot opens pull requests to upgrade all our dependencies
      Any other info?
      • We self-host our own Renovate-Bot
      • We use CycloneDX for SBOM generation
      • cd repo && ggshield sca scan all
  12. SAST: Finding out the building will crack, by looking at the blueprint
      ❔ What is it? Static Application Security Testing
      🛠 Examples of tools: Sonar, GitLab, Veracode
      💣 What risk does it mitigate? Vulnerable app code
      How does it work? Parses code looking for vulnerable code patterns (eg. unencoded strings sent to the frontend, SQL query concatenated with user input)
      🏭 At GitGuardian…
      What do we use? Semgrep
      How do we use it?
      • In CI jobs on our app code
      • Breaks pipeline if issue is found
      Any other info?
      • Integrated with GitLabʼs JUnit based testing framework
      • Scans all our Python & JS code
      • Does generate false positives
        ◦ Important to allow users to ignore false positives
        ◦ git blame 🎉
  13. DAST: Poking and prodding, until it bursts
      ❔ What is it? Dynamic Application Security Testing
      🛠 Examples of tools: Burp Suite Enterprise, Intruder.io
      💣 What risk does it mitigate? Vulnerabilities within live apps & APIs
      How does it work? Sends attack HTTP requests to the live app
      🏭 At GitGuardian…
      What do we use? StackHawk
      How do we use it?
      • Runs every day on our preprod
      • On a dedicated workspace
      • Through GitLab CI job
      Any other info?
      • Dedicated runners
      • Triage workflow is currently manual
      • Based on OWASP ZAP
      • Ingests OpenAPI file, and bombards API with attacks
  14. Secret detection: Our bread and butter
      ❔ What is it? Finds API keys, passwords, private keys
      🛠 Examples of tools: gitleaks, GitGuardian
      💣 What risk does it mitigate? Vulnerabilities within live apps & APIs
      How does it work? Ingests code from GitHub/GitLab, and runs in pre-commit
      🏭 At GitGuardian…
      What do we use? GitGuardian
      How do we use it?
      • In pre-commit hooks
      • In CI jobs
      • Connected to our GitLab, and Slack
      Any other info?
      • Saved us from 2 incidents in 2023
      • No incidents in 2024
  15. Bug bounty: Outsourcing your security testing
      ❔ What is it? Paying strangers for accurate security reports
      🛠 Examples of tools: HackerOne, BugCrowd, Yogosha
      💣 What risk does it mitigate? Vulnerabilities within live apps & APIs
      How does it work? Hunters submit reports, you evaluate them, and pay them when appropriate
      🏭 At GitGuardian…
      What do we use? YesWeHack
      How do we use it?
      • Private bug bounty program since 2022
      • All our APIs, and our CLI are in scope
      Any other info?
      • 120+ reports submitted
      • 39 resolved reports
        ◦ 0 reports with CVSS > 8
        ◦ 3 reports with CVSS between 7 & 8
        ◦ 36 reports with CVSS < 7
  16. Secret rotation: The best thing since sliced bread
      ❔ What is it? System that avoids static credentials
      🛠 Examples of tools: HashiCorp Vault, Confidant, Infisical
      💣 What risk does it mitigate? Secret leaks
      How does it work? Generates short-lived secrets on demand
      🏭 At GitGuardian…
      What do we use? HashiCorp Vault
      How do we use it?
      • Everywhere
        ◦ AWS creds
        ◦ DB creds
        ◦ SSH creds
        ◦ K8S creds
      Any other info?
      • Makes IAM much easier
      • Incident response becomes so much easier
  17. Base image hardening: If it doesn't spark joy, get rid of it
      ❔ What is it? Remove unnecessary packages and attack surface
      🛠 Examples of tools: Distroless, DockerSlim, Chisel
      💣 What risk does it mitigate? Vulnerabilities within the platform layer
      How does it work? Container images with the bare minimum packages necessary to run your apps
      🏭 At GitGuardian…
      What do we use? Chainguard
      How do we use it?
      • To build our app base images
      Any other info?
      • We now ship 0 Critical & High CVE releases
      • We monitor for this using daily Grype scans
        ◦ Results available on Grafana
  18. OWASP ASVS: A hidden gem
      ❔ What is it? Application Security Verification Standard by OWASP, available on GitHub
      232 control points in 14 chapters:
      • Validation, sanitization & encoding
      • Access control
      • Stored cryptography
      • Error handling and logging
      • API & Web services
      • etc.
      🏭 At GitGuardian…
      What did we do? Full ASVS audit of our apps
      Why did we do it?
      • Much more thorough than any pentest
      • Covers what automated tools cannot find
      Any other info?
      • Covers design, implementation and feature security
      • Takes a lot of time to complete
      • Worth every second
  19. GitGuardianʼs advice: Boost your APIʼs security quickly. Focus on high value items.
      🔎 Run an ASVS audit
      Some checks are specifically interesting for APIs (eg. IDOR, schema validation, etc.)
      ➔ Donʼt hire external help for this
      ➔ Youʼll find design issues, race conditions, broken rate limiting, broken authorisation etc.
      ➔ Fixing them will take a while, thatʼs ok
      🏭 Boost your CI security
      SCA, Secret Detection, SAST
      ➔ Introduce Security CI jobs to PR pipelines
      ➔ Allow failure, monitor failure rates, help engineers avoid them
      ➔ Make security checks blocking, then fix issues in the main branch
      🧪 Invest in security testing
      Deploy a DAST & a bug bounty program
      ➔ Feed the DAST your OpenAPI file, fix findings
      ➔ A bug bounty program will cost you time and money, but will increase security testing coverage significantly
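Slide 11 describes SCA as comparing a lockfile against a database of known vulnerable packages. The following Python block is an added example of that comparison (not ggshield's or GitGuardian's code): it reads the `packages` map of an npm package-lock.json and checks each pinned version against an advisory table; the lockfile, the advisory entries and the `ADV-EXAMPLE-*` ids are constructed placeholders, not real advisories.

```python
"""Toy software composition analysis over an npm package-lock.json (lockfileVersion 2/3).
Added example, not ggshield's code; lockfile and advisory data below are constructed."""
import json

# Constructed lockfile excerpt in the lockfileVersion 2/3 layout ("packages" keyed by path).
LOCKFILE = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/ua-parser-js": {"version": "0.7.29"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})

# Constructed advisory DB: an affected range is [introduced, fixed) in version order.
ADVISORIES = {
    "ua-parser-js": [{"id": "ADV-EXAMPLE-1", "introduced": "0.7.29", "fixed": "0.7.30"}],
    "left-pad":     [{"id": "ADV-EXAMPLE-2", "introduced": "0.0.0", "fixed": "1.2.0"}],
}


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("-")[0].split("."))


def affected(version: str, introduced: str, fixed: str) -> bool:
    """True when version lies in the half-open affected range [introduced, fixed)."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def scan_lockfile(lock_json: str) -> list[tuple[str, str, str]]:
    """Return (package, pinned version, advisory id) for every vulnerable dependency."""
    lock = json.loads(lock_json)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:                      # "" is the root project, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]   # handles nested node_modules paths
        version = meta.get("version")
        for adv in ADVISORIES.get(name, []):
            if version and affected(version, adv["introduced"], adv["fixed"]):
                findings.append((name, version, adv["id"]))
    return findings


if __name__ == "__main__":
    for name, version, adv_id in scan_lockfile(LOCKFILE):
        print(f"{name}@{version}: {adv_id}")
```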