
App Security is just a Git flow (with built-in conflicts)

This talk illustrates the pain points of traditional security assessments within modern development processes and how security can be provided directly at run-time, as a dedicated software component.


Jean-Baptiste Aviat

April 22, 2016

Transcript

  1. App Security is just a Git flow (with built-in conflicts). Dev and Sec trading lines: "Fix your ..." / "Let's attack!" / "???" / "We're screwed!" / "Come on..." / "No way..." / "Let's ship!" (Confidential & proprietary © Sqreen, 2015)
  2. Status: Security is out of CI. (sqreen.io)
  3. Approach: In-app runtime protection.
  4. SQL injection protection: database driver. "We make products antifragile." Debugger session with a breakpoint on the ActiveRecord SQLite3 adapter:

        (dbg) break ActiveRecord::ConnectionAdapters::SQLite3Adapter.exec_query
        Successfully created breakpoint with id 1
        (dbg) continue
        [283, 292] in …/active_record/connection_adapters/sqlite3_adapter.rb
           287:
        => 288:   def exec_query(sql, name = nil, binds = [])
           289:     type_casted_binds = binds.map { |col, val|
           290:       [col, type_cast(val, col)]
           291:     }
           292:
        (dbg) p sql
        sql = SELECT * FROM posts WHERE id=3
  5. XSS protection: template rendering. Debugger session with a breakpoint on the ActionView output buffer:

        (byebug) break ActionView::OutputBuffer.<<
        [6, 15] in actionview-4.2.3/lib/action_view/buffers.rb
        …
           10:   def <<(value)
        => 11:     return self if value.nil?
           12:     super(value.to_s)
           13:   end
           14:   alias :append= :<<
           15:
        (byebug) var local
        value = "my <script>alert()</script> title"
        (byebug) value.html_safe?
        true
  6. An application's dependencies (CVE-2015-1819, CVE-2015-7941, CVE-2015-7942, CVE-2015-8035). Listing the loaded gems from irb:

        irb(main):001:0> Gem.loaded_specs.map do |k, v|
                           puts "%20s\t%s\t%s " % [k, v.version, v.homepage]
                         end
                        rake    10.4.2
                        i18n    0.7.0    http://github.com/svenfuchs/i18n
                      tzinfo    1.2.2    http://tzinfo.github.io
               activesupport    4.2.3    http://www.rubyonrails.org
                      erubis    2.7.0    http://www.kuwata-lab.com/erubis/
                    nokogiri    1.6.6.2  http://nokogiri.org
                  actionview    4.2.3    http://www.rubyonrails.org
                     sqlite3    1.3.10   https://github.com/sparklemotion/…
                      execjs    2.6.0    https://github.com/rails/execjs
                      ...
  7. Detect attacks as they occur, so we can raise to block them.
  8. And that's only for SQL injection. Everything can be done inside the app.
  9. "Oh man, I f***ing hate security" - Kevin, Rails dev. Timeline of a traditional assessment (roles on the slide: Sec team, Dev, Ops; milestones: Assessment, v1, v2): "Let's begin the security assessment..." / "We keep on developing!" / "We found so many breaches!" / "We identified breaches in..." / "Can we punt the release?" / "The assessed product is too old!" / "No way!" / "Okay, let's ship like this..." / "Hey, where are the fixes?"
  10. Jean-Baptiste Aviat, CTO @SqreenIO (https://sqreen.io). Former hacker at Apple (Red Team). @JbAviat, jb@sqreen.io
  11. Every product should embed its own security logic.
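As an added example (not code from the talk or from Sqreen's product) of the in-app hook that slides 4, 7 and 8 describe: a module prepended onto a stand-in for the ActiveRecord adapter intercepts exec_query, checks whether any value from the current request has become part of the query's structure instead of staying a single literal, and raises to block the query. FakeAdapter, RuntimeSqlGuard and its params accessor are hypothetical stand-ins for the Rails adapter and the Rack request.

```ruby
class SqlInjectionDetected < StandardError; end
# Hypothetical stand-in for ActiveRecord::ConnectionAdapters::SQLite3Adapter.
class FakeAdapter
  def exec_query(sql, name = nil, binds = [])
    "executed: #{sql}"  # a real adapter would send the SQL to the database here
  end
end

module RuntimeSqlGuard
  # Per-request user input; a real hook would read it from the Rack env.
  class << self; attr_accessor :params; end

  # Tokens: quoted literals, -- comments, words/numbers, single symbols.
  TOKEN = /'(?:[^']|'')*'|"[^"]*"|--[^\n]*|\w+|[^\s\w]/

  # True when the request value, found in the SQL, spans more than one
  # token: a value that stays inside one literal or number is data, one
  # that covers several tokens has become query structure ("3 OR 1=1").
  # Only the first occurrence of the value in the SQL is examined.
  def self.injects_structure?(sql, value)
    return false if value.empty?
    start = sql.index(value)
    return false unless start
    stop = start + value.length
    overlapping = 0
    sql.scan(TOKEN) do
      t0, t1 = Regexp.last_match.offset(0)
      overlapping += 1 if t0 < stop && t1 > start
    end
    overlapping > 1
  end

  # The hook: prepended so it runs before the adapter's own exec_query,
  # and raises (as slide 7 puts it) to block the request.
  def exec_query(sql, name = nil, binds = [])
    (RuntimeSqlGuard.params || {}).each_value do |v|
      next unless RuntimeSqlGuard.injects_structure?(sql, v.to_s)
      raise SqlInjectionDetected, "request value #{v.inspect} alters the query"
    end
    super
  end

  # Runs one query under a given set of request parameters.
  def self.run_with_params(params, sql)
    self.params = params
    FakeAdapter.new.exec_query(sql)
  end
end
FakeAdapter.prepend(RuntimeSqlGuard)
```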