App Security is just a Git flow (with built-in conflicts)

Transcript

1. Confidential & proprietary © Sqreen, 2015 Dev Sec Fix your

   ... Let's attack! ??? We're screwed! Come on... No way... Let's ship! App Security is just a Git flow ( with built-in conflicts )

2. Confidential & proprietary © Sqreen, 2015 sqreen.io Status: Security is

   out of CI

3. Confidential & proprietary © Sqreen, 2015 sqreen.io Approach: In-app runtime

   protection

4. Confidential & proprietary © Sqreen, 2015 We make products antifragile.

   We make products antifragile. (dbg) break ActiveRecord::ConnectionAdapters::SQLite3Adapter.exec_query Successfully created breakpoint with id 1 (dbg) continue [283, 292] in …/active_record/connection_adapters/sqlite3_adapter.rb 287: => 288: def exec_query(sql, name = nil, binds = []) 289: type_casted_binds = binds.map { |col, val| 290: [col, type_cast(val, col)] 291: } 292: (dbg) p sql sql = SELECT * FROM posts WHERE id=3 SQL injection protection: database driver

5. Confidential & proprietary © Sqreen, 2015 We make products antifragile.

   We make products antifragile. (byebug) break ActionView::OutputBuffer.<< [6, 15] in actionview-4.2.3/lib/action_view/buffers.rb … 10: def <<(value) => 11: return self if value.nil? 12: super(value.to_s) 13: end 14: alias :append= :<< 15: (byebug) var local value = "my <script>alert()</script> title" (byebug) value.html_safe? true XSS protection: template rendering

6. Confidential & proprietary © Sqreen, 2015 We make products antifragile.

   We make products antifragile. irb(main):001:0> Gem.loaded_specs.map do |k, v| puts "%20s\t%s\t%s " % [k, v.version, v.homepage] end rake 10.4.2 i18n 0.7.0 http://github.com/svenfuchs/i18n tzinfo 1.2.2 http://tzinfo.github.io activesupport 4.2.3 http://www.rubyonrails.org erubis 2.7.0 http://www.kuwata-lab.com/erubis/ nokogiri 1.6.6.2 http://nokogiri.org actionview 4.2.3 http://www.rubyonrails.org sqlite3 1.3.10 https://github.com/sparklemotion/… execjs 2.6.0 https://github.com/rails/execjs ... An application dependencies CVE-2015-1819 CVE-2015-7941 CVE-2015-7942 CVE-2015-8035

7. Confidential & proprietary © Sqreen, 2015 sqreen.io Detect attacks as

   they occur raise So we can to block them

8. Confidential & proprietary © Sqreen, 2015 sqreen.io And that’s only

   for SQL injection Everything can be done inside the app

9. 9 Confidential & Proprietary © Sqreen 0a448b | Slide sqreen.io

   "Oh man, I f***ing hate security" - Kevin, Rails dev Ops Let's begin the security assessment... We keep on developing! We found so many breaches! We identified breaches in... Can we punt the release? The assessed product is too old! No way! Okay, let's ship like this... Assessment v1 v2 Hey, where are the fixes? Sec team Dev

10. © Sqreen sqreen.io Jean-Baptiste Aviat CTO @SqreenIO (https://sqreen.io) Former hacker

    at
 Apple (Red Team) @JbAviat [email protected]

11. Confidential & proprietary sqreen.io Every product should embed 
 its

    own security logic