App Security is just a Git flow (with built-in conflicts)

This talk illustrates the pain points of traditional security assessments within modern development processes and how security can be provided directly at run-time, as a dedicated software component.

Jean-Baptiste Aviat

April 22, 2016
Transcript

  1. Confidential & proprietary © Sqreen, 2015
    Dev
    Sec
    Fix your ...
    Let's attack!
    ???
    We're screwed!
    Come on... No way... Let's ship!
    App Security is just a Git flow (with built-in conflicts)

  2. Confidential & proprietary © Sqreen, 2015
    sqreen.io
    Status:
    Security is out of CI

  3. Confidential & proprietary © Sqreen, 2015
    sqreen.io
    Approach:
    In-app runtime protection

  4. Confidential & proprietary © Sqreen, 2015
    We make products antifragile.
    (dbg) break ActiveRecord::ConnectionAdapters::SQLite3Adapter.exec_query
    Successfully created breakpoint with id 1
    (dbg) continue
    [283, 292] in …/active_record/connection_adapters/sqlite3_adapter.rb
    287:
    => 288: def exec_query(sql, name = nil, binds = [])
    289: type_casted_binds = binds.map { |col, val|
    290: [col, type_cast(val, col)]
    291: }
    292:
    (dbg) p sql
    sql = SELECT * FROM posts WHERE id=3
    SQL injection protection:
    database driver

  5. Confidential & proprietary © Sqreen, 2015
    (byebug) break ActionView::OutputBuffer.<<
    [6, 15] in actionview-4.2.3/lib/action_view/buffers.rb

    10: def <<(value)
    => 11: return self if value.nil?
    12: super(value.to_s)
    13: end
    14: alias :append= :<<
    15:
    (byebug) var local
    value = "my alert() title"
    (byebug) value.html_safe?
    true
    XSS protection:
    template rendering

  6. Confidential & proprietary © Sqreen, 2015
    irb(main):001:0> Gem.loaded_specs.map do |k, v|
    puts "%20s\t%s\t%s " % [k, v.version, v.homepage]
    end
    rake 10.4.2
    i18n 0.7.0 http://github.com/svenfuchs/i18n
    tzinfo 1.2.2 http://tzinfo.github.io
    activesupport 4.2.3 http://www.rubyonrails.org
    erubis 2.7.0 http://www.kuwata-lab.com/erubis/
    nokogiri 1.6.6.2 http://nokogiri.org
    actionview 4.2.3 http://www.rubyonrails.org
    sqlite3 1.3.10 https://github.com/sparklemotion/…
    execjs 2.6.0 https://github.com/rails/execjs
    ...
    An application
    dependencies
    CVE-2015-1819
    CVE-2015-7941
    CVE-2015-7942
    CVE-2015-8035
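    The slide pairs the output of Gem.loaded_specs with four CVE ids but does not say which gem each one affects. The following is an added example (not the deck's or Sqreen's code) of the third check the slides describe: enumerating the gems an application has actually loaded and matching them against an advisory list, using RubyGems' own version comparison. The ADVISORIES table, its EXAMPLE-ADVISORY ids and the patched-version ranges are constructed placeholders for illustration, not real advisories; SAMPLE_APP is the gem list transcribed from the slide.

```ruby
# Added example, not from the deck: match loaded gems against advisories.
# Advisory ids and patched ranges below are constructed placeholders.
require 'rubygems'

ADVISORIES = [
  # A gem from the slide with a version below the (constructed) patched range.
  { gem: "nokogiri",             id: "EXAMPLE-ADVISORY-0001", patched: ">= 1.6.7" },
  # A gem from the slide whose version already satisfies the range: not reported.
  { gem: "rake",                 id: "EXAMPLE-ADVISORY-0002", patched: "~> 10.4.1" },
  # A gem the application does not load at all: skipped.
  { gem: "rails-html-sanitizer", id: "EXAMPLE-ADVISORY-0003", patched: ">= 1.0.3" },
].freeze

# Constructed sample: the gem names and versions shown on the slide.
SAMPLE_APP = {
  "rake"          => "10.4.2",
  "i18n"          => "0.7.0",
  "tzinfo"        => "1.2.2",
  "activesupport" => "4.2.3",
  "erubis"        => "2.7.0",
  "nokogiri"      => "1.6.6.2",
  "actionview"    => "4.2.3",
  "sqlite3"       => "1.3.10",
  "execjs"        => "2.6.0",
}.freeze

# Flatten Gem.loaded_specs (name => Gem::Specification) into name => version string,
# so the same matcher can run inside a live process or on a captured list.
def loaded_versions(specs = Gem.loaded_specs)
  specs.each_with_object({}) { |(name, spec), out| out[name] = spec.version.to_s }
end

# Returns one entry per (loaded gem, advisory) pair whose version is outside
# the advisory's patched range. Gem::Requirement handles "~>", ">=", "<" etc.
# and Gem::Version compares 1.6.6.2 < 1.6.7 correctly (string comparison would not).
def vulnerable_gems(loaded, advisories = ADVISORIES)
  advisories.each_with_object([]) do |adv, found|
    version = loaded[adv[:gem]]
    next unless version                                   # gem not loaded by this app
    patched = Gem::Requirement.new(*Array(adv[:patched]))
    next if patched.satisfied_by?(Gem::Version.new(version))
    found << { gem: adv[:gem], version: version, advisory: adv[:id] }
  end
end

if __FILE__ == $PROGRAM_NAME
  vulnerable_gems(SAMPLE_APP).each do |hit|
    puts "%-12s %-8s %s" % [hit[:gem], hit[:version], hit[:advisory]]
  end
end
```

    In a running application the call is vulnerable_gems(loaded_versions), which reports only gems the process really loaded rather than everything in the Gemfile.lock; that is the point of doing the check in-app.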

  7. Confidential & proprietary © Sqreen, 2015
    sqreen.io
    Detect attacks as they occur
    raise
    So we can block them
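    Slides 4 and 5 set debugger breakpoints on the two places an in-app agent would hook, the database adapter's exec_query and ActionView::OutputBuffer#<<, and this slide says the hook raises to block the request. The following is an added example, not the deck's or Sqreen's agent code, of that technique written as Ruby modules prepended onto the hooked classes. FakeAdapter, FakeOutputBuffer, HtmlSafeString and RequestContext are constructed stand-ins for the Rails classes so the code runs without Rails; the detection rule (a user-supplied value that appears verbatim in the SQL and contributes more than one SQL token changed the statement's structure) is one simple rule chosen for the example, not the product's.

```ruby
# Added example, not from the deck: runtime hooks that detect and block
# SQL injection at the database driver and XSS at template rendering.
class AttackDetected < StandardError; end

# Per-request store of user-controlled input. A real agent would fill this
# from the request parameters; here the demo functions set it directly.
module RequestContext
  def self.inputs=(values); @inputs = values; end
  def self.inputs; @inputs || []; end
end

# Minimal SQL tokenizer: quoted strings, numbers, identifiers, comments, punctuation.
SQL_TOKEN = /'(?:[^']|'')*'|\d+(?:\.\d+)?|[A-Za-z_][A-Za-z_0-9]*|--[^\n]*|\/\*.*?\*\/|\S/m
def sql_tokens(sql)
  sql.scan(SQL_TOKEN)
end

# A single value ("3", "alice") is one token. "3 OR 1=1" or "a' --" appearing
# verbatim in the query is several tokens: the input altered the statement.
# A properly escaped value ('O''Brien') no longer appears verbatim and passes.
def injected_input(sql, inputs)
  inputs.find do |value|
    value = value.to_s
    next false if value.empty? || !sql.include?(value)
    sql_tokens(value).size > 1
  end
end

# Hook 1: the same method the slide breaks on (exec_query), via Module#prepend.
module SqlInjectionGuard
  def exec_query(sql, name = nil, binds = [])
    if (hit = injected_input(sql, RequestContext.inputs))
      raise AttackDetected, "SQL injection: input #{hit.inspect} altered query structure"
    end
    super
  end
end

class FakeAdapter # stand-in for ActiveRecord::ConnectionAdapters::SQLite3Adapter
  def exec_query(sql, name = nil, binds = []); "executed: #{sql}"; end
  prepend SqlInjectionGuard
end

class HtmlSafeString < String # stand-in for ActiveSupport::SafeBuffer
  def html_safe?; true; end
end

# Rails skips escaping when html_safe? is true; flag user input carrying markup
# characters that reaches the buffer unescaped under that mark.
def injected_markup?(value)
  RequestContext.inputs.any? do |input|
    input = input.to_s
    input.match?(/[<>"']/) && value.include?(input)
  end
end

# Hook 2: the << method the slide breaks on (ActionView::OutputBuffer#<<).
module XssGuard
  def <<(value)
    if value.respond_to?(:html_safe?) && value.html_safe? && injected_markup?(value)
      raise AttackDetected, "XSS: unescaped user input reached the output buffer"
    end
    super
  end
end

class FakeOutputBuffer # stand-in for ActionView::OutputBuffer
  def initialize; @out = String.new; end
  def <<(value); @out << value.to_s; self; end
  def to_s; @out; end
  prepend XssGuard
end

# Demo helpers: return the result, or :blocked when the hook raised.
def run_query(sql, inputs)
  RequestContext.inputs = inputs
  FakeAdapter.new.exec_query(sql)
rescue AttackDetected
  :blocked
end

def render_fragment(value, inputs)
  RequestContext.inputs = inputs
  (FakeOutputBuffer.new << value).to_s
rescue AttackDetected
  :blocked
end
```

    Because the check runs at the driver and the buffer, it sees the final statement and the final markup regardless of which controller or template produced them; the cost is that the rule must know which strings came from the user, which is why the agent has to collect request input first.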

  8. Confidential & proprietary © Sqreen, 2015
    sqreen.io
    And that’s only for SQL injection
    Everything can be done inside the app

  9. Confidential & Proprietary © Sqreen
    sqreen.io
    "Oh man, I f***ing hate security" - Kevin, Rails dev
    Ops
    Let's begin the security assessment...
    We keep on developing!
    We found so many breaches!
    We identified breaches in...
    Can we punt the release?
    The assessed product is too old!
    No way!
    Okay, let's ship like this...
    Assessment
    v1 v2
    Hey, where are the fixes?
    Sec team
    Dev

  10. © Sqreen
    sqreen.io
    Jean-Baptiste Aviat
    CTO @SqreenIO (https://sqreen.io)
    Former hacker at Apple (Red Team)
    @JbAviat
    [email protected]

  11. Confidential & proprietary sqreen.io
    Every product should embed its own security logic
