
Shifting Application Security Left


(Central Ohio InfoSec Summit version)
Many people agree that the best way to avoid security problems in an application is to design security into the architecture from the beginning instead of doing black-box testing after development is finished. But what does that actually look like in a real-world application development lifecycle? Checklists like the OWASP Top 10 do not tell architects how to best work with infosec professionals or singlehandedly build an application on a secure foundation. Where should a developer even begin? How do you design security into applications based on next week's JavaScript framework, for which no "best practices" exist? The Information Security Practice Principles, developed by Indiana University’s Center for Applied Cybersecurity Research, provide both a foundation for application security independent of specific technology decisions and a means for establishing a common language between designers and defenders. We will work through an example of how to apply the principles to build a threat model and an application design, and what this looks like in an "agile" software development lifecycle. Security teams can be an enabler for good design, not just a gateway to block mistakes!

Craig Stuntz

May 14, 2018


Transcript

  1. SHIFTING APPLICATION SECURITY LEFT
    Craig Stuntz ∈ Improving

  2. SHIFTING APPLICATION SECURITY LEFT
    Craig Stuntz ∈ Improving
    https://speakerdeck.com/craigstuntz

  3. 2012

  4. 2017

  5. 2017

  6. 2018

  7. PREVIEW
    • What does application security mean?
    • Developer checklists don’t work
    • Threat modeling & security from first principles
    • Security as a first-class part of the software design & development lifecycle

  8. – Hippocratic Oath (1964 Louis Lasagna version)
    “I will remember that I do not treat a fever chart, a cancerous growth, but a sick human being, whose illness may affect the person’s family and economic stability.”

  9. (image only)

  10. 1. ummm… blockchain?
    2. ???
    3. profit!

  11. http://www.independent.co.uk/travel/news-and-advice/air-safety-2017-best-year-safest-airline-passengers-worldwide-to70-civil-aviation-review-a8130796.html

  12. WHAT WOULD SOFTWARE DEVELOPMENT LOOK LIKE IF HUMAN SAFETY WAS ALWAYS THE FIRST CONSIDERATION?
    https://www.flickr.com/photos/wocintechchat/25900776992/

  13. – ACM Code of Ethics and Professional Conduct (proposed)
    “A computing professional should contribute to society and to human well-being, acknowledging that all people are stakeholders in computing.”

  14. – Allison Miller
    “I don't think humans are the problem, the problem is that humans are the target.”
    https://www.scmagazineuk.com/news-feature-google-security-interview-human-solutions--the-way-to-go/article/701976/

  15. WHAT IS SECURITY, REALLY?
    https://commons.wikimedia.org/wiki/File:Airport_Frankfurt_-_Fraport_-_Flughafen_Frankfurt_-_barbed_wire_and_fence_-_Stacheldraht_und_Zaun_-_05.jpg
    https://www.flickr.com/photos/captkodak/37054929956/

  16. DOMAIN SPECIFIC QA

  17. Behavior

  18. Behavior
    Specification

  19. Behavior
    Specification

  20. Behavior
    Specification

  21. Behavior
    Specification

  22. Behavior
    Specification

  23. QA: DOES THE SOFTWARE DO WHAT IT SHOULD?

  24. SECURITY: DOES IT ALSO DO ANYTHING ELSE?

  25. Do We Even Know What the Software Is Supposed to Do?

  26. “In order to write secure applications, developers must
    • Take OWASP Top 10 training
    • Use Veracode
    • Have application pentested
    • Use two factor authentication on source control and hosts
    • Use off-the-shelf crypto libraries
    • Monitor production
    • Use memory-safe languages
    • Do code review
    • HTTPS everywhere!

  27. BUILD A RECIPE, NOT A GROCERY STORE

  28. LEARN YOUR DOMAIN
    https://commons.wikimedia.org/wiki/File:Domain,_Atrium_(Hong_Kong).jpg

  29. – Matt Tait
    “The underlying problem is folks think in terms of ‘secure’ versus ‘insecure.’ But in reality, it's ‘in/secure vs. X threat in Y threat model.’”
    https://twitter.com/pwnallthethings/status/922009773352120320

  30. https://www.pbs.org/newshour/science/amazon-recalls-potentially-hazardous-solar-eclipse-glasses

  31. https://twitter.com/slatestarcodex/status/944739157988974592

  32. https://twitter.com/slatestarcodex/status/944739157988974592

  33. iTunes Money Laundering
    https://www.thedailybeast.com/want-to-launder-bitcoins-how-crooks-are-hacking-itunes-and-getting-paid-by-apple

  34. “I’m just a toaster. Nobody will ever try to hack me!”

  35. – Sen. Richard Burr
    “You commented yesterday that your company’s goal is bringing people together. In this case, people were brought together to foment conflict, and Facebook enabled that event to happen.”
    https://www.texastribune.org/2017/11/01/russian-facebook-page-organized-protest-texas-different-russian-page-l/

  36. QA!
    Security!

  37. FOUNDATIONS
    Safer Applications and Infrastructure, built on:
    Secure Design
    Secure Lifecycle
    Empowered Developers
    Threat Model
    Security Fundamentals
    Human Safety Priority
    Domain Knowledge

  38. Define
    Design
    Develop
    QA
    Security
    Deploy

  39. NIST 800-64
    Security Considerations in the System Development Life Cycle (2008)
    http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-64r2.pdf

  40. CISCO SECURE DEVELOPMENT LIFECYCLE
    https://www.cisco.com/c/dam/en_us/about/doing_business/trust-center/docs/building-trustworthy-systems-with-CSDL.pdf

  41. MICROSOFT SDLC
    http://www.microsoft.com/en-us/SDL

  42. OWASP SDLC
    DRAFT
    https://www.owasp.org/index.php/OWASP_Secure_Software_Development_Lifecycle_Project

  43. (image only)

  44. https://twitter.com/petecheslock/status/595617204273618944?lang=en

  45. GREAT IDEAS… ON THE RIGHT

  46. GREAT IDEAS… ON THE RIGHT
    • Bug Bounties
    • Canaries
    • Full Packet Capture
    • Fuzzing
    • Asset Identification
    • Attack Simulation

  47. SLACK SLC
    https://www.youtube.com/watch?v=eBwluaTaenI

  48. SLACK SLC
    https://github.com/slackhq/goSDL

  49. SECURITY IN AN AGILE PROCESS
    https://www.scrum.org/resources/scrum-framework-poster

  50. SECURITY IN AN AGILE PROCESS
    https://www.scrum.org/resources/scrum-framework-poster
    • Fundamental Principles
    • Threat Model
    • Automated Analysis
    • Manual Review

  51. THREAT MODELING

  52. SIX DEGREES
    Who is affected by the software you create?
    https://www.flickr.com/photos/wocintechchat/25388897014/

  53. Users
    https://www.flickr.com/photos/wocintechchat/25703122741/

  54. Customers
    https://www.flickr.com/photos/wocintechchat/25703122741/
    https://www.flickr.com/photos/wocintechchat/25926791491/

  55. Your Team
    https://www.flickr.com/photos/wocintechchat/25167741264/

  56. Stakeholders
    https://www.flickr.com/photos/wocintechchat/25388889234/

  57. Partners
    https://www.flickr.com/photos/wocintechchat/25388854424/

  58. Your Community

  59. WHAT DO YOU HAVE?

  60. Infrastructure
    • Servers
    • Software
    • Clients
    • Gateways
    • Third Parties

  61. Data
    • Databases
    • Metadata
    • Logs
    • Credentials
    • Files on client machines

  62. Trust Boundaries
    • Implicit
    • Explicit

  63. WHAT COULD GO WRONG?

  64. DOMAIN-SPECIFIC RISKS

  65. Take Care of People First
    https://www.flickr.com/photos/wocintechchat/25926827581/

  66. Learn from History
    https://commons.wikimedia.org/wiki/File:Maginot_line_1.jpg

  67. Existential Threats
    http://money.cnn.com/2012/08/09/technology/knight-expensive-computer-bug/index.html

  68. Regulatory

  69. BACK TO BASICS

  70. COMPREHENSIVITY
    Security from First Principles
    Am I covering all of my bases?
    Craig Jackson, Scott Russell, and Susan Sons
    https://upload.wikimedia.org/wikipedia/commons/7/72/Agoncillo_-_W%C3%BCrth_Rioja%2C_Museo_30_-_Christo.JPG

  71. OPPORTUNITY
    Security from First Principles
    Am I taking advantage of my environment?
    Craig Jackson, Scott Russell, and Susan Sons
    https://commons.wikimedia.org/wiki/File:Amazing_Bhutan_Monastery.jpg

  72. RIGOR
    Security from First Principles
    What is correct behavior, and how am I ensuring it?
    Craig Jackson, Scott Russell, and Susan Sons
    https://commons.wikimedia.org/wiki/File:Turnstile_state_machine_colored.svg

  73. MINIMIZATION
    Security from First Principles
    Can this be a smaller target?
    Craig Jackson, Scott Russell, and Susan Sons

  74. COMPARTMENTALIZATION
    Security from First Principles
    Is this made of distinct parts with limited interactions?
    Craig Jackson, Scott Russell, and Susan Sons
    https://en.wikipedia.org/wiki/Bulkhead_(partition)#/media/File:Compartments_and_watertight_subdivision_of_a_ship%27s_hull_(Seaman%27s_Pocket-Book,_1943).jpg

  75. FAULT TOLERANCE
    Security from First Principles
    What happens if this fails?
    Craig Jackson, Scott Russell, and Susan Sons
    https://commons.wikimedia.org/wiki/File:A_U.S._Soldier,_right,_looks_on_as_a_U.S._Army_Garrison_Ansbach_Junior_ROTC_cadet_negotiates_a_high_rope_obstacle_6.jpg

  76. PROPORTIONALITY
    Security from First Principles
    Is this worth it?
    Craig Jackson, Scott Russell, and Susan Sons
    https://twitter.com/jwgoerlich/status/939268098699550720?s=09

  77. THE BASIC PRINCIPLES IN ACTION

  78. BUSINESS PROBLEM
    • A hotel chain needs to capture credit card numbers for potential incidental charges when the cardholder will not be present at check in
    • Example: A parent wants to authorize incidental charges for a traveling school sports team member
    • Current process is a paper form. Company would like to automate

  79. NAÏVE SOLUTION
    “Type a quote here.”

  80. NAÏVE SOLUTION, REVISITED
    Comprehensivity
    “Type a quote here.”

  81. NAÏVE SOLUTION, RE-REVISITED
    Comprehensivity
    “Type a quote here.”

  82. NAÏVE SOLUTION, RE-REVISITED
    Comprehensivity
    “Type a quote here.”

  83. NAÏVE SOLUTION, RE-REVISITED
    Comprehensivity
    “Type a quote here.”

  84. NAÏVE SOLUTION, RE-RE-REVISITED
    Comprehensivity
    “Type a quote here.”

  85. DESIGNED INTO PROCESS
    Comprehensivity
    https://jeremylong.github.io/DependencyCheck/

  86. TRAINING
    Comprehensivity
    https://twitter.com/chrisrohlf/status/925846092184477698

  87. OPPORTUNITY

  88. OPPORTUNITY

  89. OPPORTUNITY

  90. OPPORTUNITY

  91. OPPORTUNITY

  92. PATCH ALL OF THE THINGS
    Opportunity
    “Type a quote here.”

  93. RIGOR

  94. STATIC ANALYSIS
    Rigor
    “The most important thing I have done as a programmer in recent years is to aggressively pursue static code analysis. Even more valuable than the hundreds of serious bugs I have prevented with it is the change in mindset about the way I view software reliability and code quality.”
    – John Carmack
    https://www.gamasutra.com/view/news/128836/InDepth_Static_Code_Analysis.php

  95. (image only)

  96. MINIMIZE ATTACK SURFACE (and everything else)
    https://www.owasp.org/index.php/Attack_Surface_Analysis_Cheat_Sheet

  97. STORE LESS
    Minimization
    “Limit cardholder data storage and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in your data retention policy. Purge unnecessary stored data at least quarterly.”
    PCI-DSS § 3.1
    https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_1.pdf
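    The "store less" principle applied to the hotel incidental-charge form, as an added example that is not part of the deck. The design it assumes is mine, not the talk's: the application record keeps only an opaque reference token and the last four digits, the full card number lives in a separate vault entry with an explicit retention deadline, and a scheduled purge removes anything past that deadline (the "at least quarterly" purge from PCI-DSS § 3.1). The card number in the usage section is the standard Visa test number, and the vault is an in-memory stand-in for a tokenization service.

```python
"""Data minimization for the incidental-charge authorization form (added
example, not the talk's own code). Timestamps are Unix seconds so the purge
schedule can be exercised deterministically."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# PCI-DSS 3.1: purge data no longer needed at least quarterly (assumed 90-day window).
QUARTER_SECONDS = 90 * 24 * 60 * 60


def luhn_valid(pan: str) -> bool:
    """Reject malformed card numbers before anything is stored at all."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for position, char in enumerate(reversed(pan)):
        digit = int(char)
        if position % 2 == 1:          # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


@dataclass
class AuthorizationRecord:
    """What the hotel application itself stores: no PAN, no expiry date, no CVV."""
    token: str
    last4: str
    retain_until: int


@dataclass
class _VaultEntry:
    pan: str
    retain_until: int


class CardVault:
    """Stand-in for a tokenization service; holds PANs only until retain_until."""

    def __init__(self, retention_seconds: int = QUARTER_SECONDS):
        self.retention_seconds = retention_seconds
        self._entries: Dict[str, _VaultEntry] = {}

    def store(self, pan: str, now: int) -> AuthorizationRecord:
        """Validate, vault the PAN, and hand the application a record with no card data."""
        if not luhn_valid(pan):
            raise ValueError("card number failed validation")
        token = secrets.token_urlsafe(16)            # random; derives nothing from the PAN
        retain_until = now + self.retention_seconds
        self._entries[token] = _VaultEntry(pan, retain_until)
        return AuthorizationRecord(token=token, last4=pan[-4:], retain_until=retain_until)

    def lookup(self, token: str, now: int) -> Optional[str]:
        """Return the PAN for a live token; expired entries are unreadable even before purge."""
        entry = self._entries.get(token)
        if entry is None or entry.retain_until <= now:
            return None
        return entry.pan

    def purge(self, now: int) -> int:
        """Delete every entry past its retention deadline; returns how many were removed."""
        expired = [t for t, e in self._entries.items() if e.retain_until <= now]
        for token in expired:
            del self._entries[token]
        return len(expired)

    def stored_count(self) -> int:
        return len(self._entries)


if __name__ == "__main__":
    # Constructed walk-through: check-in day, then the quarterly purge job 90 days later.
    vault = CardVault()
    record = vault.store("4111111111111111", now=1_526_256_000)
    print("application stores:", record)
    print("purged at +30 days:", vault.purge(1_526_256_000 + 30 * 86400))
    print("purged at +90 days:", vault.purge(1_526_256_000 + QUARTER_SECONDS))
```

    The point of separating AuthorizationRecord from the vault is that a breach of the application database (the likeliest one) exposes tokens and last-four digits only, and the vault's own retention clock means a forgotten purge job still does not turn into indefinite storage of card numbers.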

  98. COMPARTMENTALIZE IT!

  99. DOUBLE EDGED SWORD
    Compartmentalization
    “Your perimeter is not the boundary of your network, it’s the boundary of your telemetry.”
    – The Grugq
    http://grugq.github.io/presentations/comae-blackhat-year-of-the-worm.pdf

  100. LEAST PRIVILEGE
    Compartmentalization
    EncryptionServiceIAMRole:
      Type: "AWS::IAM::Role"
      Properties:
        Path: "/"
        ManagedPolicyArns:
          - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Sid: "AllowLambdaServiceToAssumeRole"
              Effect: "Allow"
              Action:
                - "sts:AssumeRole"
              Principal:
                Service:
                  - "lambda.amazonaws.com"

  101. COMPARTMENTALIZE IT!
    • Networks
    • Public ingress (CloudFront), WAF rules
    • Private ingress (Jump server)
    • Roles for public, hotel staff, site admin, developer, ops
    • Restrict data by property
    • Archive old data to encrypted cold storage
    • Use key management (KMS, HSM, etc.) for secrets
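    A least-privilege check for the role on slide 100 and the per-role compartmentalization on slide 101, as an added example that is not the deck's code. It reads IAM policy documents in the same JSON shape the CloudFormation role embeds and flags Allow statements wider than a single Lambda function should need, plus trust policies that let more than the expected service assume the role. The lint rules and the sample policies are constructed for illustration; the KMS key ARN is a placeholder, and the expectation that only lambda.amazonaws.com may assume the role is taken from the slide's AssumeRolePolicyDocument.

```python
"""Least-privilege lint for IAM policy documents (added example, not the talk's
own code). Run it in CI against the policies a template attaches to each role."""
from typing import Any, Dict, List

# Assumed: the only principal that should assume the encryption service role is
# the Lambda service, as in the slide's AssumeRolePolicyDocument.
EXPECTED_SERVICE_PRINCIPALS = ("lambda.amazonaws.com",)


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy: Dict[str, Any]) -> List[str]:
    """One finding per Allow statement that grants more than least privilege."""
    findings: List[str] = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{index}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions:
            findings.append(f"{sid}: allows every action ('*')")
        else:
            service_wildcards = [a for a in actions if a.endswith(":*")]
            if service_wildcards:
                findings.append(f"{sid}: allows every action on a service {service_wildcards}")
        if "*" in resources:
            findings.append(f"{sid}: applies to every resource ('*')")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource widens silently as new APIs appear")
    return findings


def find_trust_policy_issues(trust_policy: Dict[str, Any],
                             expected_services=EXPECTED_SERVICE_PRINCIPALS) -> List[str]:
    """Check who may assume the role: only the expected service principal(s)."""
    findings: List[str] = []
    for index, stmt in enumerate(_as_list(trust_policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{index}]")
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append(f"{sid}: anyone may assume this role")
            continue
        principal = principal or {}
        if "*" in _as_list(principal.get("AWS")):
            findings.append(f"{sid}: any AWS account may assume this role")
        for service in _as_list(principal.get("Service")):
            if service not in expected_services:
                findings.append(f"{sid}: unexpected service principal {service}")
    return findings


# Constructed sample: the slide's trust policy, as the JSON CloudFormation emits.
SLIDE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowLambdaServiceToAssumeRole", "Effect": "Allow",
                   "Action": ["sts:AssumeRole"],
                   "Principal": {"Service": ["lambda.amazonaws.com"]}}],
}
# Constructed sample: a trust policy that lets any AWS account assume the role.
OPEN_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"}}],
}
# Constructed sample: the "just give it admin" permissions policy.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Everything", "Effect": "Allow", "Action": "*", "Resource": "*"}],
}
# Constructed sample: only the two KMS calls an encryption service needs, on one key.
# The key ARN is a placeholder, not a real key.
TIGHT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "UseOneKey", "Effect": "Allow",
                   "Action": ["kms:Encrypt", "kms:Decrypt"],
                   "Resource": "arn:aws:kms:REGION:ACCOUNT-ID:key/PLACEHOLDER-KEY-ID"}],
}

if __name__ == "__main__":
    for name, policy in [("broad", BROAD_POLICY), ("tight", TIGHT_POLICY)]:
        print(name, find_overbroad_statements(policy) or "ok")
    for name, trust in [("slide", SLIDE_TRUST_POLICY), ("open", OPEN_TRUST_POLICY)]:
        print(name, find_trust_policy_issues(trust) or "ok")
```

    The same check generalises to the role-per-audience split on slide 101: run it over the public, hotel-staff, site-admin, developer and ops role policies with a different expected principal list for each, and fail the build when a role gains a wildcard it did not have before.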

  102. FAULT TOLERANCE
    https://github.com/Xyl2k/TSA-Travel-Sentry-master-keys

  103. FAULT TOLERANCE
    • User safety
      • Stop the exfiltration
      • Assess the scope
      • Proactively prevent further damage to users
      • Listen
    • Technical
      • Engage DF/IR professionals to assess how it happened and how to prevent
      • Design system for secure storage and rotation of secrets

  104. PROPORTIONALITY

  105. LATHER, RINSE, REPEAT
    • Plan on enumerating the first principles at least twice in initial app design
    • Enumerate again in sprint planning for each sprint
    • Following first principles does not mean “big design upfront”

  106. CONTINUOUS SECURITY
    Initially
    • Human safety review
    • Review principles at least twice
    • Begin threat modeling
    • Security controls in CI
    Periodically
    • Pentest
    • Regulatory review
    • Incident response plan
    Continuously
    • Use principles in backlog grooming
    • Update threat model
    • Usability testing
    • Static/dynamic analysis
    • Training
    • Patch All of the Things

  107. FURTHER READING
    • The Information Security Practice Principles, Center for Applied Cybersecurity Research, Indiana University
    • Threat Modeling: Designing for Security, by Adam Shostack

  108. CREDITS
    • Some stock photography from wocintechchat.com, CC-BY 2.0
    • Creative Commons photography credited on each slide

  109. CONTACT
    [email protected]
    @craigstuntz
    http://paperswelove.org/chapter/columbus/
    https://speakerdeck.com/craigstuntz