Battle-tested code without the battle

Everyone knows that we need to harden our code before it goes into production, but very few actually test for security flaws in their delivery pipeline. We will show a basic continuous delivery pipeline that should be familiar to anyone who has worked with continuous integration, and then proceed to add steps to identify security issues in a typical web application stack.

Presented by @garethr and @wickett at Velocity 2014 in Santa Clara

Gareth Rushgrove

June 24, 2014
Transcript

  1. Velocity 2014 BATTLE-TESTED CODE WITHOUT THE BATTLE SECURITY TESTING AND CONTINUOUS INTEGRATION James Wickett and Gareth Rushgrove
  2. #secure-pipeline @garethr // @wickett THE INTRODUCTION Chapter 1
  3. Goal: Equip you with the theory, examples and tools so that you can build a secure pipeline you can lovingly call your very own
  4. #SECURE-PIPELINE
  5. @garethr
  6. UK Government Digital Service
  7. (no text on slide)
  8. (no text on slide)
  9. @wickett
  10. (no text on slide)
  11. THE THEORY Chapter 2
  12. WHY DOES THIS MATTER?
  13. YOU WANT TO DELIVER SECURE CODE
  14. EVERYONE ELSE WANTS TO…
  15. Just Ship It!
  16. SOFTWARE AS A SERVICE
  17. FRAGILE SOFTWARE AS A SERVICE
  18. VULNERABLE CODE IS EVERYWHERE
  19. White Hat Security: 2014 Website Security Statistics Report
  20. YOUR CHOICE OF PROGRAMMING LANGUAGE DOESN'T MATTER
  21. White Hat Security: 2014 Website Security Statistics Report
  22. PROBLEMS GET FIXED SLOWLY
  23. White Hat Security: 2014 Website Security Statistics Report
  24. HOW DID WE GET HERE?
  25. RATIO PROBLEM DEV / OPS / SECURITY 100 / 10 / 1
  26. RATIO PROBLEM DEV / OPS / SECURITY 100 / 10 / 1 ORDER OF MAGNITUDE
  27. SECURITY TOOLS ARE RUN OUT-OF-BAND
  28. WHAT CAN WE DO?
  29. YOU SHOULD BE RUNNING SECURITY TESTS IN YOUR CONTINUOUS DELIVERY PIPELINE
  30. AND IT’S NOT THAT HARD TO DO
  31. PASSIVE SCANNING Static analysis Passive
  32. ACTIVE SCANNING Testing the running application Active
  33. INSECURE DEPENDENCIES Secure your supply chain Dependencies
  34. SOURCE CODE INTEGRITY Is that really your code? Integrity
  35. WHAT’S THE BENEFIT?
  36. CATCH EASY PROBLEMS QUICKLY
  37. FOCUS PENETRATION TESTING ON ATTACK SIMULATIONS OR OTHER HARD PROBLEMS
  38. RUGGED JOURNEY
  39. RUGGEDDEV.ORG
  40. QUALITY TRANSPARENCY VALUE CREATION CULTURE INFUSION
  41. USING TRAVIS Chapter 3
  42. LAB 0
  43. bit.ly/secure-pipeline-lab0
  44. YOU NEED: GITHUB ACCOUNT TRAVIS CI ACCOUNT
  45. FORK THE REPO
  46. (no text on slide)
  47. (no text on slide)
  48. (no text on slide)
  49. LAB 0 REVIEW YOU SHOULD HAVE: A FORK OF THE REPO UNDERSTANDING OF TRAVIS.YML
  50. GAUNTLT Be mean to your code Active
  51. BUILT ON CUCUMBER
  52. GAUNTLT PRINCIPLES AND PHILOSOPHY
    Gauntlt comes with pre-canned steps that hook security testing tools
    Gauntlt does not install tools
    Gauntlt can be part of the CI/CD pipeline
    Be a good citizen of exit status and stdout/stderr
    MIT Open Source License
  53. (no text on slide)
  54. GAUNTLT RESOURCES
    Google Group https://groups.google.com/d/forum/gauntlt
    Wiki https://github.com/gauntlt/gauntlt/wiki
    Twitter @gauntlt
    IRC #gauntlt on freenode
    Issue tracking http://github.com/gauntlt/gauntlt
  55. THE GAUNTLT BOOK book@gauntlt.org FREE!
  56. LAB 1
  57. bit.ly/secure-pipeline-lab1
  58. In Travis CI set the repo to ‘ON’
  59. Add the Travis badge in README.md
  60. Add the Travis badge in README.md
  61. (no text on slide)
  62. (no text on slide)
  63. READ THE TRAVIS CONFIG! lab_1/.travis.yml
  64. (no text on slide)
  65. (no text on slide)
  66. READ THE RAKEFILE! rails-travis-example/Rakefile
  67. (no text on slide)
  68. (no text on slide)
  69. FINALLY, ATTACKS!
  70. (no text on slide)
  71. NMAP
  72. ./test/attacks/assert-ports.attack
  73. ./test/attacks/assert-ports.attack
  74. ./test/attacks/assert-ports.attack
  75. HEARTBLEED AND SSLYZE
  76. ./test/attacks/ssl.attack
  77. ./test/attacks/ssl.attack
  78. ./test/attacks/ssl.attack
  79. Copy text from lab_1/.travis.yml and paste into the main .travis.yml
  80. LAB 1 REVIEW YOU SHOULD HAVE: TRAVIS CI SETUP WITH 2 RUNNING ATTACKS
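Lab 1's assert-ports attack wraps nmap in a Gauntlt step and fails the build when the exposed ports are not what you expect. The Ruby script below is an added example, not the workshop repository's attack file or Gauntlt's own step code: it does the same check stand-alone over nmap's grepable output (`nmap -oG -`) and follows the Gauntlt principle from slide 52 of being a good citizen of exit status. The scan output embedded in it is constructed for the example; the allow-list of ports is an assumption for a Rails app on port 3000 plus SSH.

```ruby
# Added example (not from the workshop repo): a Gauntlt-style port assertion as a
# stand-alone Ruby gate over `nmap -oG -` (grepable) output. It fails unless the set of
# open TCP ports is exactly the allow-list: an unexpected open port is new attack surface,
# a missing expected port means the service under test never came up.
require 'set'

# Constructed sample of grepable nmap output (one "Ports:" line per host).
SAMPLE_NMAP_GREPABLE = <<~NMAP
  # Nmap 6.40 scan initiated as: nmap -oG - -p 22,80,3000,8080 127.0.0.1
  Host: 127.0.0.1 ()\tStatus: Up
  Host: 127.0.0.1 ()\tPorts: 22/open/tcp//ssh///, 80/filtered/tcp//http///, 3000/open/tcp//ppp///, 8080/open/tcp//http-proxy///\tIgnored State: closed (996)
  # Nmap done -- 1 IP address (1 host up) scanned in 0.05 seconds
NMAP

# Returns the Set of open TCP ports found in grepable output.
# Grepable fields are tab-separated; each port entry is port/state/proto//service///.
def open_tcp_ports(grepable)
  ports = Set.new
  grepable.each_line do |line|
    next unless line.include?("\tPorts: ")
    field = line.split("\t").find { |f| f.start_with?('Ports: ') }
    field.delete_prefix('Ports: ').split(', ').each do |entry|
      port, state, proto = entry.split('/')
      ports << Integer(port) if state == 'open' && proto == 'tcp'
    end
  end
  ports
end

# Compares observed open ports to the allow-list and returns a verdict hash,
# so the caller can print the reasons and pick the exit status.
def assert_ports(grepable, allowed)
  observed = open_tcp_ports(grepable)
  allowed = allowed.to_set
  {
    pass: observed == allowed,
    unexpected_open: (observed - allowed).to_a.sort,  # exposed but not on the allow-list
    expected_missing: (allowed - observed).to_a.sort, # on the allow-list but not listening
  }
end

def report(verdict)
  lines = verdict[:unexpected_open].map { |p| "FAIL: unexpected open port #{p}/tcp" }
  lines += verdict[:expected_missing].map { |p| "FAIL: expected port #{p}/tcp is not open" }
  lines << (verdict[:pass] ? 'PASS: open ports match the allow-list' : 'FAIL: port assertion')
  lines.join("\n")
end

if $PROGRAM_NAME == __FILE__
  if ARGV.empty?
    # Demo on the constructed sample (8080 is open but not allowed, so this reports FAIL).
    puts report(assert_ports(SAMPLE_NMAP_GREPABLE, [22, 3000]))
  else
    # Usage: ruby assert_ports.rb scan.gnmap 22 3000
    verdict = assert_ports(File.read(ARGV[0]), ARGV.drop(1).map { |p| Integer(p) })
    puts report(verdict)
    exit(verdict[:pass] ? 0 : 1)  # non-zero exit is what makes Travis mark the build red
  end
end
```

Run it as the last step of the Travis job after the scan has written its grepable output; because the comparison is equality rather than "contains", a port that quietly appears in a later build is caught rather than tolerated.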
  81. (no text on slide)
  82. http://localhost:3000
  83. <script>alert('The Obligatory XSS Popup');</script>
  84. <script>alert('The Obligatory XSS Popup');</script>
  85. arachni http://localhost:3000 \
      --plugin=autologin:url=http://localhost:3000/users/sign_in,params='user[email]=test@test.com&user[password]=testtest',check='Logout test@test.com' \
      -e /users/sign_out
  86. arachni http://localhost:3000 \
      --plugin=autologin:url=http://localhost:3000/users/sign_in,params='user[email]=test@test.com&user[password]=testtest',check='Logout test@test.com' \
      -e /users/sign_out
    http://support.arachni-scanner.com/kb/general-use/logging-in-and-maintaining-a-valid-session
  87. WANT XSS PAYLOADS? beefproject.com
  88. LAB 2
  89. bit.ly/secure-pipeline-lab2
  90. READ THE TRAVIS CONFIG lab_2/.travis.yml
  91. ./velocity/lab_2/.travis.yml
  92. ./Gemfile
  93. ./velocity/lab_2/.travis.yml
  94. ./Rakefile
  95. ./test/attacks/xss.attack
  96. ./test/attacks/xss.attack
  97. Copy text from lab_2/.travis.yml and paste into the main .travis.yml
  98. LAB 2 REVIEW 2-3 Travis CI Passing Builds
  99. LAB 3
  100. bit.ly/secure-pipeline-lab3
  101. ./velocity/lab_3/.travis.yml
  102. ./velocity/lab_3/.travis.yml
  103. ./Rakefile
  104. ./test/attacks/email_leakage.attack
  105. ./test/attacks/email_leakage.attack
  106. ./test/attacks/backdoors.attack
  107. ./test/attacks/sql_injection.attack
  108. ./test/attacks/sql_injection.attack
  109. ./test/attacks/sql_injection.attack
  110. Copy text from lab_3/.travis.yml and paste into the main .travis.yml
  111. LAB 3 REVIEW 3 Travis CI Passing Builds
  112. CODE CLIMATE Passive
  113. (no text on slide)
  114. USING JENKINS Chapter 4
  115. VIRTUAL MACHINES FOR THE WORKSHOP KINDLY PROVIDED BY
  116. EVERYONE GETS AN INSTANCE
  117. domains.secure-pipeline.com
  118. WHY JENKINS?
  119. POPULARITY AND FAMILIARITY
  120. ALL THE BASICS OUT OF THE BOX
  121. LIST JOBS
  122. (no text on slide)
  123. SEE INDIVIDUAL TEST RUNS
  124. (no text on slide)
  125. HIGHLY EXTENSIBLE
  126. GATHER METRICS
  127. Requires Sloccount
  128. CRAFT PIPELINES Jenkins Build Flow, a DSL for Jenkins pipelines
  129. build("first job")
    build("second job")
  130. build("download-and-test")
    parallel (
      { build("zapr") },
      { build("static-analysis") },
      { build("code-metrics") },
      { build("virus-scan") },
      { ignore(FAILURE) { build("bundler-audit") } }
    )
    ignore(FAILURE) { build("integration-test") }
  131. Requires Jenkins Build Graph
  132. CONFIGURATION AS CODE Jenkins Job Builder
  133. BECAUSE SHARING PRACTICES IS IMPORTANT
  134. Jenkins Job Builder
    From OpenStack
    Domain specific language for jobs
    Uses Jenkins API
  135. - job:
        name: download-and-test
        display-name: 'Download and unit test'
        builders:
          - shell: |
              export NOKOGIRI_USE_SYSTEM_LIBRARIES=true
              bundle install --path ../cache/vendor
              bundle exec rake db:setup
              bundle exec rake test
        scm:
          - git:
              url: https://github.com/OWASP/railsgoat.git
              branches:
                - master
  136. Easily automated Puppet module from Opentable
  137. SECURITY TESTING WITH JENKINS
  138. WE NEED AN APP TO TEST
  139. A vulnerable Rails application RailsGoat Designed for testing
  140. A vulnerable PHP application WackoPicko
  141. A vulnerable Node application NodeGoat You get the idea
  142. BRAKEMAN Static analysis Passive
  143. Requires Brakeman
  144. Get warnings of potential security vulnerabilities
    See new warnings as well as fixed ones
  145. Dig down into the line of code that triggered the warning
  146. BUNDLER AUDIT Finding insecure dependencies Dependencies
  147. Based on work by rubysec.com
  148. Would be nice to see a standard emerge here to make a nice plugin more likely
  149. Name: actionpack
    Version: 3.2.11
    Advisory: OSVDB-103440
    Criticality: Unknown
    URL: http://osvdb.org/show/osvdb/103440
    Title: Denial of Service Vulnerability in Action View when using render :text
    Solution: upgrade to >= 3.2.17
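Slide 148 notes there is no standard output format for dependency checkers, and slide 149 shows the plain-text advisory blocks bundler-audit prints. The Ruby script below is an added example, not part of the workshop repository or of bundler-audit itself: it parses that block format into a policy decision for the Jenkins job, treating a "Criticality: Unknown" advisory as a failure rather than a free pass, and letting a reviewed list of accepted advisory IDs unblock a build without hiding the finding. The report text is constructed for the example (the actionpack block is the one from the slide; the second advisory and the insecure-source report are placeholders).

```ruby
# Added example (not from the workshop repo or bundler-audit): a policy gate over the
# text output of `bundle-audit check`, in the block format shown on slide 149.

# Constructed report: the first block is the slide's example, the second is a placeholder
# low-severity advisory used to show the advisory-only path.
SAMPLE_BUNDLER_AUDIT = <<~REPORT
  Name: actionpack
  Version: 3.2.11
  Advisory: OSVDB-103440
  Criticality: Unknown
  URL: http://osvdb.org/show/osvdb/103440
  Title: Denial of Service Vulnerability in Action View when using render :text
  Solution: upgrade to >= 3.2.17

  Name: examplegem
  Version: 0.1.0
  Advisory: PLACEHOLDER-0001
  Criticality: Low
  URL: http://example.invalid/placeholder-advisory
  Title: Constructed low-severity example advisory
  Solution: upgrade to >= 0.1.1

  Vulnerabilities found!
REPORT

# Constructed report for a Gemfile that pulls gems over plain HTTP.
SAMPLE_INSECURE_SOURCE = <<~REPORT
  Insecure Source URI found: http://rubygems.org/

  Vulnerabilities found!
REPORT

# Criticality values that block the build. Unknown is included on purpose: an advisory
# nobody has rated yet is not evidence that it is harmless.
FAILING_CRITICALITIES = %w[High Medium Unknown].freeze

# Parses "Key: value" blocks separated by blank lines into an array of hashes.
def parse_advisories(report)
  report.split(/\n\s*\n/).map do |block|
    next unless block.lstrip.start_with?('Name:')
    block.each_line.with_object({}) do |line, adv|
      key, value = line.split(': ', 2)
      adv[key.strip.downcase.to_sym] = value.to_s.strip if value
    end
  end.compact
end

# Gem sources fetched without TLS (a supply-chain problem independent of any advisory).
def insecure_sources(report)
  report.scan(/^Insecure Source URI found: (\S+)/).flatten
end

# Returns the build verdict. accepted_advisories is a reviewed list of advisory IDs that
# are allowed to pass for now; they are still reported, just not blocking.
def audit_policy(report, accepted_advisories: [])
  advisories = parse_advisories(report)
  describe = ->(a) { "#{a[:name]} #{a[:version]} (#{a[:advisory]}, #{a[:criticality]}): #{a[:solution]}" }
  blocking, advisory_only = advisories.partition do |a|
    next false if accepted_advisories.include?(a[:advisory])
    a[:criticality].nil? || FAILING_CRITICALITIES.include?(a[:criticality])
  end
  sources = insecure_sources(report)
  {
    pass: blocking.empty? && sources.empty?,
    total: advisories.size,
    failing: blocking.map(&describe),
    advisory_only: advisory_only.map(&describe),
    insecure_sources: sources,
  }
end

if $PROGRAM_NAME == __FILE__
  # Usage: bundle-audit check | ruby audit_policy.rb   (reads stdin when piped)
  input = $stdin.tty? ? SAMPLE_BUNDLER_AUDIT : $stdin.read
  verdict = audit_policy(input)
  verdict[:failing].each { |l| puts "FAIL: #{l}" }
  verdict[:advisory_only].each { |l| puts "WARN: #{l}" }
  verdict[:insecure_sources].each { |s| puts "FAIL: gem source without TLS: #{s}" }
  puts(verdict[:pass] ? 'PASS' : 'FAIL')
  exit(verdict[:pass] ? 0 : 1) unless $stdin.tty?
end
```

In the Build Flow on slide 130 the bundler-audit job is wrapped in ignore(FAILURE); a gate like this is how you decide which advisories that job is allowed to ignore, so that the exemption is an explicit list in the repository rather than a blanket one on the whole step.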
  150. Alternatives for other languages SafeNuGet OWASP Dependency Check NSP (Node.js)
  151. Also available in SaaS Gemnasium Supports Ruby, Node, Python, PHP
  152. CLAMAV Virus scanning Integrity
  153. Open source virus scanner
  154. clamscan dir-name
  155. test/test.exe: OK

    ----------- SCAN SUMMARY -----------
    Known viruses: 3419706
    Engine version: 0.98.1
    Scanned directories: 1
    Scanned files: 1
    Infected files: 0
    Data scanned: 0.00 MB
    Data read: 0.00 MB (ratio 0.00:1)
    Time: 10.247 sec (0 m 10 s)
  156. Requires ClamAV
  157. GIT SIGNING Integrity (not implemented in our example)
  158. Git supports GPG signing
    Sign every commit
    Squash commits
    Sign merge commits
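Slides 157 and 158 list GPG signing as the integrity control the workshop did not get to implement. The Ruby script below is an added example of what that pipeline step would check, not code from the workshop repository: it reads the per-commit signature status git reports with `git log --format='%H %G? %GK'` and fails unless every commit in the range has a good signature from a key on the project's trusted list. A "good" signature alone is not enough, which is why the script rejects status U (good signature, untrusted key) and also rejects a G whose key ID is not on the list. The log lines and key IDs are constructed placeholders.

```ruby
# Added example (not from the workshop repo): verify that every commit in a range carries
# a good GPG signature from an allow-listed key. Input is the output of
#   git log --format='%H %G? %GK' <base>..<head>
# %G? is git's one-letter signature status, %GK the signing key ID.

# Placeholder key IDs for the example; a real project would keep these in the repo.
TRUSTED_KEYS = %w[0123456789ABCDEF FEDCBA9876543210].freeze

# Constructed log: one trusted good signature, one good signature from an unknown key,
# one unsigned commit, one good signature gpg does not trust.
SAMPLE_GIT_LOG = <<~LOG
  1111111111111111111111111111111111111111 G 0123456789ABCDEF
  2222222222222222222222222222222222222222 G DEADBEEFDEADBEEF
  3333333333333333333333333333333333333333 N
  4444444444444444444444444444444444444444 U FEDCBA9876543210
LOG

# Meaning of git's %G? status codes.
STATUS_MEANING = {
  'G' => 'good signature',
  'B' => 'bad signature',
  'U' => 'good signature, key not trusted by gpg',
  'X' => 'good signature that has expired',
  'Y' => 'good signature made by an expired key',
  'R' => 'good signature made by a revoked key',
  'E' => 'signature cannot be checked (missing key)',
  'N' => 'no signature',
}.freeze

# The command whose output this script consumes. Assumption: git with %G?/%GK support
# and a gpg keyring on the build node that holds the trusted public keys.
def git_log_command(range)
  ['git', 'log', '--format=%H %G? %GK', range]
end

# Returns { pass:, failures: [...] }. Only status G with an allow-listed key passes.
def verify_commit_signatures(log_lines, trusted_keys)
  failures = []
  log_lines.each_line do |line|
    sha, status, key = line.split
    next if sha.nil? # blank line
    if status != 'G'
      failures << "#{sha[0, 12]}: #{STATUS_MEANING.fetch(status, 'unknown status')}"
    elsif !trusted_keys.include?(key)
      failures << "#{sha[0, 12]}: good signature, but key #{key} is not on the trusted list"
    end
  end
  { pass: failures.empty?, failures: failures }
end

# Runs git for a real range (e.g. 'origin/master..HEAD') and returns the verdict.
def verify_range(range, trusted_keys = TRUSTED_KEYS)
  output = IO.popen(git_log_command(range), &:read)
  verify_commit_signatures(output, trusted_keys)
end

if $PROGRAM_NAME == __FILE__
  if ARGV.empty?
    # Demo on the constructed sample; three of the four commits are rejected.
    verify_commit_signatures(SAMPLE_GIT_LOG, TRUSTED_KEYS)[:failures].each { |f| puts "FAIL: #{f}" }
  else
    verdict = verify_range(ARGV[0])
    verdict[:failures].each { |f| puts "FAIL: #{f}" }
    puts(verdict[:pass] ? 'PASS: all commits signed by trusted keys' : 'FAIL: signature check')
    exit(verdict[:pass] ? 0 : 1)
  end
end
```

Because the check is per commit, it pairs with the "squash commits" and "sign merge commits" advice on slide 158: squashing keeps the number of signatures a contributor has to produce small, and signing merges means the commit that actually lands on master is the one whose signature the pipeline verifies.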
  159. ZAPR Active security scanner Active
  160. OWASP ZAP Web interface HTTP proxy API
  161. Zapr Command line scanner based on ZAP
  162. zapr --summary http://example.com/
  163. Also provides JSON output
  164. +----------------------------------+--------+-----------------------------------------+
    | Alert                            | Risk   | URL                                     |
    +----------------------------------+--------+-----------------------------------------+
    | Cross Site Scripting (Reflected) | High   | http://localhost:3000/forgot_password   |
    +----------------------------------+--------+-----------------------------------------+
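Slide 163 points out that zapr also emits JSON, and slide 144 makes the case for Brakeman that a CI view should show new warnings and fixed ones rather than a flat total. The Ruby script below is an added example, not zapr's, ZAP's or the workshop repository's code: it takes two JSON alert lists (a reviewed baseline and the current scan), reports which alerts are new and which were fixed, and fails the build only when a new alert reaches the configured risk level. zapr's actual JSON key names are not shown on the slide, so the alert/risk/url layout used here is an assumption modelled on the summary table; both alert lists are constructed.

```ruby
# Added example (not from zapr, ZAP or the workshop repo): diff a scanner's current JSON
# alerts against a reviewed baseline and block the build only on new alerts at or above a
# risk threshold, so known findings are tracked without failing every build forever.
require 'json'
require 'uri'

# Constructed baseline from a previous reviewed run. Field names are an assumption
# based on the columns of the zapr summary table (alert, risk, url).
BASELINE_JSON = <<~JSON
  [
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "url": "http://localhost:3000/forgot_password"},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "url": "http://localhost:3000/"}
  ]
JSON

# Constructed current run: the XSS is still there, the header issue is fixed, and a new
# high-risk alert appeared on a different page.
CURRENT_JSON = <<~JSON
  [
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "url": "http://localhost:3000/forgot_password?token=abc"},
    {"alert": "SQL Injection", "risk": "High", "url": "http://localhost:3000/login"}
  ]
JSON

RISK_ORDER = { 'Informational' => 0, 'Low' => 1, 'Medium' => 2, 'High' => 3 }.freeze

# Identity of an alert for diffing: the alert name plus the URL path. Query strings are
# dropped so that a varying token does not make the same finding look new on every run.
def alert_key(alert)
  [alert['alert'], URI(alert['url']).path]
end

def index_alerts(json)
  JSON.parse(json).map { |a| [alert_key(a), a] }.to_h
end

# Returns { pass:, new:, fixed:, blocking: }. fail_at is the lowest risk that blocks.
def diff_alerts(baseline_json, current_json, fail_at: 'Medium')
  baseline = index_alerts(baseline_json)
  current  = index_alerts(current_json)
  new_alerts = (current.keys - baseline.keys).map { |k| current[k] }
  fixed      = (baseline.keys - current.keys).map { |k| baseline[k] }
  threshold  = RISK_ORDER.fetch(fail_at)
  blocking   = new_alerts.select { |a| RISK_ORDER.fetch(a['risk'], 0) >= threshold }
  { pass: blocking.empty?, new: new_alerts, fixed: fixed, blocking: blocking }
end

def describe(alert)
  "#{alert['risk'].ljust(6)} #{alert['alert']} at #{alert['url']}"
end

if $PROGRAM_NAME == __FILE__
  # Usage: ruby zapr_diff.rb baseline.json current.json   (no args: constructed demo)
  baseline = ARGV[0] ? File.read(ARGV[0]) : BASELINE_JSON
  current  = ARGV[1] ? File.read(ARGV[1]) : CURRENT_JSON
  verdict = diff_alerts(baseline, current)
  verdict[:fixed].each { |a| puts "FIXED: #{describe(a)}" }
  verdict[:new].each   { |a| puts "NEW:   #{describe(a)}" }
  puts(verdict[:pass] ? 'PASS: no new alerts at or above threshold' : 'FAIL: new alerts')
  exit(verdict[:pass] ? 0 : 1) unless ARGV.empty?
end
```

The baseline is a reviewed artifact checked into the repository, not a way to silence the scanner: the alerts in it still print on every run, and updating it is a code change someone has to approve.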
  165. BASIC SECURITY TESTING IS NOW EASY
  166. A working example github.com/secure-pipeline/node-travis-example Zapr testing NodeGoat
  167. Other scanners skipfish nikto w3af arachni github.com/garethr/pentesting-playground
  168. CONCLUSIONS Chapter 5
  169. BASIC SECURITY TESTING IS NOW EASY
  170. ADD ONE STEP TO YOUR CI PIPELINE TODAY
  171. GET INVOLVED AT github.com/secure-pipeline
  172. OFFICE HOURS WED, 11:30AM, TABLE 3
  173. ANY QUESTIONS? The End