Battle-tested code without the battle

Everyone knows that we need to harden our code before it goes into production, but very few actually test for security flaws in their delivery pipeline. We will show a basic continuous delivery pipeline that should be familiar to anyone who has worked with continuous integration, and then proceed to add steps to identify security issues in a typical web application stack.

Presented by @garethr and @wickett at Velocity 2014 in Santa Clara

Gareth Rushgrove

June 24, 2014
Transcript

  1. Velocity 2014
    BATTLE-TESTED CODE
    WITHOUT THE BATTLE
    SECURITY TESTING AND
    CONTINUOUS INTEGRATION
    James Wickett and Gareth Rushgrove

  2. #secure-pipeline @garethr // @wickett
    THE INTRODUCTION
    Chapter 1

  3. Goal: Equip you with the theory, examples
    and tools so that you can build a secure
    pipeline you can lovingly call your very own

  4. #SECURE-PIPELINE

  5. @garethr

  6. UK Government
    Digital Service

  7. (image only)

  8. (image only)

  9. @wickett

  10. (image only)

  11. THE THEORY
    Chapter 2

  12. WHY DOES THIS MATTER?

  13. YOU WANT TO DELIVER SECURE CODE

  14. EVERYONE ELSE WANTS TO…

  15. Just Ship It!

  16. SOFTWARE AS A SERVICE

  17. FRAGILE SOFTWARE AS A SERVICE

  18. VULNERABLE CODE IS EVERYWHERE

  19. White Hat Security: 2014 Website Security Statistics Report

  20. YOUR CHOICE OF PROGRAMMING
    LANGUAGE DOESN'T MATTER

  21. White Hat Security: 2014 Website Security Statistics Report

  22. PROBLEMS GET FIXED
    SLOWLY

  23. White Hat Security: 2014 Website Security Statistics Report

  24. HOW DID WE GET HERE?

  25. RATIO PROBLEM
    DEV / OPS / SECURITY
    100 / 10 / 1

  26. RATIO PROBLEM
    DEV / OPS / SECURITY
    100 / 10 / 1
    ORDER OF MAGNITUDE

  27. SECURITY TOOLS ARE RUN
    OUT-OF-BAND

  28. WHAT CAN WE DO?

  29. YOU SHOULD BE RUNNING SECURITY TESTS IN
    YOUR CONTINUOUS DELIVERY PIPELINE

  30. AND IT'S NOT THAT HARD TO DO

  31. PASSIVE SCANNING
    Static analysis
    Passive

  32. ACTIVE SCANNING
    Testing the running application
    Active

  33. INSECURE DEPENDENCIES
    Secure your supply chain
    Dependencies

  34. SOURCE CODE INTEGRITY
    Is that really your code?
    Integrity

  35. WHAT'S THE BENEFIT?

  36. CATCH EASY PROBLEMS
    QUICKLY

  37. FOCUS PENETRATION TESTING
    ON ATTACK SIMULATIONS OR
    OTHER HARD PROBLEMS

  38. RUGGED JOURNEY

  39. RUGGEDDEV.ORG

  40. QUALITY
    TRANSPARENCY
    VALUE CREATION
    CULTURE INFUSION

  41. USING TRAVIS
    Chapter 3

  42. LAB 0

  43. bit.ly/secure-pipeline-lab0

  44. YOU NEED:
    GITHUB ACCOUNT
    TRAVIS CI ACCOUNT

  45. FORK THE REPO

  46. (image only)

  47. (image only)

  48. (image only)

  49. LAB 0 REVIEW
    YOU SHOULD HAVE:
    A FORK OF THE REPO
    UNDERSTANDING OF TRAVIS.YML

  50. GAUNTLT
    Be mean to your code
    Active

  51. BUILT ON CUCUMBER

  52. GAUNTLT PRINCIPLES AND PHILOSOPHY
    Gauntlt comes with pre-canned steps that hook security testing tools
    Gauntlt does not install tools
    Gauntlt can be part of the CI/CD pipeline
    Be a good citizen of exit status and stdout/stderr
    MIT Open Source License

  53. (image only)

  54. GAUNTLT RESOURCES
    Google Group https://groups.google.com/d/forum/gauntlt
    Wiki https://github.com/gauntlt/gauntlt/wiki
    Twitter @gauntlt
    IRC #gauntlt on freenode
    Issue tracking http://github.com/gauntlt/gauntlt

  55. THE GAUNTLT BOOK
    [email protected]
    FREE!

  56. LAB 1

  57. bit.ly/secure-pipeline-lab1

  58. In Travis CI set the repo to 'ON'

  59. Add the Travis badge in README.md

  60. Add the Travis badge in README.md

  61. (image only)

  62. (image only)

  63. READ THE TRAVIS CONFIG!
    lab_1/.travis.yml

  64. (image only)

  65. (image only)

  66. READ THE RAKEFILE!
    rails-travis-example/Rakefile

  67. (image only)

  68. (image only)

  69. FINALLY, ATTACKS!

  70. (image only)

  71. NMAP

  72. ./test/attacks/assert-ports.attack

  73. ./test/attacks/assert-ports.attack

  74. ./test/attacks/assert-ports.attack

  75. HEARTBLEED AND SSLYZE

  76. ./test/attacks/ssl.attack

  77. ./test/attacks/ssl.attack

  78. ./test/attacks/ssl.attack

  79. Copy text from lab_1/.travis.yml
    and paste into the main .travis.yml

  80. LAB 1 REVIEW
    YOU SHOULD HAVE:
    TRAVIS CI SETUP WITH
    2 RUNNING ATTACKS

  81. (image only)

  82. http://localhost:3000

  83. alert('The Obligatory XSS Popup');

  84. alert('The Obligatory XSS Popup');

  85. arachni http://localhost:3000 \
      --plugin=autologin:url=http://localhost:3000/users/sign_in,params='user[email][email protected]&user[password]=testtest',check='Logout [email protected]' \
      -e /users/sign_out

  86. arachni http://localhost:3000 \
      --plugin=autologin:url=http://localhost:3000/users/sign_in,params='user[email][email protected]&user[password]=testtest',check='Logout \[email protected]' \
      -e /users/sign_out
    http://support.arachni-scanner.com/kb/general-use/logging-in-and-maintaining-a-valid-session

  87. WANT XSS PAYLOADS?
    beefproject.com

  88. LAB 2

  89. bit.ly/secure-pipeline-lab2

  90. READ THE TRAVIS CONFIG
    lab_2/.travis.yml

  91. ./velocity/lab_2/.travis.yml

  92. ./Gemfile

  93. ./velocity/lab_2/.travis.yml

  94. ./Rakefile

  95. ./test/attacks/xss.attack

  96. ./test/attacks/xss.attack

  97. Copy text from lab_2/.travis.yml
    and paste into the main .travis.yml

  98. LAB 2 REVIEW
    2-3 Travis CI Passing Builds

  99. LAB 3

  100. bit.ly/secure-pipeline-lab3

  101. ./velocity/lab_3/.travis.yml

  102. ./velocity/lab_3/.travis.yml

  103. ./Rakefile

  104. ./test/attacks/email_leakage.attack

  105. ./test/attacks/email_leakage.attack

  106. ./test/attacks/backdoors.attack

  107. ./test/attacks/sql_injection.attack

  108. ./test/attacks/sql_injection.attack

  109. ./test/attacks/sql_injection.attack

  110. Copy text from lab_3/.travis.yml and paste
    into the main .travis.yml

  111. LAB 3 REVIEW
    3 Travis CI Passing Builds

  112. CODE CLIMATE
    Passive

  113. (image only)

  114. USING JENKINS
    Chapter 4

  115. VIRTUAL MACHINES FOR THE WORKSHOP KINDLY PROVIDED BY

  116. EVERYONE GETS AN INSTANCE

  117. domains.secure-pipeline.com

  118. WHY JENKINS?

  119. POPULARITY AND FAMILIARITY

  120. ALL THE BASICS OUT OF THE BOX

  121. LIST JOBS

  122. (image only)

  123. SEE INDIVIDUAL TEST RUNS

  124. (image only)

  125. HIGHLY EXTENSIBLE

  126. GATHER METRICS

  127. Requires
    Sloccount

  128. CRAFT PIPELINES
    Jenkins Build Flow, a DSL for Jenkins pipelines

  129. build("first job")
    build("second job")

  130. build("download-and-test")
    parallel (
      { build("zapr") },
      { build("static-analysis") },
      { build("code-metrics") },
      { build("virus-scan") },
      { ignore(FAILURE) {
        build("bundler-audit")
      }}
    )
    ignore(FAILURE) {
      build("integration-test")
    }

  131. Requires
    Jenkins Build Graph

  132. CONFIGURATION AS CODE
    Jenkins Job Builder

  133. BECAUSE SHARING PRACTICES IS
    IMPORTANT

  134. Jenkins Job Builder
    From OpenStack
    Domain specific language for jobs
    Uses Jenkins API

  135. - job:
        name: download-and-test
        display-name: 'Download and unit test'
        builders:
          - shell: |
              export NOKOGIRI_USE_SYSTEM_LIBRARIES=true
              bundle install --path ../cache/vendor
              bundle exec rake db:setup
              bundle exec rake test
        scm:
          - git:
              url: https://github.com/OWASP/railsgoat.git
              branches:
                - master

  136. Easily automated
    Puppet module from Opentable

  137. SECURITY TESTING
    WITH JENKINS

  138. WE NEED AN APP TO TEST

  139. A vulnerable Rails application
    RailsGoat
    Designed for testing

  140. A vulnerable PHP application
    WackoPicko

  141. A vulnerable Node application
    NodeGoat
    You get the idea

  142. BRAKEMAN
    Static analysis
    Passive

  143. Requires
    Brakeman

  144. Get warnings of potential security vulnerabilities
    See new warnings as well as fixed ones

  145. Dig down into the line of code that triggered the warning

  146. BUNDLER AUDIT
    Finding insecure dependencies
    Dependencies

  147. Based on work by rubysec.com

  148. Would be nice to see a standard emerge here
    to make a nice plugin more likely

  149. Name: actionpack
    Version: 3.2.11
    Advisory: OSVDB-103440
    Criticality: Unknown
    URL: http://osvdb.org/show/osvdb/103440
    Title: Denial of Service Vulnerability in Action View when using render :text
    Solution: upgrade to >= 3.2.17

  150. Alternatives for other languages
    SafeNuGet
    OWASP Dependency Check
    NSP (Node.js)

  151. Also available in SaaS
    Gemnasium
    Supports Ruby, Node, Python, PHP
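The build flow on slide 130 wraps bundler-audit in ignore(FAILURE), so its findings never affect the build result. The added example below (not from the deck, not part of bundler-audit) parses the per-advisory text layout shown on slide 149 and turns it into an exit status the job can key on, with accepted advisories recorded against a written reason instead of being ignored wholesale; the second advisory and its identifiers are constructed placeholders.

```ruby
# Constructed sample in the layout bundler-audit prints; the second
# advisory (EXAMPLE-0001) is a placeholder made up for this example.
SAMPLE_AUDIT_OUTPUT = <<~OUT
  Name: actionpack
  Version: 3.2.11
  Advisory: OSVDB-103440
  Criticality: Unknown
  URL: http://osvdb.org/show/osvdb/103440
  Title: Denial of Service Vulnerability in Action View when using render :text
  Solution: upgrade to >= 3.2.17

  Name: example-gem
  Version: 1.0.0
  Advisory: EXAMPLE-0001
  Criticality: High
  URL: http://advisory.example/EXAMPLE-0001
  Title: Placeholder advisory constructed for this example
  Solution: upgrade to >= 1.0.1

  Vulnerabilities found!
OUT

# Ranking used for the threshold. Anything not listed ("Unknown" on the
# slide) ranks above everything, so an unrated advisory fails closed.
CRITICALITY_RANK = { "low" => 1, "medium" => 2, "high" => 3, "critical" => 4 }.freeze
UNRATED_RANK = CRITICALITY_RANK.values.max + 1

# Split the report on blank lines; each block becomes a hash of its
# "Key: value" pairs (split on the first colon only, so URLs survive).
# Trailing text such as "Vulnerabilities found!" has no Advisory key
# and is dropped.
def parse_bundler_audit(output)
  output.split(/\n{2,}/).map do |block|
    block.lines.each_with_object({}) do |line, adv|
      key, value = line.split(":", 2)
      adv[key.strip.downcase.to_sym] = value.strip if value
    end
  end.select { |adv| adv.key?(:advisory) }
end

def criticality_rank(adv)
  CRITICALITY_RANK.fetch(adv[:criticality].to_s.downcase, UNRATED_RANK)
end

# Advisories that must fail the build: at or above the threshold and not
# present in `accepted` (advisory id => written justification).
def failing_advisories(advisories, threshold: "medium", accepted: {})
  floor = CRITICALITY_RANK.fetch(threshold)
  advisories.reject { |adv| accepted.key?(adv[:advisory]) }
            .select { |adv| criticality_rank(adv) >= floor }
end

# 0 lets the CI job pass, 1 fails it; this is the exit status the Rakefile
# or Jenkins job would propagate.
def audit_exit_status(output, **opts)
  failing_advisories(parse_bundler_audit(output), **opts).empty? ? 0 : 1
end

if __FILE__ == $PROGRAM_NAME
  accepted = { "OSVDB-103440" => "render :text not used; tracked in ticket PLACEHOLDER-1" }
  failing_advisories(parse_bundler_audit(SAMPLE_AUDIT_OUTPUT), accepted: accepted).each do |adv|
    puts "FAIL #{adv[:advisory]} #{adv[:name]} #{adv[:version]} (#{adv[:criticality]}): #{adv[:solution]}"
  end
  puts "exit status: #{audit_exit_status(SAMPLE_AUDIT_OUTPUT, accepted: accepted)}"
end
```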

  152. CLAMAV
    Virus scanning
    Integrity

  153. Open source virus scanner

  154. clamscan dir-name

  155. test/test.exe: OK

    ----------- SCAN SUMMARY -----------
    Known viruses: 3419706
    Engine version: 0.98.1
    Scanned directories: 1
    Scanned files: 1
    Infected files: 0
    Data scanned: 0.00 MB
    Data read: 0.00 MB (ratio 0.00:1)
    Time: 10.247 sec (0 m 10 s)

  156. Requires
    ClamAV

  157. GIT SIGNING
    Integrity
    (not implemented in our example)

  158. Git supports GPG signing
    Sign every commit
    Squash commits
    Sign merge commits

  159. ZAPR
    Active security scanner
    Active

  160. OWASP ZAP
    Web interface
    HTTP proxy
    API

  161. Zapr
    Command line scanner based on ZAP

  162. zapr --summary http://example.com/

  163. Also provides JSON output

  164. +----------------------------------+--------+-----------------------------------------+
    | Alert                            | Risk   | URL                                     |
    +----------------------------------+--------+-----------------------------------------+
    | Cross Site Scripting (Reflected) | High   | http://localhost:3000/forgot_password   |
    +----------------------------------+--------+-----------------------------------------+
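Slide 130 runs zapr as a plain build step, so the job passes or fails only on zapr's own exit status. The added example below (not from the deck, not part of zapr) parses the summary table layout shown on slide 164 and fails the job at a risk level the team chooses, failing closed when the header changes or a risk string is unrecognised; the second table row is constructed for the example.

```ruby
# Constructed sample in the layout `zapr --summary` prints; the first
# row is the slide's finding, the second row is made up for this example.
SAMPLE_ZAPR_SUMMARY = <<~TABLE
  +----------------------------------+--------+---------------------------------------+
  | Alert                            | Risk   | URL                                   |
  +----------------------------------+--------+---------------------------------------+
  | Cross Site Scripting (Reflected) | High   | http://localhost:3000/forgot_password |
  | X-Frame-Options Header Not Set   | Medium | http://localhost:3000/                |
  +----------------------------------+--------+---------------------------------------+
TABLE

RISK_ORDER = %w[Informational Low Medium High].freeze
ZapAlert = Struct.new(:alert, :risk, :url)

# Keep only the "| ... |" rows, split them on the column separators and
# check the header, so a silently changed layout raises instead of
# yielding an empty (and therefore passing) alert list.
def parse_zapr_summary(text)
  rows = text.lines.map(&:strip).select { |l| l.start_with?("|") }
  cells = rows.map { |l| l.split("|").drop(1).map(&:strip) }
  header, *data = cells
  raise "unexpected zapr summary header: #{header.inspect}" unless header == %w[Alert Risk URL]
  data.map { |alert, risk, url| ZapAlert.new(alert, risk, url) }
end

# Unknown risk strings rank above High so they can never be waved through.
def risk_rank(risk)
  RISK_ORDER.index(risk) || RISK_ORDER.size
end

# Alerts whose risk is min_risk or higher.
def alerts_at_or_above(alerts, min_risk)
  floor = RISK_ORDER.index(min_risk) or raise ArgumentError, "unknown risk level #{min_risk}"
  alerts.select { |a| risk_rank(a.risk) >= floor }
end

# 0 passes the job, 1 fails it; the default gate is Medium and above.
def zapr_exit_status(text, min_risk: "Medium")
  alerts_at_or_above(parse_zapr_summary(text), min_risk).empty? ? 0 : 1
end

if __FILE__ == $PROGRAM_NAME
  alerts_at_or_above(parse_zapr_summary(SAMPLE_ZAPR_SUMMARY), "Medium").each do |a|
    puts "#{a.risk.ljust(6)} #{a.alert} at #{a.url}"
  end
  puts "exit status: #{zapr_exit_status(SAMPLE_ZAPR_SUMMARY)}"
end
```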

  165. BASIC SECURITY TESTING
    IS NOW EASY

  166. A working example
    github.com/secure-pipeline/node-travis-example
    Zapr testing NodeGoat

  167. Other scanners
    skipfish
    nikto
    w3af
    arachni
    github.com/garethr/pentesting-playground

  168. CONCLUSIONS
    Chapter 5

  169. BASIC SECURITY TESTING
    IS NOW EASY

  170. ADD ONE STEP TO YOUR
    CI PIPELINE TODAY

  171. GET INVOLVED AT
    github.com/secure-pipeline

  172. OFFICE HOURS
    WED, 11:30AM, TABLE 3

  173. ANY QUESTIONS?
    The End