Battle-tested code without the battle

Transcript

1. Velocity 2014 BATTLE-TESTED CODE WITHOUT THE BATTLE SECURITY TESTING AND

   CONTINUOUS INTEGRATION James Wickett and Gareth Rushgrove

2. #secure-pipeline @garethr // @wickett THE INTRODUCTION Chapter 1

3. #secure-pipeline @garethr // @wickett Goal: Equip you with the theory,

   examples and tools so that you can build a secure pipeline you can lovingly call your very own

4. #secure-pipeline @garethr // @wickett #SECURE-PIPELINE

5. #secure-pipeline @garethr // @wickett @garethr

6. #secure-pipeline @garethr // @wickett UK Government Digital Service

7. #secure-pipeline @garethr // @wickett

8. #secure-pipeline @garethr // @wickett

9. #secure-pipeline @garethr // @wickett @wickett

10. #secure-pipeline @garethr // @wickett

11. #secure-pipeline @garethr // @wickett THE THEORY Chapter 2

12. #secure-pipeline @garethr // @wickett WHY DOES THIS MATTER?

13. #secure-pipeline @garethr // @wickett YOU WANT TO DELIVER SECURE CODE

14. #secure-pipeline @garethr // @wickett EVERYONE ELSE WANTS TO…

15. #secure-pipeline @garethr // @wickett Just Ship It!

16. #secure-pipeline @garethr // @wickett SOFTWARE AS A SERVICE

17. #secure-pipeline @garethr // @wickett FRAGILE SOFTWARE AS A SERVICE

18. #secure-pipeline @garethr // @wickett VULNERABLE CODE IS EVERYWHERE

19. #secure-pipeline @garethr // @wickett White Hat Security: 2014 Website Security

    Statistics Report

20. #secure-pipeline @garethr // @wickett YOUR CHOICE OF PROGRAMMING LANGUAGE DOESN'T

    MATTER

21. #secure-pipeline @garethr // @wickett White Hat Security: 2014 Website Security

    Statistics Report

22. #secure-pipeline @garethr // @wickett PROBLEMS GETS FIXED SLOWLY

23. #secure-pipeline @garethr // @wickett White Hat Security: 2014 Website Security

    Statistics Report

24. #secure-pipeline @garethr // @wickett HOW DID WE GET HERE?

25. #secure-pipeline @garethr // @wickett RATIO PROBLEM DEV / OPS /

    SECURITY 100 / 10 / 1

26. #secure-pipeline @garethr // @wickett RATIO PROBLEM DEV / OPS /

    SECURITY 100 / 10 / 1 ORDER OF MAGNITUDE

27. #secure-pipeline @garethr // @wickett SECURITY TOOLS ARE RUN OUT-OF-BAND

28. #secure-pipeline @garethr // @wickett WHAT CAN WE DO?

29. #secure-pipeline @garethr // @wickett YOU SHOULD BE RUNNING SECURITY TESTS

    IN YOUR CONTINUOUS DELIVERY PIPELINE

30. #secure-pipeline @garethr // @wickett AND IT’S NOT THAT HARD TO

    DO

31. #secure-pipeline @garethr // @wickett PASSIVE SCANNING Static analysis Passive

32. #secure-pipeline @garethr // @wickett ACTIVE SCANNING Testing the running application

    Active

33. #secure-pipeline @garethr // @wickett INSECURE DEPENDENCIES Secure your supply chain

    Dependencies

34. #secure-pipeline @garethr // @wickett SOURCE CODE INTEGRITY Is that really

    your code? Integrity

35. #secure-pipeline @garethr // @wickett WHAT’S THE BENEFIT?

36. #secure-pipeline @garethr // @wickett CATCH EASY PROBLEMS QUICKLY

37. #secure-pipeline @garethr // @wickett FOCUS PENETRATION TESTING ON ATTACK SIMULATIONS

    OR OTHER HARD PROBLEMS

38. #secure-pipeline @garethr // @wickett RUGGED JOURNEY

39. #secure-pipeline @garethr // @wickett RUGGEDDEV.ORG

40. #secure-pipeline @garethr // @wickett QUALITY TRANSPARENCY VALUE CREATION CULTURE INFUSION

41. #secure-pipeline @garethr // @wickett USING TRAVIS Chapter 3

42. #secure-pipeline @garethr // @wickett LAB 0

43. #secure-pipeline @garethr // @wickett bit.ly/secure-pipeline-lab0

44. #secure-pipeline @garethr // @wickett YOU NEED: GITHUB ACCOUNT TRAVIS CI

    ACCOUNT

45. #secure-pipeline @garethr // @wickett FORK THE REPO

46. #secure-pipeline @garethr // @wickett

47. #secure-pipeline @garethr // @wickett

48. #secure-pipeline @garethr // @wickett

49. #secure-pipeline @garethr // @wickett LAB 0 REVIEW YOU SHOULD HAVE:

    A FORK OF THE REPO UNDERSTANDING OF TRAVIS.YML

50. #secure-pipeline @garethr // @wickett GAUNTLT Be mean to your code

    Active

51. #secure-pipeline @garethr // @wickett BUILT ON CUCUMBER

52. #secure-pipeline @garethr // @wickett GAUNTLT PRINCIPLES AND PHILOSOPHY Gauntlt comes

    with pre-canned steps that hook security testing tools Gauntlt does not install tools Gauntlt can be part of the CI/CD pipeline Be a good citizen of exit status and stdout/stderr MIT Open Source License

53. #secure-pipeline @garethr // @wickett

54. #secure-pipeline @garethr // @wickett GAUNTLT RESOURCES Google Group https://groups.google.com/d/forum/gauntlt Wiki

    https://github.com/gauntlt/gauntlt/wiki Twitter @gauntlt IRC #gauntlt on freenode Issue tracking http://github.com/gauntlt/gauntlt

55. #secure-pipeline @garethr // @wickett THE GAUNTLT BOOK [email protected] FREE!

56. #secure-pipeline @garethr // @wickett LAB 1

57. #secure-pipeline @garethr // @wickett bit.ly/secure-pipeline-lab1

58. #secure-pipeline @garethr // @wickett In Travis CI set the repo

    to ‘ON’

59. #secure-pipeline @garethr // @wickett Add the Travis badge in README.md

60. #secure-pipeline @garethr // @wickett Add the Travis badge in README.md

61. #secure-pipeline @garethr // @wickett

62. #secure-pipeline @garethr // @wickett

63. #secure-pipeline @garethr // @wickett READ THE TRAVIS CONFIG! lab_1/.travis.yml

64. #secure-pipeline @garethr // @wickett

65. #secure-pipeline @garethr // @wickett

66. #secure-pipeline @garethr // @wickett READ THE RAKEFILE! rails-travis-example/Rakefile

67. #secure-pipeline @garethr // @wickett

68. #secure-pipeline @garethr // @wickett

69. #secure-pipeline @garethr // @wickett FINALLY, ATTACKS!

70. #secure-pipeline @garethr // @wickett

71. #secure-pipeline @garethr // @wickett NMAP

72. #secure-pipeline @garethr // @wickett ./test/attacks/assert-ports.attack

73. #secure-pipeline @garethr // @wickett ./test/attacks/assert-ports.attack

74. #secure-pipeline @garethr // @wickett ./test/attacks/assert-ports.attack

75. #secure-pipeline @garethr // @wickett HEARTBLEED AND SSLYZE

76. #secure-pipeline @garethr // @wickett ./test/attacks/ssl.attack

77. #secure-pipeline @garethr // @wickett ./test/attacks/ssl.attack

78. #secure-pipeline @garethr // @wickett ./test/attacks/ssl.attack

79. #secure-pipeline @garethr // @wickett Copy text from lab_1/.travis.yml and paste

    into the main .travis.yml

80. #secure-pipeline @garethr // @wickett LAB 1 REVIEW YOU SHOULD HAVE:

    TRAVIS CI SETUP WITH 2 RUNNING ATTACKS

81. #secure-pipeline @garethr // @wickett

82. #secure-pipeline @garethr // @wickett http://localhost:3000

83. #secure-pipeline @garethr // @wickett <script>alert('The Obligatory XSS Popup');</script>

84. #secure-pipeline @garethr // @wickett <script>alert('The Obligatory XSS Popup');</script>

85. #secure-pipeline @garethr // @wickett arachni http://localhost:3000 \ --plugin=autologin:url=http://localhost:3000/users/ sign_in,params='user[email][email protected]&user[passwo rd]=testtest',check='Logout

    [email protected]' \ -e /users/sign_out

86. #secure-pipeline @garethr // @wickett arachni http://localhost:3000 \ --plugin=autologin:url=http://localhost:3000/users/ sign_in,params='user[email][email protected]&user[passwo rd]=testtest',check='Logout

    \[email protected]' \ -e /users/sign_out http://support.arachni-scanner.com/kb/general-use/logging-in-and-maintaining-a-valid-session

87. #secure-pipeline @garethr // @wickett WANT XSS PAYLOADS? ! beefproject.com

88. #secure-pipeline @garethr // @wickett LAB 2

89. #secure-pipeline @garethr // @wickett bit.ly/secure-pipeline-lab2

90. #secure-pipeline @garethr // @wickett READ THE TRAVIS CONFIG lab_2/.travis.yml

91. #secure-pipeline @garethr // @wickett ./velocity/lab_2/.travis.yml

92. #secure-pipeline @garethr // @wickett ./Gemfile

93. #secure-pipeline @garethr // @wickett ./velocity/lab_2/.travis.yml

94. #secure-pipeline @garethr // @wickett ./Rakefile

95. #secure-pipeline @garethr // @wickett ./test/attacks/xss.attack

96. #secure-pipeline @garethr // @wickett ./test/attacks/xss.attack

97. #secure-pipeline @garethr // @wickett Copy text from lab_2/.travis.yml and paste

    into the main .travis.yml

98. #secure-pipeline @garethr // @wickett LAB 2 REVIEW 2-3 Travis CI

    Passing Builds

99. #secure-pipeline @garethr // @wickett LAB 3

100. #secure-pipeline @garethr // @wickett bit.ly/secure-pipeline-lab3

101. #secure-pipeline @garethr // @wickett ./velocity/lab_3/.travis.yml

102. #secure-pipeline @garethr // @wickett ./velocity/lab_3/.travis.yml

103. #secure-pipeline @garethr // @wickett ./Rakefile

104. #secure-pipeline @garethr // @wickett ./test/attacks/email_leakage.attack

105. #secure-pipeline @garethr // @wickett ./test/attacks/email_leakage.attack

106. #secure-pipeline @garethr // @wickett ./test/attacks/backdoors.attack

107. #secure-pipeline @garethr // @wickett ./test/attacks/sql_injection.attack

108. #secure-pipeline @garethr // @wickett ./test/attacks/sql_injection.attack

109. #secure-pipeline @garethr // @wickett ./test/attacks/sql_injection.attack

110. #secure-pipeline @garethr // @wickett Copy text from lab_3/.travis.yml and paste

     into the main .travis.yml

111. #secure-pipeline @garethr // @wickett LAB 3 REVIEW 3 Travis CI

     Passing Builds

112. #secure-pipeline @garethr // @wickett CODE CLIMATE Passive

113. #secure-pipeline @garethr // @wickett

114. #secure-pipeline @garethr // @wickett USING JENKINS Chapter 4

115. #secure-pipeline @garethr // @wickett VIRTUAL MACHINES FOR THE WORKSHOP KINDLY

     PROVIDED BY

116. #secure-pipeline @garethr // @wickett EVERYONE GETS AN INSTANCE

117. #secure-pipeline @garethr // @wickett domains.secure-pipeline.com

118. #secure-pipeline @garethr // @wickett WHY JENKINS?

119. #secure-pipeline @garethr // @wickett POPULARITY AND FAMILIARITY

120. #secure-pipeline @garethr // @wickett ALL THE BASICS OUT OF THE

     BOX

121. #secure-pipeline @garethr // @wickett LIST JOBS

122. #secure-pipeline @garethr // @wickett

123. #secure-pipeline @garethr // @wickett SEE INDIVIDUAL TEST RUNS

124. #secure-pipeline @garethr // @wickett

125. #secure-pipeline @garethr // @wickett HIGHLY EXTENSIBLE

126. #secure-pipeline @garethr // @wickett GATHER METRICS

127. Requires Sloccount

128. #secure-pipeline @garethr // @wickett CRAFT PIPELINES Jenkins Build Flow, a

     DSL for Jenkins pipelines

129. #secure-pipeline @garethr // @wickett build(“first job") build(“second job") !

130. #secure-pipeline @garethr // @wickett build("download-and-test") parallel ( { build("zapr") },

     { build("static-analysis") }, { build("code-metrics") }, { build("virus-scan") }, { ignore(FAILURE) { build("bundler-audit") }} ) ignore(FAILURE) { build("integration-test") }

131. Requires Jenkins Build Graph

132. #secure-pipeline @garethr // @wickett CONFIGURATION AS CODE Jenkins Job Builder

133. #secure-pipeline @garethr // @wickett BECAUSE SHARING PRACTICES IS IMPORTANT

134. #secure-pipeline @garethr // @wickett Jenkins Job Builder From OpenStack Domain

     specific language for jobs Uses Jenkins API

135. #secure-pipeline @garethr // @wickett - job: name: download-and-test display-name: 'Download

     and unit test' builders: - shell: | export NOKOGIRI_USE_SYSTEM_LIBRARIES=true bundle install --path ../cache/vendor bundle exec rake db:setup bundle exec rake test ! scm: - git: url: https://github.com/OWASP/railsgoat.git branches: - master

136. #secure-pipeline @garethr // @wickett Easily automated Puppet module from Opentable

137. #secure-pipeline @garethr // @wickett SECURITY TESTING WITH JENKINS

138. #secure-pipeline @garethr // @wickett WE NEED AN APP TO TEST

139. #secure-pipeline @garethr // @wickett A vulnerable Rails application RailsGoat Designed

     for testing

140. #secure-pipeline @garethr // @wickett A vulnerable PHP application WackoPicko

141. #secure-pipeline @garethr // @wickett A vulnerable Node application NodeGoat You

     get the idea

142. #secure-pipeline @garethr // @wickett BRAKEMAN Static analysis Passive

143. #secure-pipeline @garethr // @wickett Brakeman Requires

144. #secure-pipeline @garethr // @wickett Get warnings of potential security vulnerabilities

     See new warnings as well as fixed ones

145. #secure-pipeline @garethr // @wickett Dig down into the line of

     code that triggered the warning

146. #secure-pipeline @garethr // @wickett BUNDLER AUDIT Finding insecure dependencies Dependecies

147. #secure-pipeline @garethr // @wickett Based on work by rubysec.com

148. #secure-pipeline @garethr // @wickett Would be nice to see a

     standard emerge here to make a nice plugin more likely

149. #secure-pipeline @garethr // @wickett Name: actionpack Version: 3.2.11 Advisory: OSVDB-103440

     Criticality: Unknown URL: http://osvdb.org/show/osvdb/103440 Title: Denial of Service Vulnerability in Action View when using render :text Solution: upgrade to >= 3.2.17

150. #secure-pipeline @garethr // @wickett Alternatives for other languages SafeNuGet OWASP

     Dependency Check NSP (Node.js)

151. #secure-pipeline @garethr // @wickett Also available in SaaS Gemnasium Supports

     Ruby, Node, Python, PHP

152. #secure-pipeline @garethr // @wickett CLAMAV Virus scanning Integrity

153. #secure-pipeline @garethr // @wickett Open source virus scanner

154. #secure-pipeline @garethr // @wickett clamscan dir-name

155. #secure-pipeline @garethr // @wickett test/test.exe: OK ! ----------- SCAN SUMMARY

     ----------- Known viruses: 3419706 Engine version: 0.98.1 Scanned directories: 1 Scanned files: 1 Infected files: 0 Data scanned: 0.00 MB Data read: 0.00 MB (ratio 0.00:1) Time: 10.247 sec (0 m 10 s)

156. #secure-pipeline @garethr // @wickett Requires ClamAV

157. #secure-pipeline @garethr // @wickett GIT SIGNING Integrity (not implemented in

     our example)

158. #secure-pipeline @garethr // @wickett Git supports GPG signing Sign every

     commit Squash commits Sign merge commits

159. #secure-pipeline @garethr // @wickett ZAPR Active security scanner Active

160. #secure-pipeline @garethr // @wickett OWASP ZAP Web interface HTTP proxy

     API

161. #secure-pipeline @garethr // @wickett Zapr Command line scanner based on

     ZAP

162. #secure-pipeline @garethr // @wickett zapr --summary http://example.com/

163. #secure-pipeline @garethr // @wickett Also provides JSON output

164. #secure-pipeline @garethr // @wickett +----------------------------------+--------+-----------------------------------------+ | Alert | Risk |

     URL | +----------------------------------+--------+-----------------------------------------+ | Cross Site Scripting (Reflected) | High | http://localhost:3000/forgot_password | +----------------------------------+--------+-----------------------------------------+

165. #secure-pipeline @garethr // @wickett BASIC SECURITY TESTING IS NOW EASY

166. #secure-pipeline @garethr // @wickett A working example github.com/secure-pipeline/node-travis-example Zapr testing

     NodeGoat

167. #secure-pipeline @garethr // @wickett Other scanners skipfish nikto w3af arachni

     github.com/garethr/pentesting-playground

168. #secure-pipeline @garethr // @wickett CONCLUSIONS Chapter 5

169. #secure-pipeline @garethr // @wickett BASIC SECURITY TESTING IS NOW EASY

170. #secure-pipeline @garethr // @wickett ADD ONE STEP TO YOUR CI

     PIPELINE TODAY

171. #secure-pipeline @garethr // @wickett GET INVOLVED AT github.com/secure-pipeline

172. #secure-pipeline @garethr // @wickett OFFICE HOURS WED, 11:30AM, TABLE 3

173. #secure-pipeline @garethr // @wickett ANY QUESTIONS? The End