- The end of perimeter (only) security
- From infrastructure to applications
- The rise of the black box application
- Pushing security concerns to the app
Gareth Rushgrove
“For much of network security, firewalls were the panacea. Got a security problem? Throw more firewall at it.”
James Wickett, Signal Sciences

“We do not rely on internal network segmentation or firewalling as our primary security mechanisms.”
Google Infrastructure Security Design Overview
(without introducing more risk)
From something like syslog:
```
Dec  6 23:17:01 logstash CRON[5849]: (root) CMD (cd / && run-parts --report /etc/cron.hourly)
```
- Most containers have OS user space
- Most containers have lots of unmanaged packages at unspecified versions
- Some containers are not immutable
- Some containers will have vulnerabilities

“These code packages are like little pieces of infrastructure embedded inside your application. Application dependencies are similar to the oft-exploited server dependencies.”
Guy Podjarny, Snyk
BDD Security: testing for SQL injection vulnerabilities in the CI pipeline
```gherkin
Scenario: The application should not contain SQL injection vulnerabilities
  Meta: @id scan_sql_injection @cwe-89
  Given a scanner with all policies disabled
  And the SQL-Injection policy is enabled
  And the attack strength is set to High
  And the alert threshold is set to Low
  When the scanner is run
  And the XML report is written to the file sql_injection.xml
  Then no Medium or higher risk vulnerabilities should be present
```
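The last step of that scenario is a build gate: the scanner writes an XML report and the pipeline fails if anything at Medium risk or above is present. The following is an added example (not from the talk or from the BDD-Security project) of such a gate in Python. The report it parses is a constructed, hand-written document loosely modelled on the OWASP ZAP XML layout, where riskcode 0 to 3 means Informational, Low, Medium, High; the element names and the threshold default are assumptions for the example.

```python
"""Gate a CI build on a DAST scanner's XML report (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample report: one Medium SQL-injection alert and one Low alert.
# Element names follow ZAP's report loosely; this is not a real scan result.
SAMPLE_REPORT = """<?xml version="1.0"?>
<report>
  <site name="http://app.example.test">
    <alerts>
      <alertitem>
        <alert>SQL Injection</alert>
        <riskcode>2</riskcode>
        <cweid>89</cweid>
        <uri>http://app.example.test/search?q=1</uri>
      </alertitem>
      <alertitem>
        <alert>X-Content-Type-Options Header Missing</alert>
        <riskcode>1</riskcode>
        <cweid>16</cweid>
        <uri>http://app.example.test/</uri>
      </alertitem>
    </alerts>
  </site>
</report>
"""

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}


def parse_alerts(report_xml):
    """Return a list of dicts (name, risk, cwe, uri), one per alertitem."""
    root = ET.fromstring(report_xml)
    alerts = []
    for item in root.iter("alertitem"):
        alerts.append({
            "name": item.findtext("alert", default=""),
            "risk": int(item.findtext("riskcode", default="0")),
            "cwe": item.findtext("cweid", default=""),
            "uri": item.findtext("uri", default=""),
        })
    return alerts


def failing_alerts(report_xml, threshold=2):
    """Alerts at or above the risk threshold (default 2 = Medium), matching the
    'no Medium or higher risk vulnerabilities' step of the scenario."""
    return [a for a in parse_alerts(report_xml) if a["risk"] >= threshold]


def ci_gate(report_xml, threshold=2):
    """Return (passed, messages); a CI job exits non-zero when passed is False."""
    bad = failing_alerts(report_xml, threshold)
    messages = [
        f"{RISK_NAMES.get(a['risk'], a['risk'])}: {a['name']} (CWE-{a['cwe']}) at {a['uri']}"
        for a in bad
    ]
    return (len(bad) == 0, messages)


if __name__ == "__main__":
    import sys
    passed, messages = ci_gate(SAMPLE_REPORT)
    for m in messages:
        print(m)
    print("PASS" if passed else "FAIL")
    sys.exit(0 if passed else 1)
```

In a pipeline the `SAMPLE_REPORT` string would be replaced by reading `sql_injection.xml`; keeping the threshold as a parameter lets the same gate be reused with a stricter or looser policy per scenario.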
Making sure selinux is enabled, using PuppetDB as a CMDB to make assertions against:
```
(expect running-on-all-clients? "selinux")
```
Making sure you’re using the approved OS: querying the state of running Docker containers
```python
def test_os(inventory):
    # inventory is the host data returned by the container platform
    host_info = inventory['capabilities']['host']['payload']
    family = host_info['platformfamily']
    assert "debian" == family
```
Checking for processes listening on ports: SQL for asking questions of your system
```sql
SELECT DISTINCT process.name, listening.port, listening.address, process.pid
FROM processes AS process
JOIN listening_ports AS listening ON process.pid = listening.pid;
```
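To show what that query returns and how it turns into a check, here is an added example (not from the talk, and not osquery itself) that loads two small tables shaped like osquery's `processes` and `listening_ports` tables into an in-memory SQLite database, runs the query above, and then compares the result with an allow-list of expected listeners. The process and socket rows are constructed, and the column subset and the allow-list policy are assumptions for the example.

```python
"""Run the 'what is listening on which port?' query over constructed tables."""
import sqlite3

# The query from the slide, unchanged.
LISTENING_QUERY = """
SELECT DISTINCT process.name, listening.port, listening.address, process.pid
FROM processes AS process
JOIN listening_ports AS listening ON process.pid = listening.pid;
"""

# Constructed rows (pid, name, cmdline) and (pid, port, address); not from a real host.
PROCESSES = [
    (1, "systemd", "/sbin/init"),
    (412, "sshd", "/usr/sbin/sshd -D"),
    (980, "nginx", "nginx: master process"),
    (1337, "python3", "python3 -m http.server 8000"),
]
LISTENING_PORTS = [
    (412, 22, "0.0.0.0"),
    (980, 80, "0.0.0.0"),
    (980, 443, "0.0.0.0"),
    (980, 443, "0.0.0.0"),   # duplicate socket row, collapsed by DISTINCT
    (1337, 8000, "0.0.0.0"),
]


def build_db(processes=PROCESSES, listening_ports=LISTENING_PORTS):
    """Create an in-memory database holding the two osquery-like tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE processes (pid INTEGER, name TEXT, cmdline TEXT)")
    conn.execute("CREATE TABLE listening_ports (pid INTEGER, port INTEGER, address TEXT)")
    conn.executemany("INSERT INTO processes VALUES (?, ?, ?)", processes)
    conn.executemany("INSERT INTO listening_ports VALUES (?, ?, ?)", listening_ports)
    return conn


def listening_processes(conn):
    """Run the slide's query; returns (name, port, address, pid) tuples sorted by port."""
    rows = conn.execute(LISTENING_QUERY).fetchall()
    return sorted(rows, key=lambda r: r[1])


def unexpected_listeners(conn, allowed):
    """Policy check: listeners whose (process name, port) pair is not allow-listed.
    Anything returned here is what a monitoring job would raise an alert on."""
    return [r for r in listening_processes(conn) if (r[0], r[1]) not in allowed]


if __name__ == "__main__":
    db = build_db()
    for row in listening_processes(db):
        print(row)
    allow = {("sshd", 22), ("nginx", 80), ("nginx", 443)}
    for row in unexpected_listeners(db, allow):
        print("UNEXPECTED:", row)
```

Against a real host the same two functions work unchanged if `conn` is replaced by whatever executes SQL against osquery; the value of expressing the question as SQL is that the allow-list comparison can also be pushed into the query once the expected set is stable.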
Querying against your CMDB: find versions of an installed software package with PQL
```
inventory {
  facts.osfamily = "Debian" and
  facts.datacentre = "Lon1" and
  resources {
    type = "Package" and
    title = "npm" and
    parameters.version = "1.03"
  }
}
```
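The Docker inventory test and the PQL query above are both assertions against a CMDB snapshot: one checks the platform family, the other finds hosts where a package is at a given version. The following added example (not from the talk and not PuppetDB's or Docker's API) expresses both over one constructed inventory dict. The `capabilities.host.payload.platformfamily` key path mirrors the slide's test; the `facts` and `packages` parts, and the pinned-version policy, are assumptions standing in for what a CMDB query would return.

```python
"""Policy assertions against a constructed inventory (CMDB) snapshot."""

# Constructed inventory for two hosts. Not real data.
INVENTORY = {
    "web-01": {
        "facts": {"osfamily": "Debian", "datacentre": "Lon1"},
        "capabilities": {"host": {"payload": {"platformfamily": "debian"}}},
        "packages": {"npm": "1.03", "openssl": "1.1.1n"},
    },
    "web-02": {
        "facts": {"osfamily": "RedHat", "datacentre": "Lon1"},
        "capabilities": {"host": {"payload": {"platformfamily": "rhel"}}},
        "packages": {"npm": "1.04", "openssl": "1.1.1k"},
    },
}


def platform_family(host):
    """Same lookup as the slide's test_os: capabilities -> host -> payload."""
    return host["capabilities"]["host"]["payload"]["platformfamily"]


def hosts_with_package_version(inventory, package, version, datacentre=None):
    """Equivalent of the PQL query: hosts with the package at the given version,
    optionally restricted to one datacentre. Returns sorted host names."""
    matches = []
    for name, host in inventory.items():
        if datacentre and host["facts"].get("datacentre") != datacentre:
            continue
        if host["packages"].get(package) == version:
            matches.append(name)
    return sorted(matches)


def check_inventory(inventory, approved_families=("debian",), pinned=None):
    """Return policy violations as strings; an empty list means compliant.
    pinned maps package -> required version (an assumption for this example)."""
    pinned = pinned or {}
    violations = []
    for name, host in inventory.items():
        family = platform_family(host)
        if family not in approved_families:
            violations.append(f"{name}: platform family {family!r} is not approved")
        for package, required in pinned.items():
            actual = host["packages"].get(package)
            if actual != required:
                violations.append(f"{name}: {package} is {actual!r}, expected {required!r}")
    return violations


if __name__ == "__main__":
    print(hosts_with_package_version(INVENTORY, "npm", "1.03", datacentre="Lon1"))
    for violation in check_inventory(INVENTORY, pinned={"npm": "1.03"}):
        print(violation)
```

Run under pytest, `check_inventory` slots into a test that asserts the returned list is empty, which is the same shape as the `test_os` function on the slide but covers the whole fleet and reports every deviation rather than stopping at the first one.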
“RASP comes into play when the application is executed (runtime), causing the program to monitor itself and detect malicious input and behaviour.”
Veracode

“The AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into applications.”
OWASP AppSensor

- Push security into the CI pipelines
- Provide assurance of app dependencies
- Build visibility into the application
- Get reactive security into the runtime