Security and the self-contained unit of software

Transcript

1. (without introducing more risk) Security and the self- contained unit

   of software Puppet Gareth Rushgrove Security in an app-centic world

2. (without introducing more risk) @garethr

3. (without introducing more risk) Gareth Rushgrove

4. (without introducing more risk) What we’ll cover This talk

5. - The end of perimeter (only) security - From infrastructure

   to applications - The rise of the black box application - Pushing security concerns to the app Gareth Rushgrove

6. (without introducing more risk) An old model breaks down The

   end of security (only) at the edges

7. Gareth Rushgrove For much of network security, firewalls were the

   panacea. Got a security problem? Throw more firewall at it. James Wicket, Signal Sciences “

8. Gareth Rushgrove Through the 90’s and early 2000’s, buying an

   appliance to solve a problem was a common occurrence James Wicket, Signal Sciences “

9. Gareth Rushgrove Any problem in computer science can be solved

   with another layer of indirection David Wheeler (maybe) “

10. Adding something new on top was quicker than fixing the

    software Gareth Rushgrove

11. With modern approaches to software delivery we can change software

    quickly Gareth Rushgrove
12. None

13. 10

14. 2009

15. Gareth Rushgrove Jon Jenkins, VelocityConf, 2011 “Amazon deploys every 11.6

    seconds

16. Gareth Rushgrove

17. Gareth Rushgrove We do not rely on internal network segmentation

    or firewalling as our primary security mechanisms Google Infrastructure Security Design Overview “

18. Attacks are increasingly targeting application and business logic Gareth Rushgrove

19. So where does security go? Gareth Rushgrove

20. (without introducing more risk) Direction of travel in systems design

    From infrastructure to applications

21. The ability to change software quickly has seen functionality move

    from the infrastructure to the application Gareth Rushgrove

22. Built-in application healthchecks Gareth Rushgrove

23. (without introducing more risk) Gareth Rushgrove $ curl -i localhost:8080/health

    HTTP/1.1 200 OK X-Application-Context: application Content-Type: application/vnd.spring-boot.actuator.v1+json;charset=UTF- Content-Length: 221 { "status" : "UP", "diskSpace" : { "status" : "UP", "total" : 63251804160, "free" : 31316164608, "threshold" : 10485760 }, "db" : { /health from Spring Boot

24. (without introducing more risk) Gareth Rushgrove /metrics from Metrics $

    curl http://localhost:3000/metrics | jq { jvm.thread.deadlock.count: { type: "gauge", value: 0 }, ring.requests.rate.GET: { type: "meter", rates: { 1: 0.009626100280886805, 5: 0.008973894483657855, 15: 0.00939960671455037, total: 199 } },

25. Structured logging Gareth Rushgrove

26. (without introducing more risk) Gareth Rushgrove From something like syslog

    Dec 6 23:17:01 logstash CRON[5849]: (root) CMD (cd / && run- parts --report /etc/cron.hourly)

27. (without introducing more risk) Gareth Rushgrove To something like lograge

    { "method":"GET", "path":"/users", "format":"html", "controller":"users", "action":"index", "status":200, "duration":189.35, "view":186.35, "db":0.92, "@timestamp":"2015-12-11T13:35:47.062+00:00", "@version":"1", "message":"[200] GET /users (users#index)", "severity":"INFO", "host":"app1-web1",

28. From manual black-box testing to unit tests Gareth Rushgrove

29. From configuration files to environment variables Gareth Rushgrove

30. From external manual testing to unit tests Gareth Rushgrove

31. From static configuration to service discovery Gareth Rushgrove

32. 12 factor applications Gareth Rushgrove

33. (without introducing more risk) And implications for security The rise

    of the black box application

34. With all these applications we seek out a platform to

    run them on Gareth Rushgrove

35. The platform might be Docker, Kubernetes, AWS Lambda, Azure Functions,

    Heroku, CloudFoundry, EC2 or something else Gareth Rushgrove

36. From a security perspective, the platform is a great place

    to introduce central security features Gareth Rushgrove

37. But general purpose platforms often treat the application as a

    black box Gareth Rushgrove

38. The implementation of that black box might be a containers,

    a virtual machine, a serverless function or something else Gareth Rushgrove

39. From a security perspective, the black box application sounds like

    a very bad idea Gareth Rushgrove

40. What’s inside that container? Gareth Rushgrove

41. (without introducing more risk) You don’t know, and that’s a

    problem

42. Gareth Rushgrove Image downloads

43. Gareth Rushgrove Image GitHub popularity

44. Gareth Rushgrove Image contents

45. (without introducing more risk) Vulnerable images in repositories

46. - Most containers have OS user space - Most containers

    have lots of unmanaged packages at unspecified versions - Some containers are not immutable - Some containers will have vulnerabilities Gareth Rushgrove

47. What about Serverless? Gareth Rushgrove

48. Gareth Rushgrove These code packages are like little pieces of

    infrastructure embedded inside your application. Application dependencies are similar to the oft-exploited server dependencies Guy Podjarny, Snyk “

49. Platform security brings improvements Gareth Rushgrove Guy Podjarny, Snyk

50. Guy Podjarny, Snyk Application security still an issue Gareth Rushgrove

51. Guy Podjarny, Snyk Existing approaches not always relevant Gareth Rushgrove

52. (without introducing more risk) Because the platform can’t do everything

    Pushing security concerns to the application

53. In this new world we need to push security to

    the application Gareth Rushgrove

54. (without introducing more risk) Security testing at build time

55. OWASP ZAP Gareth Rushgrove

56. (without introducing more risk) Gareth Rushgrove BDD Security Scenario: The

    application should not contain SQL injection vulnerabilities Meta: @id scan_sql_injection @cwe-89 Given a scanner with all policies disabled And the SQL-Injection policy is enabled And the attack strength is set to High And the alert threshold is set to Low When the scanner is run And the XML report is written to the file sql_injection.xml Then no Medium or higher risk vulnerabilities should be present Testing for SQL Injection vulnerabilities in the CI pipeline

57. (without introducing more risk) Gareth Rushgrove Lynis #!/bin/bash -e yum

    install -y lynis touch /etc/lynis/custom.prf lynis configure settings error-on-warnings=yes:quick=yes:skip-test=FIRE-4512 lynis audit system Scanning for vulnerabilities during VM image build

58. (without introducing more risk) Assuring dependencies

59. OWASP Dependency-Check Gareth Rushgrove

60. (without introducing more risk) Gareth Rushgrove Bundler audit $ bundle-audit

    Name: actionpack Version: 3.2.10 Advisory: OSVDB-91452 Criticality: Medium URL: http://www.osvdb.org/show/osvdb/91452 Title: XSS vulnerability in sanitize_css in Action Pack Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13 Name: actionpack Version: 3.2.10 Checking for disclosed Ruby vulnerabilities in Gemfile.lock

61. Snyk Gareth Rushgrove

62. (without introducing more risk) Gareth Rushgrove Checking application dependencies $

    snyk test ionic ... ✗ High severity vulnerability found on [email protected] - desc: Command Injection - info: https://snyk.io/vuln/npm:shelljs:20140723 - from: [email protected] > [email protected] > [email protected] Fix: None available. Consider removing this dependency. ✗ High severity vulnerability found on [email protected] - desc: Command Injection - info: https://snyk.io/vuln/npm:shelljs:20140723 - from: [email protected] > [email protected] > [email protected] > shelljs Fix: None available. Consider removing this dependency.

63. (without introducing more risk) Gareth Rushgrove $ scan-image-for-cves garethr/myapp --->

    Scanning package: python ---> CVEs found for python-2.7.5-34.el7 +---------------+----------+------------+-------------------+ | CVE | Severity | CVSS score | Date | +---------------+----------+------------+-------------------+ | CVE-2014-4650 | moderate | 5.0 | 23 June 2014 | | CVE-2013-1752 | moderate | 4.3 | 25 September 2012 | | CVE-2013-1753 | moderate | 4.3 | 25 September 2012 | | CVE-2014-7185 | low | 4.0 | 23 June 2014 | | CVE-2014-4616 | moderate | 4.0 | 19 May 2014 | +---------------+----------+------------+-------------------+ ---> Scanning package: python ---> CVEs found for python-2.7.5-34.el7 +---------------+----------+------------+-------------------+ | CVE | Severity | CVSS score | Date | Checking Docker containers for CVEs

64. (without introducing more risk) Testing in production

65. The only source of truth is the network Gareth Rushgrove

66. (without introducing more risk) Gareth Rushgrove Making sure selinux is

    enabled (expect running-on-all-clients? "selinux") Using PuppetDB as a CMDB to make assertions against

67. (without introducing more risk) Gareth Rushgrove Making sure you’re using

    the approved OS def test_os(inventory): host_info = inventory['capabilities']['host']['payload'] family = host_info['platformfamily'] assert "debian" == family Querying the state of running Docker containers

68. (without introducing more risk) Visibility

69. osquery Gareth Rushgrove

70. (without introducing more risk) Gareth Rushgrove Checking for processes listening

    on ports SELECT DISTINCT process.name, listening.port, listening.address, process.pid FROM processes AS process JOIN listening_ports AS listening ON process.pid = listening.pid; SQL for asking questions of your system

71. (without introducing more risk) Gareth Rushgrove inventory { facts.osfamily =

    "Debian" and facts.datacentre = "Lon1" and resources { type = "Package" and title = "npm" and parameters.version = "1.03" } } Quering against your CMBD Find versions of an installed software package with PQL

72. (without introducing more risk) Letting the runtime protect us

73. Runtime Application Self-Protection (RASP) Gareth Rushgrove

74. Gareth Rushgrove RASP comes into play when the application is

    executed (runtime), causing the program to monitor itself and detect malicious input and behaviour. Veracode “

75. OWASP AppSensor Gareth Rushgrove

76. Gareth Rushgrove The AppSensor project defines a conceptual framework and

    methodology that offers prescriptive guidance to implement intrusion detection and automated response into applications “ OWASP AppSensor

77. Gareth Rushgrove The best place to identify malicious activity against

    the application is within the application itself “ OWASP AppSensor

78. (without introducing more risk) If all you remember is Conclusions

79. We need secure applications, not just secure platforms Gareth Rushgrove

80. Gareth Rushgrove App developers are conquering the world

81. - Push security into the CI pipelines - Provide assurance

    of app dependencies - Build visibility into the application - Get reactive security into the runtime Gareth Rushgrove

82. We need to move away from security tools and towards

    development tools with security features Gareth Rushgrove

83. (without introducing more risk) Questions? And thanks for listening