
Security and the self-contained unit of software


A talk from AppSec EU, the OWASP conference, all about moving security to the application in the face of platforms, containers and serverless

Gareth Rushgrove

May 11, 2017

1. Security and the self-contained unit of software (without introducing more risk). Security in an app-centric world. Puppet. Gareth Rushgrove
2. - The end of perimeter (only) security
    - From infrastructure to applications
    - The rise of the black box application
    - Pushing security concerns to the app
3. “For much of network security, firewalls were the panacea. Got a security problem? Throw more firewall at it.” James Wickett, Signal Sciences
4. “Through the 90’s and early 2000’s, buying an appliance to solve a problem was a common occurrence.” James Wickett, Signal Sciences
5. “Any problem in computer science can be solved with another layer of indirection.” David Wheeler (maybe)
6. 10
7. “We do not rely on internal network segmentation or firewalling as our primary security mechanisms.” Google Infrastructure Security Design Overview
8. The ability to change software quickly has seen functionality move from the infrastructure to the application.
9. /health from Spring Boot

    ```
    $ curl -i localhost:8080/health
    HTTP/1.1 200 OK
    X-Application-Context: application
    Content-Type: application/vnd.spring-boot.actuator.v1+json;charset=UTF-
    Content-Length: 221

    {
      "status" : "UP",
      "diskSpace" : {
        "status" : "UP",
        "total" : 63251804160,
        "free" : 31316164608,
        "threshold" : 10485760
      },
      "db" : {
    ```
10. /metrics from Metrics

    ```
    $ curl http://localhost:3000/metrics | jq
    {
      jvm.thread.deadlock.count: {
        type: "gauge",
        value: 0
      },
      ring.requests.rate.GET: {
        type: "meter",
        rates: {
          1: 0.009626100280886805,
          5: 0.008973894483657855,
          15: 0.00939960671455037,
          total: 199
        }
      },
    ```
11. From something like syslog

    ```
    Dec 6 23:17:01 logstash CRON[5849]: (root) CMD (cd / && run-parts --report /etc/cron.hourly)
    ```
12. To something like lograge

    ```json
    {
      "method":"GET",
      "path":"/users",
      "format":"html",
      "controller":"users",
      "action":"index",
      "status":200,
      "duration":189.35,
      "view":186.35,
      "db":0.92,
      "@timestamp":"2015-12-11T13:35:47.062+00:00",
      "@version":"1",
      "message":"[200] GET /users (users#index)",
      "severity":"INFO",
      "host":"app1-web1",
    ```
13. The platform might be Docker, Kubernetes, AWS Lambda, Azure Functions, Heroku, CloudFoundry, EC2 or something else.
14. From a security perspective, the platform is a great place to introduce central security features.
15. The implementation of that black box might be a container, a virtual machine, a serverless function or something else.
16. - Most containers have OS user space
    - Most containers have lots of unmanaged packages at unspecified versions
    - Some containers are not immutable
    - Some containers will have vulnerabilities
17. “These code packages are like little pieces of infrastructure embedded inside your application. Application dependencies are similar to the oft-exploited server dependencies.” Guy Podjarny, Snyk
18. In this new world we need to push security to the application.
19. BDD-Security: testing for SQL Injection vulnerabilities in the CI pipeline

    ```gherkin
    Scenario: The application should not contain SQL injection vulnerabilities
      Meta: @id scan_sql_injection @cwe-89
      Given a scanner with all policies disabled
      And the SQL-Injection policy is enabled
      And the attack strength is set to High
      And the alert threshold is set to Low
      When the scanner is run
      And the XML report is written to the file sql_injection.xml
      Then no Medium or higher risk vulnerabilities should be present
    ```
20. Lynis: scanning for vulnerabilities during VM image build

    ```bash
    #!/bin/bash -e
    yum install -y lynis
    touch /etc/lynis/custom.prf
    lynis configure settings error-on-warnings=yes:quick=yes:skip-test=FIRE-4512
    lynis audit system
    ```
21. Bundler audit: checking for disclosed Ruby vulnerabilities in Gemfile.lock

    ```
    $ bundle-audit
    Name: actionpack
    Version: 3.2.10
    Advisory: OSVDB-91452
    Criticality: Medium
    URL: http://www.osvdb.org/show/osvdb/91452
    Title: XSS vulnerability in sanitize_css in Action Pack
    Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13

    Name: actionpack
    Version: 3.2.10
    ```
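A way to turn output like the above into a build gate, as an added example that is neither the talk's code nor bundler-audit's own: it parses the `Key: value` advisory blocks and applies the same "no Medium or higher" rule the BDD-Security scenario states. The second advisory in the sample is constructed, and the severity ranking is an assumption.

```python
"""CI gate over scanner output (added example, not from the talk or bundler-audit).
Parses the "Key: value" blocks that bundle-audit prints, as shown above, and
fails the build when any advisory meets a criticality threshold, the same rule
the BDD-Security scenario states as "no Medium or higher risk vulnerabilities".
"""
# Constructed sample: the slide's actionpack advisory plus a made-up Low one.
SAMPLE_OUTPUT = """\
Name: actionpack
Version: 3.2.10
Advisory: OSVDB-91452
Criticality: Medium
URL: http://www.osvdb.org/show/osvdb/91452
Title: XSS vulnerability in sanitize_css in Action Pack
Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13

Name: example-gem
Version: 0.1.0
Advisory: EXAMPLE-ADVISORY-0001
Criticality: Low
URL: https://example.invalid/advisory
Title: Constructed low-severity finding
Solution: upgrade to >= 0.1.1
"""

# Assumed ranking; bundle-audit prints the criticality as a word.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def parse_bundle_audit(text):
    """Return one dict of fields per blank-line separated advisory block."""
    findings = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                fields[key] = value.strip()
        if "Name" in fields:
            findings.append(fields)
    return findings


def findings_at_or_above(findings, threshold="Medium"):
    """Advisories the build must fail on; an unknown criticality fails closed."""
    limit = SEVERITY_RANK[threshold]
    return [f for f in findings
            if SEVERITY_RANK.get(f.get("Criticality"), limit) >= limit]


def build_passes(text, threshold="Medium"):
    """True when nothing at or above the threshold was reported."""
    return not findings_at_or_above(parse_bundle_audit(text), threshold)
```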
22. Checking application dependencies

    ```
    $ snyk test ionic
    ...
    ✗ High severity vulnerability found on shelljs@0.2.6
    - desc: Command Injection
    - info: https://snyk.io/vuln/npm:shelljs:20140723
    - from: ionic@2.2.3 > ionic-app-lib@2.2.1 > shelljs@0.2.6
    Fix: None available. Consider removing this dependency.

    ✗ High severity vulnerability found on shelljs@0.3.0
    - desc: Command Injection
    - info: https://snyk.io/vuln/npm:shelljs:20140723
    - from: ionic@2.2.3 > ionic-app-lib@2.2.1 > cordova-lib@6.1.0 > shelljs
    Fix: None available. Consider removing this dependency.
    ```
23. Checking Docker containers for CVEs

    ```
    $ scan-image-for-cves garethr/myapp
    ---> Scanning package: python
    ---> CVEs found for python-2.7.5-34.el7
    +---------------+----------+------------+-------------------+
    | CVE           | Severity | CVSS score | Date              |
    +---------------+----------+------------+-------------------+
    | CVE-2014-4650 | moderate | 5.0        | 23 June 2014      |
    | CVE-2013-1752 | moderate | 4.3        | 25 September 2012 |
    | CVE-2013-1753 | moderate | 4.3        | 25 September 2012 |
    | CVE-2014-7185 | low      | 4.0        | 23 June 2014      |
    | CVE-2014-4616 | moderate | 4.0        | 19 May 2014       |
    +---------------+----------+------------+-------------------+
    ---> Scanning package: python
    ---> CVEs found for python-2.7.5-34.el7
    +---------------+----------+------------+-------------------+
    | CVE           | Severity | CVSS score | Date              |
    ```
24. Making sure selinux is enabled: using PuppetDB as a CMDB to make assertions against

    ```
    (expect running-on-all-clients? "selinux")
    ```
25. Making sure you’re using the approved OS: querying the state of running Docker containers

    ```python
    def test_os(inventory):
        host_info = inventory['capabilities']['host']['payload']
        family = host_info['platformfamily']
        assert "debian" == family
    ```
26. Checking for processes listening on ports: SQL for asking questions of your system

    ```sql
    SELECT DISTINCT process.name, listening.port, listening.address, process.pid
    FROM processes AS process
    JOIN listening_ports AS listening ON process.pid = listening.pid;
    ```
27. Querying against your CMDB: find versions of an installed software package with PQL

    ```
    inventory {
      facts.osfamily = "Debian" and
      facts.datacentre = "Lon1" and
      resources {
        type = "Package" and
        title = "npm" and
        parameters.version = "1.03"
      }
    }
    ```
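The same three kinds of assertion as slides 24, 25 and 27 ("is X true on every host?", "is every host on the approved OS?", "which hosts manage package P at version V in datacentre D?") written as plain Python over a constructed inventory. This is an added example, not the talk's code; the inventory shape is an assumption loosely modelled on PuppetDB facts and resources, and `selinux_enforced` is a constructed fact name.

```python
"""Compliance assertions over a CMDB-style inventory (added example).
The inventory shape below is assumed, modelled loosely on PuppetDB facts and
resources; every check returns the hosts that fail it, so an empty list means
compliant and the same functions can back a test suite or a dashboard.
"""
# Constructed sample inventory: host -> facts and managed resources.
INVENTORY = {
    "web1": {"facts": {"osfamily": "Debian", "datacentre": "Lon1",
                       "selinux_enforced": True},
             "resources": [{"type": "Package", "title": "npm",
                            "parameters": {"version": "1.03"}}]},
    "web2": {"facts": {"osfamily": "Debian", "datacentre": "Lon1",
                       "selinux_enforced": False},
             "resources": [{"type": "Package", "title": "npm",
                            "parameters": {"version": "1.04"}}]},
    "db1": {"facts": {"osfamily": "RedHat", "datacentre": "Dub1",
                      "selinux_enforced": True},
            "resources": []},
}


def hosts_failing(inventory, predicate):
    """Like the slide's running-on-all-clients?: hosts where predicate is false."""
    return sorted(h for h, data in inventory.items() if not predicate(data))


def selinux_enforced(host):
    return host["facts"].get("selinux_enforced") is True


def os_family_is(family):
    return lambda host: host["facts"].get("osfamily", "").lower() == family.lower()


def hosts_with_package(inventory, title, version, **fact_filters):
    """PQL-style query: hosts whose facts match and that manage title@version."""
    matches = []
    for name, data in inventory.items():
        if any(data["facts"].get(k) != v for k, v in fact_filters.items()):
            continue  # fact filter (e.g. datacentre="Lon1") not satisfied
        for res in data["resources"]:
            if ((res["type"], res["title"]) == ("Package", title)
                    and res["parameters"].get("version") == version):
                matches.append(name)
    return sorted(matches)


def compliance_report(inventory):
    return {
        "selinux_enforced": hosts_failing(inventory, selinux_enforced),
        "approved_os": hosts_failing(inventory, os_family_is("debian")),
        "npm_1.03_in_Lon1": hosts_with_package(inventory, "npm", "1.03", datacentre="Lon1"),
    }
```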
28. “RASP comes into play when the application is executed (runtime), causing the program to monitor itself and detect malicious input and behaviour.” Veracode
29. “The AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into applications.” OWASP AppSensor
30. “The best place to identify malicious activity against the application is within the application itself.” OWASP AppSensor
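What "detection and automated response inside the application" looks like in the smallest form, as an added example in the spirit of the AppSensor idea quoted above; it is not AppSensor's code or the talk's. A detection point counts suspicious events per user within a time window and, once the threshold is met, the application itself selects an escalating response. The detection point, thresholds and response ladder are constructed, and time is passed in as a number so the behaviour is deterministic.

```python
"""In-application detection and response, in the spirit of OWASP AppSensor.
Added example, not AppSensor's code or the talk's: a detection point counts
suspicious events per user inside a time window and, when the threshold is
met, the application picks an escalating response itself.
"""
from collections import defaultdict, deque


class DetectionPoint:
    def __init__(self, label, threshold, window_seconds):
        self.label = label
        self.threshold = threshold
        self.window = window_seconds
        self._events = defaultdict(deque)  # user -> event timestamps in window

    def record(self, user, now):
        """Record one event; True when `threshold` events fall inside the window."""
        q = self._events[user]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()  # forget events older than the window
        if len(q) >= self.threshold:
            q.clear()  # start counting afresh after a trip
            return True
        return False


class InAppDetector:
    """Maps each detection point to responses applied in escalation order."""

    def __init__(self):
        self.points, self.responses = {}, {}
        self.trips = defaultdict(int)  # (label, user) -> number of trips so far

    def add(self, point, responses):
        self.points[point.label] = point
        self.responses[point.label] = responses

    def event(self, label, user, now):
        """Feed an event; return the response to apply, or None below threshold."""
        if not self.points[label].record(user, now):
            return None
        self.trips[(label, user)] += 1
        ladder = self.responses[label]
        return ladder[min(self.trips[(label, user)], len(ladder)) - 1]


def demo_detector():
    """Constructed policy: 3 failed logins within 60 s trips the point."""
    d = InAppDetector()
    d.add(DetectionPoint("failed_login", threshold=3, window_seconds=60),
          ["log", "warn_user", "lock_account"])
    return d
```

The response ladder never goes past its last entry, so a user who keeps tripping the point stays at `lock_account` rather than silently wrapping back to `log`.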
31. - Push security into the CI pipelines
    - Provide assurance of app dependencies
    - Build visibility into the application
    - Get reactive security into the runtime
32. We need to move away from security tools and towards development tools with security features.