
Security and the self-contained unit of software

A talk from AppSec EU, the OWASP conference, all about moving security to the application in the face of platforms, containers and serverless

Gareth Rushgrove

May 11, 2017


Transcript

  1. Security and the self-contained unit of software
    Security in an app-centric world
    Gareth Rushgrove, Puppet
    (without introducing more risk)

  2. @garethr

  3. Gareth Rushgrove

  4. This talk: what we’ll cover

  5. - The end of perimeter (only) security
    - From infrastructure to applications
    - The rise of the black box application
    - Pushing security concerns to the app

  6. The end of security (only) at the edges
    An old model breaks down

  7. “For much of network security, firewalls were the panacea. Got a security problem? Throw more firewall at it.”
    James Wickett, Signal Sciences

  8. “Through the ’90s and early 2000s, buying an appliance to solve a problem was a common occurrence.”
    James Wickett, Signal Sciences

  9. “Any problem in computer science can be solved with another layer of indirection.”
    David Wheeler (maybe)

  10. Adding something new on top was quicker than fixing the software

  11. With modern approaches to software delivery we can change software quickly

  12.

  13. 10

  14. 2009

  15. “Amazon deploys every 11.6 seconds”
    Jon Jenkins, VelocityConf, 2011

  16.

  17. “We do not rely on internal network segmentation or firewalling as our primary security mechanisms”
    Google Infrastructure Security Design Overview

  18. Attacks are increasingly targeting application and business logic

  19. So where does security go?

  20. From infrastructure to applications
    Direction of travel in systems design

  21. The ability to change software quickly has seen functionality move from the infrastructure to the application

  22. Built-in application healthchecks

  23. /health from Spring Boot
    $ curl -i localhost:8080/health
    HTTP/1.1 200 OK
    X-Application-Context: application
    Content-Type: application/vnd.spring-boot.actuator.v1+json;charset=UTF-
    Content-Length: 221
    {
      "status" : "UP",
      "diskSpace" : {
        "status" : "UP",
        "total" : 63251804160,
        "free" : 31316164608,
        "threshold" : 10485760
      },
      "db" : {

  24. /metrics from Metrics
    $ curl http://localhost:3000/metrics | jq
    {
      jvm.thread.deadlock.count: {
        type: "gauge",
        value: 0
      },
      ring.requests.rate.GET: {
        type: "meter",
        rates: {
          1: 0.009626100280886805,
          5: 0.008973894483657855,
          15: 0.00939960671455037,
          total: 199
        }
      },

  25. Structured logging

  26. From something like syslog
    Dec 6 23:17:01 logstash CRON[5849]: (root) CMD (cd / && run-parts --report /etc/cron.hourly)

  27. To something like lograge
    {
      "method":"GET",
      "path":"/users",
      "format":"html",
      "controller":"users",
      "action":"index",
      "status":200,
      "duration":189.35,
      "view":186.35,
      "db":0.92,
      "@timestamp":"2015-12-11T13:35:47.062+00:00",
      "@version":"1",
      "message":"[200] GET /users (users#index)",
      "severity":"INFO",
      "host":"app1-web1",

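The point of slides 26 and 27 is that a JSON record per request turns log analysis into field filtering rather than regex work. The following is an added example (not code from the talk, and not lograge itself): a small Python logging formatter that emits lograge-shaped records, a parser for them, and the kind of "which requests failed or were slow?" query that becomes a one-line filter. The logger name, the field list and the sample traffic in demo() are this example's own.

```python
"""Lograge-style structured request logging with the standard logging module.
Added example; the field set and sample requests are constructed, not from the talk."""
import io
import json
import logging
from datetime import datetime, timezone

# Request fields we accept via logger.info(..., extra={...}); keep this an explicit
# allowlist so a caller cannot smuggle arbitrary keys into the log schema.
REQUEST_FIELDS = ("method", "path", "status", "duration", "host", "controller", "action")


class JsonFormatter(logging.Formatter):
    """Render each LogRecord as exactly one JSON object on one line."""

    def format(self, record):
        doc = {
            "@timestamp": datetime.fromtimestamp(record.created, tz=timezone.utc).isoformat(),
            "@version": "1",
            "severity": record.levelname,
            "message": record.getMessage(),
        }
        # Keys passed through `extra` become attributes on the record object.
        for key in REQUEST_FIELDS:
            if hasattr(record, key):
                doc[key] = getattr(record, key)
        return json.dumps(doc, sort_keys=True)


def make_logger(stream):
    """A logger writing JSON lines to `stream` (a file, a socket wrapper, or StringIO)."""
    logger = logging.getLogger("request-log-%d" % id(stream))
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = logging.StreamHandler(stream)
    handler.setFormatter(JsonFormatter())
    logger.handlers = [handler]
    return logger


def log_request(logger, method, path, status, duration_ms, host="app1-web1"):
    """Emit one request record; the human-readable message mirrors lograge's."""
    logger.info("[%d] %s %s" % (status, method, path),
                extra={"method": method, "path": path, "status": status,
                       "duration": duration_ms, "host": host})


def parse_log(text):
    """Read JSON-lines output back into dicts (what a log shipper would do)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def slow_or_failed(records, max_ms=500.0):
    """The question the syslog line cannot answer without regexes: 5xx or slow requests."""
    return [r for r in records if r["status"] >= 500 or r["duration"] > max_ms]


def demo():
    """Run constructed traffic through the logger and return (all records, flagged records)."""
    buf = io.StringIO()
    logger = make_logger(buf)
    log_request(logger, "GET", "/users", 200, 189.35)      # constructed: healthy
    log_request(logger, "POST", "/login", 500, 12.0)       # constructed: server error
    log_request(logger, "GET", "/reports", 200, 1320.5)    # constructed: slow
    records = parse_log(buf.getvalue())
    return records, slow_or_failed(records)


if __name__ == "__main__":
    for rec in demo()[1]:
        print(json.dumps(rec))
```

Because the formatter owns the schema, a developer cannot change the log format by changing a message string, which is what makes downstream alerting rules stable.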
  28. From manual black-box testing to unit tests

  29. From configuration files to environment variables

  30. From external manual testing to unit tests

  31. From static configuration to service discovery

  32. 12 factor applications

  33. The rise of the black box application
    And implications for security

  34. With all these applications we seek out a platform to run them on

  35. The platform might be Docker, Kubernetes, AWS Lambda, Azure Functions, Heroku, CloudFoundry, EC2 or something else

  36. From a security perspective, the platform is a great place to introduce central security features

  37. But general purpose platforms often treat the application as a black box

  38. The implementation of that black box might be a container, a virtual machine, a serverless function or something else

  39. From a security perspective, the black box application sounds like a very bad idea

  40. What’s inside that container?

  41. You don’t know, and that’s a problem

  42. Image downloads

  43. Image GitHub popularity

  44. Image contents

  45. Vulnerable images in repositories

  46. - Most containers have OS user space
    - Most containers have lots of unmanaged packages at unspecified versions
    - Some containers are not immutable
    - Some containers will have vulnerabilities

  47. What about Serverless?

  48. “These code packages are like little pieces of infrastructure embedded inside your application. Application dependencies are similar to the oft-exploited server dependencies.”
    Guy Podjarny, Snyk

  49. Platform security brings improvements
    Guy Podjarny, Snyk

  50. Application security still an issue
    Guy Podjarny, Snyk

  51. Existing approaches not always relevant
    Guy Podjarny, Snyk

  52. Pushing security concerns to the application
    Because the platform can’t do everything

  53. In this new world we need to push security to the application

  54. Security testing at build time

  55. OWASP ZAP

  56. BDD Security: testing for SQL Injection vulnerabilities in the CI pipeline
    Scenario: The application should not contain SQL injection vulnerabilities
      Meta: @id scan_sql_injection @cwe-89
      Given a scanner with all policies disabled
      And the SQL-Injection policy is enabled
      And the attack strength is set to High
      And the alert threshold is set to Low
      When the scanner is run
      And the XML report is written to the file sql_injection.xml
      Then no Medium or higher risk vulnerabilities should be present

  57. Lynis: scanning for vulnerabilities during VM image build
    #!/bin/bash -e
    yum install -y lynis
    touch /etc/lynis/custom.prf
    lynis configure settings error-on-warnings=yes:quick=yes:skip-test=FIRE-4512
    lynis audit system

  58. Assuring dependencies

  59. OWASP Dependency-Check

  60. Bundler audit: checking for disclosed Ruby vulnerabilities in Gemfile.lock
    $ bundle-audit
    Name: actionpack
    Version: 3.2.10
    Advisory: OSVDB-91452
    Criticality: Medium
    URL: http://www.osvdb.org/show/osvdb/91452
    Title: XSS vulnerability in sanitize_css in Action Pack
    Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13

    Name: actionpack
    Version: 3.2.10

  61. Snyk

  62. Snyk: checking application dependencies
    $ snyk test ionic
    ...
    ✗ High severity vulnerability found on [email protected]
    - desc: Command Injection
    - info: https://snyk.io/vuln/npm:shelljs:20140723
    - from: [email protected] > [email protected] > [email protected]
    Fix: None available. Consider removing this dependency.

    ✗ High severity vulnerability found on [email protected]
    - desc: Command Injection
    - info: https://snyk.io/vuln/npm:shelljs:20140723
    - from: [email protected] > [email protected] > [email protected] > shelljs
    Fix: None available. Consider removing this dependency.

  63. Checking Docker containers for CVEs
    $ scan-image-for-cves garethr/myapp
    ---> Scanning package: python
    ---> CVEs found for python-2.7.5-34.el7
    +---------------+----------+------------+-------------------+
    | CVE           | Severity | CVSS score | Date              |
    +---------------+----------+------------+-------------------+
    | CVE-2014-4650 | moderate | 5.0        | 23 June 2014      |
    | CVE-2013-1752 | moderate | 4.3        | 25 September 2012 |
    | CVE-2013-1753 | moderate | 4.3        | 25 September 2012 |
    | CVE-2014-7185 | low      | 4.0        | 23 June 2014      |
    | CVE-2014-4616 | moderate | 4.0        | 19 May 2014       |
    +---------------+----------+------------+-------------------+

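Slides 59 to 63 all show a scanner printing findings; what the talk's "push security into the CI pipeline" idea needs on top of that is the gate that decides whether the build fails. The following is an added example, not code from the talk or from bundler-audit: it parses bundler-audit-style output (the first block is the advisory shown on slide 60, the second is a constructed placeholder), applies a severity policy with a time-boxed accepted-risk list, and checks whether a proposed upgrade version actually satisfies the "Solution" constraints, including Bundler's pessimistic `~>` operator. Function names, the policy and PLACEHOLDER-0001 are this example's own.

```python
"""CI gate over dependency-audit findings. Added example; the second advisory in the
sample output is a constructed placeholder and the policy/helper names are this example's own."""
import re
from dataclasses import dataclass
from datetime import date

SAMPLE_AUDIT_OUTPUT = """\
Name: actionpack
Version: 3.2.10
Advisory: OSVDB-91452
Criticality: Medium
URL: http://www.osvdb.org/show/osvdb/91452
Title: XSS vulnerability in sanitize_css in Action Pack
Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13

Name: rack
Version: 1.4.3
Advisory: PLACEHOLDER-0001
Criticality: Low
URL: https://advisories.example.invalid/PLACEHOLDER-0001
Title: Constructed low-severity advisory (placeholder, not a real advisory)
Solution: upgrade to >= 1.4.5
"""

ADVISORY = re.compile(
    r"Name: (?P<name>\S+)\nVersion: (?P<version>\S+)\nAdvisory: (?P<advisory>\S+)\n"
    r"Criticality: (?P<criticality>\S+)\nURL: (?P<url>\S+)\nTitle: (?P<title>[^\n]+)\n"
    r"Solution: upgrade to (?P<solution>[^\n]+)")

SEVERITY = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}  # example's own ranking


@dataclass
class Finding:
    name: str
    version: str
    advisory: str
    criticality: str
    url: str
    title: str
    solution: str


def parse_audit(text):
    """Turn the scanner's text blocks into Finding records."""
    return [Finding(**m.groupdict()) for m in ADVISORY.finditer(text)]


def vtuple(s):
    return tuple(int(p) for p in s.split("."))


def vcmp(a, b):
    """Compare version tuples of unequal length by zero-padding (3.2 == 3.2.0)."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def satisfies(version, constraint):
    """Does `version` meet one Bundler-style constraint such as '~> 3.1.12' or '>= 3.2.13'?"""
    op, _, target = constraint.strip().partition(" ")
    v, t = vtuple(version), vtuple(target.strip())
    if op == ">=":
        return vcmp(v, t) >= 0
    if op == ">":
        return vcmp(v, t) > 0
    if op == "<":
        return vcmp(v, t) < 0
    if op == "=":
        return vcmp(v, t) == 0
    if op == "~>":
        # Pessimistic operator: >= target and below the next release of the component
        # one above the last one given (~> 3.1.12 means >= 3.1.12 and < 3.2.0).
        upper = (t[:-2] + (t[-2] + 1, 0)) if len(t) >= 2 else (t[0] + 1,)
        return vcmp(v, t) >= 0 and vcmp(v, upper) < 0
    raise ValueError("unknown operator in constraint: %r" % constraint)


def fixed_by(solution, candidate):
    """True if upgrading to `candidate` lands in any of the advisory's patched ranges."""
    return any(satisfies(candidate, c) for c in solution.split(","))


def gate(findings, fail_at="Medium", accepted=None, today=None):
    """Return (exit code, blocking findings). `accepted` maps advisory id -> ISO expiry date,
    so a temporarily accepted risk cannot silently live forever."""
    accepted = accepted or {}
    today = date.fromisoformat(today) if today else date.today()
    blocking = []
    for f in findings:
        if SEVERITY.get(f.criticality, SEVERITY["Critical"]) < SEVERITY[fail_at]:
            continue
        expiry = accepted.get(f.advisory)
        if expiry and today <= date.fromisoformat(expiry):
            continue
        blocking.append(f)
    return (1 if blocking else 0), blocking


if __name__ == "__main__":
    code, blocking = gate(parse_audit(SAMPLE_AUDIT_OUTPUT), today="2017-05-11")
    for f in blocking:
        print("%s %s %s: %s (fix: %s)" % (f.criticality, f.name, f.version, f.title, f.solution))
    raise SystemExit(code)
```

Unknown criticality strings are treated as Critical on purpose: a scanner adding a new level should fail the build rather than slip past the policy.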
  64. Testing in production

  65. The only source of truth is the network

  66. Making sure selinux is enabled, using PuppetDB as a CMDB to make assertions against
    (expect running-on-all-clients? "selinux")

  67. Making sure you’re using the approved OS: querying the state of running Docker containers
    def test_os(inventory):
        host_info = inventory['capabilities']['host']['payload']
        family = host_info['platformfamily']
        assert "debian" == family

  68. Visibility

  69. osquery

  70. Checking for processes listening on ports: SQL for asking questions of your system
    SELECT DISTINCT process.name,
                    listening.port,
                    listening.address,
                    process.pid
    FROM processes AS process
    JOIN listening_ports AS listening ON process.pid = listening.pid;

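The osquery join above is the question; the visibility check is comparing its answer against what the host is supposed to expose. As an added example (not code from the talk or from osquery), the slide's query is run with sqlite3 over constructed tables whose columns mirror only the `processes` and `listening_ports` columns the query uses, and the result is diffed against a constructed baseline of expected listeners. The sample rows, the baseline and the function names are this example's own.

```python
"""The slide's osquery join, run over constructed sqlite tables and diffed against a baseline.
Added example: rows, baseline and helper names are made up for illustration."""
import sqlite3

# The query from the slide, plus ORDER BY so runs are comparable across hosts and time.
LISTENING_QUERY = """
SELECT DISTINCT process.name, listening.port, listening.address, process.pid
FROM processes AS process
JOIN listening_ports AS listening ON process.pid = listening.pid
ORDER BY listening.port
"""

# Constructed baseline: the (process name, port) pairs this host is meant to expose.
EXPECTED_LISTENERS = {("sshd", 22), ("nginx", 80), ("nginx", 443)}


def build_sample_db():
    """In-memory stand-in for the two osquery tables, populated with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE processes (pid INTEGER, name TEXT);
        CREATE TABLE listening_ports (pid INTEGER, port INTEGER, address TEXT);
        INSERT INTO processes VALUES (412, 'nginx'), (980, 'sshd'), (2210, 'python3'), (3001, 'bash');
        INSERT INTO listening_ports VALUES
            (412, 80, '0.0.0.0'), (412, 443, '0.0.0.0'), (980, 22, '0.0.0.0'), (2210, 8000, '0.0.0.0');
    """)
    return conn


def listening(conn):
    """Every (name, port, address, pid) row currently listening: the slide's query as data."""
    return conn.execute(LISTENING_QUERY).fetchall()


def unexpected_listeners(conn, expected=EXPECTED_LISTENERS):
    """Rows not on the baseline: what a scheduled osquery run would hand to alerting."""
    return [row for row in listening(conn) if (row[0], row[1]) not in expected]


if __name__ == "__main__":
    db = build_sample_db()
    for name, port, address, pid in unexpected_listeners(db):
        print("unexpected listener: %s (pid %d) on %s:%d" % (name, pid, address, port))
```

Keying the baseline on (process name, port) rather than pid is deliberate: pids change on every restart, the pair does not.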
  71. Querying against your CMDB: find versions of an installed software package with PQL
    inventory { facts.osfamily = "Debian" and
                facts.datacentre = "Lon1" and
                resources { type = "Package" and
                            title = "npm" and
                            parameters.version = "1.03" } }

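Slides 66, 67 and 71 make the same move three ways: treat inventory data as something you assert against, like a test suite. The following is an added example, not code from the talk and not PuppetDB's API or PQL: a constructed inventory of three hosts, a `query` that evaluates the shape of the PQL query on slide 71 (facts match AND the host carries the resource), and an `expect_on_all` check in the spirit of the `running-on-all-clients?` assertion on slide 66 that returns the violating hosts. Hostnames, fact names and helper names are this example's own.

```python
"""Fleet assertions over CMDB-style inventory. Added example: the inventory is constructed
and the query helpers are this example's own, not PuppetDB's."""

# Constructed inventory: facts and managed resources per host, as a CMDB export might look.
INVENTORY = [
    {"certname": "web1.lon1.example",
     "facts": {"osfamily": "Debian", "datacentre": "Lon1", "selinux": {"enabled": True}},
     "resources": [{"type": "Package", "title": "npm", "parameters": {"version": "1.03"}}]},
    {"certname": "web2.lon1.example",
     "facts": {"osfamily": "Debian", "datacentre": "Lon1", "selinux": {"enabled": False}},
     "resources": [{"type": "Package", "title": "npm", "parameters": {"version": "1.04"}}]},
    {"certname": "db1.ams1.example",
     "facts": {"osfamily": "RedHat", "datacentre": "Ams1", "selinux": {"enabled": True}},
     "resources": [{"type": "Package", "title": "npm", "parameters": {"version": "1.03"}}]},
]


def fact(host, path):
    """Look up a dotted fact path such as 'selinux.enabled'; missing keys yield None
    so an absent fact counts as a mismatch rather than raising."""
    node = host.get("facts", {})
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def has_resource(host, rtype, title, parameters=None):
    """Does the host manage a resource of this type/title with the given parameter values?"""
    wanted = parameters or {}
    for r in host.get("resources", []):
        if r["type"] == rtype and r["title"] == title and \
                all(r.get("parameters", {}).get(k) == v for k, v in wanted.items()):
            return True
    return False


def query(inventory, facts=None, resource=None):
    """The PQL shape from slide 71: hosts whose facts all match AND which carry the resource."""
    matched = []
    for host in inventory:
        facts_ok = all(fact(host, k) == v for k, v in (facts or {}).items())
        resource_ok = resource is None or has_resource(host, **resource)
        if facts_ok and resource_ok:
            matched.append(host["certname"])
    return matched


def expect_on_all(inventory, fact_path, expected):
    """running-on-all-clients? style assertion: return the hosts that violate it (empty = pass)."""
    return [h["certname"] for h in inventory if fact(h, fact_path) != expected]


if __name__ == "__main__":
    print("npm 1.03 on Debian in Lon1:",
          query(INVENTORY, facts={"osfamily": "Debian", "datacentre": "Lon1"},
                resource={"rtype": "Package", "title": "npm", "parameters": {"version": "1.03"}}))
    print("selinux not enabled on:", expect_on_all(INVENTORY, "selinux.enabled", True))
```

Returning the violating hosts rather than a bare boolean is the useful design choice: a production assertion that fails should say where.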
  72. Letting the runtime protect us

  73. Runtime Application Self-Protection (RASP)

  74. “RASP comes into play when the application is executed (runtime), causing the program to monitor itself and detect malicious input and behaviour.”
    Veracode

  75. OWASP AppSensor

  76. “The AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into applications”
    OWASP AppSensor

  77. “The best place to identify malicious activity against the application is within the application itself”
    OWASP AppSensor

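AppSensor's framework, as slides 76 and 77 describe it, comes down to detection points inside the application, per-user event counting, and an automated response once a threshold is crossed in a time window. The following is an added example, not the talk's code and not the OWASP AppSensor reference implementation: a minimal in-process detector with a policy table, a sliding window per (user, detection point), and a constructed login handler wired to it. The detection point names, thresholds and response names are this example's own, not AppSensor's catalogue IDs.

```python
"""Minimal AppSensor-style detection points with thresholded responses.
Added example; detection point names, policy values and the login handler are constructed."""
import time
from collections import defaultdict, deque

# Policy: detection point -> (events needed, window in seconds, response).
# Values are illustrative; a real policy comes from threat modelling of the application.
POLICY = {
    "failed_password": (5, 600, "lock_account"),
    "unexpected_http_method": (1, 60, "log_and_alert"),
    "input_validation_failure": (3, 300, "log_and_alert"),
}


class FakeClock:
    """Deterministic clock so window expiry can be exercised without sleeping."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class AppSensor:
    """Records events per (user, detection point); fires the response when the count
    inside the window reaches the threshold, then resets so one burst fires once."""

    def __init__(self, policy=POLICY, clock=time.monotonic):
        self.policy = policy
        self.clock = clock
        self.events = defaultdict(deque)   # (user, detection_point) -> timestamps
        self.responses = []                # audit trail of (user, detection_point, response)
        self.locked = set()

    def record(self, user, detection_point):
        """Return the response fired by this event, or None if below threshold."""
        threshold, window, response = self.policy[detection_point]
        now = self.clock()
        q = self.events[(user, detection_point)]
        q.append(now)
        while q and now - q[0] > window:     # drop events that fell out of the window
            q.popleft()
        if len(q) < threshold:
            return None
        q.clear()
        self.responses.append((user, detection_point, response))
        if response == "lock_account":
            self.locked.add(user)
        return response

    def is_locked(self, user):
        return user in self.locked


def handle_login(sensor, user, password_ok):
    """Constructed login handler: a wrong password is a detection point, a lock is a response."""
    if sensor.is_locked(user):
        return "locked"
    if password_ok:
        return "ok"
    sensor.record(user, "failed_password")
    return "locked" if sensor.is_locked(user) else "denied"


def handle_request(sensor, user, method, allowed=("GET", "POST")):
    """Constructed request entry point: an HTTP method the app never uses is itself a signal."""
    if method not in allowed:
        return sensor.record(user, "unexpected_http_method")
    return None


if __name__ == "__main__":
    s = AppSensor()
    for _ in range(5):
        print(handle_login(s, "alice", password_ok=False))
    print(handle_request(s, "bob", "TRACE"))
```

The clock is injected so the window logic is testable, and the response table is data rather than code so that the security team can tune thresholds without a redeploy of handler logic.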
  78. Conclusions: if all you remember is

  79. We need secure applications, not just secure platforms

  80. App developers are conquering the world

  81. - Push security into the CI pipelines
    - Provide assurance of app dependencies
    - Build visibility into the application
    - Get reactive security into the runtime

  82. We need to move away from security tools and towards development tools with security features

  83. Questions? And thanks for listening