Security and the self-contained unit of software

A talk from AppSec EU, the OWASP conference, all about moving security to the application in the face of platforms, containers and serverless

Gareth Rushgrove

May 11, 2017

Transcript

  1. Security and the self-contained unit of software (without introducing more risk). Security in an app-centric world. Gareth Rushgrove, Puppet
  2. @garethr
  3. Gareth Rushgrove
  4. What we'll cover: this talk
  5. - The end of perimeter (only) security
    - From infrastructure to applications
    - The rise of the black box application
    - Pushing security concerns to the app
  6. An old model breaks down: the end of security (only) at the edges
  7. "For much of network security, firewalls were the panacea. Got a security problem? Throw more firewall at it." James Wickett, Signal Sciences
  8. "Through the 90's and early 2000's, buying an appliance to solve a problem was a common occurrence." James Wickett, Signal Sciences
  9. "Any problem in computer science can be solved with another layer of indirection." David Wheeler (maybe)
  10. Adding something new on top was quicker than fixing the software
  11. With modern approaches to software delivery we can change software quickly
  12. (slide without text)
  13. 10
  14. 2009
  15. "Amazon deploys every 11.6 seconds." Jon Jenkins, VelocityConf, 2011
  16. (slide without text)
  17. "We do not rely on internal network segmentation or firewalling as our primary security mechanisms." Google Infrastructure Security Design Overview
  18. Attacks are increasingly targeting application and business logic
  19. So where does security go?
  20. Direction of travel in systems design: from infrastructure to applications
  21. The ability to change software quickly has seen functionality move from the infrastructure to the application
  22. Built-in application healthchecks
  23. /health from Spring Boot:
    $ curl -i localhost:8080/health
    HTTP/1.1 200 OK
    X-Application-Context: application
    Content-Type: application/vnd.spring-boot.actuator.v1+json;charset=UTF-
    Content-Length: 221
    {
      "status" : "UP",
      "diskSpace" : {
        "status" : "UP",
        "total" : 63251804160,
        "free" : 31316164608,
        "threshold" : 10485760
      },
      "db" : {
  24. /metrics from Metrics:
    $ curl http://localhost:3000/metrics | jq
    {
      jvm.thread.deadlock.count: { type: "gauge", value: 0 },
      ring.requests.rate.GET: {
        type: "meter",
        rates: { 1: 0.009626100280886805, 5: 0.008973894483657855, 15: 0.00939960671455037, total: 199 }
      },
  25. Structured logging
  26. From something like syslog:
    Dec 6 23:17:01 logstash CRON[5849]: (root) CMD (cd / && run-parts --report /etc/cron.hourly)
  27. To something like lograge:
    { "method":"GET", "path":"/users", "format":"html", "controller":"users", "action":"index",
      "status":200, "duration":189.35, "view":186.35, "db":0.92,
      "@timestamp":"2015-12-11T13:35:47.062+00:00", "@version":"1",
      "message":"[200] GET /users (users#index)", "severity":"INFO", "host":"app1-web1",
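Why the move from syslog text to lograge JSON matters for security is that the fields become queryable without regexes. The following is an added Python example, not code from the talk: it parses constructed lograge-style lines, skips anything that is not JSON, and runs three checks over them (5xx errors, slow requests and their DB share, and bursts of 401s per client). The remote_ip field is an assumption, as lograge's default fields only carry the application host.

```python
import json
from collections import Counter

# Constructed lograge-style lines (not the talk's sample); remote_ip is assumed to be
# added through lograge's custom_options, since the default fields carry only the app host.
SAMPLE_LOG = """\
{"method":"GET","path":"/users","controller":"users","action":"index","status":200,"duration":189.35,"db":0.92,"@timestamp":"2015-12-11T13:35:47.062+00:00","severity":"INFO","host":"app1-web1","remote_ip":"198.51.100.7"}
{"method":"POST","path":"/sessions","controller":"sessions","action":"create","status":401,"duration":12.1,"db":0.4,"@timestamp":"2015-12-11T13:35:48.100+00:00","severity":"INFO","host":"app1-web1","remote_ip":"203.0.113.9"}
{"method":"POST","path":"/sessions","controller":"sessions","action":"create","status":401,"duration":11.8,"db":0.38,"@timestamp":"2015-12-11T13:35:48.900+00:00","severity":"INFO","host":"app1-web1","remote_ip":"203.0.113.9"}
{"method":"POST","path":"/sessions","controller":"sessions","action":"create","status":401,"duration":12.4,"db":0.41,"@timestamp":"2015-12-11T13:35:49.700+00:00","severity":"INFO","host":"app1-web2","remote_ip":"203.0.113.9"}
{"method":"GET","path":"/reports/42","controller":"reports","action":"show","status":500,"duration":1530.22,"db":1402.1,"@timestamp":"2015-12-11T13:35:50.000+00:00","severity":"ERROR","host":"app1-web2","remote_ip":"198.51.100.7"}
Dec 6 23:17:01 app1-web1 CRON[5849]: (root) CMD (run-parts --report /etc/cron.hourly)
"""

def parse_lograge(text):
    """Parse newline-delimited lograge JSON; a non-JSON line is skipped, not fatal."""
    events = []
    for line in text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def server_errors(events):
    """Requests the application itself failed on (5xx), as opposed to client mistakes."""
    return [e for e in events if e.get("status", 0) >= 500]

def slow_requests(events, threshold_ms=1000.0):
    """(path, duration, share of time spent in the DB) for requests over the threshold."""
    out = []
    for e in events:
        if e.get("duration", 0.0) > threshold_ms:
            out.append((e["path"], e["duration"], round(e.get("db", 0.0) / e["duration"], 2)))
    return out

def auth_failure_bursts(events, limit=3):
    """Clients with `limit` or more 401s on the sessions controller: a detection
    point that is one dictionary lookup here and a fragile regex on syslog text."""
    counts = Counter(e.get("remote_ip") for e in events
                     if e.get("controller") == "sessions" and e.get("status") == 401)
    return {ip: n for ip, n in counts.items() if n >= limit}

if __name__ == "__main__":
    evs = parse_lograge(SAMPLE_LOG)
    print("5xx:", [(e["path"], e["status"]) for e in server_errors(evs)])
    print("slow:", slow_requests(evs))
    print("auth bursts:", auth_failure_bursts(evs))
```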
  28. From manual black-box testing to unit tests
  29. From configuration files to environment variables
  30. From external manual testing to unit tests
  31. From static configuration to service discovery
  32. 12 factor applications
  33. And implications for security: the rise of the black box application
  34. With all these applications we seek out a platform to run them on
  35. The platform might be Docker, Kubernetes, AWS Lambda, Azure Functions, Heroku, CloudFoundry, EC2 or something else
  36. From a security perspective, the platform is a great place to introduce central security features
  37. But general purpose platforms often treat the application as a black box
  38. The implementation of that black box might be a container, a virtual machine, a serverless function or something else
  39. From a security perspective, the black box application sounds like a very bad idea
  40. What's inside that container?
  41. You don't know, and that's a problem
  42. Image downloads
  43. Image GitHub popularity
  44. Image contents
  45. Vulnerable images in repositories
  46. - Most containers have OS user space
    - Most containers have lots of unmanaged packages at unspecified versions
    - Some containers are not immutable
    - Some containers will have vulnerabilities
  47. What about Serverless?
  48. "These code packages are like little pieces of infrastructure embedded inside your application. Application dependencies are similar to the oft-exploited server dependencies." Guy Podjarny, Snyk
  49. Platform security brings improvements (Guy Podjarny, Snyk)
  50. Application security still an issue (Guy Podjarny, Snyk)
  51. Existing approaches not always relevant (Guy Podjarny, Snyk)
  52. Because the platform can't do everything: pushing security concerns to the application
  53. In this new world we need to push security to the application
  54. Security testing at build time
  55. OWASP ZAP
  56. BDD-Security: testing for SQL injection vulnerabilities in the CI pipeline
    Scenario: The application should not contain SQL injection vulnerabilities
      Meta: @id scan_sql_injection @cwe-89
      Given a scanner with all policies disabled
      And the SQL-Injection policy is enabled
      And the attack strength is set to High
      And the alert threshold is set to Low
      When the scanner is run
      And the XML report is written to the file sql_injection.xml
      Then no Medium or higher risk vulnerabilities should be present
  57. Lynis: scanning for vulnerabilities during VM image build
    #!/bin/bash -e
    yum install -y lynis
    touch /etc/lynis/custom.prf
    lynis configure settings error-on-warnings=yes:quick=yes:skip-test=FIRE-4512
    lynis audit system
  58. Assuring dependencies
  59. OWASP Dependency-Check
  60. Bundler audit: checking for disclosed Ruby vulnerabilities in Gemfile.lock
    $ bundle-audit
    Name: actionpack
    Version: 3.2.10
    Advisory: OSVDB-91452
    Criticality: Medium
    URL: http://www.osvdb.org/show/osvdb/91452
    Title: XSS vulnerability in sanitize_css in Action Pack
    Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13

    Name: actionpack
    Version: 3.2.10
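The check behind that bundle-audit output, as an added Python example that is neither the talk's nor bundler-audit's code: it reads the top-level gems out of a constructed Gemfile.lock and reports any gem whose locked version satisfies none of an advisory's patched ranges, using the same RubyGems requirement syntax (~>, >=) the Solution line is written in. The advisory id is a placeholder and the lock file is constructed.

```python
import re

# Constructed Gemfile.lock fragment in the layout Bundler writes (not from the talk).
GEMFILE_LOCK = """\
GEM
  specs:
    actionpack (3.2.10)
      activemodel (= 3.2.10)
    activemodel (3.2.10)
    rails (3.2.10)
      actionpack (= 3.2.10)

DEPENDENCIES
  rails (= 3.2.10)
"""

# Constructed advisory shaped like a bundler-audit entry (the id is a placeholder):
# a gem is vulnerable unless its version satisfies one of the patched requirements.
ADVISORIES = [{"gem": "actionpack", "id": "CONSTRUCTED-ADVISORY-1",
               "patched_versions": ["~> 2.3.18", "~> 3.1.12", ">= 3.2.13"]}]

def parse_version(s):
    return tuple(int(p) for p in s.split("."))

def satisfies(version, requirement):
    """Subset of RubyGems requirement operators: =, >=, >, <, <=, ~> (pessimistic)."""
    op, _, ver = requirement.partition(" ")
    v, r = parse_version(version), parse_version(ver)
    if op == "~>":  # >= r and below the next bump of r's second-to-last segment
        upper = r[:-2] + (r[-2] + 1,) if len(r) > 1 else (r[0] + 1,)
        return r <= v < upper
    return {"=": v == r, ">=": v >= r, ">": v > r, "<": v < r, "<=": v <= r}[op]

def parse_lock_specs(text):
    """Top-level specs sit exactly four spaces deep; six-space lines are their
    dependency constraints and two-space DEPENDENCIES entries are skipped."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^    (\S+) \(([^)\s]+)\)$", text, re.M)}

def audit(lock_text, advisories):
    """(gem, locked version, advisory id) for every gem no patched range covers."""
    specs = parse_lock_specs(lock_text)
    findings = []
    for adv in advisories:
        version = specs.get(adv["gem"])
        if version and not any(satisfies(version, r) for r in adv["patched_versions"]):
            findings.append((adv["gem"], version, adv["id"]))
    return findings
```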
  61. Snyk
  62. Checking application dependencies:
    $ snyk test ionic
    ...
    ✗ High severity vulnerability found on shelljs@0.2.6
    - desc: Command Injection
    - info: https://snyk.io/vuln/npm:shelljs:20140723
    - from: ionic@2.2.3 > ionic-app-lib@2.2.1 > shelljs@0.2.6
    Fix: None available. Consider removing this dependency.
    ✗ High severity vulnerability found on shelljs@0.3.0
    - desc: Command Injection
    - info: https://snyk.io/vuln/npm:shelljs:20140723
    - from: ionic@2.2.3 > ionic-app-lib@2.2.1 > cordova-lib@6.1.0 > shelljs
    Fix: None available. Consider removing this dependency.
  63. Checking Docker containers for CVEs:
    $ scan-image-for-cves garethr/myapp
    ---> Scanning package: python
    ---> CVEs found for python-2.7.5-34.el7
    +---------------+----------+------------+-------------------+
    | CVE           | Severity | CVSS score | Date              |
    +---------------+----------+------------+-------------------+
    | CVE-2014-4650 | moderate | 5.0        | 23 June 2014      |
    | CVE-2013-1752 | moderate | 4.3        | 25 September 2012 |
    | CVE-2013-1753 | moderate | 4.3        | 25 September 2012 |
    | CVE-2014-7185 | low      | 4.0        | 23 June 2014      |
    | CVE-2014-4616 | moderate | 4.0        | 19 May 2014       |
    +---------------+----------+------------+-------------------+
  64. Testing in production
  65. The only source of truth is the network
  66. Making sure selinux is enabled, using PuppetDB as a CMDB to make assertions against:
    (expect running-on-all-clients? "selinux")
  67. Making sure you're using the approved OS, querying the state of running Docker containers:
    def test_os(inventory):
        host_info = inventory['capabilities']['host']['payload']
        family = host_info['platformfamily']
        assert "debian" == family
  68. Visibility
  69. osquery
  70. Checking for processes listening on ports; SQL for asking questions of your system:
    SELECT DISTINCT process.name, listening.port, listening.address, process.pid
    FROM processes AS process
    JOIN listening_ports AS listening ON process.pid = listening.pid;
  71. Querying against your CMDB: find versions of an installed software package with PQL
    inventory {
      facts.osfamily = "Debian" and facts.datacentre = "Lon1" and
      resources { type = "Package" and title = "npm" and parameters.version = "1.03" }
    }
  72. Letting the runtime protect us
  73. Runtime Application Self-Protection (RASP)
  74. "RASP comes into play when the application is executed (runtime), causing the program to monitor itself and detect malicious input and behaviour." Veracode
  75. OWASP AppSensor
  76. "The AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into applications." OWASP AppSensor
  77. "The best place to identify malicious activity against the application is within the application itself." OWASP AppSensor
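The pattern the two AppSensor quotes describe, as an added Python example that is neither AppSensor's nor the talk's code: a detection point living inside the application's own login path counts failed passwords per user over a sliding window and escalates through configured responses. The class names, the warn-at-3 / lock-at-5 thresholds and the 60-second window are assumptions.

```python
from collections import defaultdict, deque

class DetectionPoint:
    """Per-actor events in a sliding window, mapped to the strongest response reached."""
    def __init__(self, name, window_seconds, responses):
        self.name, self.window = name, window_seconds
        self.responses = sorted(responses.items())  # [(threshold, action), ...]
        self.events = defaultdict(deque)

    def record(self, actor, now):  # now: caller's timestamp (time.time() in real use)
        q = self.events[actor]
        q.append(now)
        while q and now - q[0] > self.window:  # forget events outside the window
            q.popleft()
        action = None
        for threshold, candidate in self.responses:
            if len(q) >= threshold:
                action = candidate
        return action

class AppSensor:
    def __init__(self):
        self.points, self.locked, self.log = {}, set(), []

    def add_point(self, point):
        self.points[point.name] = point

    def signal(self, point_name, actor, now):
        """Record the event and apply the response; here 'lock' blocks the actor."""
        action = self.points[point_name].record(actor, now)
        if action:
            self.log.append((point_name, actor, action))
        if action == "lock":
            self.locked.add(actor)
        return action

def login(sensor, user, password_ok, now):
    """The application's own login path is where the detection point lives."""
    if user in sensor.locked:
        return "locked"
    if password_ok:
        return "ok"
    sensor.signal("failed_password", user, now)
    return "denied"

def build_sensor():  # assumed policy: warn at 3 failures, lock at 5, within 60 seconds
    sensor = AppSensor()
    sensor.add_point(DetectionPoint("failed_password", 60, {3: "warn", 5: "lock"}))
    return sensor
```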
  78. Conclusions: if all you remember is
  79. We need secure applications, not just secure platforms
  80. App developers are conquering the world
  81. - Push security into the CI pipelines
    - Provide assurance of app dependencies
    - Build visibility into the application
    - Get reactive security into the runtime
  82. We need to move away from security tools and towards development tools with security features
  83. Questions? And thanks for listening