A Practical Introduction to Minimum Secure Products

Transcript

1. Rosemary Wang
   A Practical Introduction to
   Minimum Secure Products
   

   View Slide

2. A USER STORY
   As a community member,
   I want to enter my email
   so that I can get a calendar invite for the
   Codemotion online tech
   conference.
   Improve user
   experience!
   2
   

   View Slide

3. A DEVELOPER STORY
   As a developer,
   I want to deploy my application in two minutes
   so that I do not affect conference attendees
   watching the Codemotion online
   tech conference.
   Improve developer
   experience!
   3
   

   View Slide

4. EVERY STORY HAS A CONFLICT
   Story
   A-1
   Product Timeline
   Story …
   Story
   A-N
   Go
   live!
   🎉
   Story
   B-1
   Bitcoin
   miner
   😱
   Rebuild Infrastructure
   Exposed user
   information
   😱
   Identify, Notify, and Remediate
   Story
   B-2
   Story
   B-3
   Remediate
   Vulnerability in
   logging library
   😱
   4
   

   View Slide

5. ROSEMARY WANG
   she/her
   @joatmon08
   5
   

   View Slide

6. REWRITE THE STORIES
   6
   

   View Slide

7. SHIFT SECURITY LEFT
   7
   

   View Slide

8. A USER STORY
   As a community member,
   I want to securely enter my email
   so that I can get a calendar invite for the
   Codemotion online tech
   conference.
   Secure user
   experience!
   8
   

   View Slide

9. A DEVELOPER STORY
   As a developer,
   I want to securely deploy my application in two
   minutes
   so that I do not affect conference attendees
   watching the Codemotion online tech
   conference.
   Secure developer
   experience!
   9
   

   View Slide

10. REWRITING THE STORY
    Product Timeline
    Go
    live!
    🎉
    Story
    A-1
    Secure
    Remediate
    Vulnerability in
    logging library
    😱
    10
    Story …
    Secure
    Story
    A-N
    Secure
    Story
    B-1
    Secure
    Story
    B-2
    Secure
    Story
    B-3
    Secure
    Story B-4
    Secure
    

    View Slide

11. WHAT IS THE MINIMUM SECURITY
    I SHOULD KNOW?
    11
    

    View Slide

12. MINIMUM SECURE PRODUCT
    The basic security requirements for
    any product
    (infrastructure, platform,
    software, delivery pipelines)
    that you deliver to production.
    12
    

    View Slide

13. Delivery Pipelines
    Automation
    Runners
    Software
    Applications
    Serverless
    Platforms
    Managed Services Infrastructure
    13
    

    View Slide

14. PLATFORMS
    Infrastructure & Managed Services
    14
    

    View Slide

15. INFRASTRUCTURE: THE MINIMUM
    • If you have publicly accessible endpoints…
    q Should they be publicly accessible from anywhere?
    q Are they secured by certificates?
    q Do they have access control or user authentication?
    • If you have infrastructure storing data…
    q Is it encrypted at rest?
    q Is it encrypted in transit by TLS or keys?
    • If you have secrets like usernames, passwords, or certificates…
    q Are you storing them in a secrets manager instead of hard-coding
    them?
    q Are they unique for each user or resource?
    • If you have virtual machines or containers…
    q Do they only use verified software that they need to run?
    q Do they have any high vulnerabilities that someone can exploit?
    • If you have network policies…
    q Do they only allow access from specific endpoints?
    q Which ones allow access from anywhere?
    • If you have users or services accessing your infrastructure
    provider…
    q Do you restrict them to the services or resources they require?
    q Are you logging user and machine identities accessing the services?
    • If you are using infrastructure as code…
    q Does your configuration use secure defaults?
    q Are you verifying their checksums and signatures?
    q Have you reviewed any 3rd party modules or dependencies for
    security issues (e.g., making unauthorized external calls)?
    q Can you reproduce a copy of your infrastructure in case of a
    security incident?
    15
    

    View Slide

16. MANAGED SERVICES: THE MINIMUM
    qCan you restrict your network policies to its endpoint(s)?
    qCan you set up user or service authentication and access control?
    qCan you retrieve its audit logs?
    qDo you know how the managed service remediates vulnerabilities?
    qCan you reproduce a copy of your managed service configuration in case of a
    security incident?
    16
    

    View Slide

17. Infrastructure & Managed
    Services
    Secure Infrastructure
    Configuration
    Configuration Scanning
    Private Endpoints as
    Default
    Encryption
    Data
    Services (mTLS)
    Secrets Management
    Auditing
    Access Logs
    Load Balancers
    Web Servers
    Infrastructure API Access
    Resource Monitoring
    Machine Processes
    Resource Usage
    Least Privilege Access
    Control
    Infrastructure Resource
    to Infrastructure API
    Identity & Access
    Management
    Network Policy
    Firewall / Security Group
    Rules
    Engineer to Infrastructure
    Resource / API
    Identity & Access
    Management
    Secure Access
    Management
    VPN
    Secure Machine
    Configuration
    User Privileges
    Vulnerability Scanning
    Virtual Machines
    Containers
    Security Hardening
    PLATFORM: THE LATER STAGE
    17
    

    View Slide

18. RESOURCES
    • National Checklist Program by U.S. NIST (https://ncp.nist.gov/)
    • Policy as code tools for infrastructure as code
    (https://github.com/joatmon08/tdd-infrastructure#policy-as-code-with-
    security-scanning)
    18
    

    View Slide

19. SOFTWARE
    Applications, Serverless, & More
    19
    

    View Slide

20. SOFTWARE: THE MINIMUM
    • If your code accesses another service (e.g.,
    database, queue, application)…
    q Does it only have least-privilege access to the
    services it needs?
    q Does it authenticate to the service with a unique
    set of credentials?
    • If your code processes data...
    q Does it mask or omit personally identifiable
    information?
    q Does it encrypt the data (using keys and TLS)?
    q Can you track transactions or failed logins with
    logs or metrics?
    • If you are using 3rd party dependencies…
    q Are you verifying their checksums and signatures?
    q Have you scanned them for potential security
    issues (e.g., making unauthorized external calls)?
    q Are the dependencies updated and pinned to a
    version?
    q Is your code secured by authentication?
    q Did you do static application security testing
    (SAST) on your code?
    q Did you do dynamic application security
    testing (DAST) on your code?
    20
    

    View Slide

21. Software
    Secure Code
    Static Application
    Security Testing
    Dynamic Application
    Security Testing
    Verify 3rd Party
    Dependencies
    Data
    Personal Identifying
    Information (PII)
    Encryption
    Mask / Omit
    TLS
    Secrets Management
    Auditing
    Application Logs
    Transactions
    Events
    Application
    Monitoring
    Least Privilege Access
    Control
    Application to
    Application
    Identity & Access
    Management
    API Authorization
    User to Application
    Authentication
    TLS
    Engineer to
    Application
    Identity & Access
    Management
    Secure Access
    Management
    VPN
    Secure Deployment
    Network Policy
    Web Application
    Firewalls (WAFs)
    Traffic Management DDoS Protection
    SOFTWARE: THE LATER STAGE
    21
    

    View Slide

22. RESOURCES
    • OWASP Top Ten (https://owasp.org/www-project-top-ten/)
    • OWASP Mobile Security Testing Guide (https://owasp.org/www-project-
    mobile-security-testing-guide/)
    • OWASP Zed Attack Proxy (ZAP) (https://www.zaproxy.org/)
    22
    

    View Slide

23. DELIVERY PIPELINES
    Automation, Runners, and Supply Chain
    23
    

    View Slide

24. DELIVERY PIPELINES: THE MINIMUM
    • If you use credentials in your delivery pipelines…
    q Can you easily rotate them if they are compromised?
    q Are they masked or omitted from pipeline outputs?
    q Does your pipeline use separate credentials for production
    deployment?
    • If you use a managed continuous integration
    framework…
    q Did you restrict access to your application and infrastructure to
    its known public endpoints?
    q Does it have access control to check authorized users for
    debugging or troubleshooting pipelines?
    • If you use pipelines as code…
    q Do you control changes to pipeline configurations through
    version control?
    q Does your pipeline have stages that require remote code
    execution?
    q Do you scan and verify use 3rd party pipeline plugins?
    • If you have standard stages in your pipeline…
    q Do you have a security testing stage before you release?
    q Do you have a signing or verification stage before you release
    an artifact?
    q Do you keep a history of pipeline runs for auditing?
    24
    

    View Slide

25. Software
    Secure Pipeline
    Configuration
    Test Configuration
    Standardize Stages
    Security Testing
    Release Signing &
    Verification
    Secrets Management Mask / Omit in Output
    Auditing Pipeline Runs
    Least Privilege Access
    Control
    Pipeline to
    Platform/Applications
    Identity & Access
    Management
    Network Policy
    Engineer to Pipeline
    Identity & Access
    Management
    Secure Access
    Management
    VPN
    DELIVERY PIPELINES: THE LATER STAGE
    25
    

    View Slide

26. RESOURCES
    • An Overview of Securing CI/CD Pipelines (https://youtu.be/Ljof-WI0C8I)
    • OWASP Pipeline Tools (https://owasp.org/www-project-appsec-
    pipeline/pipeline-tools)
    26
    

    View Slide

27. SO MANY REQUIREMENTS…
    27
    

    View Slide

28. • Running code or infrastructure resources
    • Requires active resources
    • Can be tested in a non-production
    environment
    • i.e., Integration tests
    DYNAMIC ANALYSIS
    AUTOMATE WITH TESTS
    28
    STATIC ANALYSIS
    • Configuration or code in version control
    • Does not require active resources
    • Can be tested before production
    deployment
    • i.e., Unit tests
    

    View Slide

29. AUTOMATE WITH TESTS
    Static Analysis
    (Unit Tests)
    Test Runtime
    Analysis
    (Integration tests)
    Production
    Runtime Analysis
    (Remediation)
    29
    Dynamic Analysis
    

    View Slide

30. 30
    Unknown
    knowns
    (siloed
    knowledge)
    Known
    knowns
    (testing)
    Unknown
    knowns
    (observability)
    Known
    unknowns
    (monitoring)
    Convert unknown
    knowns to testing,
    observability, or
    monitoring.
    

    View Slide

31. SUMMARY
    • Rewrite stories with minimum security
    requirements.
    • Learn from your community.
    • Contribute your security knowledge.
    • Always be securing.
    31
    

    View Slide

32. THANK YOU!
    Rosemary Wang
    joatmon08.github.io/03_speaking.html
    

    View Slide