A Practical Introduction to Minimum Secure Products

Transcript

1. Rosemary Wang A Practical Introduction to Minimum Secure Products

2. A USER STORY As a community member, I want to

   enter my email so that I can get a calendar invite for the Codemotion online tech conference. Improve user experience! 2

3. A DEVELOPER STORY As a developer, I want to deploy

   my application in two minutes so that I do not affect conference attendees watching the Codemotion online tech conference. Improve developer experience! 3

4. EVERY STORY HAS A CONFLICT Story A-1 Product Timeline Story

   … Story A-N Go live! 🎉 Story B-1 Bitcoin miner 😱 Rebuild Infrastructure Exposed user information 😱 Identify, Notify, and Remediate Story B-2 Story B-3 Remediate Vulnerability in logging library 😱 4

5. ROSEMARY WANG she/her @joatmon08 5

6. REWRITE THE STORIES 6

7. SHIFT SECURITY LEFT 7

8. A USER STORY As a community member, I want to

   securely enter my email so that I can get a calendar invite for the Codemotion online tech conference. Secure user experience! 8

9. A DEVELOPER STORY As a developer, I want to securely

   deploy my application in two minutes so that I do not affect conference attendees watching the Codemotion online tech conference. Secure developer experience! 9

10. REWRITING THE STORY Product Timeline Go live! 🎉 Story A-1

    Secure Remediate Vulnerability in logging library 😱 10 Story … Secure Story A-N Secure Story B-1 Secure Story B-2 Secure Story B-3 Secure Story B-4 Secure

11. WHAT IS THE MINIMUM SECURITY I SHOULD KNOW? 11

12. MINIMUM SECURE PRODUCT The basic security requirements for any product

    (infrastructure, platform, software, delivery pipelines) that you deliver to production. 12

13. Delivery Pipelines Automation Runners Software Applications Serverless Platforms Managed Services

    Infrastructure 13

14. PLATFORMS Infrastructure & Managed Services 14

15. INFRASTRUCTURE: THE MINIMUM • If you have publicly accessible endpoints…

    q Should they be publicly accessible from anywhere? q Are they secured by certificates? q Do they have access control or user authentication? • If you have infrastructure storing data… q Is it encrypted at rest? q Is it encrypted in transit by TLS or keys? • If you have secrets like usernames, passwords, or certificates… q Are you storing them in a secrets manager instead of hard-coding them? q Are they unique for each user or resource? • If you have virtual machines or containers… q Do they only use verified software that they need to run? q Do they have any high vulnerabilities that someone can exploit? • If you have network policies… q Do they only allow access from specific endpoints? q Which ones allow access from anywhere? • If you have users or services accessing your infrastructure provider… q Do you restrict them to the services or resources they require? q Are you logging user and machine identities accessing the services? • If you are using infrastructure as code… q Does your configuration use secure defaults? q Are you verifying their checksums and signatures? q Have you reviewed any 3rd party modules or dependencies for security issues (e.g., making unauthorized external calls)? q Can you reproduce a copy of your infrastructure in case of a security incident? 15

16. MANAGED SERVICES: THE MINIMUM qCan you restrict your network policies

    to its endpoint(s)? qCan you set up user or service authentication and access control? qCan you retrieve its audit logs? qDo you know how the managed service remediates vulnerabilities? qCan you reproduce a copy of your managed service configuration in case of a security incident? 16

17. Infrastructure & Managed Services Secure Infrastructure Configuration Configuration Scanning Private

    Endpoints as Default Encryption Data Services (mTLS) Secrets Management Auditing Access Logs Load Balancers Web Servers Infrastructure API Access Resource Monitoring Machine Processes Resource Usage Least Privilege Access Control Infrastructure Resource to Infrastructure API Identity & Access Management Network Policy Firewall / Security Group Rules Engineer to Infrastructure Resource / API Identity & Access Management Secure Access Management VPN Secure Machine Configuration User Privileges Vulnerability Scanning Virtual Machines Containers Security Hardening PLATFORM: THE LATER STAGE 17

18. RESOURCES • National Checklist Program by U.S. NIST (https://ncp.nist.gov/) •

    Policy as code tools for infrastructure as code (https://github.com/joatmon08/tdd-infrastructure#policy-as-code-with- security-scanning) 18

19. SOFTWARE Applications, Serverless, & More 19

20. SOFTWARE: THE MINIMUM • If your code accesses another service

    (e.g., database, queue, application)… q Does it only have least-privilege access to the services it needs? q Does it authenticate to the service with a unique set of credentials? • If your code processes data... q Does it mask or omit personally identifiable information? q Does it encrypt the data (using keys and TLS)? q Can you track transactions or failed logins with logs or metrics? • If you are using 3rd party dependencies… q Are you verifying their checksums and signatures? q Have you scanned them for potential security issues (e.g., making unauthorized external calls)? q Are the dependencies updated and pinned to a version? q Is your code secured by authentication? q Did you do static application security testing (SAST) on your code? q Did you do dynamic application security testing (DAST) on your code? 20

21. Software Secure Code Static Application Security Testing Dynamic Application Security

    Testing Verify 3rd Party Dependencies Data Personal Identifying Information (PII) Encryption Mask / Omit TLS Secrets Management Auditing Application Logs Transactions Events Application Monitoring Least Privilege Access Control Application to Application Identity & Access Management API Authorization User to Application Authentication TLS Engineer to Application Identity & Access Management Secure Access Management VPN Secure Deployment Network Policy Web Application Firewalls (WAFs) Traffic Management DDoS Protection SOFTWARE: THE LATER STAGE 21

22. RESOURCES • OWASP Top Ten (https://owasp.org/www-project-top-ten/) • OWASP Mobile Security

    Testing Guide (https://owasp.org/www-project- mobile-security-testing-guide/) • OWASP Zed Attack Proxy (ZAP) (https://www.zaproxy.org/) 22

23. DELIVERY PIPELINES Automation, Runners, and Supply Chain 23

24. DELIVERY PIPELINES: THE MINIMUM • If you use credentials in

    your delivery pipelines… q Can you easily rotate them if they are compromised? q Are they masked or omitted from pipeline outputs? q Does your pipeline use separate credentials for production deployment? • If you use a managed continuous integration framework… q Did you restrict access to your application and infrastructure to its known public endpoints? q Does it have access control to check authorized users for debugging or troubleshooting pipelines? • If you use pipelines as code… q Do you control changes to pipeline configurations through version control? q Does your pipeline have stages that require remote code execution? q Do you scan and verify use 3rd party pipeline plugins? • If you have standard stages in your pipeline… q Do you have a security testing stage before you release? q Do you have a signing or verification stage before you release an artifact? q Do you keep a history of pipeline runs for auditing? 24

25. Software Secure Pipeline Configuration Test Configuration Standardize Stages Security Testing

    Release Signing & Verification Secrets Management Mask / Omit in Output Auditing Pipeline Runs Least Privilege Access Control Pipeline to Platform/Applications Identity & Access Management Network Policy Engineer to Pipeline Identity & Access Management Secure Access Management VPN DELIVERY PIPELINES: THE LATER STAGE 25

26. RESOURCES • An Overview of Securing CI/CD Pipelines (https://youtu.be/Ljof-WI0C8I) •

    OWASP Pipeline Tools (https://owasp.org/www-project-appsec- pipeline/pipeline-tools) 26

27. SO MANY REQUIREMENTS… 27

28. • Running code or infrastructure resources • Requires active resources

    • Can be tested in a non-production environment • i.e., Integration tests DYNAMIC ANALYSIS AUTOMATE WITH TESTS 28 STATIC ANALYSIS • Configuration or code in version control • Does not require active resources • Can be tested before production deployment • i.e., Unit tests

29. AUTOMATE WITH TESTS Static Analysis (Unit Tests) Test Runtime Analysis

    (Integration tests) Production Runtime Analysis (Remediation) 29 Dynamic Analysis

30. 30 Unknown knowns (siloed knowledge) Known knowns (testing) Unknown knowns

    (observability) Known unknowns (monitoring) Convert unknown knowns to testing, observability, or monitoring.

31. SUMMARY • Rewrite stories with minimum security requirements. • Learn

    from your community. • Contribute your security knowledge. • Always be securing. 31

32. THANK YOU! Rosemary Wang joatmon08.github.io/03_speaking.html