Upgrade to Pro — share decks privately, control downloads, hide ads and more …

A Practical Introduction to Minimum Secure Products

A Practical Introduction to Minimum Secure Products

Originally presented at Codemotion Spring: Spanish Edition.

Whether you are a developer, operator, or other kind of engineer, you will need to secure your applications, platforms, continuous integration frameworks, and data. Rosemary Wang provides a list of practices and patterns to build minimum secure applications, infrastructure, and automation. Knowing the basics will help you build security into your systems instead of adding them after deployment. From access control considerations to encryption, you’ll learn and teach others to better secure systems as they scale to support applications and users.

Rosemary Wang

May 11, 2022
Tweet

More Decks by Rosemary Wang

Other Decks in Technology

Transcript

  1. Rosemary Wang
    A Practical Introduction to
    Minimum Secure Products

    View Slide

  2. A USER STORY
    As a community member,
    I want to enter my email
    so that I can get a calendar invite for the
    Codemotion online tech
    conference.
    Improve user
    experience!
    2

    View Slide

  3. A DEVELOPER STORY
    As a developer,
    I want to deploy my application in two minutes
    so that I do not affect conference attendees
    watching the Codemotion online
    tech conference.
    Improve developer
    experience!
    3

    View Slide

  4. EVERY STORY HAS A CONFLICT
    Story
    A-1
    Product Timeline
    Story …
    Story
    A-N
    Go
    live!
    🎉
    Story
    B-1
    Bitcoin
    miner
    😱
    Rebuild Infrastructure
    Exposed user
    information
    😱
    Identify, Notify, and Remediate
    Story
    B-2
    Story
    B-3
    Remediate
    Vulnerability in
    logging library
    😱
    4

    View Slide

  5. ROSEMARY WANG
    she/her
    @joatmon08
    5

    View Slide

  6. REWRITE THE STORIES
    6

    View Slide

  7. SHIFT SECURITY LEFT
    7

    View Slide

  8. A USER STORY
    As a community member,
    I want to securely enter my email
    so that I can get a calendar invite for the
    Codemotion online tech
    conference.
    Secure user
    experience!
    8

    View Slide

  9. A DEVELOPER STORY
    As a developer,
    I want to securely deploy my application in two
    minutes
    so that I do not affect conference attendees
    watching the Codemotion online tech
    conference.
    Secure developer
    experience!
    9

    View Slide

  10. REWRITING THE STORY
    Product Timeline
    Go
    live!
    🎉
    Story
    A-1
    Secure
    Remediate
    Vulnerability in
    logging library
    😱
    10
    Story …
    Secure
    Story
    A-N
    Secure
    Story
    B-1
    Secure
    Story
    B-2
    Secure
    Story
    B-3
    Secure
    Story B-4
    Secure

    View Slide

  11. WHAT IS THE MINIMUM SECURITY
    I SHOULD KNOW?
    11

    View Slide

  12. MINIMUM SECURE PRODUCT
    The basic security requirements for
    any product
    (infrastructure, platform,
    software, delivery pipelines)
    that you deliver to production.
    12

    View Slide

  13. Delivery Pipelines
    Automation
    Runners
    Software
    Applications
    Serverless
    Platforms
    Managed Services Infrastructure
    13

    View Slide

  14. PLATFORMS
    Infrastructure & Managed Services
    14

    View Slide

  15. INFRASTRUCTURE: THE MINIMUM
    • If you have publicly accessible endpoints…
    q Should they be publicly accessible from anywhere?
    q Are they secured by certificates?
    q Do they have access control or user authentication?
    • If you have infrastructure storing data…
    q Is it encrypted at rest?
    q Is it encrypted in transit by TLS or keys?
    • If you have secrets like usernames, passwords, or certificates…
    q Are you storing them in a secrets manager instead of hard-coding
    them?
    q Are they unique for each user or resource?
    • If you have virtual machines or containers…
    q Do they only use verified software that they need to run?
    q Do they have any high vulnerabilities that someone can exploit?
    • If you have network policies…
    q Do they only allow access from specific endpoints?
    q Which ones allow access from anywhere?
    • If you have users or services accessing your infrastructure
    provider…
    q Do you restrict them to the services or resources they require?
    q Are you logging user and machine identities accessing the services?
    • If you are using infrastructure as code…
    q Does your configuration use secure defaults?
    q Are you verifying their checksums and signatures?
    q Have you reviewed any 3rd party modules or dependencies for
    security issues (e.g., making unauthorized external calls)?
    q Can you reproduce a copy of your infrastructure in case of a
    security incident?
    15

    View Slide

  16. MANAGED SERVICES: THE MINIMUM
    qCan you restrict your network policies to its endpoint(s)?
    qCan you set up user or service authentication and access control?
    qCan you retrieve its audit logs?
    qDo you know how the managed service remediates vulnerabilities?
    qCan you reproduce a copy of your managed service configuration in case of a
    security incident?
    16

    View Slide

  17. Infrastructure & Managed
    Services
    Secure Infrastructure
    Configuration
    Configuration Scanning
    Private Endpoints as
    Default
    Encryption
    Data
    Services (mTLS)
    Secrets Management
    Auditing
    Access Logs
    Load Balancers
    Web Servers
    Infrastructure API Access
    Resource Monitoring
    Machine Processes
    Resource Usage
    Least Privilege Access
    Control
    Infrastructure Resource
    to Infrastructure API
    Identity & Access
    Management
    Network Policy
    Firewall / Security Group
    Rules
    Engineer to Infrastructure
    Resource / API
    Identity & Access
    Management
    Secure Access
    Management
    VPN
    Secure Machine
    Configuration
    User Privileges
    Vulnerability Scanning
    Virtual Machines
    Containers
    Security Hardening
    PLATFORM: THE LATER STAGE
    17

    View Slide

  18. RESOURCES
    • National Checklist Program by U.S. NIST (https://ncp.nist.gov/)
    • Policy as code tools for infrastructure as code
    (https://github.com/joatmon08/tdd-infrastructure#policy-as-code-with-
    security-scanning)
    18

    View Slide

  19. SOFTWARE
    Applications, Serverless, & More
    19

    View Slide

  20. SOFTWARE: THE MINIMUM
    • If your code accesses another service (e.g.,
    database, queue, application)…
    q Does it only have least-privilege access to the
    services it needs?
    q Does it authenticate to the service with a unique
    set of credentials?
    • If your code processes data...
    q Does it mask or omit personally identifiable
    information?
    q Does it encrypt the data (using keys and TLS)?
    q Can you track transactions or failed logins with
    logs or metrics?
    • If you are using 3rd party dependencies…
    q Are you verifying their checksums and signatures?
    q Have you scanned them for potential security
    issues (e.g., making unauthorized external calls)?
    q Are the dependencies updated and pinned to a
    version?
    q Is your code secured by authentication?
    q Did you do static application security testing
    (SAST) on your code?
    q Did you do dynamic application security
    testing (DAST) on your code?
    20

    View Slide

  21. Software
    Secure Code
    Static Application
    Security Testing
    Dynamic Application
    Security Testing
    Verify 3rd Party
    Dependencies
    Data
    Personal Identifying
    Information (PII)
    Encryption
    Mask / Omit
    TLS
    Secrets Management
    Auditing
    Application Logs
    Transactions
    Events
    Application
    Monitoring
    Least Privilege Access
    Control
    Application to
    Application
    Identity & Access
    Management
    API Authorization
    User to Application
    Authentication
    TLS
    Engineer to
    Application
    Identity & Access
    Management
    Secure Access
    Management
    VPN
    Secure Deployment
    Network Policy
    Web Application
    Firewalls (WAFs)
    Traffic Management DDoS Protection
    SOFTWARE: THE LATER STAGE
    21

    View Slide

  22. RESOURCES
    • OWASP Top Ten (https://owasp.org/www-project-top-ten/)
    • OWASP Mobile Security Testing Guide (https://owasp.org/www-project-
    mobile-security-testing-guide/)
    • OWASP Zed Attack Proxy (ZAP) (https://www.zaproxy.org/)
    22

    View Slide

  23. DELIVERY PIPELINES
    Automation, Runners, and Supply Chain
    23

    View Slide

  24. DELIVERY PIPELINES: THE MINIMUM
    • If you use credentials in your delivery pipelines…
    q Can you easily rotate them if they are compromised?
    q Are they masked or omitted from pipeline outputs?
    q Does your pipeline use separate credentials for production
    deployment?
    • If you use a managed continuous integration
    framework…
    q Did you restrict access to your application and infrastructure to
    its known public endpoints?
    q Does it have access control to check authorized users for
    debugging or troubleshooting pipelines?
    • If you use pipelines as code…
    q Do you control changes to pipeline configurations through
    version control?
    q Does your pipeline have stages that require remote code
    execution?
    q Do you scan and verify use 3rd party pipeline plugins?
    • If you have standard stages in your pipeline…
    q Do you have a security testing stage before you release?
    q Do you have a signing or verification stage before you release
    an artifact?
    q Do you keep a history of pipeline runs for auditing?
    24

    View Slide

  25. Software
    Secure Pipeline
    Configuration
    Test Configuration
    Standardize Stages
    Security Testing
    Release Signing &
    Verification
    Secrets Management Mask / Omit in Output
    Auditing Pipeline Runs
    Least Privilege Access
    Control
    Pipeline to
    Platform/Applications
    Identity & Access
    Management
    Network Policy
    Engineer to Pipeline
    Identity & Access
    Management
    Secure Access
    Management
    VPN
    DELIVERY PIPELINES: THE LATER STAGE
    25

    View Slide

  26. RESOURCES
    • An Overview of Securing CI/CD Pipelines (https://youtu.be/Ljof-WI0C8I)
    • OWASP Pipeline Tools (https://owasp.org/www-project-appsec-
    pipeline/pipeline-tools)
    26

    View Slide

  27. SO MANY REQUIREMENTS…
    27

    View Slide

  28. • Running code or infrastructure resources
    • Requires active resources
    • Can be tested in a non-production
    environment
    • i.e., Integration tests
    DYNAMIC ANALYSIS
    AUTOMATE WITH TESTS
    28
    STATIC ANALYSIS
    • Configuration or code in version control
    • Does not require active resources
    • Can be tested before production
    deployment
    • i.e., Unit tests

    View Slide

  29. AUTOMATE WITH TESTS
    Static Analysis
    (Unit Tests)
    Test Runtime
    Analysis
    (Integration tests)
    Production
    Runtime Analysis
    (Remediation)
    29
    Dynamic Analysis

    View Slide

  30. 30
    Unknown
    knowns
    (siloed
    knowledge)
    Known
    knowns
    (testing)
    Unknown
    knowns
    (observability)
    Known
    unknowns
    (monitoring)
    Convert unknown
    knowns to testing,
    observability, or
    monitoring.

    View Slide

  31. SUMMARY
    • Rewrite stories with minimum security
    requirements.
    • Learn from your community.
    • Contribute your security knowledge.
    • Always be securing.
    31

    View Slide

  32. THANK YOU!
    Rosemary Wang
    joatmon08.github.io/03_speaking.html

    View Slide