Application Security in the time of Containers

Transcript

1. APPSEC IN A CONTAINER WORLD AKASH MAHAJAN - DIRECTOR APPSECCO

2. WE NOW LIVE IN A CONTAINER WORLD # Container(Camp|Conf|World)

3. IT/OPS AND DEVS ARE COMING TOGETHER # devops

4. THERE IS A MAJOR SHIFT IN SECURITY #SHIFTLEFT Shannon Lietz

   (Keynote at DevSecCon Asia 2017)

5. APPSEC TESTING HAS TO BECOME PART OF THE DEVOPS OR

   BE LEFT BEHIND The reality is, Microsoft Security Dev Lifecycle is about 17 Years Old!

6. CONTAINERS ENABLE SELF-SERVICE AN IMPORTANT ASPECT OF DEVOPS

7. CONTINUOUS * PIPELINE MODE ON CONTAINERS ENABLE INTEGRATION AND DEPLOYMENT

   ON TAP

8. From http://stackoverflow.com/questions/28608015/continuous-integration-vs-continuous-delivery-vs-continuous-deployment CHECK FOR SECURITY 1 2 3 4

9. CONTAINERS, APP SEC & OWASP

10. RELEVANT APPSEC RISKS FROM THE POINT OF VIEW OF CONTAINERS

    OWASP Top 10 Issue What is that? A1 Injection Stuff that harms the server A2 Broken AuthN Stuff that lets attackers access parts of the application, which allows them to upload stuff that harms the server A4 Insecure Direct Object Reference A5 Security Misconfiguration Stuff that makes the infra supporting the app insecure A9 Using components with Known Vulnerabilities Stuff that possibly enables any or all of the above, due to using 3rd party stuff

11. A5 IS A SOLVED PROBLEM, MAYBE!! OWASP A5 - SECURITY

    MISCONFIGURATION

12. PATCHED UN-PATCHED

13. IMMUTABLE INFRASTRUCTURE FTW!!! Akash Mahajan THERE IS NO REASON TO

    HARDEN EVERY TIME, WE JUST START FROM SCRATCH AND TAKE THE LATEST PATCHED VERSION EVERY SINGLE TIME

14. A9 CAN BE SOLVED WITH PRIVATE REPOS & REGISTRIES MAYBE

    OWASP A9 - USING COMPONENTS WITH KNOWN VULNERABILITIES

15. SO WHAT IS YOUR SECURITY NIGHTMARE, KEEPING YOU AWAKE?

16. WHAT ABOUT APPLICATION’S SECURITY?

17. WHAT IS THIS THAT IS GOING TO BURST OUR BUBBLE?

    15,000,000 RECORDS FOUND BECAUSE MANAGEMENT HAD WEAK PASSWORD ON APPLICATION 3000 PASSPORTS AND DRIVER’S LICENSES LEAKED BECAUSE THE CONTRACTOR DIDN’T RESET THE CEO’S WEAK PASSWORD ROOT ON RETAIL E-COMMERCE SERVER BECAUSE OUTSOURCED VENDOR ALWAYS USES COMPANY NAME AS CMS ADMIN PASSWORD

18. TYPICALLY AT THIS POINT PEOPLE TRY TO SOLVE SECURITY BY

19. MONITORING IS NOT SECURITY MONITORING IS NOT SECURITY MONITORING IS

    NOT SECURITY

20. WHILE AUTHN AND AUTHZ GO A LONG WAY IN ENSURING

    SECURITY OF ACCESS

21. NO AMOUNT OF AUTOMATION CAN SOLVE BIZ LOGIC ISSUES

22. IF ALL YOUR PROCESS ALLOWS FOR IS A FINAL SECURITY

    REVIEW, THEN

23. From http://stackoverflow.com/questions/28608015/continuous-integration-vs-continuous-delivery-vs-continuous-deployment CHECK FOR SECURITY 1 2 3 4 AUTOMATED

    AUTOMATED AUTOMATED NOT-AUTOMATED

24. WHAT CAN THIS NON-AUTOMATED APPROACH LOOK LIKE? IS THERE A

    CHECKLIST WE CAN FOLLOW?

25. Issues OWASP Top 10 Input based A1, A3, A4, A8,

    A10 Logic & Design based A2, A5, A6, A7 Access Control A2, A5, A6, A7 Any other A9 API Testing Can span multiple TAKEAWAY

26. THAT APPLICATION SECURITY GUY

27. None

28. QUESTIONS @makash | https://linkd.in/webappsecguy | [email protected]