Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Dev Sec Oops: How Agile Security increases Atta...

Denis Makrushin
February 05, 2020
Technology
0
75

Dev Sec Oops: How Agile Security increases Attack Surface

In today's reality, security engineers are the guards of products and its users. But who guards the guards? Based on real scenarios of supply chain attacks, we'll demonstrate the weakest points of the “Agile Security” paradigm and redefine Code of Conduct for Security Engineer.

Denis Makrushin

February 05, 2020
Tweet

More Decks by Denis Makrushin

See All by Denis Makrushin
The Way from App to Brain: Attack Surface of Smart Medical Infrastructure
makrushin
0
67
The Connected World has been disconnected: Survival Guide in IoThreats Era
makrushin
0
56

Other Decks in Technology

See All in Technology
Road to Single Activity
yurihondo
1
200
AI でアップデートする既存テクノロジーと、クラウドエンジニアの生きる道
soracom
PRO
2
440
技術ブログや登壇資料を秒で作るコツ伝授します
minorun365
PRO
23
5.5k
LandingZoneAccelerator と学ぶ 「スケーラブルで安全なマルチアカウントAWS環境」と 私たちにもできるベストプラクティス
maimyyym
1
130
DuckDB雑紹介(1.1対応版)@DuckDB座談会
ktz
6
1.3k
Mocking in Rust Applications
taiki45
1
390
音声AIエージェントの世界とRetell AI入門 / Introduction to the World of Voice AI Agents and Retell AI
rkaga
5
920
サプライチェーン攻撃に備える
ryunen344
0
180
OCI で始める!! Red Hat OpenShift / Get Started OpenShift on OCI
oracle4engineer
PRO
1
140
Autonomous Database Serverless 技術詳細 / adb-s_technical_detail_jp
oracle4engineer
PRO
15
40k
Oracle Exadata Database Service(Dedicated Infrastructure):サービス概要のご紹介
oracle4engineer
PRO
0
9.5k
Agile in Automotive Industry, puzzles and lights.
hiranabe
2
800

Featured

See All Featured
RailsConf 2023
tenderlove
28
810
No one is an island. Learnings from fostering a developers community.
thoeni
18
2.9k
Reflections from 52 weeks, 52 projects
jeffersonlam
346
20k
Art, The Web, and Tiny UX
lynnandtonic
294
20k
How To Stay Up To Date on Web Technology
chriscoyier
786
250k
Atom: Resistance is Futile
akmur
261
25k
Embracing the Ebb and Flow
colly
83
4.4k
Bootstrapping a Software Product
garrettdimon
PRO
304
110k
Code Review Best Practice
trishagee
62
16k
Code Reviewing Like a Champion
maltzj
518
39k
Producing Creativity
orderedlist
PRO
340
39k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k

Transcript

  1. DEV, SEC, OOPS: HOW AGILE SECURITY INCRESES ATTACK SURFACE Denis

    Makrushin https://twitter.com/makrushind

  2. Red Team Blue Team

  3. Blue Team Success Attacker’s Success

  4. We showed that Healthcare fails as a Developer…

  5. …but the Healthcare is a User! https://www.bsimm.com/

  6. Agile Security: key principles • Don’t reinvent it • Do

    it incrementally • Automate it

  7. Agile Security: key principles • Don’t reinvent it • Do

    it incrementally • Automate it • Process (CI/CD) • People (DevSecOps) • Tools

  8. CI/CD from Researcher’s perspective

  9. Automation from Researcher’s perspective

  10. What is “attack surface”. Formally.

  11. The attack graphs situations when the firewall is disabled (upper

    one) and enabled (lower one)

  12. Example of the unknown attack graph

  13. Product Security Touchpoints

  14. Attack Surface Graph of Enterprise-network

  15. Attack Surface Graph of Enterprise-network

  16. Security activities during Product Development Stages

  17. HOW TO COMPROMISE PRODUCT DEVELOPMENT PIPELINE USING COMMERCIAL SECURITY ASSETS?

  18. SonarQube: code quality and security

  19. SonarQube: Installations Shodan query: ”port:9000 sonarqube”

  20. SonarQube: deployment with Secrets

  21. SonarQube: CLI integration

  22. SonarQube: CLI integration with Secrets

  23. Checkmarx: Installations Shodan query: ”CxWebClient” Google dork: “inurl:CxWebClient”

  24. “Try the Demo”

  25. Checkmarx: CLI integration with Secrets

  26. Control your Attack Surface. The pipeline.

  27. WAIT. WHAT ABOUT OPEN SOURCE SOLUTIONS?

  28. Task management for Microservices: Flower

  29. Task management for Microservices: Flower

  30. Flower: Installations Shodan query: ”port:5555 flower”

  31. One field for user input…

  32. One field for user input… dejavue

  33. One field for user input… dejavue (#CVE20186210, #CVE20186213)

  34. One field for user input… Stored XSS

  35. PatrOwl: Security Operations Orchestration Platform

  36. PatrOwl: RCE in NMAP container

  37. PatrOwl: RCE in NMAP container

  38. Host Header Injection in official Docker-image

  39. Cache Poisoning via Host Header Injection

  40. Security folks are humans too

  41. Security folks are humans too

  42. Security folks are humans too

  43. Security folks are humans too

  44. How to fix it • Secure SDLC • Educate your

    User • OSINT your product If you are Security Vendor: If you are Security Engineer: • Know your Attack Surface • Do not click on links • Follow your Code of Conduct • Scan your Open Source

  45. CodeQL

  46. IF YOU ARE ATTACKER, ONE DAY SOMEONE WILL PUT THE

    BASKET ON YOUR HEAD…

  47. [email protected] TWITTER.COM/MAKRUSHIND THANK YOU.