
Automate All of the Things

A talk about security automation.

Matt Konda

June 28, 2017


  1. Automate All The Things Matt Konda @mkonda

  3. Start with a big Thanks.

  4. Introduction: 90’s 2006 2014 Consultant Engineer Software Architect Director of Engineering Rabble Rouser: Perl, Java Java Applet C++ J2EE Spring Analytics Certificate Authority Vulnerability Scanner Penetration Test Manager Pricing Retail Banking Manufacturing Pharma Healthcare Research Ruby Rails Chicago BSides 2011, 2012 Defcon Skytalk OWASP Chicago, MSP 2013 AppSec USA 2012, 2013 ChicagoRuby 2013 Secure 360 MS in CS Founder Consultant Agile Cloud Clojure Graph Database Independent. Focus developers. Consulting. Domains: Projects: DevOps / Automation Training Coaching Code Review Plugged in to SDLC Consulting Assessments @mkonda [email protected] CEO Services. Product. Teaching Growing Teams Forward OWASP Board Lone Star Ruby 2013 WindyCityRails 2013 Chicago JUG 2014 RailsConf 2014 Converge 2014 Chicago Coder Conference 2015, 2016 Goto Chicago 2016 OWASP Chicago
  6. Common Client Goal: a natural reaction to asymmetry and resource constraints.

  7. Automate All The Things: so open ended as to be meaningless, and yet obviously a Good Thing™
  8. Wait … Why automate? What are all the things?

  9. We automate because
     • We don’t have enough resources
     • Time == Money
     • Even if we have $ we can’t find people with skills
     • Survives attrition
     • We’re not very good at repetitive detailed work
     • It’s actually possible now
  11. If we don’t, we’re behind.

  12. No panacea

  13. Automation Myths
     • It’s easy and doesn’t take a lot of time
     • It solves the resource problem
     • Once it’s done it just runs
  14. Constant Change
     • Developer libraries
     • Security tools
     • Cloud capabilities
     • Your architecture
  15. Last mile

  16. Fixes

  17. Wait … Why automate? What are all the things?

  18. This is an exciting part.

  19. Because the list of things is growing so fast.

  20. Glue

  22. Intended to make it easy to do security automation.

  24. Pipeline stage: Mounter. Currently: git repo, filesystem, iso, docker image

  25. Pipeline stage: Files (after Mounter). Currently: clamav, hashdeep

  26. Pipeline stage: Code (after Mounter, Files). Currently: brakeman, bundler-audit, owasp-dependency-check, secrets in source, retire.js, scan.js. Future: many more possible. Designed for extension.
  27. Pipeline stage: App (after Mounter, Files, Code). Currently: ZAP (in progress). Future: gauntlt, etc.

  28. Pipeline stage: Filter (after Mounter, Files, Code, App). Currently: prevents false positives in JIRA.

  29. Pipeline stage: Reporter (after Mounter, Files, Code, App, Filter). Currently: reports to JIRA, csv, json, text.
  31. Extension Points
     • Mounters: mount, supports?
     • Tasks: run, analyze, supported?
     • Filters: filter
     • Reporter: run_report
     Pipeline: Mounter → Files → Code → App → Filter → Reporter (the Files, Code and App stages are the “Tasks”)
  32. Other Internals: within “Tasks”, each of the files, code and app phases of the pipeline can be run selectively. (Pipeline: Mounter → Files → Code → App → Filter → Reporter)
  33. ruby bin/glue -l code -d -f text /area53/app/
     (-l code: code analysis; -d: turn on debug; -f text: output format)
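An added example, not Glue's own source, showing the pipeline shape slides 24 to 33 describe in Ruby, the language Glue is written in: a Mounter, a Task selected by label (as `-l code` does on slide 33), a Filter that suppresses already-tracked findings, and a Reporter, using the method names listed on slide 31. The class names, the Finding fields, the label-selection logic and the secrets regex are this example's own assumptions.

```ruby
require 'json'
# A finding; the fingerprint is what the filter keys on (field set assumed).
Finding = Struct.new(:task, :description, :severity, :fingerprint)

# Mounter: the target here is an in-memory hash of path => contents so the
# example runs offline (a real mounter would check out a repo or an image).
class HashMounter
  def supports?(target); target.is_a?(Hash); end
  def mount(target); target; end
end

# Task labelled "code" (slide 33 selects it with "-l code"); a crude
# secrets-in-source regex stands in for a real scanner.
class SecretsTask
  attr_reader :labels
  def initialize; @labels = %w[code]; end
  def supported?; true; end # no external binary required
  def run(files)
    @hits = files.select { |_, body| body =~ /(?:api_key|password)\s*=\s*["'][^"']+["']/i }
  end
  def analyze
    @hits.map { |path, _| Finding.new('secrets', "secrets in source: #{path}", :high, "secrets:#{path}") }
  end
end

# Filter: drop fingerprints already tracked, so a known issue is not
# re-opened as a new ticket (slide 28).
class SeenFilter
  def initialize(seen); @seen = seen; end
  def filter(findings); findings.reject { |f| @seen.include?(f.fingerprint) }; end
end

# Reporter: json or plain text output (slide 29).
class Reporter
  def run_report(findings, format)
    return JSON.generate(findings.map(&:to_h)) if format == 'json'
    findings.map { |f| "#{f.severity.to_s.upcase} #{f.description}" }.join("\n")
  end
end

# Mount, select tasks by label, run and analyze, filter, report.
def run_pipeline(target, label:, seen: [], format: 'text')
  mounter = HashMounter.new
  raise ArgumentError, 'unsupported target' unless mounter.supports?(target)
  files = mounter.mount(target)
  tasks = [SecretsTask.new].select { |t| t.supported? && t.labels.include?(label) }
  findings = tasks.flat_map { |t| t.run(files); t.analyze }
  Reporter.new.run_report(SeenFilter.new(seen).filter(findings), format)
end

# Constructed sample target, not a real repository.
SAMPLE_TARGET = { 'config/secrets.rb' => 'api_key = "constructed-example-key"',
                  'app/models/user.rb' => 'class User; end' }
puts run_pipeline(SAMPLE_TARGET, label: 'code')
```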
  34. Some valid…

  35. Still noisy … but you can dismiss and move on, and hopefully rarely see them.
  36. What if it just automatically ran against every company github

  39. Lab 1: Running Glue from Docker
     1. docker-machine create --driver virtualbox default
     2. eval $(docker-machine env default)
     3. docker pull owasp/glue:0.9
     4. docker run --rm owasp/glue:0.9 -h
     5. docker run --rm owasp/glue:0.9 -t brakeman https://github.com/Jemurai/triage.git
  40. Lab 2: Running Glue on Your Project
     docker run --rm -v /Users/mk/code/loca:/tmp/target/ owasp/glue:0.9 \
       -d \
       -t owaspdependencycheck \
       -f csv \
       /tmp/target/
     * For ease of Docker setup, please use a directory within your home directory. It is possible to do this in other ways, but it requires further setup of shared folders in VirtualBox, which we want to avoid for the purposes of this workshop.
  41. Lab 2: Running Glue on Your Project
     1. docker run --name glue owasp/glue:0.9
     2. docker exec -it glue bash
     (docker ps: FIND YOUR IMAGE NAME)
  42. Lab 3: Getting into the Glue Docker Image
     1. docker run --rm -i -t --entrypoint=/bin/bash owasp/glue:0.9
     2. cd lib
     3. ../bin/glue -h
     Now you’re running from source. We can change anything …
  43. Key Takeaways
     • Make it portable
     • Put results in JIRA (or Pivotal or wherever developers are working)
     • Minimize / reduce noise
     • Start small and grow into it
  44. Stage 0
     • Hope your dev teams are using some kind of continuous integration, e.g. Jenkins.
     • Hope your dev teams have a process you can build into.
     • Hope your team has some coding skills.
  45. Goal: Usability

  46. Goal: Continuous

  47. Goal: Pipelines

  48. Stage 1
     • Detect vulnerable dependencies
       • Glue: Dependency Check
       • Glue: Retire.js
       • Glue: Bundle Audit
     • Detect secrets in source
       • Glue: SFL
       • Glue: Trufflehog
  49. Stage 2
     • Full static analysis
       • Brakeman / Dawn
       • PMD / Checkstyle / FindSecBugs (weak sauce)
       • Implemented Checkmarx via API
       • ESLint / Snyk / Node Security Project
       • Bandit
  50. Stop for visibility.

  51. Metrics and Inventory

  52. Automating the inventory and metrics …

  53. Stage 3
     • Full dynamic analysis
       • ZAP
       • Burp
       • AWS Scout
  54. Goal: Extensibility

  55. Stage 4
     • Extending Glue
     • Docker image analysis
     • Mesos
     • SSL/TLS
     • Building a custom UI
     • Self service
     • Better GitHub integration
  56. Other opportunities

  57. Testing
     • Security Unit/Functional
     • Great way to test for authorization flows
     • Business logic abuse cases
  58. Vault
     • Passwords out of source code
     • Expiring credentials
       • Postgres
       • AWS
     • Transit (encryption as a service)
     • CA
     • CA for OpenSSH
     • TOTP
  59. Certbot
     • Certificate expiring monkey
     • No, that’s not a real thing … yet
     • But we can use Let’s Encrypt or Vault and some scripting to ensure our internal net is all mutually authenticated TLS.
  60. Data Cleansing • Copying data to test …

  61. Audit
     • Map real events to audit areas.
     • Build reporting.
     • Easily produce evidence.
     • By control id.
  63. Cloud API
     • Lambdas / Functions to review logs
     • Auto provision WAF in front of any 80, 443
     • Scout
  64. Use API to Analyze https://github.com/nccgroup/Scout2

  65. Automation can do a lot more for us than it used to be able to do.
  66. Secrets Dependencies Config Issues Static Analysis Assured TLS Dynamic Audit Security Testing
  67. The Jemurai Point of View

  68. It is not a panacea.

  69. Remember the last mile

  70. False Positives Are EVIL

  71. But then … Automate all the things!