Automate All of the Things

A talk about security automation.

Matt Konda

June 28, 2017

Transcript

  1. Automate All The Things
    Matt Konda
    @mkonda

  3. Start with a big Thanks.

  4. Introduction
    90’s 2006 2014
    Consultant
    Engineer
    Software
    Architect
    Director of
    Engineering
    Rabble Rouser:
    Perl, Java
    Java Applet
    C++
    J2EE
    Spring
    Analytics
    Certificate Authority
    Vulnerability Scanner
    Penetration Test Manager
    Pricing
    Retail
    Banking
    Manufacturing
    Pharma
    Healthcare
    Research
    Ruby
    Rails
    Chicago BSides 2011, 2012
    Defcon Skytalk
    OWASP Chicago, MSP 2013
    AppSec USA 2012, 2013
    ChicagoRuby 2013
    Secure 360
    MS in CS
    Founder
    Consultant
    Agile
    Cloud
    Clojure
    Graph Database
    Independent.
    Focus developers.
    Consulting.
    Domains: Projects:
    DevOps / Automation
    Training
    Coaching
    Code Review
    Plugged in to SDLC
    Consulting
    Assessments
    @mkonda
    [email protected]
    CEO
    Services.
    Product.
    Teaching
    Growing Teams
    Forward
    OWASP Board
    Lone Star Ruby 2013
    WindyCityRails 2013
    Chicago JUG 2014
    RailsConf 2014
    Converge 2014
    Chicago Coder Conference 2015, 2016
    Goto Chicago 2016
    OWASP Chicago

  6. Natural reaction to
    asymmetry and resource
    constraints.
    Common Client Goal

  7. So open ended as to be
    meaningless and yet
    obviously a Good Thing™
    Automate All The Things

  8. Wait …
    Why automate?
    What are all the things?

  9. We automate because
    • We don’t have enough resources
    • Time == Money
    • Even if we have $ we can’t find people with skills
    • Survives attrition
    • We’re not very good at repetitive detailed work
    • It's actually possible now

  11. If we don’t, we’re behind.

  12. No panacea

  13. Automation Myths
    • It's easy and doesn't take a lot of time
    • It solves the resource problem
    • Once it's done it just runs

  14. Constant Change
    • Developer libraries
    • Security tools
    • Cloud capabilities
    • Your architecture

  15. Last mile

  16. Fixes

  17. Wait …
    Why automate?
    What are all the things?

  18. This is an exciting part.

  19. Because the list of
    things is growing so fast.

  20. Glue

  22. Intended to make it easy
    to do security automation.

  24. Mounter
    Currently: git repo, filesystem, iso, docker image

  25. Mounter
    Currently: clamav, hashdeep
    Files

  26. Mounter
    Currently: brakeman, bundler-audit,
    owasp-dependency-check, secrets in
    source, retire.js, scan.js
    Future: many more possible.
    Designed for extension.
    Files Code

  27. Mounter
    Currently: ZAP (in progress)
    Future: gauntlt, etc.
    Files Code App

  28. Mounter
    Currently: Prevents false positives in JIRA.
    Files Code App Filter

  29. Mounter
    Currently: Reports to JIRA, csv, json, text.
    Files Code App Filter Reporter

  31. Extension Points
    • Mounters: mount, supports?
    • Tasks: run, analyze, supported?
    • Filters: filter
    • Reporter: run_report
    Mounter Files Code App Filter Reporter
    “Tasks”

  32. Other Internals
    • Within “Tasks”, each of the files, code and app
    phases of the pipeline can be run selectively.
    Mounter Files Code App Filter Reporter
    “Tasks”
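
To make the Mounter / Files / Code / Filter / Reporter pipeline and its extension points concrete, here is an added Ruby sketch that is not Glue's own code: a toy mounter, a secrets-in-source task, a false-positive filter and a json reporter, each exposing the method names the Extension Points slide lists (supports?/mount, supported?/run/analyze, filter, run_report). The sample repository, the two regexes and the dismissed-list mechanism are constructed assumptions; Glue's real classes and signatures differ.

```ruby
require 'json'

# Constructed sample repo (path => contents); the AWS key is the placeholder from the AWS docs.
SAMPLE_REPO = {
  'config/database.yml' => "production:\n  password: hunter2changeme\n",
  'lib/aws.rb'          => "KEY = 'AKIAIOSFODNN7EXAMPLE'\n",
  'spec/fixtures.rb'    => "password: 'not-a-real-secret'\n"
}.freeze

# Mounter: supports? says whether it can handle the target, mount yields the files.
class HashMounter
  def supports?(target); target.is_a?(Hash); end
  def mount(target); target; end
end

# Task: supported? gates the code phase, run collects raw hits, analyze rates them.
class SecretsInSourceTask
  PATTERNS = { 'password' => /password:\s*\S+/i, 'aws key' => /AKIA[0-9A-Z]{16}/ }.freeze
  def initialize; @raw = []; end
  def supported?(files); files.keys.any? { |p| p.end_with?('.rb', '.yml') }; end
  def run(files)
    @raw = files.flat_map do |path, body|
      body.each_line.with_index(1).flat_map do |line, n|
        PATTERNS.select { |_, re| line.match?(re) }.keys.map { |k| { path: path, line: n, kind: k } }
      end
    end
  end
  def analyze
    @raw.map { |f| f.merge(severity: f[:kind] == 'aws key' ? 'high' : 'medium') }
  end
end

# Filter: drop hits already triaged as false positives so they never reach JIRA.
class DismissedFilter
  def initialize(dismissed); @dismissed = dismissed; end
  def filter(findings); findings.reject { |f| @dismissed.include?("#{f[:path]}:#{f[:line]}") }; end
end

# Reporter: json is one of the output formats the deck lists (JIRA, csv, json, text).
class JsonReporter
  def run_report(findings); JSON.generate(findings); end
end

# Mounter -> Code task -> Filter; the caller hands the result to a Reporter.
def run_pipeline(target, dismissed: [])
  mounter = HashMounter.new
  raise ArgumentError, 'no mounter supports this target' unless mounter.supports?(target)
  files = mounter.mount(target)
  task = SecretsInSourceTask.new
  return [] unless task.supported?(files)
  task.run(files)
  DismissedFilter.new(dismissed).filter(task.analyze)
end
```

Running it with a dismissed entry for the test fixture shows the filter phase doing the noise reduction the later slides ask for: the fixture hit disappears, the real config and key hits stay.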

  33. ruby bin/glue
    -l code (Code analysis)
    -d (Turn on debug)
    -f text (Output format)
    /area53/app/

  34. Some valid…

  35. Still noisy … but you can
    dismiss and move on and
    hopefully rarely see them.

  36. What if it just automatically
    ran against every
    company github project?

  39. Lab 1: Running Glue from Docker
    1. docker-machine create --driver virtualbox default
    2. eval $(docker-machine env default)
    3. docker pull owasp/glue:0.9
    4. docker run --rm owasp/glue:0.9 -h
    5. docker run --rm owasp/glue:0.9 -t brakeman https://github.com/Jemurai/triage.git

  40. Lab 2: Running Glue on Your Project
    docker run --rm \
    -v /Users/mk/code/loca:/tmp/target/ \
    owasp/glue:0.9 \
    -d \
    -t owaspdependencycheck \
    -f csv \
    /tmp/target/
    * For ease of Docker setup, please use a directory within your home directory. It is
    possible to do this in other ways, but that requires further setup of shared folders in
    VirtualBox, which we want to avoid for the purposes of this workshop.

  41. Lab 2: Running Glue on Your Project
    1. docker run --name glue owasp/glue:0.9
    2. docker exec -it glue bash
    docker ps
    FIND YOUR IMAGE NAME

  42. Lab 3: Getting into the Glue Docker Image
    1. docker run --rm -i -t --entrypoint=/bin/bash owasp/glue:0.9
    2. cd lib
    3. ../bin/glue -h
    Now you’re running from source.
    We can change anything …

  43. Key Takeaways
    • Make it portable
    • Put results in JIRA (or Pivotal or wherever
    developers are working)
    • Minimize / reduce noise
    • Start small and grow into it

  44. Stage 0
    • Hope your dev teams are using some kind of
    continuous integration, e.g. Jenkins
    • Hope your dev teams have a process you can
    build into.
    • Hope your team has some coding skills.

  45. Goal: Usability

  46. Goal: Continuous

  47. Goal: Pipelines

  48. Stage 1
    • Detect vulnerable dependencies
    • Glue: Dependency Check
    • Glue: Retire.js
    • Glue: Bundle Audit
    • Detect secrets in source
    • Glue: SFL
    • Glue: Trufflehog

  49. Stage 2
    • Full static analysis
    • Brakeman / Dawn
    • PMD / Checkstyle / FindSecBugs (Weak sauce)
    • Implemented Checkmarx via API
    • ESLint / Snyk / Node Security Project
    • Bandit

  50. Stop for visibility.

  51. Metrics and Inventory

  52. Automating the
    inventory and metrics …

  53. Stage 3
    • Full dynamic analysis
    • ZAP
    • Burp
    • AWS Scout

  54. Goal: Extensibility

  55. Stage 4
    • Extending Glue
    • Docker image analysis
    • Mesos
    • SSL/TLS
    • Building a custom UI
    • Self service
    • Better GitHub integration

  56. Other opportunities

  57. Testing
    • Security Unit/Functional
    • Great way to test for authorization flows
    • Business logic abuse cases

  58. Vault
    • Passwords out of source code
    • Expiring credentials
    • Postgres
    • AWS
    • Transit (encryption as a service)
    • CA
    • CA for OpenSSH
    • TOTP

  59. Certbot
    • Certificate expiring monkey
    • No that’s not a real thing … yet
    • But we can use Let's Encrypt or Vault and some
    scripting to ensure our internal network is all mutually
    authenticated TLS.

  60. Data Cleansing
    • Copying data to test …

  61. Audit
    • Map real events to audit
    areas.
    • Build reporting.
    • Easily produce
    evidence.
    • By control id.

  63. Cloud API
    • Lambdas / Functions to review logs
    • Auto provision WAF in front of any 80, 443
    • Scout

  64. Use API to Analyze
    https://github.com/nccgroup/Scout2

  65. Automation can do a lot
    more for us than it used
    to be able to do.

  66. Secrets Dependencies
    Config Issues
    Static Analysis
    Assured TLS
    Dynamic
    Audit
    Security Testing

  67. The Jemurai Point of View

  68. It is not a panacea.

  69. Remember the
    last mile

  70. False Positives Are EVIL

  71. But then …
    Automate all the things!
