Security and DevOps

Talks about DevOps and how security teams can be part of it.

Matt Konda

October 14, 2015
Transcript

  1. Implementing Security
    with DevOps
    Matt Konda
    Jemurai


  2. Agenda
    • Introductions
    • What is DevOps to Security
    • Case Study 1
    • Case Study 2
    • Pipeline
    • Conceptual framework
    • Maturity Model
    • OWASP Projects
    • How to Get Involved


  3. Introduction
    Timeline: 1997 / 2006 / 2014
    Roles: Consultant, Engineer, Software Architect, Director of Engineering, Rabble Rouser, Founder, Consultant
    Technologies: Perl, Java Applet, C++, J2EE, Spring, Ruby, Rails, Agile, Clojure, Graph Database
    Projects: Analytics, Certificate Authority, Vulnerability Scanner, Penetration Test Manager, Pricing
    Domains: Retail, Banking, Manufacturing, Pharma, Healthcare, Research
    Talks: Chicago BSides 2011, 2012; Defcon Skytalk; OWASP Chicago, MSP 2013; AppSec USA 2012, 2013; ChicagoRuby 2013; Secure 360; Lone Star Ruby 2013; WindyCityRails 2013; Chicago JUG 2014; RailsConf 2014; Converge 2014
    MS in CS
    Jemurai: Trying to hack a business model that succeeds while helping developers.
    Services: DevOps / Automation, Training, Coaching, Code Review, Plugged in to SDLC, Consulting, Assessments
    DevOps: Growing
    @mkonda
    [email protected]

  4. Census?


  5. (image-only slide)

  6. What is DevOps?


  7. In my opinion, DevOps is basically
    Agile extended to include Ops as
    first class stakeholders.


  8. Of course, it is also a result of an
    increasingly cloud oriented Ops
    environment that is scripted with
    Chef, Puppet, Ansible, etc.


  9. automation


  10. (image-only slide)

  11. visibility


  12. mttr
    Mean time to repair


  13. mttd
    Mean time to detect


  14. empathy


  15. accountability


  16. culture


  17. (image-only slide)

  18. OK OK … but what does
    this actually mean for
    security?!?!?


  19. (image-only slide)

  20. We’re trying to get on
    the bandwagon.


  21. SecDevOps
    DevSecOps
    DevOpsSec
    Rugged DevOps


  22. Reinforces something I
    learned as a developer:
    naming is hard.


  23. I think that security should just be
    implied by DevOps and doesn’t
    need to have another name.


  24. Why do we care?


  25. Being able to deploy quickly is
    my #1 security feature.
    - Nick Galbreath


  26. Personally: I have never
    seen anything change
    development/IT like this.


  27. Case Study #1


  28. Credit: Matt Tesauro at AppSecEU 2015
    http://www.slideshare.net/mtesauro/mtesauro-keynote-appseceu


  29. Need somewhere to keep
    an inventory of
    applications.


  30. (diagram slide; credit as slide 28)

  31. Always a way for
    human intervention.


  32. (diagram slide; credit as slide 28)

  33. Automation


  34. (diagram slide; credit as slide 28)

  35. Digest and filter


  36. (diagram slide; credit as slide 28)

  37. Communicate with
    developers


  38. (diagram slide; credit as slide 28)

  39. Visibility


  40. (diagram slide; credit as slide 28)

  41. Scripted provisioning


  42. (diagram slide; credit as slide 28)

  43. (diagram slide; credit as slide 28)

  44. Case Study #2


  45. App Inventory
    Pipeline
    CSV, JSON, Text
    Git webhooks
    Jenkins


  46. Need somewhere to keep
    an inventory of
    applications.


  47. (App Inventory / Pipeline diagram, as slide 45)

  48. (image-only slide)

  49. Devs can interact and
    trigger security checks.


  50. (image-only slide)

  51. Automation


  52. (App Inventory / Pipeline diagram, as slide 45)

  53. Digest and filter


  54. (App Inventory / Pipeline diagram, as slide 45)

  55. Communicate with
    developers


  56. (App Inventory / Pipeline diagram, as slide 45)

  57. Visibility


  58. (image-only slide)

  59. (App Inventory / Pipeline diagram, as slide 45)

  60. Scripted provisioning


  61. (App Inventory / Pipeline diagram, as slide 45)

  62. Most parts of this automation
    toolchain are open source and
    offer multiple ways to interact…


  63. Pipeline


  64. (image-only slide)

  65. Intended to make it easy
    to do security automation.


  66. (image-only slide)

  67. Mounter
    Currently: git repo, filesystem, iso, docker image


  68. Mounter → Files
    Currently: clamav, hashdeep

  69. Mounter → Files → Code
    Currently: brakeman, bundler-audit, owasp-dependency-check, secrets in source, retire.js, scan.js
    Future: many more possible. Designed for extension.

  70. Mounter → Files → Code → App
    Currently: ZAP (in progress)
    Future: gauntlt, etc.

  71. Mounter → Files → Code → App → Filter
    Currently: Prevents false positives in JIRA.

  72. Mounter → Files → Code → App → Filter → Reporter
    Currently: Reports to JIRA, csv, json, text.

  73. (image-only slide)

  74. Extension Points
    • Mounters: mount, supports?
    • Tasks: run, analyze, supported?
    • Filters: filter
    • Reporter: run_report
    Pipeline stages: Mounter → Files → Code → App → Filter → Reporter (Files, Code and App are the “Tasks”)

  75. Other Internals
    • Within “Tasks”, each of the files, code and app phases of the pipeline can be run selectively.
    Pipeline stages: Mounter → Files → Code → App → Filter → Reporter (Files, Code and App are the “Tasks”)

  76. ruby bin/pipeline -l code -d -f text /area53/app/
    -l code        Code analysis
    -d             Turn on debug
    -f text        Output format
    /area53/app/   Target path

  77. Some valid…


  78. Still noisy … but you can
    dismiss and move on and
    hopefully rarely see them.

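The extension points of slides 71, 74 and 75 and the dismiss-and-move-on workflow of slide 78, as an added Ruby sketch that is not the OWASP Pipeline project's own code: the class names, the in-memory Hash mounter, the secrets-in-source regex and the sample repository contents are all assumed for illustration, and only the method names (supports?/mount, supported?/run/analyze, filter, run_report) come from the slides. The filter keys on a fingerprint derived from the file and matching line, so a finding dismissed once stays dismissed on every later run.

```ruby
require "json"
require "digest"
# Constructed sample repository (path => contents); stands in for a mounted git checkout.
SAMPLE_REPO = {
  "config/database.yml" => "adapter: postgres\npassword: hunter2\n",
  "lib/app.rb"          => "API_KEY = 'AKIA-EXAMPLE-ASSUMED'\n",
  "README.md"           => "Set the password via the PASSWORD env var.\n",
}
class HashMounter                 # Mounter extension point: supports?, mount (assumed in-memory target)
  def supports?(target); target.is_a?(Hash); end
  def mount(target); target; end
end

class SecretsInSourceTask         # Task extension point: supported?, run, analyze (code phase)
  PATTERN = /\b(password|api_key)\b\s*[:=]\s*['"]?\S+/i   # assumed, deliberately simple
  def supported?(phase); phase == :code; end
  def run(files)                  # raw hits, like a tool's output: [path, line_no, line]
    files.flat_map do |path, text|
      text.lines.each_with_index.select { |l, _| l.match?(PATTERN) }
          .map { |l, i| [path, i + 1, l.strip] }
    end
  end
  def analyze(raw)                # normalise to findings; fingerprint is stable across runs
    raw.map do |path, no, line|
      { task: "secrets-in-source", file: path, line: no,
        fingerprint: Digest::SHA256.hexdigest("#{path}|#{line}")[0, 12] }
    end
  end
end
class DismissedFilter             # Filter extension point: drop findings already dismissed
  def initialize(dismissed); @dismissed = dismissed; end
  def filter(findings); findings.reject { |f| @dismissed.include?(f[:fingerprint]) }; end
end
class Reporter                    # Reporter extension point: run_report (text or json)
  def run_report(findings, format)
    return JSON.generate(findings) if format == :json
    findings.map { |f| "#{f[:task]} #{f[:file]}:#{f[:line]} [#{f[:fingerprint]}]" }.join("\n")
  end
end

# Mount -> run the tasks that support the selected phase -> analyze -> filter -> report.
def run_pipeline(target, phase: :code, dismissed: [], format: :text)
  mounter = HashMounter.new
  raise ArgumentError, "unsupported target" unless mounter.supports?(target)
  files = mounter.mount(target)
  tasks = [SecretsInSourceTask.new].select { |t| t.supported?(phase) }
  findings = tasks.flat_map { |t| t.analyze(t.run(files)) }
  Reporter.new.run_report(DismissedFilter.new(dismissed).filter(findings), format)
end
```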

  79. What if it just automatically
    ran against every
    company github project?


  80. Conceptual Framework
    for Security in DevOps


  81. Two passes
    • First talk about security overlaid on continuous
    delivery model
    • Then talk about event based security and DevOps
    related activities


  82. Understand lifecycle


  83. (image-only slide)

  84. continuous delivery


  85. Security sees this
    and wants to …


  86. continuous delivery


  87. But we should embrace it.


  88. Think incremental


  89. (image-only slide)

  90. continuous delivery
    Code Review
    Security Unit Tests
    Security Requirements


  91. Automate security tools


  92. continuous delivery
    Security Tool Automation:
    Code analysis
    Security unit tests
    Dynamic scanning
    etc.


  93. continuous delivery
    Security Tests Run
    Exploratory Testing Includes Security


  94. A detailed example:
    • Let’s say a feature is being developed
    • Then devs and testers are checking a new feature
    • Let them browse through an attack proxy (like Burp
    or ZAP) in passive mode
    • At night or when the system is quiet, use the
    browsing pattern as seeds for overnight attacks


  95. Continuous feedback


  96. continuous delivery
    Feedback!


  97. False Positives Are a Necessary EVIL

  98. Optimize for relevance


  99. Provisioning tools


  100. continuous delivery
    Since it's easy to provision,
    we can do security testing
    safely in a new env.

  101. Audit tools


  102. continuous delivery
    Deployment checks
    includes security
    audit checks.


  103. Self documenting for
    regulatory and
    compliance!


  104. Collect important data


  105. (image-only slide)

  106. Chaos tools


  107. Change is good


  108. continuous delivery
    Change is happening.
    It can be an
    opportunity
    instead of a hassle.


  109. Complexity is an enemy


  110. continuous delivery
    Small releases reduce complexity.
    Decomposition to micro-services reduces dependencies and complexity.
    Right now, security hurts.


  111. Shared responsibility


  112. continuous delivery
    Another principle of software delivery: build security in!
    Done means
    secure!
    Empowered to
    do security right!


  113. Measure results


  114. Event based model …
    (Reactive)


  115. Commit
    • Security Unit Tests
    • Static Code Analysis (Pipeline)
    • Security Requirements
    • Check Dependencies
    • Code Review
    • Checklists


  116. Deploy
    • Scripted Provisioning / Built in Change Control
    • Provisioning Auditing (Chef Audit, hardening.io)
    • Gauntlt


  117. Periodic
    • Full app analysis (static, manual pen test)
    • Secure Development Training
    • Baseline Security Requirements Review
    • ASVS Review
    • Data Science on Results


  118. Security Incident


  119. Maturity Model


  120. How do we know what
    to actually DO?


  121. Belts


  122. Defining Kata


  123. Kata Name: Run ZAP Proxy Daily
    Kata Detail: Automate a way to run ZAP Proxy against an
    app on a daily basis and report issues to Jira
    How to Do the Kata: Activate “XYZ” Jenkins Plugin
    Training Resource: A web page with specifics about this
    Kata.
    Experts: A reference to people that can help with this Kata.
    Difficulty: Belt level for the Kata.
    Security Objectives: What security objectives does this Kata
    help us to achieve?


  124. Data Classification
    OWASP Top 10 Training
    Simple Developer Environment Setup
    Continuous Integration and Testing
    Source Code Repository and Proper Tags
    Repeatable Deployment
    HTTPS (TLS) Everywhere


  125. Baseline Security Requirements
    Test for Security Headers
    Lockout to Prevent Brute Force
    Consistent Output Encoding
    Audit Records Written
    IDE Style Checks
    Villain Persona and Security Requirements
    Operational Metrics
    Unauthenticated Scanning


  126. Storing Secrets
    Solid SSL
    Security of Dependencies
    Audit Records Written
    Anti DoS
    Anti-CSRF Protection
    Consistent SQL Injection Protection
    Static Analysis
    Vulnerability Scanning
    Authenticated Application Scanning
    Security Code Review


  127. Logs Aggregated with Security Event
    Incident Management System
    Appropriate Encryption
    Antivirus / Malware
    Business Metrics
    HSTS and Certificate Pinning
    Application Penetration Testing


  128. Attack Awareness
    Behavioral Blocking
    Centralized Security Service
    Security Unit Tests for Business Logic
    Hands on Developer Security Training
    Dynamic Analysis
    Runtime Application Security Analysis
    Application Honeypot


  129. Up, Up, Down, Down, Left, Right, Left, Right, B, A, Start.


  130. The intent is not to force everyone to
    do every one of those things.
    The intent is to help to identify the things that can be
    done and layer them so that they can be prioritized.


  131. This is actively evolving.
    You can help!


  132. OWASP DevOps
    Related Projects


  133. AppSec Pipeline Documentation Project
    https://www.owasp.org/index.php/OWASP_AppSec_Pipeline

  134. To include:
    Case studies
    Best practices
    Data sharing


  135. Josh Corman
    Matt Tesauro
    Aaron Weaver
    Shannon Lietz
    James Wickett
    Mercedes Cox
    Aaron Tesch
    Matt Konda
    You … ?

  136. Pipeline Tools Project
    https://www.owasp.org/index.php/OWASP_Pipeline_Tool_Project
    github.com/owasp/pipeline


  137. Developer focused security pages:
    owasp.github.com/dev-pages


  138. Thank you.


  139. I recognize that software has become a foundation of our
    modern world.
    I recognize the awesome responsibility that comes with this
    foundational role.
    I recognize that my code will be used in ways I cannot
    anticipate, in ways it was not designed, and for longer than it
    was ever intended.
    I recognize that my code will be attacked by talented and
    persistent adversaries who threaten our physical, economic
    and national security.
    I recognize these things – and I choose to be rugged.


  140. (repeat of slide 139)

  141. References
    • https://speakerdeck.com/garethr/maintaining-control-by-letting-go-security-and-devops
    • http://www.slideshare.net/nickgsuperstar/devopssec-apply-devops-principles-to-security
    • https://www.rsaconference.com/writable/presentations/file_upload/asd-t07r-continuous-security-5-ways-devops-improves-security.pdf
    • https://github.com/owasp/pipeline
    • http://gotocon.com/goto-london-2015/
    • https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
    • http://gauntlt.org/
    • https://github.com/PearsonEducation/bag-of-holding
    • https://www.ruggedsoftware.org/

  142. Thank you.
