Introduction 1997 2006 2014 Consultant Engineer Software Architect Director of Engineering Rabble Rouser: Perl Java Applet C++ J2EE J2EE Spring Analytics Certificate Authority Vulnerability Scanner Penetration Test Manager Pricing Retail Banking Manufacturing Pharma Healthcare Research Ruby Rails Chicago BSides 2011, 2012 Defcon Skytalk OWASP Chicago, MSP 2013 AppSec USA 2012, 2013 ChicagoRuby 2013 Secure 360 Lone Star Ruby 2013 WindyCityRails 2013 Chicago JUG 2014 RailsConf 2014 Converge 2014 Chicago Coder Conference 2015 MS in CS Founder Consultant Agile Clojure Graph Database Trying to hack a business model that succeeds while helping developers. Domains: Projects: DevOps / Automation Training Coaching Code Review Plugged in to SDLC Consulting Assessments @mkonda [email protected] DevOps Growing
Overview • Quick overview of security tools • DevOps / Continuous Delivery & Rugged • Leveraging security automation where possible • Hands on with Pipeline for labs (time permitting)
B+ C B+ F D D F B A- C The items on the left are the OWASP Top 10. The grades are mine and are arbitrary. https://www.owasp.org/index.php/Top_10_2013-Top_10
CVE-2014-0050 5.0 Medium CWE-264 Permissions, Privileges, and Access Controls MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.
BID http://www.securityfocus.com/bid/65400 65400
BUGTRAQ http://www.securityfocus.com/archive/1/archive/1/532549/100/0/threaded 20140625 NEW VMSA-2014-0007 - VMware product updates address security vulnerabilities in Apache Struts library
CVE-2013-0248 3.3 Low CWE-264 Permissions, Privileges, and Access Controls The default configuration of javax.servlet.context.tempdir in Apache Commons FileUpload 1.0 through 1.2.2 uses the /tmp directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack.
CVE-2007-0185 5.0 Medium Getahead Direct Web Remoting (DWR) before 1.1.4 allows attackers to cause a denial of service (memory exhaustion and servlet outage) via unknown vectors related to a large number of calls in a batch.
CVE-2013-2251 9.3 High CWE-20 Improper Input Validation Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.
BID http://www.securityfocus.com/bid/64758 64758
This is the one that allowed me to metasploit myself.
I recognize that software has become a foundation of our modern world. I recognize the awesome responsibility that comes with this foundational role. I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended. I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic and national security. I recognize these things – and I choose to be rugged.
I recognize that software has become a foundation of our modern world. I recognize the awesome responsibility that comes with this foundational role. I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended. I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic and national security. I recognize these things – and I choose to be rugged.
Story Continuous Delivery: The Unit of Work is a Story Requirements Design Code Test Security Requirements Security Unit Tests Exploratory Testing Static Analysis on Commit Code Review Threat model / attack surface Checklists Understand Dependencies
Lab 2: Running Pipeline on Your Project docker run —rm -v /Users/mk/code/loca:/tmp/target/ owasp/pipeline:0.8.1 \ -d \ -t owaspdependencycheck \ -f csv \ /tmp/target/ * Due to docker ease of setup, please use a directory within your home directory. It is possible to do this in other ways, but it requires further setup of shared folders in virtual box which we want to avoid for the purposes of this workshop.
Lab 2: Running Pipeline on Your Project 1. docker run —name pipe jemurai/ pipeline:0.8 2.docker exec -it pipe bash docker ps FIND YOUR IMAGE NAME * Due to docker ease of setup, please use a directory within your home directory. It is possible to do this in other ways, but it requires further setup of shared folders in virtual box which we want to avoid for the purposes of this workshop.
Lab 3: Getting into the Pipeline Docker Image 1. docker run -rm —i -t —entrypoint=/ bin/bash owasp/pipeline:0.8.1 2. cd lib 3. ../bin/pipeline -h Now you’re running from source. We can change anything …
Lab 5: Running Pipeline on a Git Hook 1. Copy /hooks/pre-commit to your project in /.git/hooks 2. chmod +x pre-commit 3. Edit pre-commit to reflect your path and tools 4. Regular process: 1. Change a 2. git add 3. git commit -m “Testing”
Overview • Pipeline is broken into different chunks to try to make it easy and straightforward to extend in expected ways. • These illustrate the challenges of security automation. Mounter Files Code Live Filter Reporter “Tasks”
Other Internals • Within “Tasks”, each of the files, code and app phases of the pipeline can be run selectively as stages. Mounter Files Code Live Filter Reporter “Tasks”
Lab 5: Adding a New Tool to Pipeline 1. docker run -i -t —entrypoint=/bin/ bash jemurai/pipeline:0.8 2. cd pipeline/lib/pipeline/tasks/ 3. cp bundler-audit.rb test.rb 4. Edit to always create a finding (or use the following example for grep) 5. cd /../../lib 6. …/bin/pipeline -t test /tmp/
mkonda
shibe23
hazumirr
itsmedreamwalker
iwatatomoya
ogiwarat
taowata
hschwentner
kizuku_miyagi
hirodragon112
cocoeyes02
beenos
vrallev
jensimmons
lauravandoore
holman
wjessup
kastner
trallard
palkan
pedronauck
marktimemedia
brettharned
notwaldorf
thoeni