Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security Automation Pipeline

Matt Konda
January 14, 2016
Programming
1
190

Security Automation Pipeline

IJUG Meetup where we talked about security tools, where they fit in continuous delivery pipelines and how the OWASP pipeline tool can help.

Matt Konda

January 14, 2016
Tweet

More Decks by Matt Konda

See All by Matt Konda
Glue Intro
mkonda
0
110
Automate All of the Things
mkonda
0
180
Building Rugged Software in a DevOps World
mkonda
0
94
What is Rugged all about?
mkonda
1
81
Real World Security Testing
mkonda
1
95
Security Automation Workshop
mkonda
0
53
Rationalizing Security
mkonda
0
52
Application Security Landscape
mkonda
0
73
Security and DevOps
mkonda
0
87

Other Decks in Programming

See All in Programming
0→1と1→10の狭間で Javaという技術選定を振り返る/Reflecting on the Decision to Choose Java Between Scaling from 0 to 1 and 1 to 10
jaguar_imo
2
360
[SF Ruby, March 2024] Rails on Wasm
palkan
0
370
チーム力を高めるスクラム実践法:カンバン公開と課題攻略について - ニフティのスクラムトーク Vol. 2 - NIFTY Tech Talk #18
niftycorp
PRO
1
110
StreamlitとTerraformでデータカタログを作った話
gussan0223
0
290
Folding Cheat Sheet #2
philipschwarz
PRO
0
110
Hanami and htmx
bkuhlmann
0
190
try! Swift Tokyo 2024 参加報告 / try! Swift Tokyo 2024 Report
hironytic
0
170
Introduction for Open Source Swift Workshop
giginet
PRO
0
1.1k
1BRC--Nerd Sniping the Java Community
gunnarmorling
0
300
PHPの次期バージョンはこの時期どうなっているのか - Internalsの開発体制について - PHPカンファレンス小田原
youkidearitai
PRO
1
180
try! Swift Tokyo 2024のLT枠に採択されたプロポーザルを出すときに考えていたこと
ski
0
340
⼤規模⾔語モデルの拡張(RAG)が 終わったかも知れない件について
nearme_tech
22
15k

Featured

See All Featured
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
115
18k
Code Reviewing Like a Champion
maltzj
513
39k
Designing on Purpose - Digital PM Summit 2013
jponch
110
6.4k
Fantastic passwords and where to find them - at NoRuKo
philnash
36
2.5k
Build The Right Thing And Hit Your Dates
maggiecrowley
23
2k
Rails Girls Zürich Keynote
gr2m
91
13k
Scaling GitHub
holman
457
140k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
16
6.3k
The Language of Interfaces
destraynor
151
23k
The Invisible Customer
myddelton
114
12k
Statistics for Hackers
jakevdp
789
220k
Fontdeck: Realign not Redesign
paulrobertlloyd
75
4.9k

Transcript

  1. Security Automation in Software Delivery: A Rugged DevOps Pipeline Matt

    Konda @mkonda

  2. Prereqs • Docker Toolbox • pipeline • docker pull owasp/pipeline:0.8.1

    • A project to analyze

  3. Introduction 1997 2006 2014 Consultant Engineer Software Architect Director of

    Engineering Rabble Rouser: Perl Java Applet C++ J2EE J2EE
 Spring Analytics Certificate Authority Vulnerability Scanner Penetration Test Manager Pricing Retail Banking Manufacturing Pharma Healthcare Research Ruby Rails Chicago BSides 2011, 2012 Defcon Skytalk OWASP Chicago, MSP 2013 AppSec USA 2012, 2013 ChicagoRuby 2013 Secure 360 Lone Star Ruby 2013 WindyCityRails 2013 Chicago JUG 2014 RailsConf 2014 Converge 2014 Chicago Coder Conference 2015 MS in CS Founder Consultant Agile Clojure Graph Database Trying to hack a business model that succeeds while helping developers. Domains: Projects: DevOps / Automation Training Coaching Code Review Plugged in to SDLC Consulting Assessments @mkonda [email protected] DevOps Growing

  4. What do I do? • Bug bounty • Breaking •

    Mostly SDLC • Training • Automation

  5. Overview • Quick overview of security tools • DevOps /

    Continuous Delivery & Rugged • Leveraging security automation where possible • Hands on with Pipeline for labs (time permitting)
  6. None

  7. – http://training.jemurai.com/struts2-blank/ example/X.action?action:%25{3*4}

  8. training.jemurai.com/struts2-showcase/ employee/save.action?redirect:%25{(new +java.lang.ProcessBuilder(new +java.lang.String[]{‘touch’,'/tmp/hi2'})).start()}

  9. None

  10. metasploit + struts

  11. Security Tools

  12. Static Analysis

  13. Static Analysis Live App Scanning

  14. Static Analysis Live App Scanning Dynamic Analysis

  15. Static Analysis Live App Scanning Dynamic Analysis Dependency Checks

  16. Static Analysis Live App Scanning Dynamic Analysis Dependency Checks Web

    Application Firewall Runtime Security Monitoring IP Reputation Anti-Automation Penetration Testing
  17. None

  18. B+ C B+ F D D F B A- C

    The items on the left are the OWASP Top 10. The grades are mine and are arbitrary. https://www.owasp.org/index.php/Top_10_2013-Top_10
  19. None
  20. None

  21. There is no substitute for people with knowledge.

  22. But we can help ourselves by leveraging tools.

  23. We just have to be smart and flexible about it.

  24. So let’s go a bit deeper

  25. Find Security Bugs

  26. None
  27. None
  28. None
  29. None
  30. None
  31. None
  32. None
  33. None

  34. OWASP Dependency Check

  35. http://dl.bintray.com/jeremy-long/owasp/ dependency-check-1.2.11-release.zip

  36. /bin/dependency-check.sh -a struts2-showcase -out /tmp/ -s / tomcat-root/struts2-showcase/

  37. <vulnerabilities> <vulnerability> <name>CVE-2014-0050</name> <cvssScore>5.0</cvssScore> <severity>Medium</severity> <cwe>CWE-264 Permissions, Privileges, and Access

    Controls</cwe> <description>MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop&apos;s intended exit conditions.</description> <references> <reference> <source>BID</source> <url>http://www.securityfocus.com/bid/65400</url> <name>65400</name> </reference> <reference> <source>BUGTRAQ</source> <url>http://www.securityfocus.com/archive/1/archive/1/532549/100/0/threaded</url> <name>20140625 NEW VMSA-2014-0007 - VMware product updates address security vulnerabilities in Apache Struts library</name> </reference> <reference> <source>BUGTRAQ</source> <url>http://www.securityfocus.com/archive/1/archive/1/534161/100/0/threaded</url> <name>20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities</name> </reference> <reference> <source>BUGTRAQ</source> <url>http://www.securityfocus.com/archive/1/archive/1/535181/100/0/threaded</url> <name>20150402 NEW : VMSA-2015-0003 VMware product updates address critical information disclosure issue in JRE</name> </reference> <reference> <source>CONFIRM</source> <url>http://advisories.mageia.org/MGASA-2014-0110.html</url> <name>http://advisories.mageia.org/MGASA-2014-0110.html</name> </reference> <reference> <source>CONFIRM</source> <url>http://svn.apache.org/r1565143</url> <name>http://svn.apache.org/r1565143</name> </reference> <reference> <source>CONFIRM</source> <url>http://tomcat.apache.org/security-7.html</url> <name>http://tomcat.apache.org/security-7.html</name> </reference>

  38. <vulnerability> <name>CVE-2013-0248</name> <cvssScore>3.3</cvssScore> <severity>Low</severity> <cwe>CWE-264 Permissions, Privileges, and Access Controls</cwe>

    <description>The default configuration of javax.servlet.context.tempdir in Apache Commons FileUpload 1.0 through 1.2.2 uses the /tmp directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack.</description> <references> <reference> <source>BUGTRAQ</source> <url>http://archives.neohapsis.com/archives/bugtraq/2013-03/0035.html</url> <name>20130306 [SECURITY] CVE-2013-0248 Apache Commons FileUpload - Insecure examples</name> </reference> <reference> <source>OSVDB</source> <url>http://www.osvdb.org/90906</url> <name>90906</name> </reference> </references> <vulnerableSoftware> <software>cpe:/a:apache:commons_fileupload:1.0</software>

  39. <vulnerabilities> <vulnerability> <name>CVE-2007-0185</name> <cvssScore>5.0</cvssScore> <severity>Medium</severity> <description>Getahead Direct Web Remoting (DWR)

    before 1.1.4 allows attackers to cause a denial of service (memory exhaustion and servlet outage) via unknown vectors related to a large number of calls in a batch.</description> <references> <reference> <source>BID</source> <url>http://www.securityfocus.com/bid/21955</url> <name>21955</name> </reference> <reference> <source>CONFIRM</source> <url>http://getahead.ltd.uk/dwr/changelog</url> <name>http://getahead.ltd.uk/dwr/changelog</name> </reference> <reference> <source>OSVDB</source> <url>http://osvdb.org/32658</url> <name>32658</name> </reference>

  40. <vulnerability> <name>CVE-2013-2251</name> <cvssScore>9.3</cvssScore> <severity>High</severity> <cwe>CWE-20 Improper Input Validation</cwe> <description>Apache Struts

    2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.</description> <references> <reference> <source>BID</source> <url>http://www.securityfocus.com/bid/64758</url> <name>64758</name> </reference> This is the one that allowed me to metasploit myself.

  41. Lab 1: Running Pipeline from Docker 1. docker-machine create --driver

    virtualbox default 2. eval $(docker-machine env default) 3. docker pull owasp/pipeline:0.8.1 4. docker run —rm owasp/pipeline:0.8.1 -h 5. docker run —rm owasp/pipeline:0.8.1 -t brakeman https://github.com/Jemurai/ triage.git

  42. DevOps / Continuous Delivery

  43. None

  44. Rugged

  45. I recognize that software has become a foundation of our

    modern world. I recognize the awesome responsibility that comes with this foundational role. I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended. I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic and national security. I recognize these things – and I choose to be rugged.

  46. I recognize that software has become a foundation of our

    modern world. I recognize the awesome responsibility that comes with this foundational role. I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended. I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic and national security. I recognize these things – and I choose to be rugged.

  47. Understand lifecycle

  48. Requirements Design Code Test Maintenance Classic Waterfall Delivery

  49. Requirements Design Code Test Maintenance Classic Waterfall Delivery Security

  50. continuous delivery

  51. Classic security sees this and wants to …

  52. continuous delivery

  53. But we can embrace it.

  54. Being able to deploy quickly is my #1 security feature.

    - Nick Galbreath

  55. Think incremental

  56. Story Continuous Delivery: The Unit of work is a story

    Requirements Design Code Test

  57. Story Continuous Delivery: The Unit of Work is a Story

    Requirements Design Code Test Security Requirements Security Unit Tests Exploratory Testing Static Analysis on Commit Code Review Threat model / attack surface Checklists Understand Dependencies

  58. continuous delivery Code Review Security Unit Tests Security Requirements

  59. Automate security tools

  60. continuous delivery Security Tool Automation: Code analysis Security unit tests

    Dynamic scanning etc.

  61. continuous delivery Security Tests Run Exploratory Testing Includes Security

  62. Lab 2: Running Pipeline on Your Project docker run —rm

    -v /Users/mk/code/loca:/tmp/target/ owasp/pipeline:0.8.1 \ -d \ -t owaspdependencycheck \ -f csv \ /tmp/target/ * Due to docker ease of setup, please use a directory within your home directory. It is possible to do this in other ways, but it requires further setup of shared folders in virtual box which we want to avoid for the purposes of this workshop.

  63. Lab 2: Running Pipeline on Your Project 1. docker run

    —name pipe jemurai/ pipeline:0.8 2.docker exec -it pipe bash docker ps FIND YOUR IMAGE NAME * Due to docker ease of setup, please use a directory within your home directory. It is possible to do this in other ways, but it requires further setup of shared folders in virtual box which we want to avoid for the purposes of this workshop.

  64. Lab 3: Getting into the Pipeline Docker Image 1. docker

    run -rm —i -t —entrypoint=/ bin/bash owasp/pipeline:0.8.1 2. cd lib 3. ../bin/pipeline -h Now you’re running from source. We can change anything …

  65. Integrations

  66. pre-commit

  67. Lab 5: Running Pipeline on a Git Hook 1. Copy

    /hooks/pre-commit to your project in <project-root>/.git/hooks 2. chmod +x pre-commit 3. Edit pre-commit to reflect your path and tools 4. Regular process: 1. Change a <file> 2. git add <file> 3. git commit -m “Testing” <file>
  68. None

  69. chat ops

  70. None
  71. None

  72. https://github.com/OWASP/Owbot

  73. Jenkins

  74. None
  75. None
  76. None
  77. None
  78. None
  79. None
  80. None
  81. None
  82. None
  83. None

  84. Issue Tracking

  85. Jira

  86. Github (future)

  87. Process images

  88. spider docker registry

  89. grab ami

  90. Process chef, puppet, ansible config …

  91. Custom Application

  92. None
  93. None
  94. None
  95. None

  96. Chat + UI + Queue + Pipeline + Jenkins +

    JIRA

  97. Case Study

  98. Credit: Matt Tesauro at AppSecEU 2015 http://www.slideshare.net/mtesauro/mtesauro-keynote-appseceu

  99. Pipeline Design

  100. Overview • Pipeline is broken into different chunks to try

    to make it easy and straightforward to extend in expected ways. • These illustrate the challenges of security automation. Mounter Files Code Live Filter Reporter “Tasks”
  101. None

  102. Mounter git repo, filesystem, iso, docker image

  103. Mounter clamav hashdeep Files

  104. Mounter brakeman, bundler-audit, owasp-dependency-check, secrets in source, retire.js, eslint/scan.js, nodesecurityproject.

    Files Code

  105. Mounter Currently: ZAP Future: guantlt, etc. Files Code Live

  106. Recap of “Tasks” • File: AV, FIM • Code: •

    Ruby/Rails: brakeman, bundler-audit • JavaScript: NodeSecurityProject, eslint, retire.js • Java: owasp-dependency-check • Checkmarx • Live: ZAP

  107. Lab 4: Running JS Tools 1.docker run jemurai/pipeline:0.8 -t eslint

    https://github.com/OWASP/ NodeGoat.git Or interactively: 1.docker run -t -i —entrypoint=/bin/bash jemurai/pipeline:0.8 2.cd line/pipeline/lib 3.../bin/pipeline -t eslint https:// github.com/OWASP/NodeGoat.git Try: -t eslint,nodesecurityproject,retirejs

  108. Here’s a secret…

  109. I can’t tell you what’s going to work for you.

  110. Mounter Prevents false positives in JIRA. Files Code Live Filter

  111. Mounter Reports to JIRA, csv, json, text. Files Code Live

    Filter Reporter

  112. How would you do tsv?

  113. How would you do github?

  114. Extension Points • Mounters: mount, supports? • Tasks: run, analyze,

    supported? • Filters: filter • Reporter: run_report Mounter Files Code Live Filter Reporter “Tasks”

  115. Other Internals • Within “Tasks”, each of the files, code

    and app phases of the pipeline can be run selectively as stages. Mounter Files Code Live Filter Reporter “Tasks”

  116. ruby bin/pipeline -l code (Code analysis) -d (Turn on debug)

    -f text (Output format) /area53/app/

  117. ruby bin/pipeline -t brakeman (Tool) -d (Turn on debug) -f

    csv (Output format) /area53/app/

  118. Lab 5: Adding a New Tool to Pipeline 1. docker

    run -i -t —entrypoint=/bin/ bash jemurai/pipeline:0.8 2. cd pipeline/lib/pipeline/tasks/ 3. cp bundler-audit.rb test.rb 4. Edit to always create a finding (or use the following example for grep) 5. cd /../../lib 6. …/bin/pipeline -t test /tmp/

  119. Thank you.

  120. References • https://github.com/owasp/pipeline • https://www.owasp.org/index.php/OWASP_AppSec_Pipeline • https://speakerdeck.com/garethr/maintaining-control-by-letting-go-security-and-devops • http://www.slideshare.net/nickgsuperstar/devopssec-apply-devops-principles-to-security •

    https://www.rsaconference.com/writable/presentations/file_upload/asd-t07r-continuous- security-5-ways-devops-improves-security.pdf • http://gotocon.com/goto-london-2015/ • http://gauntlt.org/ • https://github.com/PearsonEducation/bag-of-holding • https://www.ruggedsoftware.org/