
Security Automation Workshop

Matt Konda
January 05, 2016

At Codemash

Transcript

  1. Security Automation in
    Software Delivery: A
    Rugged DevOps Pipeline
    Matt Konda
    @mkonda

  2. Prereqs
    • Docker Toolbox
    • http://prereqs.codemash.org/
    • pipeline
    • http://prereqs.codemash.org/
    • docker pull jemurai/pipeline:0.8 (or USB)
    • A project to analyze

  3. Introduction
    [Timeline figure, 1997 / 2006 / 2014: Consultant, Engineer, Software Architect, Director of Engineering, Founder, Consultant, Rabble Rouser]
    Technologies: Perl, Java Applet, C++, J2EE, Spring, Ruby, Rails, Agile, Clojure, Graph Database
    Projects: Analytics, Certificate Authority, Vulnerability Scanner, Penetration Test Manager, Pricing, DevOps / Automation
    Domains: Retail, Banking, Manufacturing, Pharma, Healthcare, Research
    Talks: Chicago BSides 2011, 2012; Defcon Skytalk; OWASP Chicago, MSP 2013; AppSec USA 2012, 2013; ChicagoRuby 2013; Secure 360; Lone Star Ruby 2013; WindyCityRails 2013; Chicago JUG 2014; RailsConf 2014; Converge 2014; Chicago Coder Conference 2015
    MS in CS
    Now: Training, Coaching, Code Review, Plugged in to SDLC, Consulting, Assessments, DevOps, Growing
    Trying to hack a business model that succeeds while helping developers.
    @mkonda
    [email protected]

  4. What do I do?
    • Bug bounty
    • Breaking
    • Mostly SDLC
    • Training
    • Automation

  5. Overview
    • Hands on with Pipeline for labs
    • Quick overview of security tools
    • DevOps / Continuous Delivery & Rugged
    • Leveraging security automation where possible

  6. Lab 1: Running Pipeline from Docker
    1. docker-machine create --driver virtualbox default
    2. eval $(docker-machine env default)
    3. docker pull jemurai/pipeline:0.8
    (or: docker load < pipeline-0.8.tar.gz)
    4. docker run --rm jemurai/pipeline:0.8 -h
    5. docker run --rm jemurai/pipeline:0.8 \
    https://github.com/Jemurai/triage.git

  7. Checkpoint: 30?

  8. Security Tools

  9-18. Security Tools (built up one item per slide)
    Static Analysis
    Live App Scanning
    Dynamic Analysis
    Dependency Checks
    Web Application Firewall
    Runtime Security Monitoring
    IP Reputation
    Anti-Automation
    Penetration Testing

  20. [Figure: the OWASP Top 10 (2013), graded in order B+, C, B+, F, D, D, F, B, A-, C]
    The items on the left are the OWASP Top 10. The grades are mine and are arbitrary.
    https://www.owasp.org/index.php/Top_10_2013-Top_10

  23. There is no substitute for
    people with knowledge.

  24. But we can help
    ourselves by leveraging
    tools.

  25. We just have to be smart
    and flexible about it.

  26. Lab 2: Running Pipeline on Your Project
    docker run \
    -v ~/code/location:/tmp/directory/ \
    jemurai/pipeline:0.8 \
    -d \
    -f csv \
    /tmp/directory/
    (The -v bind mount is a docker option and has to come before the image name; everything after jemurai/pipeline:0.8 is handed to pipeline itself as its arguments.)
    * To keep the Docker setup simple, please use a directory within your home directory. It is possible to use other locations, but that requires further setup of shared folders in VirtualBox, which we want to avoid for the purposes of this workshop.

  27. What are your results?

  28. Checkpoint: 60?

  29. DevOps /
    Continuous Delivery

  31. Rugged

  32. I recognize that software has become a foundation of our
    modern world.
    I recognize the awesome responsibility that comes with this
    foundational role.
    I recognize that my code will be used in ways I cannot
    anticipate, in ways it was not designed, and for longer than it
    was ever intended.
    I recognize that my code will be attacked by talented and
    persistent adversaries who threaten our physical, economic
    and national security.
    I recognize these things – and I choose to be rugged.

  34. Understand lifecycle

  35. Classic Waterfall Delivery: Requirements, Design, Code, Test, Maintenance

  36. Classic Waterfall Delivery: Requirements, Design, Code, Test, Maintenance, and then Security (added after Maintenance)

  37. continuous delivery

  38. Classic security sees this
    and wants to …

  39. continuous delivery

  40. But we can embrace it.

  41. Being able to deploy quickly is
    my #1 security feature.
    - Nick Galbreath

  42. Think incremental

  43. Continuous Delivery: the unit of work is a story
    Story phases: Requirements, Design, Code, Test

  44. Continuous Delivery: The Unit of Work is a Story
    Story phases: Requirements, Design, Code, Test
    Security activities within the story:
    • Security Requirements
    • Security Unit Tests
    • Exploratory Testing
    • Static Analysis on Commit
    • Code Review
    • Threat model / attack surface
    • Checklists
    • Understand Dependencies

  45. continuous delivery
    Code Review
    Security Unit Tests
    Security Requirements

  46. Automate security tools

  47. continuous delivery
    Security Tool Automation:
    Code analysis
    Security unit tests
    Dynamic scanning
    etc.

  48. continuous delivery
    Security Tests Run
    Exploratory Testing Includes Security

  49. Lab 3: Getting into the Pipeline Docker Image
    1. docker run -i -t --entrypoint=/bin/bash jemurai/pipeline:0.8
    2. cd lib
    3. ../bin/pipeline -h
    Now you’re running from source.
    We can change anything …

  50. Checkpoint: 80?

  51. Case Study

  52. Credit: Matt Tesauro at AppSecEU 2015
    http://www.slideshare.net/mtesauro/mtesauro-keynote-appseceu

  53. Pipeline Design

  54. Overview
    • Pipeline is broken into different chunks to try to make it
    easy and straightforward to extend in expected ways.
    • These illustrate the challenges of security automation.
    [Diagram: Mounter → Files, Code, Live (the “Tasks”) → Filter → Reporter]

  57. Mounter: git repo, filesystem, iso, docker image

  60. Files: clamav, hashdeep

  62. Code: brakeman, bundler-audit, owasp-dependency-check, secrets in source, retire.js, eslint/scan.js, nodesecurityproject

  66. Live: currently ZAP; future: gauntlt, etc.

  68. Recap of “Tasks”
    • File: AV, FIM
    • Code:
    • Ruby/Rails: brakeman, bundler-audit
    • JavaScript: NodeSecurityProject, eslint, retire.js
    • Java: owasp-dependency-check
    • Checkmarx
    • Live: ZAP

  69. Lab 4: Running JS Tools
    1. docker run jemurai/pipeline:0.8 -t eslint https://github.com/OWASP/NodeGoat.git
    Or interactively:
    1. docker run -t -i --entrypoint=/bin/bash jemurai/pipeline:0.8
    2. cd line/pipeline/lib
    3. ../bin/pipeline -t eslint https://github.com/OWASP/NodeGoat.git
    Try: -t eslint,nodesecurityproject,retirejs

  70. Here’s a secret…

  71. I can’t tell you what’s
    going to work for you.

  72. Filter: prevents false positives in JIRA.

  74. Reporter: reports to JIRA, csv, json, text.

  77. How would you do
    tsv?

  78. How would you do
    github?

  80. Extension Points
    • Mounters: mount, supports?
    • Tasks: run, analyze, supported?
    • Filters: filter
    • Reporter: run_report
    [Diagram: Mounter → Files, Code, Live (the “Tasks”) → Filter → Reporter]

  81. Other Internals
    • Within “Tasks”, each of the files, code and app
    phases of the pipeline can be run selectively as
    stages.
    [Diagram: Mounter → Files, Code, Live (the “Tasks”) → Filter → Reporter]

  82. ruby bin/pipeline
    -l code (Code analysis)
    -d (Turn on debug)
    -f text (Output format)
    /area53/app/

  83. ruby bin/pipeline
    -t brakeman (Tool)
    -d (Turn on debug)
    -f csv (Output format)
    /area53/app/

  84. Lab 5: Adding a New Tool to Pipeline
    1. docker run -i -t --entrypoint=/bin/bash jemurai/pipeline:0.8
    2. cd pipeline/lib/pipeline/tasks/
    3. cp bundler-audit.rb test.rb
    4. Edit to always create a finding (or use the following example for grep)
    5. cd /../../lib
    6. ../bin/pipeline -t test /tmp/
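
    The following is an added example, not code from OWASP Pipeline or from the deck: a miniature model of the Mounter → Tasks → Filter → Reporter chain from slides 54-81, written against the extension-point method names the deck lists (mount, supports?, run, analyze, supported?, filter, run_report). It covers three slides at once: a grep-style task like the one Lab 5 asks you to write, a filter that keeps repeat findings out of the tracker (slide 72), and a tab-separated reporter answering "How would you do tsv?" (slide 77). The class names, the Finding struct, the two secret patterns and the sample project are all constructed for this example; the real project's classes differ.

```ruby
# Added example, not OWASP Pipeline's own code: a miniature model of the deck's
# Mounter -> Tasks -> Filter -> Reporter chain using the extension-point method
# names from the slides. Class names, Finding, the patterns and the sample
# project are constructed for this example.
require 'digest'
require 'fileutils'
require 'tmpdir'

Finding = Struct.new(:task, :file, :line, :description, :severity, :fingerprint)

# Mounter: supports? picks the mounter, mount exposes the target as a directory.
class DirectoryMounter
  def supports?(target)
    File.directory?(target)
  end
  def mount(target)
    File.expand_path(target)
  end
end

# Grep-style Code task (Lab 5's "example for grep"); the patterns are illustrative.
class SecretsGrepTask
  PATTERNS = {
    'AWS access key id' => /AKIA[0-9A-Z]{16}/,
    'Hard-coded password' => /password\s*[:=]\s*['"][^'"]+['"]/i
  }.freeze

  def initialize(directory)
    @directory = directory
    @raw = []
  end
  # brakeman or retire.js would check for their binary here; grep needs nothing.
  def supported?
    true
  end
  # run: collect raw hits as [path, line number, pattern name].
  def run
    Dir.glob(File.join(@directory, '**', '*')).sort.each do |path|
      next unless File.file?(path)
      File.foreach(path).with_index(1) do |text, lineno|
        line = text.scrub('?') # tolerate binary files instead of raising
        PATTERNS.each { |name, re| @raw << [path, lineno, name] if line.match?(re) }
      end
    end
    self
  end
  # analyze: raw hits -> Findings. The fingerprint omits the line number on
  # purpose, so a finding that merely moves between runs is still the same one.
  def analyze
    @raw.map do |path, lineno, name|
      rel = path.sub(%r{\A#{Regexp.escape(@directory)}/}, '')
      fp = Digest::SHA256.hexdigest("secrets-grep|#{rel}|#{name}")
      Finding.new('secrets-grep', rel, lineno, name, 'high', fp)
    end
  end
end

# Filter: drop duplicate fingerprints and anything already triaged as a false
# positive, so repeated runs do not re-open the same JIRA ticket.
class DedupFilter
  def filter(findings, known_false_positives = [])
    seen = {}
    findings.reject do |f|
      skip = seen.key?(f.fingerprint) || known_false_positives.include?(f.fingerprint)
      seen[f.fingerprint] = true
      skip
    end
  end
end

# Reporter: one answer to the "How would you do tsv?" slide.
class TsvReporter
  HEADER = %w[task file line severity description fingerprint].freeze

  def run_report(findings)
    rows = findings.map { |f| [f.task, f.file, f.line, f.severity, f.description, f.fingerprint] }
    ([HEADER] + rows).map { |cols| cols.map { |c| c.to_s.tr("\t\n", '  ') }.join("\t") }.join("\n") + "\n"
  end
end

# Mount, run the task, analyze, filter; the caller picks a reporter.
def run_pipeline(target, false_positives: [])
  mounter = DirectoryMounter.new
  raise ArgumentError, "no mounter supports #{target}" unless mounter.supports?(target)
  task = SecretsGrepTask.new(mounter.mount(target))
  findings = task.supported? ? task.run.analyze : []
  DedupFilter.new.filter(findings, false_positives)
end

# Constructed sample project: two planted secrets and one clean file.
def build_sample_project
  dir = Dir.mktmpdir('pipeline-example')
  FileUtils.mkdir_p(File.join(dir, 'config'))
  File.write(File.join(dir, 'config', 'database.yml'), "production:\n  password: 'hunter2'\n")
  File.write(File.join(dir, 'app.rb'), "KEY = 'AKIAABCDEFGHIJKLMNOP'\nputs 'ok'\n")
  File.write(File.join(dir, 'README.md'), "No secrets here.\n")
  dir
end

puts TsvReporter.new.run_report(run_pipeline(build_sample_project)) if __FILE__ == $PROGRAM_NAME
```

    Run it directly and it prints the TSV for the sample project. The design choice worth copying into a real task is the fingerprint: hashing task, file and pattern (not the line number) is what lets the filter recognize an already-triaged finding on the next run, which is the whole point of putting a filter in front of the reporter.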

  86. Checkpoint: 125?

  87. Integrations

  88. pre-commit

  89. Lab 5: Running Pipeline on a Git Hook
    1. Copy /hooks/pre-commit to your project in /.git/hooks
    2. chmod +x pre-commit
    3. Edit pre-commit to reflect your path and tools
    4. Regular process:
    1. Change a
    2. git add
    3. git commit -m "Testing"
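
    As an added example, not the /hooks/pre-commit file that ships with Pipeline, here is a hook written in Ruby that does step 3 for you: it derives the path from the repository it runs in and picks the tools from the staged file types, using the language-to-tool mapping from the "Recap of Tasks" slide. It assumes the image accepts the -t, -f csv and path arguments shown on slides 26 and 83, and it assumes nothing about the CSV columns beyond "a header row with no rows under it means no findings" (a constructed assumption, labelled in the code).

```ruby
#!/usr/bin/env ruby
# Added example of a pre-commit hook, hypothetical and not the /hooks/pre-commit
# that ships with Pipeline. It chooses tasks from the staged file types using the
# language-to-tool mapping recapped in the deck, runs the jemurai/pipeline:0.8
# image over the working tree, and blocks the commit on findings.
require 'open3'

IMAGE = 'jemurai/pipeline:0.8'
MOUNT_POINT = '/tmp/project'

# Staged file pattern -> pipeline task names (from the "Recap of Tasks" slide).
TOOLS_BY_FILE = [
  [/\.rb\z|Gemfile\.lock\z/, %w[brakeman bundler-audit]],
  [/\.js\z|package\.json\z/, %w[eslint retirejs nodesecurityproject]],
  [/pom\.xml\z|\.jar\z/, %w[owasp-dependency-check]]
].freeze

# Parse `git diff --cached --name-only -z` output (NUL-separated paths).
def staged_files(git_output)
  git_output.split("\0").reject(&:empty?)
end

# Only run the tools that can say something about what is being committed.
def tools_for(files)
  files.flat_map { |f| TOOLS_BY_FILE.select { |re, _| f.match?(re) }.flat_map(&:last) }.uniq
end

# -v must precede the image name: docker hands everything after the image to
# pipeline, so a mount given there would be read as a pipeline flag instead.
def docker_command(repo_path, tools)
  ['docker', 'run', '--rm', '-v', "#{repo_path}:#{MOUNT_POINT}",
   IMAGE, '-t', tools.join(','), '-f', 'csv', MOUNT_POINT]
end

# Allow the commit only when pipeline exited cleanly and printed nothing beyond
# a header row. (Assumption for this example: the CSV starts with a header row;
# the column layout itself is not relied on.)
def commit_allowed?(exit_code, csv_output)
  return false unless exit_code.zero?
  csv_output.lines.reject { |l| l.strip.empty? }.size <= 1
end

def main
  staged, _git_status = Open3.capture2('git', 'diff', '--cached', '--name-only', '-z')
  tools = tools_for(staged_files(staged))
  return 0 if tools.empty? # nothing the pipeline can scan was staged
  csv, status = Open3.capture2(*docker_command(Dir.pwd, tools))
  return 0 if commit_allowed?(status.exitstatus || 1, csv)
  warn "pre-commit: #{tools.join(',')} reported findings, commit blocked:\n#{csv}"
  1
end

# Act as a hook only when installed under the name git calls (.git/hooks/pre-commit);
# loaded under any other name, this file just defines the helpers above.
exit(main) if File.basename($PROGRAM_NAME) == 'pre-commit'
```

    Install it as .git/hooks/pre-commit and chmod +x it, exactly as the lab says. Two behaviours are deliberate: a commit that stages only files no task understands (a README, say) is not slowed down by a container start, and if docker is missing the Open3 call raises, the hook exits non-zero, and git refuses the commit rather than silently skipping the scan.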

  91. chat ops

  94. https://github.com/OWASP/Owbot

  95. Jenkins

  106. Issue Tracking

  107. Jira

  108. Github (future)

  109. Process images

  110. spider docker registry

  111. grab ami

  112. Process chef, puppet,
    ansible config …

  113. Custom Application

  118. Chat + UI + Queue +
    Pipeline + Jenkins + JIRA

  119. Checkpoint: 160?

  120. Thank you.

  121. References
    • https://github.com/owasp/pipeline
    • https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
    • https://speakerdeck.com/garethr/maintaining-control-by-letting-go-security-and-devops
    • http://www.slideshare.net/nickgsuperstar/devopssec-apply-devops-principles-to-security
    • https://www.rsaconference.com/writable/presentations/file_upload/asd-t07r-continuous-security-5-ways-devops-improves-security.pdf
    • http://gotocon.com/goto-london-2015/
    • http://gauntlt.org/
    • https://github.com/PearsonEducation/bag-of-holding
    • https://www.ruggedsoftware.org/

  122. Thank you.
    Bill Sempf
    Justin Collins
    Aaron Bedra
    Jim Manico
    Matt Tesauro
    Josh Corman
    CodeMash!
