Security from Inception

Transcript

1. Security from inception Matt Konda @mkonda Jemurai.com

2. Introduction 1997 2006 2014 Consultant Engineer Software Architect Director of

   Engineering Rabble Rouser: Perl Java Applet C++ J2EE J2EE
 Spring Analytics Certificate Authority Vulnerability Scanner Penetration Test Manager Pricing Retail Banking Manufacturing Pharma Healthcare Research Ruby Rails Chicago BSides 2011, 2012 Defcon Skytalk OWASP Chicago, MSP 2013 AppSec USA 2012, 2013 ChicagoRuby 2013 Secure 360 Lone Star Ruby 2013 WindyCityRails 2013 Chicago JUG 2014 RailsConf 2014 Converge 2014 MS in CS Founder Consultant Agile Clojure Graph Database Trying to hack a business model that succeeds while helping developers. Domains: Projects: Training Coaching Code Review Plugged in to SDLC Consulting Assessments

3. BACKGROUND ON ME

4. What is an inception?

5. None
6. None
7. None
8. None

9. ARE STAKEHOLDERS ASKING FOR SECURITY?

10. None
11. None

12. exercise 1

13. exercise 2

14. http://blog.cognitivedissidents.com/2011/11/01/intro-to-hdmoores-law/ Credit: Josh Corman HDMoore’s Law

15. Baseline security requirements

16. story points

17. estimates to include security considerations

18. here’s why.

19. Agile metrics Credit: rallydev.com

20. security and agile

21. Agile values Individuals and interactions over processes and tools

22. Agile values Working software over comprehensive documentation

23. Agile values Customer collaboration over contract negotiation

24. Agile values Responding to change over following a plan

25. Traditional Plan Original goal

26. Traditional Plan Original goal Actual GOAL Agile Plan

27. Example: 2FA

28. placeholder for building picture

29. Example: auditing

30. story review

31. CREDIT:
 RALLYDEV.COM

32. incremental code review

33. hipchat

34. continuous integration

35. gauntlt

36. static analysis

37. dynamic analysis

38. app / network scanning

39. Speaking of tools…

40. there is no
    

41. EVIL False Positives Are a Necessary

42. checklists

43. bug tracking

44. testing

45. How many
    people here
    Write tests?

46. How many
    people here
    Use TDD?

47. How many
    people here
    Use BDD?

48. How many
    people here
    know of OWASP?

49. How many
    people here
    currently write security tests?

50. how many people have had a penetration test against their

    application?
51. None
52. None

53. Feature: person is restricted from accessing A project they do

    not own Scenario: person accesses a project
    that is not theirs
    Given a new project created by a user When a different person attempts to access the project Then the system should prevent access

54. demo cucumber --name "person is restricted from accessing project they

    do not own"
55. None

56. Given(/^a new project created by a user$/) do uuid =

    SecureRandom.uuid @user1 = "fb_user_1_#{uuid}@jemurai.com" register_as_user(@user1, "password") new_project("Insecure Direct Object Reference #{uuid}", "Forceful Browsing Desc") @url = current_url end When(/^a different person attempts to access the project$/) do logout(@user1) uuid = SecureRandom.uuid @user2 = "fb_user_2_#{uuid}@jemurai.com" register_as_user(@user2, "password") end Then(/^the system should prevent access$/) do visit @url expect(page).not_to have_content "Forceful Browsing Desc" end

57. demo cucumber --name "user is prevented from putting XSS in

    project form fields"
58. None
59. None

60. write tests that illustrate the security issues

61. simplified Steps • injection: inject commands into fields and detect

    functions being called. • XSS: inject scripts into fields and detect that alerts are thrown • Mass assignment: set raw form data and send it to see how the server responds • csrf: alter csrf token and send otherwise valid request • headers: interact with system and verify that headers are being set • Sensitive Data: open session cookie and inspect

62. OWASP Top 10 From: owasp.org

63. spend time on scenarios for negative testing

64. if you like all this stuff, maybe you should be

    a security champion

65. standup

66. None

67. built in architecture review

68. operationalize

69. None

70. Facilitate

71. ask questions

72. None

73. What we delivered

74. • • RELIABILITY MAINTAINABILITY • • • • • •

    • • SECURITY ruggeddev.org @ruggeddev rugged
75. None

76. never be afraid to ask for help

77. unfortunately, we’ve all done it wrong

78. make security friends
    

79. make security friends
    

80. Summary • Villain Person from Inception • baseline Security Requirements

    Up Front • Story Review for Security: acceptance criteria • Security Requirements included in stories PRE estimation • Incremental Code Review • Share Tools: planning, collaboration, build • Testing • Participate in Standup • operational and monitoring guide • Facilitate - ask questions - stay involved

81. Resources • owasp top 10 • OWASP ZAP • OWASP

    Dependency Check • OWASP WebGoat

82. Thank you

83. Thank you

84. Security from inception Matt Konda @mkonda Jemurai.com