What is Rugged all about?

Transcript

1. What is ‘Rugged’ all about? Matt Konda

2. None
3. None
4. None
5. None
6. None

7. He would want me to tell you • Software is

   eating the world. • DevOps and Security is a rare opportunity. • Makes security positive, cultural+ • Show the Rugged Manifesto • Honey Badger = Security + DevOps … • Empathy, Empathy, Empathy • Bridge communities!

8. He would want me to emphasize • Instrumentation • Be

   Mean To Your Code • Complexity is the Enemy • Change Management (Automation through tooling) • Empathy (Did I say that yet?)

9. He would want me to mention • By updating our

   software (and it’s dependencies) we can address a huge amount of attack surface. • DevOps should be good at this. • Empathy (Did I say that yet?)
10. None

11. OWASP?

12. Introduction 1997 2006 2014 Consultant Engineer Software Architect Director of

    Engineering Rabble Rouser: Perl Java Applet C++ J2EE J2EE
 Spring Analytics Certificate Authority Vulnerability Scanner Penetration Test Manager Pricing Retail Banking Manufacturing Pharma Healthcare Research Ruby Rails Chicago BSides 2011, 2012 Defcon Skytalk OWASP Chicago, MSP 2013 AppSec USA 2012, 2013 ChicagoRuby 2013 Secure 360 Lone Star Ruby 2013 WindyCityRails 2013 Chicago JUG 2014 RailsConf 2014 Converge 2014 Chicago Coder Conference 2015 MS in CS Founder Consultant Agile Clojure Graph Database Trying to hack a business model that succeeds while helping developers. Domains: Projects: DevOps / Automation Training Coaching Code Review Plugged in to SDLC Consulting Assessments @mkonda [email protected] DevOps Growing

13. This was a setup. Chicago style.

14. None
15. None

16. But in Chicago, we make the best of every situation.

17. None

18. Positive Software Security Matt Konda

19. Let’s learn what we can from Rugged (applied to DevOps)

20. I recognize that software has become a foundation of our

    modern world. I recognize the awesome responsibility that comes with this foundational role. I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended. I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic and national security. I recognize these things – and I choose to be rugged.

21. I recognize that software has become a foundation of our

    modern world. I recognize the awesome responsibility that comes with this foundational role. I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended. I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic and national security. I recognize these things – and I choose to be rugged.

22. I recognize that software has become a foundation of our

    modern world. I recognize the awesome responsibility that comes with this foundational role. I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended. I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic and national security. I recognize these things – and I choose to be rugged.

23. Reminiscent of the Agile Manifesto Perhaps?

24. Let’s talk about adversaries…

25. None

26. This year, organized crime became the most frequently seen threat

    actor for Web App Attacks. Source: Verizon 2015 Data Breach Investigations Report
27. None
28. None

29. Threat model

30. None
31. None
32. None
33. None
34. None

35. Security Examples

36. SELECT "orders".* FROM "orders" WHERE (rewards_code = 'a') union select

    id, 'product', 1, 1, 'cc', 'cvv', 'expiration', email as first_name, encrypted_password as last_name, created_at, updated_at, id, 'reward' from users; --')

37. Getting Rugged? Train. Search for string concatenation: +, append prefer

    parameterized queries! Do code review. Use static analysis. Use web app scanning.

38. Output Encoding < &lt; > &gt;

39. Getting Rugged? Train. Search for {{{, innerHTML, .raw, utext, etc.

    Do code review. Use static analysis. Use web app scanning.

40. Insecure Direct Object Reference Hani Joanne Salary Record Salary Record

    ? Authorization fail!
41. None
42. None

43. Some Specifics Around Process

44. Security in the SDLC • Building software is a process.

    • The best way to make software secure is to make security part of the process. • There are many ways to do this - none is perfect. • Find a way to make the security fit your process.

45. Requirements Design Code Test Maintenance Classic Waterfall Delivery

46. Requirements Design Code Test Maintenance Classic Waterfall Delivery Security

47. Story Continuous Delivery: The Unit of Work is a Story

    Requirements Design Code Test

48. Story Continuous Delivery: The Unit of Work is a Story

    Requirements Design Code Test Security Requirements Security Unit Tests Exploratory Testing Static Analysis on Commit Code Review Threat model / attack surface Checklists Understand Dependencies

49. continuous delivery

50. Classic security sees this and wants to …

51. continuous delivery

52. Baseline Security Requirements

53. ARE STAKEHOLDERS ASKING FOR SECURITY?

54. None
55. None

56. Story Points

57. Estimates to Include Security Considerations

58. Here’s why.

59. Agile metrics Credit: rallydev.com

60. Story Review

61. Incremental Code Review

62. Continuous Integration

63. None
64. None
65. None

66. Static Analysis

67. Checklists

68. None
69. None
70. None
71. None

72. Bug Tracking

73. Testing

74. None
75. None

76. Operationalize

77. Understand lifecycle

78. Think incremental

79. continuous delivery Code Review Security Unit Tests Security Requirements

80. Automate security tools

81. continuous delivery Security Tool Automation: Code analysis Security unit tests

    Dynamic scanning etc.

82. continuous delivery Security Tests Run Exploratory Testing Includes Security

83. A detailed example: • Let’s say a feature is being

    developed • Then devs and testers are checking a new feature • Let them browse through an attack proxy (like Burp or ZAP) in passive mode • At night or when the system is quiet, use the browsing pattern as seeds for overnight attacks

84. Continuous feedback

85. continuous delivery Feedback!

86. EVIL False Positives Are a Necessary

87. Optimize for relevance

88. Provisioning tools

89. continuous delivery Since its easy to provision we can do

    security testing safely in a new env.

90. Audit tools

91. continuous delivery Deployment checks includes security audit checks.

92. Self documenting for regulatory and compliance!

93. Chaos tools

94. Change is good

95. continuous delivery Change is happening. It can be an opportunity

    instead of a hassle.

96. Complexity is an enemy

97. continuous delivery Small releases reduce complexity. Decomposition to micro-services reduces

    dependencies and complexity. Right now, security hurts.

98. Shared responsibility

99. continuous delivery Another principle of software delivery: build security in!

    Done means secure! Empowered to do security right!

100. Measure results

101. Event based model … (Reactive)

102. Commit • Security Unit Tests • Static Code Analysis (Pipeline)

     • Security Requirements • Check Dependencies • Code Review • Checklists

103. Deploy • Scripted Provisioning / Built in Change Control •

     Provisioning Auditing (Chef Audit, hardening.io) • Gauntlt

104. Periodic • Full app analysis (static, manual pen test) •

     Secure Development Training • Baseline Security Requirements Review • ASVS Review • Data Science on Results

105. Security Incident

106. Required metasploit struts demo…

107. /bin/dependency-check.sh - a struts2-showcase - out /tmp/ - s /tomcat-root/struts2-showcase/

108. <vulnerability> <name>CVE-2013-2251</name> <cvssScore>9.3</cvssScore> <severity>High</severity> <cwe>CWE-20 Improper Input Validation</cwe> <description>Apache Struts

     2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.</description> <references> <reference> <source>BID</source> <url>http://www.securityfocus.com/bid/64758</url> <name>64758</name> </reference> …

109. Takeaway: lots of your issues might be in your dependencies!

110. So what is Rugged all About?

111. None
112. None
113. None
114. None
115. None
116. None
117. None
118. None

119. Traditional Plan Original goal

120. Traditional Plan Original goal Actual GOAL Agile Plan

121. empathy

122. accountability

123. culture

124. None