Web App Security in an Agile World

Transcript

1. Web App Security in an Agile World Nick Galbreath [email protected]

   2016-06-17
2. None
3. None

4. Why We Started
 Signal Sciences 2014-01-31
 App Sec Cali
 Santa

   Monica, CA

5. Macro Trends Stacked Against Defenders Rate of internal change is

   increasing, general shift from fixed assets to dynamic.
 Security talent is in short supply and oversubscribed.
 
 Attack economics are getting better… for attackers. or are they?

6. Software Engineering is really new. App Sec is even newer

7. Software Development as a Physical Construction Process http://blog.in-sight.io/software-engineering-vs-civil-engineering/ Where’s security?

   The Web Is Different!

8. Maybe Civil Engineering
 isn’t the right model? http://www.infrastructurereportcard.org

9. From $250 Million to $6.5 Billion: 
 The Bay Bridge

   Cost Overrun http://www.citylab.com/politics/2015/10/from-250-million-to-65-billion-the-bay-bridge-cost-overrun/410254/

10. slide http://www.dw.com/en/berlins-new-airport-potentially-hit-by-yet-another-delay/a-19107260#

11. Every engineering organization in the world is trying to go

    faster by using cloud, devops, continuous integration, agile Or Planning To Do So, with Some Projects

12. Even the USA Government Delivery is the strategy. https://18f.gsa.gov

13. Even the State of California https://www.codeforamerica.org/blog/2015/11/30/a-new-approach-to-procuring-government-technology-in-california/ A New Approach to

    Procuring Government Technology in California What was going to be a business-as-usual procurement (a long, thousand- plus page contract for a complete solution, driven by requirements and a likely waterfall delivery) of a new Child Welfare System will now be a series of procurements for long-term services, not solutions, driven by understanding and meeting user needs, delivered iteratively. Child welfare services personnel in California investigate nearly half a million reports of severe maltreatment and life-threatening neglect to children a year. Of those half a million, around 80,000 reports are confirmed annually, 30,000 children must be removed from their homes, and at any time almost 100,000 children are living in foster care for their protection or live with their parents under close county protective supervision.
 The Child Welfare System was the perfect choice for a new approach because it’s too important to fail. NOVEMBER 30, 2015

14. And You

15. https://twitter.com/petecheslock/status/595617204273618944

16. 100-10-1
 Dev-Ops-Sec

17. SF Bay Area:
 For every 1 person in infosec, there

    are 2 job postings

18. a brief discussion on attack economics

19. What Does
 Not Work

20. Treating Web App Security
 as if were Network Security

21. Machine
 Learning

22. SPOF SOLUTIONS

23. a different type of pen test:
 http://www.busybeecreations.biz/blog/2015/9/14/ink-and-pen-tests More
 Pen Tests

24. Data
 Hoarding

25. Going Slower

26. None

27. • Change is increasing • Hiring is challenging • Attack

    Economics is not look good • A bunch of stuff doesn't work

28. ???

29. me “Security is not a binary state”

30. Fail Success How do we move away from this?

31. Embrace, 
 Demand,
 and Extend
 “Continuous Deployment” Make Security Visible

    
 (to all)

32. Continuous Deployment:
 Moving Code from Dev to Production characterized by

    small changes, done more frequently, in a semi-automated way.

33. Does not preclude • Code reviews • Architecture reviews •

    Testing • Two-man rules • Audibility • Compliance

34. Does not require • 10,03894293842,00 pushes to prod today
 (i.e.

    do not chase the leaders)

35. Mechanism POLICY https://forbo.blob.core.windows.net/forboimages/3159/Forbo_Slider_Everyday_life_pastry.jpg

36. None

37. 1. HEAD/Mainline/Trunk is always ready to ship. http://www.paulhammond.org/2010/06/trunk/ alwaysshiptrunk.pdf

38. Trunk is always ready to ship

39. Feature Flags

40. Automated Build/ Release Pipeline

41. ✓ Formatting Checks ✓ Linting ✓ Static Analysis ✓ Security

    Checks ✓ Unit Tests ✓ Integration Tests ✓ Spelling Checks ✓ Login / Auth

42. Security can make
 patches as needed Require developers to do


    so in a timely manner or

43. Average time to fix a vulnerability is 150 days after

    being reported…. you think that is due to technical reasons?
44. None
45. None

46. Lessons from Manufacturing MTTD, MTTR

47. Mean Time To Detect Mean Time To Resolve
 (bonus MTBF:


    Mean Time Between Failure)

48. https://speakerdeck.com/ngalbreath/ continuous-deployment-1

49. https://www.nps.gov/media/photo/gallery.htm?id=F865DA8A-155D-4519-3E66BBFECC74C707 No, that’s not going to work

50. Visibility and Realtime Monitoring http://spectrumscoreboards.com/2014-04-01-15-02-36/softball

51. Continuous Deployment Doesn't Change This Fact

52. — Zane Lackey “If you are on the Internet,
 you

    are already getting a free pen test. 
 
 You just aren’t getting the report.”

53. Get The Report
 Who are you attacker What is their

    goal Are they successful

54. Get The Report • Who are you attackers • What

    is their goal • Are they successful

55. Cosmic Background Noise of Attacks

56. Cloud-based scanner

57. Attack Tooling

58. What are they looking at Using SQLMap, on this URL,

    focused on 'guests'

59. Anomalies

60. http://the-toast.net/2014/02/04/in-defense-of-art-history/ That’s great but what does it mean?

61. An AppSec Love Story from Verona, Italy

62. Security is Empowered

63. Developers are interested in security

64. It’s the Call to Action Slide! http://i.huffpost.com/gen/799454/images/o-CLARK-ATLANTA-UNIVERSITY-MARCHING-PANTHERS-facebook.jpg Embrace Continuous Deployment


    Make Security Visible

65. [email protected]