Automatic Application Security v2

Neil Matatall

July 22, 2015

Transcript

  1. Automatic Application Security
     the best way to build and ship software
  2. Me
     • GitHub Security Engineer
     • Twitter: @ndm
     • GitHub: @oreoshake
  3. Automatic Application Security?
  4. The story of a line of code
     • Before the code is written
     • While the code is being written
     • After the code has been written
     • After the code has shipped
  5. Before the code is written
     • Framework / architecture security
     • Secure by default
     • Education
     • Culture
  6. Framework / architecture security
     • Provide the necessary controls
     • Don't provide anything else
     • Disable unused framework features
     • Deprecate and remove/replace unsafe APIs
  7. Secure by default
     An extension of "opting out" of security
     • Apply security headers by default
     • The framework is configured in the most restrictive way possible
  8. Education (nho)
     • Separate code and data
     • Understand the context boundaries
     • Learn how to safely cross contexts
     • If you do, we'll leave you alone
  9. Culture
     • Don't be a jerk
     • Security is not a blocker, it's a passive guide
     • Secure code is correct code
     • Understand your code will be scrutinized
  10. CODE != DATA
     Culture of correct code
     SQL, from
       "select * from table where id=" + id + " order by thing"
     to
       "select * from table where id=? order by thing"
       Table.where(id: id).order(:thing)
     HTML, from
       link = "<a href=" + url + ">lol</a>"
     to
       link = document.createElement("a")
       link.href = url
  11. Banned techniques
     Don't do this, and you'll never hear from us
     • JSONP
     • Dynamic JavaScript
     • Dynamic CSS
     • Building HTML via string operations
     • Using unescaped content (html_safe)
     • User-controlled beginning of documents (even text/plain)
     • Non-idempotent GET requests
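The "code != data" rule from slide 10 and the "building HTML via string operations" ban from slide 11, worked through in Ruby as an added example (this is not code from the talk or from GitHub): the string-built link beside a version that treats `url` and `text` as data for the attribute and text contexts they land in. `unsafe_link`, `safe_link`, `safe_url?` and `SAFE_SCHEMES` are this example's own names, it uses only the Ruby standard library, and the choice to accept only http(s) URLs (so relative paths are also rejected) is an assumption made here, not a rule from the slides.

```ruby
require "cgi"
require "uri"

# The banned approach: HTML assembled by string operations. Whatever is in
# `url` and `text` is dropped straight into the attribute and text contexts,
# so a url of   x" onmouseover="alert(1)   closes the href and adds a handler.
def unsafe_link(url, text)
  "<a href=\"" + url + "\">" + text + "</a>"
end

# Only http(s) is accepted for href (assumption for this example); this
# rejects javascript: and data: URLs, which CGI.escapeHTML alone would not.
SAFE_SCHEMES = %w[http https].freeze

def safe_url?(url)
  SAFE_SCHEMES.include?(URI.parse(url).scheme.to_s.downcase)
rescue URI::InvalidURIError
  false   # unparsable input (spaces, quotes, ...) is not a link at all
end

# The correct approach: each piece of data is validated and escaped for the
# context it is placed into. The markup itself is fixed; only data varies.
def safe_link(url, text)
  href = safe_url?(url) ? url : "#"
  "<a href=\"#{CGI.escapeHTML(href)}\">#{CGI.escapeHTML(text)}</a>"
end

puts unsafe_link('x" onmouseover="alert(1)', "lol")        # handler injected
puts safe_link('x" onmouseover="alert(1)', "lol")          # href="#"
puts safe_link("https://example.com/?a=1&b=2", "<b>hi</b>") # both contexts escaped
```

A server-side template engine or the DOM API from slide 10 does the same job; the point is that the escaping is chosen by the context, not left to whoever concatenates the string.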
  12. Tests are your friend
     • Encourage "negative" test cases
  13. While the code is being written
     • Provide what is needed
     • Tooling
     • Libraries
     • Process integration
  14. guard-brakeman
  15. secure_headers
     • It's just a (set of) header(s)
     • Ported to Node*, Go, .Net, Java, PHP, Python, dancer, drupal, etc.
     • Think of the benefits of the headers as config values, rather than the textual value
  16. Provide what is needed: CSP
     • Nonce / hash support
  17. It's a bug, not a feature
     • XSS?
     • Mixed content?
     • Site defacement?
     • All solved* by CSP
  18. Nonce
     • Generate a random value per request
     • Populate a "nonce" attribute for any script tag you want to be whitelisted
  19. Railsgoat + nonce
     • Pull request to add nonce support[1]
     • 46 files changed, 72 additions, 46 deletions
     • A global find and replace took care of 90% of the job
     [1] https://github.com/OWASP/railsgoat/pull/174
  20. Hashes
     • Find and compute hash values for <script> tags
     • Associate each hash with the file it lives in
     • Every time a file is rendered, include the corresponding hashes in the header
     • Requires fewer changes than the nonce approach
  21. Railsgoat + hash
     • Pull request[1] to add hashes when possible, nonces when not
     • 12 files changed, 33 additions, 13 deletions (> 50% reduction in changes over nonce)
     • Hardest part was dealing with dynamic JS (which requires the use of a nonce)
     [1] https://github.com/oreoshake/railsgoat/pull/1
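An added example, not code from secure_headers or from the Railsgoat pull requests, of the mechanics behind slides 15, 18 and 20 in Ruby: the policy kept as config values rather than a header string, a fresh nonce per request, a sha256 source computed from an inline script body (for static scripts), and the Content-Security-Policy value rendered from all three. `DEFAULT_CSP`, `INLINE_SCRIPTS`, `build_csp` and `csp_for` are this example's own names, the inline script is constructed, and it uses only the Ruby standard library.

```ruby
require "securerandom"
require "digest"
require "base64"

# The policy as data: directives map to source lists. This is what you review
# and diff, not the rendered string.
DEFAULT_CSP = {
  "default-src" => ["'self'"],
  "script-src"  => ["'self'"],
  "style-src"   => ["'self'"],
  "object-src"  => ["'none'"]
}.freeze

# One nonce per request: 128 random bits, base64 encoded. It must never be
# reused or predictable, otherwise an attacker can put it on their own <script>.
def generate_nonce
  SecureRandom.base64(16)
end

# Hash source for a static inline script. The hash covers the script's text
# exactly (whitespace included), so any edit to the script changes the header.
def script_hash(body)
  "'sha256-#{Base64.strict_encode64(Digest::SHA256.digest(body))}'"
end

# Render the policy to a header value. Nonce and hash sources are appended
# to script-src; the base policy is not mutated.
def build_csp(policy, nonce: nil, script_hashes: [])
  script_src = policy.fetch("script-src", []).dup
  script_src << "'nonce-#{nonce}'" if nonce
  script_src.concat(script_hashes)
  rendered = policy.merge("script-src" => script_src)
  rendered.map { |directive, sources| "#{directive} #{sources.join(' ')}" }.join("; ")
end

# Slide 20's association of hashes with the file they live in, reduced to a
# lookup table (constructed; a real build step would extract these from templates).
INLINE_SCRIPTS = {
  "users/show" => ["var userId = 42;"]
}.freeze

# Per-page header: the page's static inline scripts are whitelisted by hash,
# dynamic scripts rendered for this request carry nonce=<nonce> instead.
def csp_for(template, nonce)
  hashes = INLINE_SCRIPTS.fetch(template, []).map { |body| script_hash(body) }
  build_csp(DEFAULT_CSP, nonce: nonce, script_hashes: hashes)
end

nonce = generate_nonce
puts csp_for("users/show", nonce)
puts %(<script nonce="#{nonce}">var dynamicValue = #{rand(10)};</script>)
```

The header and the `nonce` attribute have to come from the same per-request value, which is why the hash approach needs fewer template changes: a static script's hash can be computed once at build time and attached to the file, while a nonce has to be threaded through every render.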
  22. IRL
     • Coming to a twitter near you…
     • Only 5 inline scripts
  23. After the code has been written
     • Go all out
     • Stay out of the way
  24. Scan on arrival
     • Every time new code is pushed, run tools and diff the results from master
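A small version of the scan-on-arrival diff as an added example (not the SADB tooling the talk refers to): a findings report from master and one from the pushed branch are compared by fingerprint, so only newly introduced warnings fail the check and a warning that merely moved a few lines is not reported again. The JSON shape mirrors the `warnings` array and `fingerprint` field of a Brakeman report, but the two reports below are constructed, and `diff_reports` and `scan_passes?` are this example's own names.

```ruby
require "json"

# Constructed report for master (shape follows Brakeman's JSON output).
MASTER_REPORT = <<~JSON
  {"warnings": [
    {"fingerprint": "aaa111", "warning_type": "SQL Injection",
     "file": "app/models/user.rb", "line": 12},
    {"fingerprint": "bbb222", "warning_type": "Cross-Site Scripting",
     "file": "app/views/users/show.html.erb", "line": 3}
  ]}
JSON

# Constructed report for the pushed branch: aaa111 moved two lines, bbb222
# was fixed, and ccc333 is new.
BRANCH_REPORT = <<~JSON
  {"warnings": [
    {"fingerprint": "aaa111", "warning_type": "SQL Injection",
     "file": "app/models/user.rb", "line": 14},
    {"fingerprint": "ccc333", "warning_type": "Remote Code Execution",
     "file": "app/controllers/admin_controller.rb", "line": 27}
  ]}
JSON

# Compare by fingerprint rather than file:line, so unrelated edits that shift
# a warning do not make it look new. Returns {new: [...], fixed: [...]}.
def diff_reports(master_json, branch_json)
  master = JSON.parse(master_json).fetch("warnings")
  branch = JSON.parse(branch_json).fetch("warnings")
  master_fp = master.map { |w| w.fetch("fingerprint") }
  branch_fp = branch.map { |w| w.fetch("fingerprint") }
  {
    new:   branch.reject { |w| master_fp.include?(w["fingerprint"]) },
    fixed: master.reject { |w| branch_fp.include?(w["fingerprint"]) }
  }
end

# The push is blocked only for warnings it introduced; pre-existing ones on
# master are someone else's problem already.
def scan_passes?(master_json, branch_json)
  diff_reports(master_json, branch_json)[:new].empty?
end

# Human-readable summary, one line per changed warning.
def summary_lines(master_json, branch_json)
  result = diff_reports(master_json, branch_json)
  result[:new].map   { |w| "NEW   #{w['warning_type']} #{w['file']}:#{w['line']}" } +
    result[:fixed].map { |w| "FIXED #{w['warning_type']} #{w['file']}:#{w['line']}" }
end

puts summary_lines(MASTER_REPORT, BRANCH_REPORT)
puts(scan_passes?(MASTER_REPORT, BRANCH_REPORT) ? "scan passed" : "scan failed: new warnings")
```

In CI the two reports come from running the same scanner at the master and branch commits; the exit status of the check follows `scan_passes?`, and the NEW lines are what gets posted to the review and to the OWNERS of the touched files.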
  25. The SADB workflow
  26. Laundry list of tools
     • Static analysis: Brakeman, ScanJS
     • Dependency management: bundler-audit, Retire.js, OWASP Dependency Check
     • Other: Charlie Miller's fuzzer thing
  27. Review upon review
     • Code review is a great integration point
  28. Again, it's just a regex
     • When your threat model is tiny, the tools required to support it are pretty simple
  29. Notify the relevant authorities
     • OWNERS
  30. Did we catch it all?
     • Probably not
  31. After the code has been shipped
     • It's out of our hands, right?
  32. Decider
     • All features, and often any new code, are behind a feature flag
     • Gradual rollouts
     • "Dark shipping"
     • Beta/targeted testing
     • "Oh shit" button
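An added illustration, not GitHub's Decider, of what a flag has to support for the bullets above: a global kill switch (the "oh shit" button), an allowlist for beta/targeted testing, and a deterministic percentage rollout for gradual shipping, so that a given user stays on the same code path between requests while the percentage ramps. `FeatureFlags`, its methods and the bucketing scheme are this example's own names and choices; it uses only the Ruby standard library.

```ruby
require "digest"

class FeatureFlags
  Flag = Struct.new(:enabled, :percentage, :allowlist, keyword_init: true)

  def initialize
    @flags = {}
  end

  # percentage: share (0..100) of actors who get the new code path;
  # allowlist: actor ids that always get it (beta / targeted testing).
  def define(name, enabled: true, percentage: 0, allowlist: [])
    @flags[name] = Flag.new(enabled: enabled, percentage: percentage, allowlist: allowlist.to_a)
  end

  # The "oh shit" button: everyone back on the old code path, allowlist included.
  def kill(name)
    @flags.fetch(name).enabled = false
  end

  # Gradual rollout: raise the percentage step by step; actors already in stay in,
  # because buckets below the old percentage are also below the new one.
  def ramp(name, percentage)
    @flags.fetch(name).percentage = percentage
  end

  # Deterministic bucket 0..99 per (flag, actor). Hashing with the flag name
  # means the same user is not always "first" for every feature.
  def bucket(name, actor_id)
    Digest::SHA256.hexdigest("#{name}:#{actor_id}")[0, 8].to_i(16) % 100
  end

  # Unknown and killed flags are off, so dead or mistyped flags fail closed.
  def enabled?(name, actor_id)
    flag = @flags[name]
    return false if flag.nil? || !flag.enabled
    return true if flag.allowlist.include?(actor_id)
    bucket(name, actor_id) < flag.percentage
  end
end

flags = FeatureFlags.new
flags.define(:new_login, percentage: 0, allowlist: ["beta-user"])   # dark ship
puts flags.enabled?(:new_login, "beta-user")   # true, allowlisted
puts flags.enabled?(:new_login, "user-1")      # false, 0% rollout
flags.ramp(:new_login, 50)
puts (1..1000).count { |i| flags.enabled?(:new_login, "user-#{i}") }  # roughly half
flags.kill(:new_login)
puts flags.enabled?(:new_login, "beta-user")   # false, killed
```

"Dark shipping" is the flag defined at 0% with an empty or internal-only allowlist: the code is deployed and exercised by the people who wrote it, while the public path is unchanged and can be reverted by flipping a value rather than redeploying.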
  33. Bug Bounty
     • Penetration testing on the cheap
  34. Stats
     • They aren't just for proving a feature was a success
  35. You can do it
     • These tools and integrations came out of a direct need
     • "The best indicator of the next bug is the last bug"
     • Look at your previous bugs, and focus there
  36. Time to chill
     • Your threat model is small
     • Code is always under scrutiny
     • People know what the "right thing" is
     • You have sensors to detect issues at all phases of the pipeline
     • You have social and technical controls in place