Upgrade to Pro — share decks privately, control downloads, hide ads and more …

«Dev, Sec, Oops: How Agile Security increases A...

Avatar for OWASP Moscow OWASP Moscow
March 05, 2020
Programming
0
630

«Dev, Sec, Oops: How Agile Security increases Attack Surface», Денис Макрушин

Видео: https://youtu.be/VKAFYsBkzQk
OWASP Moscow 2020/1 (https://habr.com/ru/company/owasp/blog/497830/)
Avatar for OWASP Moscow

OWASP Moscow

March 05, 2020
Tweet

More Decks by OWASP Moscow

See All by OWASP Moscow
"Evolution of Application Security Programs through OWASP SAMM 2.0", Yan Kravchenko
Avatar for OWASP Moscow owaspmoscow
0
510
«Проекты OWASP: SAMM выпуск 2», Тарас Иващенко, OZON
Avatar for OWASP Moscow owaspmoscow
0
660
«Типичные ошибки реализации SMS-аутентификации», Ramazan (r0hack), DETEACT
Avatar for OWASP Moscow owaspmoscow
0
920
«From captcha to RCE. Сложности реализации механизма CAPTCHA в изолированных системах», Виталий Малкин
Avatar for OWASP Moscow owaspmoscow
0
530
«OWASP Сheat Sheet Series. Microservices-based security architecture documentation», Александр Барабанов
Avatar for OWASP Moscow owaspmoscow
0
590
«Проекты OWASP: следим за безопасностью 3rd-party-компонент с помощью Dependency Track», Тарас Иващенко, OZON.
Avatar for OWASP Moscow owaspmoscow
0
580
«Будущее без паролей: про FIDO2/WebAuthN и не только», Сергей Белов, Mail.Ru Group.
Avatar for OWASP Moscow owaspmoscow
0
530
«CTFZone, или как перестать ресёрчить и полюбить CTF», Никита Вдовушкин, BI.ZONE.
Avatar for OWASP Moscow owaspmoscow
1
520
«Свой среди чужих», Антон Лопаницын
Avatar for OWASP Moscow owaspmoscow
0
500

Other Decks in Programming

See All in Programming
Language Server と喋ろう – TSKaigi 2025
Avatar for pizzacat83 pizzacat83
2
200
UMAPをざっくりと理解 / Overview of UMAP
Avatar for kaityo256 kaityo256
PRO
3
1.6k
Doma で目指す ORM 最適解
Avatar for Toshihiro Nakamura nakamura_to
1
120
最速Green Tea 🍵 Garbage Collector
Avatar for kuro kuro_kurorrr
1
160
SpringBootにおけるオブザーバビリティのなにか
Avatar for irof irof
1
440
CursorとDevinが仲間!?AI駆動で新規プロダクト開発に挑んだ3ヶ月を振り返る / A Story of New Product Development with Cursor and Devin
Avatar for r-kagaya rkaga
5
1.4k
Live Coding: Migrating an Application to Signals
Avatar for Manfred Steyer manfredsteyer
PRO
0
130
CRUD から CQRS へ ~ 分離が可能にする柔軟性
Avatar for Takashi Kawae tkawae
0
180
OpenTelemetryで始めるベンダーフリーなobservability / Vendor-free observability starting with OpenTelemetry
Avatar for shiro seike seike460
0
140
In geheimer Mission: AI Agents entwickeln
Avatar for Jörg Neumann joergneumann
0
130
AWS Summit Hong Kong 2025: Reinventing Programming - How AI Transforms Our Enterprise Coding Approach
Avatar for Ernest Chiang dwchiang
0
150
20250426 GDGoC 合同新歓 - GDGoC のススメ
Avatar for Yoshimura Naoya getty708
0
120

Featured

See All Featured
The Invisible Side of Design
Avatar for Vitaly Friedman smashingmag
299
50k
Mobile First: as difficult as doing things right
Avatar for Swwweet swwweet
223
9.6k
Fashionably flexible responsive web design (full day workshop)
Avatar for Andy Clarke malarkey
407
66k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
Avatar for panda_program panda_program
105
19k
Building a Scalable Design System with Sketch
Avatar for Laura Van Doore lauravandoore
462
33k
It's Worth the Effort
Avatar for 3n 3n
184
28k
Agile that works and the tools we love
Avatar for Rasmus Luckow-Nielsen rasmusluckow
329
21k
Six Lessons from altMBA
Avatar for Skipper Chong Warson skipperchong
28
3.8k
Why You Should Never Use an ORM
Avatar for John Nunemaker jnunemaker
PRO
56
9.4k
Music & Morning Musume
Avatar for Bryan Veloso bryan
47
6.5k
How STYLIGHT went responsive
Avatar for nonsquared nonsquared
100
5.5k
Bash Introduction
Avatar for André Augusto Costa Santos 62gerente
613
210k

Transcript

  1. IF YOU ARE DEV/OPS, APPLAUD

  2. IF YOU ARE SECURITY SPECIALIST, APPLAUD

  3. Red Team Blue Team

  4. Blue Team Success Attacker’s Success

  5. DEV, SEC, OOPS: HOW AGILE SECURITY INCRESES ATTACK SURFACE Denis

    Makrushin Head of Advanced Security Research, Huawei https://twitter.com/difezza

  6. We showed that Healthcare fails as a Developer…

  7. …but the Healthcare is a User! https://www.bsimm.com/

  8. Agile Security: key principles • Don’t reinvent it • Do

    it incrementally • Automate it

  9. Agile Security: key principles • Don’t reinvent it • Do

    it incrementally • Automate it • Process (CI/CD) • People (DevSecOps) • Tools

  10. CI/CD from Researcher’s perspective

  11. Automation from Researcher’s perspective Automation from Researcher’s perspective

  12. What is “attack surface”. Formally.

  13. The attack graphs situations when the firewall is disabled (upper

    one) and enabled (lower one)

  14. Example of the unknown attack graph

  15. Product Security Touchpoints

  16. Attack Surface Graph of Enterprise-network

  17. Attack Surface Graph of Enterprise-network

  18. Security activities during Product Development Stages

  19. HOW TO COMPROMISE PRODUCT DEVELOPMENT PIPELINE USING COMMERCIAL SECURITY ASSETS?

  20. SonarQube: code quality and security

  21. SonarQube: Installations Shodan query: ”port:9000 sonarqube”

  22. SonarQube: deployment with Secrets

  23. SonarQube: CLI integration

  24. SonarQube: CLI integration with Secrets

  25. Checkmarx: Installations Shodan query: ”CxWebClient” Google dork: “inurl:CxWebClient”

  26. “Try the Demo”

  27. Checkmarx: CLI integration with Secrets

  28. Control your Attack Surface. The pipeline.

  29. WAIT. WHAT ABOUT OPEN SOURCE SOLUTIONS?

  30. Task management for Microservices: Flower

  31. Task management for Microservices: Flower

  32. Flower: Installations Shodan query: ”port:5555 flower”

  33. One field for user input…

  34. One field for user input… dejavue

  35. One field for user input… dejavue (#CVE20186210, #CVE20186213)

  36. One field for user input… Stored XSS

  37. PatrOwl: Security Operations Orchestration Platform

  38. PatrOwl: RCE in NMAP container

  39. PatrOwl: RCE in NMAP container

  40. Host Header Injection in official Docker-image

  41. Cache Poisoning via Host Header Injection

  42. Security folks are humans too

  43. Security folks are humans too

  44. Security folks are humans too

  45. Security folks are humans too

  46. How to fix it • Secure SDLC • Educate your

    User • OSINT your product If you are Security Vendor: If you are Security Engineer: • Know your Attack Surface • Do not click on links • Follow your Code of Conduct • Scan your Open Source

  47. CodeQL

  48. IF YOU ARE ATTACKER, ONE DAY SOMEONE WILL PUT THE

    BASKET ON YOUR HEAD…

  49. [email protected] TWITTER.COM/DIFEZZA THANK YOU.