«Dev, Sec, Oops: How Agile Security increases Attack Surface», Денис Макрушин

OWASP Moscow

March 05, 2020
Transcript

  1. IF YOU ARE DEV/OPS, APPLAUD

  2. IF YOU ARE SECURITY SPECIALIST, APPLAUD

  3. Red Team Blue Team

  4. Blue Team Success Attacker’s Success

  5. DEV, SEC, OOPS: HOW AGILE SECURITY INCREASES ATTACK SURFACE. Denis Makrushin, Head of Advanced Security Research, Huawei. https://twitter.com/difezza

  6. We showed that Healthcare fails as a Developer…

  7. …but the Healthcare is a User! https://www.bsimm.com/

  8. Agile Security: key principles • Don’t reinvent it • Do it incrementally • Automate it

  9. Agile Security: key principles • Don’t reinvent it • Do it incrementally • Automate it • Process (CI/CD) • People (DevSecOps) • Tools

  10. CI/CD from Researcher’s perspective

  11. Automation from Researcher’s perspective

  12. What is “attack surface”. Formally.

  13. Attack graphs for the situations when the firewall is disabled (upper one) and enabled (lower one)

  14. Example of the unknown attack graph

  15. Product Security Touchpoints

  16. Attack Surface Graph of Enterprise-network

  17. Attack Surface Graph of Enterprise-network

  18. Security activities during Product Development Stages

  19. HOW TO COMPROMISE PRODUCT DEVELOPMENT PIPELINE USING COMMERCIAL SECURITY ASSETS?

  20. SonarQube: code quality and security

  21. SonarQube: Installations Shodan query: ”port:9000 sonarqube”

  22. SonarQube: deployment with Secrets

  23. SonarQube: CLI integration

  24. SonarQube: CLI integration with Secrets

  25. Checkmarx: Installations Shodan query: ”CxWebClient” Google dork: “inurl:CxWebClient”

  26. “Try the Demo”

  27. Checkmarx: CLI integration with Secrets

  28. Control your Attack Surface. The pipeline.

  29. WAIT. WHAT ABOUT OPEN SOURCE SOLUTIONS?

  30. Task management for Microservices: Flower

  31. Task management for Microservices: Flower

  32. Flower: Installations Shodan query: ”port:5555 flower”

  33. One field for user input…

  34. One field for user input… dejavue

  35. One field for user input… dejavue (#CVE20186210, #CVE20186213)

  36. One field for user input… Stored XSS

  37. PatrOwl: Security Operations Orchestration Platform

  38. PatrOwl: RCE in NMAP container

  39. PatrOwl: RCE in NMAP container

  40. Host Header Injection in official Docker-image

  41. Cache Poisoning via Host Header Injection

  42. Security folks are humans too

  43. Security folks are humans too

  44. Security folks are humans too

  45. Security folks are humans too

  46. How to fix it • Secure SDLC • Educate your User • OSINT your product. If you are Security Vendor: / If you are Security Engineer: • Know your Attack Surface • Do not click on links • Follow your Code of Conduct • Scan your Open Source

  47. CodeQL

  48. IF YOU ARE ATTACKER, ONE DAY SOMEONE WILL PUT THE BASKET ON YOUR HEAD…

  49. DENIS@MAKRUSHIN.COM TWITTER.COM/DIFEZZA THANK YOU.