Upgrade to Pro — share decks privately, control downloads, hide ads and more …

«Dev, Sec, Oops: How Agile Security increases Attack Surface», Денис Макрушин

OWASP Moscow
March 05, 2020
Programming
0
450

«Dev, Sec, Oops: How Agile Security increases Attack Surface», Денис Макрушин

Видео: https://youtu.be/VKAFYsBkzQk
OWASP Moscow 2020/1 (https://habr.com/ru/company/owasp/blog/497830/)

OWASP Moscow

March 05, 2020
Tweet

More Decks by OWASP Moscow

See All by OWASP Moscow
"Evolution of Application Security Programs through OWASP SAMM 2.0", Yan Kravchenko
owaspmoscow
0
330
«Проекты OWASP: SAMM выпуск 2», Тарас Иващенко, OZON
owaspmoscow
0
520
«Типичные ошибки реализации SMS-аутентификации», Ramazan (r0hack), DETEACT
owaspmoscow
0
770
«From captcha to RCE. Сложности реализации механизма CAPTCHA в изолированных системах», Виталий Малкин
owaspmoscow
0
400
«OWASP Сheat Sheet Series. Microservices-based security architecture documentation», Александр Барабанов
owaspmoscow
0
460
«Проекты OWASP: следим за безопасностью 3rd-party-компонент с помощью Dependency Track», Тарас Иващенко, OZON.
owaspmoscow
0
450
«Будущее без паролей: про FIDO2/WebAuthN и не только», Сергей Белов, Mail.Ru Group.
owaspmoscow
0
390
«CTFZone, или как перестать ресёрчить и полюбить CTF», Никита Вдовушкин, BI.ZONE.
owaspmoscow
1
380
«Свой среди чужих», Антон Лопаницын
owaspmoscow
0
380

Other Decks in Programming

See All in Programming
2 週間で Twitter Bot を作ってみた
contour_gara
0
500
Azure OpenAI Serviceのプロンプトエンジニアリング入門
tomokusaba
3
710
使ってみよう Azure AI Document Intelligence
kosmosebi
2
320
二郎系ラーメンのコールで学ぶ AST 解析
memory1994
PRO
7
1.7k
検証も兼ねて個人開発でHonoとかと向き合った話
hanetsuki
1
1k
PHPはいつから死んでいるかの調査
chiroruxx
1
400
障害対応を起点としたもっといい開発と運用のサイクル作りのためにできること / Hatena Enginner Seminar #29
polamjag
0
180
DMMプラットフォームがTiDB Cloudを採用した背景
pospome
8
4.1k
Ruby Function Composition
bkuhlmann
1
330
VS Code をプロダクトにどう取り込むか
onomax
1
370
try! Swift Tokyo 2024 参加報告 / try! Swift Tokyo 2024 Report
hironytic
0
210
Java 22 Overview
kishida
1
180

Featured

See All Featured
Building an army of robots
kneath
300
41k
GraphQLとの向き合い方2022年版
quramy
32
12k
jQuery: Nuts, Bolts and Bling
dougneiner
59
7.1k
YesSQL, Process and Tooling at Scale
rocio
164
13k
Teambox: Starting and Learning
jrom
128
8.4k
[RailsConf 2023] Rails as a piece of cake
palkan
23
4k
GraphQLの誤解/rethinking-graphql
sonatard
50
9.2k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
25
2.3k
A better future with KSS
kneath
231
16k
BBQ
matthewcrist
80
8.8k
Raft: Consensus for Rubyists
vanstee
132
6.3k
Debugging Ruby Performance
tmm1
70
11k

Transcript

  1. IF YOU ARE DEV/OPS, APPLAUD

  2. IF YOU ARE SECURITY SPECIALIST, APPLAUD

  3. Red Team Blue Team

  4. Blue Team Success Attacker’s Success

  5. DEV, SEC, OOPS: HOW AGILE SECURITY INCRESES ATTACK SURFACE Denis

    Makrushin Head of Advanced Security Research, Huawei https://twitter.com/difezza

  6. We showed that Healthcare fails as a Developer…

  7. …but the Healthcare is a User! https://www.bsimm.com/

  8. Agile Security: key principles • Don’t reinvent it • Do

    it incrementally • Automate it

  9. Agile Security: key principles • Don’t reinvent it • Do

    it incrementally • Automate it • Process (CI/CD) • People (DevSecOps) • Tools

  10. CI/CD from Researcher’s perspective

  11. Automation from Researcher’s perspective Automation from Researcher’s perspective

  12. What is “attack surface”. Formally.

  13. The attack graphs situations when the firewall is disabled (upper

    one) and enabled (lower one)

  14. Example of the unknown attack graph

  15. Product Security Touchpoints

  16. Attack Surface Graph of Enterprise-network

  17. Attack Surface Graph of Enterprise-network

  18. Security activities during Product Development Stages

  19. HOW TO COMPROMISE PRODUCT DEVELOPMENT PIPELINE USING COMMERCIAL SECURITY ASSETS?

  20. SonarQube: code quality and security

  21. SonarQube: Installations Shodan query: ”port:9000 sonarqube”

  22. SonarQube: deployment with Secrets

  23. SonarQube: CLI integration

  24. SonarQube: CLI integration with Secrets

  25. Checkmarx: Installations Shodan query: ”CxWebClient” Google dork: “inurl:CxWebClient”

  26. “Try the Demo”

  27. Checkmarx: CLI integration with Secrets

  28. Control your Attack Surface. The pipeline.

  29. WAIT. WHAT ABOUT OPEN SOURCE SOLUTIONS?

  30. Task management for Microservices: Flower

  31. Task management for Microservices: Flower

  32. Flower: Installations Shodan query: ”port:5555 flower”

  33. One field for user input…

  34. One field for user input… dejavue

  35. One field for user input… dejavue (#CVE20186210, #CVE20186213)

  36. One field for user input… Stored XSS

  37. PatrOwl: Security Operations Orchestration Platform

  38. PatrOwl: RCE in NMAP container

  39. PatrOwl: RCE in NMAP container

  40. Host Header Injection in official Docker-image

  41. Cache Poisoning via Host Header Injection

  42. Security folks are humans too

  43. Security folks are humans too

  44. Security folks are humans too

  45. Security folks are humans too

  46. How to fix it • Secure SDLC • Educate your

    User • OSINT your product If you are Security Vendor: If you are Security Engineer: • Know your Attack Surface • Do not click on links • Follow your Code of Conduct • Scan your Open Source

  47. CodeQL

  48. IF YOU ARE ATTACKER, ONE DAY SOMEONE WILL PUT THE

    BASKET ON YOUR HEAD…

  49. [email protected] TWITTER.COM/DIFEZZA THANK YOU.