Upgrade to Pro — share decks privately, control downloads, hide ads and more …

«Dev, Sec, Oops: How Agile Security increases A...

OWASP Moscow
March 05, 2020
Programming
0
560

«Dev, Sec, Oops: How Agile Security increases Attack Surface», Денис Макрушин

Видео: https://youtu.be/VKAFYsBkzQk
OWASP Moscow 2020/1 (https://habr.com/ru/company/owasp/blog/497830/)

OWASP Moscow

March 05, 2020
Tweet

More Decks by OWASP Moscow

See All by OWASP Moscow
"Evolution of Application Security Programs through OWASP SAMM 2.0", Yan Kravchenko
owaspmoscow
0
420
«Проекты OWASP: SAMM выпуск 2», Тарас Иващенко, OZON
owaspmoscow
0
600
«Типичные ошибки реализации SMS-аутентификации», Ramazan (r0hack), DETEACT
owaspmoscow
0
850
«From captcha to RCE. Сложности реализации механизма CAPTCHA в изолированных системах», Виталий Малкин
owaspmoscow
0
470
«OWASP Сheat Sheet Series. Microservices-based security architecture documentation», Александр Барабанов
owaspmoscow
0
540
«Проекты OWASP: следим за безопасностью 3rd-party-компонент с помощью Dependency Track», Тарас Иващенко, OZON.
owaspmoscow
0
530
«Будущее без паролей: про FIDO2/WebAuthN и не только», Сергей Белов, Mail.Ru Group.
owaspmoscow
0
470
«CTFZone, или как перестать ресёрчить и полюбить CTF», Никита Вдовушкин, BI.ZONE.
owaspmoscow
1
460
«Свой среди чужих», Антон Лопаницын
owaspmoscow
0
450

Other Decks in Programming

See All in Programming
Remix on Hono on Cloudflare Workers
yusukebe
1
280
「今のプロジェクトいろいろ大変なんですよ、app/services とかもあって……」/After Kaigi on Rails 2024 LT Night
junk0612
5
2.1k
EventSourcingの理想と現実
wenas
6
2.3k
Creating a Free Video Ad Network on the Edge
mizoguchicoji
0
110
Amazon Bedrock Agentsを用いてアプリ開発してみた!
har1101
0
330
ヤプリ新卒SREの オンボーディング
masaki12
0
130
3 Effective Rules for Using Signals in Angular
manfredsteyer
PRO
0
110
RubyLSPのマルチバイト文字対応
notfounds
0
120
『ドメイン駆動設計をはじめよう』のモデリングアプローチ
masuda220
PRO
8
530
Amazon Qを使ってIaCを触ろう!
maruto
0
400
Realtime API 入門
riofujimon
0
150
WebフロントエンドにおけるGraphQL(あるいはバックエンドのAPI)との向き合い方 / #241106_plk_frontend
izumin5210
4
1.4k

Featured

See All Featured
Fireside Chat
paigeccino
34
3k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
48k
How GitHub (no longer) Works
holman
310
140k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
6
410
10 Git Anti Patterns You Should be Aware of
lemiorhan
654
59k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
126
18k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.1k
GraphQLとの向き合い方2022年版
quramy
43
13k
Docker and Python
trallard
40
3.1k
A designer walks into a library…
pauljervisheath
203
24k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
506
140k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
26
2.1k

Transcript

  1. IF YOU ARE DEV/OPS, APPLAUD

  2. IF YOU ARE SECURITY SPECIALIST, APPLAUD

  3. Red Team Blue Team

  4. Blue Team Success Attacker’s Success

  5. DEV, SEC, OOPS: HOW AGILE SECURITY INCRESES ATTACK SURFACE Denis

    Makrushin Head of Advanced Security Research, Huawei https://twitter.com/difezza

  6. We showed that Healthcare fails as a Developer…

  7. …but the Healthcare is a User! https://www.bsimm.com/

  8. Agile Security: key principles • Don’t reinvent it • Do

    it incrementally • Automate it

  9. Agile Security: key principles • Don’t reinvent it • Do

    it incrementally • Automate it • Process (CI/CD) • People (DevSecOps) • Tools

  10. CI/CD from Researcher’s perspective

  11. Automation from Researcher’s perspective Automation from Researcher’s perspective

  12. What is “attack surface”. Formally.

  13. The attack graphs situations when the firewall is disabled (upper

    one) and enabled (lower one)

  14. Example of the unknown attack graph

  15. Product Security Touchpoints

  16. Attack Surface Graph of Enterprise-network

  17. Attack Surface Graph of Enterprise-network

  18. Security activities during Product Development Stages

  19. HOW TO COMPROMISE PRODUCT DEVELOPMENT PIPELINE USING COMMERCIAL SECURITY ASSETS?

  20. SonarQube: code quality and security

  21. SonarQube: Installations Shodan query: ”port:9000 sonarqube”

  22. SonarQube: deployment with Secrets

  23. SonarQube: CLI integration

  24. SonarQube: CLI integration with Secrets

  25. Checkmarx: Installations Shodan query: ”CxWebClient” Google dork: “inurl:CxWebClient”

  26. “Try the Demo”

  27. Checkmarx: CLI integration with Secrets

  28. Control your Attack Surface. The pipeline.

  29. WAIT. WHAT ABOUT OPEN SOURCE SOLUTIONS?

  30. Task management for Microservices: Flower

  31. Task management for Microservices: Flower

  32. Flower: Installations Shodan query: ”port:5555 flower”

  33. One field for user input…

  34. One field for user input… dejavue

  35. One field for user input… dejavue (#CVE20186210, #CVE20186213)

  36. One field for user input… Stored XSS

  37. PatrOwl: Security Operations Orchestration Platform

  38. PatrOwl: RCE in NMAP container

  39. PatrOwl: RCE in NMAP container

  40. Host Header Injection in official Docker-image

  41. Cache Poisoning via Host Header Injection

  42. Security folks are humans too

  43. Security folks are humans too

  44. Security folks are humans too

  45. Security folks are humans too

  46. How to fix it • Secure SDLC • Educate your

    User • OSINT your product If you are Security Vendor: If you are Security Engineer: • Know your Attack Surface • Do not click on links • Follow your Code of Conduct • Scan your Open Source

  47. CodeQL

  48. IF YOU ARE ATTACKER, ONE DAY SOMEONE WILL PUT THE

    BASKET ON YOUR HEAD…

  49. [email protected] TWITTER.COM/DIFEZZA THANK YOU.