Confidential & proprietary © Sqreen, 2015 Dev Sec Fix your ... Let's attack! ??? We're screwed! Come on... No way... Let's ship! App Security is just a Git flow ( with built-in conflicts ) 

Confidential & proprietary © Sqreen, 2015 sqreen.io Status: Security is out of CI 

Confidential & proprietary © Sqreen, 2015 sqreen.io Approach: In-app runtime protection 

Confidential & proprietary © Sqreen, 2015 We make products antifragile. We make products antifragile. (dbg) break ActiveRecord::ConnectionAdapters::SQLite3Adapter.exec_query Successfully created breakpoint with id 1 (dbg) continue [283, 292] in …/active_record/connection_adapters/sqlite3_adapter.rb 287: => 288: def exec_query(sql, name = nil, binds = []) 289: type_casted_binds = binds.map { |col, val| 290: [col, type_cast(val, col)] 291: } 292: (dbg) p sql sql = SELECT * FROM posts WHERE id=3 SQL injection protection: database driver 

Confidential & proprietary © Sqreen, 2015 We make products antifragile. We make products antifragile. (byebug) break ActionView::OutputBuffer.<< [6, 15] in actionview-4.2.3/lib/action_view/buffers.rb … 10: def <<(value) => 11: return self if value.nil? 12: super(value.to_s) 13: end 14: alias :append= :<< 15: (byebug) var local value = "my alert() title" (byebug) value.html_safe? true XSS protection: template rendering 

Confidential & proprietary © Sqreen, 2015 We make products antifragile. We make products antifragile. irb(main):001:0> Gem.loaded_specs.map do |k, v| puts "%20s\t%s\t%s " % [k, v.version, v.homepage] end rake 10.4.2 i18n 0.7.0 http://github.com/svenfuchs/i18n tzinfo 1.2.2 http://tzinfo.github.io activesupport 4.2.3 http://www.rubyonrails.org erubis 2.7.0 http://www.kuwata-lab.com/erubis/ nokogiri 1.6.6.2 http://nokogiri.org actionview 4.2.3 http://www.rubyonrails.org sqlite3 1.3.10 https://github.com/sparklemotion/… execjs 2.6.0 https://github.com/rails/execjs ... An application dependencies CVE-2015-1819 CVE-2015-7941 CVE-2015-7942 CVE-2015-8035 

Confidential & proprietary © Sqreen, 2015 sqreen.io Detect attacks as they occur raise So we can to block them 

Confidential & proprietary © Sqreen, 2015 sqreen.io And that’s only for SQL injection Everything can be done inside the app 

9 Confidential & Proprietary © Sqreen 0a448b | Slide sqreen.io "Oh man, I f***ing hate security" - Kevin, Rails dev Ops Let's begin the security assessment... We keep on developing! We found so many breaches! We identified breaches in... Can we punt the release? The assessed product is too old! No way! Okay, let's ship like this... Assessment v1 v2 Hey, where are the fixes? Sec team Dev 

© Sqreen sqreen.io Jean-Baptiste Aviat CTO @SqreenIO (https://sqreen.io) Former hacker at
 Apple (Red Team) @JbAviat [email protected] 

Confidential & proprietary sqreen.io Every product should embed 
 its own security logic