Slide 1

Confidential & proprietary © Sqreen, 2015

App Security is just a Git flow (with built-in conflicts)

Dev and Sec, speech bubbles in order:
    Fix your ...
    Let's attack!
    ???
    We're screwed!
    Come on...
    No way...
    Let's ship!

Slide 2

Status: Security is out of CI

Slide 3

Approach: In-app runtime protection

Slide 4

We make products antifragile.

SQL injection protection: database driver

    (dbg) break ActiveRecord::ConnectionAdapters::SQLite3Adapter.exec_query
    Successfully created breakpoint with id 1
    (dbg) continue
    [283, 292] in …/active_record/connection_adapters/sqlite3_adapter.rb
       287:
    => 288:   def exec_query(sql, name = nil, binds = [])
       289:     type_casted_binds = binds.map { |col, val|
       290:       [col, type_cast(val, col)]
       291:     }
       292:
    (dbg) p sql
    sql = SELECT * FROM posts WHERE id=3

Slide 5

We make products antifragile.

XSS protection: template rendering

    (byebug) break ActionView::OutputBuffer.<<
    [6, 15] in actionview-4.2.3/lib/action_view/buffers.rb
    …
       10:   def <<(value)
    => 11:     return self if value.nil?
       12:     super(value.to_s)
       13:   end
       14:   alias :append= :<<
       15:
    (byebug) var local
    value = "my alert() title"
    (byebug) value.html_safe?
    true

Slide 6

We make products antifragile.

An application's dependencies

    irb(main):001:0> Gem.loaded_specs.map do |k, v|
                       puts "%20s\t%s\t%s " % [k, v.version, v.homepage]
                     end
                    rake    10.4.2
                    i18n    0.7.0     http://github.com/svenfuchs/i18n
                  tzinfo    1.2.2     http://tzinfo.github.io
           activesupport    4.2.3     http://www.rubyonrails.org
                  erubis    2.7.0     http://www.kuwata-lab.com/erubis/
                nokogiri    1.6.6.2   http://nokogiri.org
              actionview    4.2.3     http://www.rubyonrails.org
                 sqlite3    1.3.10    https://github.com/sparklemotion/…
                  execjs    2.6.0     https://github.com/rails/execjs
                     ...

CVE-2015-1819 CVE-2015-7941 CVE-2015-7942 CVE-2015-8035

Slide 7

Detect attacks as they occur, so we can raise (an exception) to block them
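Slides 4, 5 and 7 together describe the mechanism: hook the database driver's `exec_query` and the view's `OutputBuffer#<<`, look at the value passing through, and raise to block the request. The following is an added example, not Sqreen's code, of what such hooks can check. `FakeAdapter`, `FakeOutputBuffer` and `SafeString` are stand-ins constructed for the demo; in a Rails app the two guard modules would be prepended to `ActiveRecord::ConnectionAdapters::SQLite3Adapter` and `ActionView::OutputBuffer`, the classes the slides set breakpoints on. The SQL check is a structural one: a request parameter that was passed as data stays inside one SQL token, while one that changed the statement spans several.

```ruby
# Added example, not Sqreen's code. FakeAdapter, FakeOutputBuffer and
# SafeString are constructed stand-ins for the Rails classes on the slides.

class InjectionDetected < StandardError; end

module RuntimeProtection
  MIN_PARAM_LEN = 3 # assumption: shorter values cannot reshape a statement

  # One alternative per SQL token kind; /x lets the pattern carry comments.
  TOKEN = /
      '(?:[^']|'')*'           # string literal, '' escapes a quote
    | "(?:[^"]|"")*"           # quoted identifier
    | --[^\n]*                 # line comment
    | \/\*.*?\*\/              # block comment
    | \d+(?:\.\d+)?            # number
    | [A-Za-z_][A-Za-z0-9_]*   # keyword or identifier
    | <>|<=|>=|!=|\|\||[^\s\w] # operator or punctuation
  /xm

  # Request parameters are kept per thread, as a Rack middleware would do.
  def self.params=(h); Thread.current[:rp_params] = h; end
  def self.params; Thread.current[:rp_params] || {}; end

  # [[begin, end], ...] character offsets of every token in +sql+.
  def self.token_spans(sql)
    spans = []
    pos = 0
    while (m = TOKEN.match(sql, pos))
      spans << m.offset(0)
      pos = m.end(0)
    end
    spans
  end

  # Largest number of tokens that any occurrence of +value+ overlaps in +sql+.
  # Data stays inside one token (a number or a string literal); input that
  # altered the statement spills across several.
  def self.tokens_spanned(sql, value)
    spans = token_spans(sql)
    best = 0
    from = 0
    while (at = sql.index(value, from))
      stop = at + value.length
      best = [best, spans.count { |b, e| b < stop && e > at }].max
      from = at + 1
    end
    best
  end

  # Name of the first request parameter that alters the statement's
  # structure, or nil when the statement looks clean.
  def self.injected_param(sql, params = self.params)
    params.each do |name, raw|
      v = raw.to_s
      next if v.length < MIN_PARAM_LEN
      return name if tokens_spanned(sql, v) > 1
    end
    nil
  end

  # Name of the first request parameter that reaches the output buffer
  # unescaped yet marked html_safe (the slide's value.html_safe? == true), or nil.
  def self.unescaped_param(value, params = self.params)
    return nil unless value.respond_to?(:html_safe?) && value.html_safe?
    params.each do |name, raw|
      v = raw.to_s
      next if v.length < MIN_PARAM_LEN || !v.match?(/[<>"'&]/)
      return name if value.to_s.include?(v)
    end
    nil
  end
end

# Database-driver hook (slide 4): inspect the SQL, raise to block it (slide 7).
module SqlInjectionGuard
  def exec_query(sql, name = nil, binds = [])
    if (hit = RuntimeProtection.injected_param(sql))
      raise InjectionDetected, "SQL injection via param #{hit.inspect}: #{sql}"
    end
    super
  end
end

# Template-rendering hook (slide 5): user input marked html_safe is an XSS.
module XssGuard
  def <<(value)
    if (hit = RuntimeProtection.unescaped_param(value))
      raise InjectionDetected, "XSS via param #{hit.inspect}: #{value}"
    end
    super
  end
end

# Constructed stand-ins for the Rails classes the slides set breakpoints on.
class FakeAdapter
  attr_reader :executed
  def initialize; @executed = []; end
  def exec_query(sql, name = nil, binds = []); @executed << sql; :ok; end
end
FakeAdapter.prepend(SqlInjectionGuard)

class SafeString < String # stands in for ActiveSupport::SafeBuffer
  def html_safe?; true; end
end
class FakeOutputBuffer < String
  def <<(value); super(value.to_s); end
end
FakeOutputBuffer.prepend(XssGuard)

if __FILE__ == $PROGRAM_NAME
  RuntimeProtection.params = { "id" => "3 OR 1=1" } # constructed request
  begin
    FakeAdapter.new.exec_query("SELECT * FROM posts WHERE id=3 OR 1=1")
  rescue InjectionDetected => e
    puts "blocked: #{e.message}"
  end
end
```

`Module#prepend` is what makes this work without editing the driver or the view layer: the guard's method runs first and `super` continues into the original. The structural check has a deliberate blind spot (values shorter than `MIN_PARAM_LEN`, and values escaped before interpolation, are ignored), which is why a hook like this reports which parameter tripped it, so the finding can be tied back to the request.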

Slide 8

And that's only for SQL injection
Everything can be done inside the app

Slide 9

"Oh man, I f***ing hate security" - Kevin, Rails dev

Sec team, Dev and Ops across the assessment timeline (v1, v2), speech bubbles in order:
    Let's begin the security assessment...
    We keep on developing!
    We found so many breaches!
    We identified breaches in...
    Can we punt the release?
    The assessed product is too old!
    No way!
    Okay, let's ship like this...
    Hey, where are the fixes?

Slide 10

Jean-Baptiste Aviat
CTO @SqreenIO (https://sqreen.io)
Former hacker at Apple (Red Team)
@JbAviat [email protected]

Slide 11

Every product should embed its own security logic