Slide 1

Security in an app-centric world (without introducing more risk)
Security and the self-contained unit of software
Gareth Rushgrove, Puppet

Slide 2

@garethr

Slide 3

Gareth Rushgrove

Slide 4

This talk
What we’ll cover

Slide 5

- The end of perimeter (only) security
- From infrastructure to applications
- The rise of the black box application
- Pushing security concerns to the app

Slide 6

The end of security (only) at the edges
An old model breaks down

Slide 7

“For much of network security, firewalls were the panacea. Got a security problem? Throw more firewall at it.”
James Wickett, Signal Sciences

Slide 8

“Through the ’90s and early 2000s, buying an appliance to solve a problem was a common occurrence.”
James Wickett, Signal Sciences

Slide 9

“Any problem in computer science can be solved with another layer of indirection.”
David Wheeler (maybe)

Slide 10

Adding something new on top was quicker than fixing the software

Slide 11

With modern approaches to software delivery we can change software quickly

Slide 12

(no text on this slide)

Slide 13

10

Slide 14

2009

Slide 15

“Amazon deploys every 11.6 seconds”
Jon Jenkins, VelocityConf, 2011

Slide 16

(no text on this slide)

Slide 17

“We do not rely on internal network segmentation or firewalling as our primary security mechanisms.”
Google Infrastructure Security Design Overview

Slide 18

Attacks are increasingly targeting application and business logic

Slide 19

So where does security go?

Slide 20

From infrastructure to applications
Direction of travel in systems design

Slide 21

The ability to change software quickly has seen functionality move from the infrastructure to the application

Slide 22

Built-in application healthchecks

Slide 23

/health from Spring Boot

    $ curl -i localhost:8080/health
    HTTP/1.1 200 OK
    X-Application-Context: application
    Content-Type: application/vnd.spring-boot.actuator.v1+json;charset=UTF-
    Content-Length: 221

    {
      "status" : "UP",
      "diskSpace" : {
        "status" : "UP",
        "total" : 63251804160,
        "free" : 31316164608,
        "threshold" : 10485760
      },
      "db" : {

Slide 24

/metrics from Metrics

    $ curl http://localhost:3000/metrics | jq
    {
      jvm.thread.deadlock.count: {
        type: "gauge",
        value: 0
      },
      ring.requests.rate.GET: {
        type: "meter",
        rates: {
          1: 0.009626100280886805,
          5: 0.008973894483657855,
          15: 0.00939960671455037,
          total: 199
        }
      },

Slide 25

Structured logging

Slide 26

From something like syslog

    Dec  6 23:17:01 logstash CRON[5849]: (root) CMD (cd / && run-parts --report /etc/cron.hourly)

Slide 27

To something like lograge

    {
      "method":"GET",
      "path":"/users",
      "format":"html",
      "controller":"users",
      "action":"index",
      "status":200,
      "duration":189.35,
      "view":186.35,
      "db":0.92,
      "@timestamp":"2015-12-11T13:35:47.062+00:00",
      "@version":"1",
      "message":"[200] GET /users (users#index)",
      "severity":"INFO",
      "host":"app1-web1",
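
Added example (not from the talk): the security payoff of structured logs is that detection logic becomes a query over fields instead of a regex over free text. The code below is written for this page; it reads lograge-style JSON lines of the shape shown on the slide above and flags source IPs with a burst of failed logins across all web hosts. The log lines are constructed sample data, and the `remote_ip` field is an assumption (lograge can add it through `custom_options`; the slide's sample does not include it).

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample, not from the original talk: lograge-style JSON lines.
# "remote_ip" is an assumed extra field; the slide's sample lacks it.
# One deliberately broken line is included so the parser has to cope with it.
SAMPLE_LOG = """\
{"method":"GET","path":"/users","status":200,"@timestamp":"2015-12-11T13:35:47.062+00:00","host":"app1-web1","remote_ip":"10.0.0.5"}
{"method":"POST","path":"/login","status":401,"@timestamp":"2015-12-11T13:35:48.001+00:00","host":"app1-web1","remote_ip":"203.0.113.7"}
{"method":"POST","path":"/login","status":401,"@timestamp":"2015-12-11T13:35:49.120+00:00","host":"app1-web1","remote_ip":"203.0.113.7"}
{"method":"POST","path":"/login","status":401,"@timestamp":"2015-12-11T13:35:50.430+00:00","host":"app1-web2","remote_ip":"203.0.113.7"}
{"method":"POST","path":"/login","status":401,"@timestamp":"2015-12-11T13:35:51.006+00:00","host":"app1-web1","remote_ip":"10.0.0.5"}
{"method":"POST","path":"/login","status":401,"@timestamp":"2015-12-11T13:35:52.777+00:00","host":"app1-web2","remote_ip":"203.0.113.7"}
{"method":"POST","path":"/login","status":401,"@timestamp":"2015-12-11T13:36:02.300+00:00","host":"app1-web1","remote_ip":"203.0.113.7"}
not json at all -- a stray line the parser must survive
{"method":"POST","path":"/login","status":200,"@timestamp":"2015-12-11T13:36:03.000+00:00","host":"app1-web1","remote_ip":"203.0.113.7"}
"""


def parse_jsonl(text):
    """Parse newline-delimited JSON. Returns (events, number_of_bad_lines).

    Unparseable lines are counted rather than silently dropped, because a
    sudden rise in bad lines is itself worth alerting on.
    """
    events, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1
    return events, bad


def _timestamp(event):
    # lograge emits ISO 8601 with an offset, which fromisoformat accepts.
    return datetime.fromisoformat(event["@timestamp"])


def brute_force_suspects(events, threshold=5, window_seconds=60,
                         path="/login", status=401):
    """Return the set of IPs with >= threshold failed logins inside any
    window_seconds span. Events from every host are pooled, so a spray
    spread across app1-web1 and app1-web2 is still seen as one burst.
    """
    per_ip = defaultdict(list)
    for event in events:
        if event.get("path") == path and event.get("status") == status:
            per_ip[event["remote_ip"]].append(_timestamp(event))

    suspects = set()
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0  # sliding window over the sorted timestamps
        for end, current in enumerate(stamps):
            while (current - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                suspects.add(ip)
                break
    return suspects


if __name__ == "__main__":
    events, bad = parse_jsonl(SAMPLE_LOG)
    print(f"{len(events)} events, {bad} unparseable line(s)")
    print("brute-force suspects:", sorted(brute_force_suspects(events)))
```

The same question asked of the syslog line on the earlier slide would need a hand-written pattern per log format and per host; with structured fields the join across hosts is a dictionary lookup.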

Slide 28

From manual black-box testing to unit tests

Slide 29

From configuration files to environment variables

Slide 30

From external manual testing to unit tests

Slide 31

From static configuration to service discovery

Slide 32

12 factor applications

Slide 33

The rise of the black box application
And implications for security

Slide 34

With all these applications we seek out a platform to run them on

Slide 35

The platform might be Docker, Kubernetes, AWS Lambda, Azure Functions, Heroku, CloudFoundry, EC2 or something else

Slide 36

From a security perspective, the platform is a great place to introduce central security features

Slide 37

But general purpose platforms often treat the application as a black box

Slide 38

The implementation of that black box might be a container, a virtual machine, a serverless function or something else

Slide 39

From a security perspective, the black box application sounds like a very bad idea

Slide 40

What’s inside that container?

Slide 41

You don’t know, and that’s a problem

Slide 42

Image downloads

Slide 43

Image GitHub popularity

Slide 44

Image contents

Slide 45

Vulnerable images in repositories

Slide 46

- Most containers have OS user space
- Most containers have lots of unmanaged packages at unspecified versions
- Some containers are not immutable
- Some containers will have vulnerabilities

Slide 47

What about Serverless?

Slide 48

“These code packages are like little pieces of infrastructure embedded inside your application. Application dependencies are similar to the oft-exploited server dependencies.”
Guy Podjarny, Snyk

Slide 49

Platform security brings improvements
Guy Podjarny, Snyk

Slide 50

Application security still an issue
Guy Podjarny, Snyk

Slide 51

Existing approaches not always relevant
Guy Podjarny, Snyk

Slide 52

Pushing security concerns to the application
Because the platform can’t do everything

Slide 53

In this new world we need to push security to the application

Slide 54

Security testing at build time

Slide 55

OWASP ZAP

Slide 56

BDD-Security: testing for SQL Injection vulnerabilities in the CI pipeline

    Scenario: The application should not contain SQL injection vulnerabilities
    Meta: @id scan_sql_injection @cwe-89
    Given a scanner with all policies disabled
    And the SQL-Injection policy is enabled
    And the attack strength is set to High
    And the alert threshold is set to Low
    When the scanner is run
    And the XML report is written to the file sql_injection.xml
    Then no Medium or higher risk vulnerabilities should be present

Slide 57

Lynis: scanning for vulnerabilities during VM image build

    #!/bin/bash -e
    yum install -y lynis
    # custom.prf is the profile that "lynis configure settings" writes to
    touch /etc/lynis/custom.prf
    # treat warnings as errors, use the quick profile, skip one firewall (FIRE) test
    lynis configure settings error-on-warnings=yes:quick=yes:skip-test=FIRE-4512
    # with error-on-warnings=yes a warning gives a non-zero exit, and "bash -e" fails the image build
    lynis audit system

Slide 58

Assuring dependencies

Slide 59

OWASP Dependency-Check

Slide 60

Bundler audit: checking for disclosed Ruby vulnerabilities in Gemfile.lock

    $ bundle-audit
    Name: actionpack
    Version: 3.2.10
    Advisory: OSVDB-91452
    Criticality: Medium
    URL: http://www.osvdb.org/show/osvdb/91452
    Title: XSS vulnerability in sanitize_css in Action Pack
    Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13

    Name: actionpack
    Version: 3.2.10
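
Added example (not from the talk, and not bundler-audit's own code): what a dependency check like the one above actually does is match each pinned version in the lockfile against the advisory's patched-version constraints, and the "Solution" line on the slide is exactly such a list. The code below, written for this page, parses the `specs:` section of a Gemfile.lock and evaluates RubyGems-style constraints including the pessimistic `~>` operator. The lockfile is constructed sample input; the advisory list is constructed sample data modelled on the slide's OSVDB-91452 entry, and `example-gem` is hypothetical. Versions are assumed to be purely numeric (pre-release tags are not handled).

```python
import re

# Constructed sample Gemfile.lock, not from the original talk. "example-gem"
# is hypothetical; actionpack 3.2.10 is the version shown on the slide.
LOCKFILE = """\
GEM
  remote: https://rubygems.org/
  specs:
    actionpack (3.2.10)
      activemodel (= 3.2.10)
      rack (~> 1.4.0)
    activemodel (3.2.10)
    example-gem (1.2.4)
    rack (1.4.5)

PLATFORMS
  ruby

DEPENDENCIES
  actionpack (= 3.2.10)
  example-gem
"""

# Constructed advisory data for the example. The actionpack entry mirrors the
# "Solution" line on the slide; the example-gem entry is invented.
ADVISORIES = [
    {"gem": "actionpack", "id": "OSVDB-91452",
     "title": "XSS vulnerability in sanitize_css in Action Pack",
     "patched": ["~> 2.3.18", "~> 3.1.12", ">= 3.2.13"]},
    {"gem": "example-gem", "id": "EXAMPLE-0001",
     "title": "hypothetical advisory", "patched": ["~> 1.2.3"]},
]

# Top-level gems in the specs block are indented by exactly four spaces;
# their own dependencies are indented by six and are not pinned versions.
_SPEC_LINE = re.compile(r"^ {4}(\S+) \(([^)]+)\)$")


def parse_lockfile(text):
    """Return {gem_name: pinned_version} from the specs: section."""
    installed, in_specs = {}, False
    for line in text.splitlines():
        if line.strip() == "specs:":
            in_specs = True
            continue
        if not line.strip():
            in_specs = False  # a blank line ends the GEM block
            continue
        if in_specs:
            match = _SPEC_LINE.match(line)
            if match:
                installed[match.group(1)] = match.group(2)
    return installed


def parse_version(text):
    # Assumption for this example: numeric segments only (no "beta1" tags).
    return tuple(int(part) for part in text.split("."))


def satisfies(version, constraint):
    """Evaluate one RubyGems constraint such as '>= 3.2.13' or '~> 2.3.18'.

    '~> a.b.c' means >= a.b.c and < a.(b+1); '~> a.b' means >= a.b and < (a+1).
    """
    operator, target = constraint.split()
    v, t = parse_version(version), parse_version(target)
    if operator == "~>":
        if len(t) == 1:
            return v >= t
        upper = t[:-2] + (t[-2] + 1,)
        return t <= v < upper
    return {">=": v >= t, ">": v > t, "<=": v <= t,
            "<": v < t, "=": v == t}[operator]


def is_patched(version, patched_constraints):
    return any(satisfies(version, c) for c in patched_constraints)


def audit_lockfile(lock_text, advisories):
    """Return one finding per advisory whose gem is installed at an
    unpatched version; an empty list means the gate passes."""
    installed = parse_lockfile(lock_text)
    findings = []
    for advisory in advisories:
        version = installed.get(advisory["gem"])
        if version is None or is_patched(version, advisory["patched"]):
            continue
        findings.append({"gem": advisory["gem"], "version": version,
                         "advisory": advisory["id"], "title": advisory["title"]})
    return findings


if __name__ == "__main__":
    for finding in audit_lockfile(LOCKFILE, ADVISORIES):
        print(f"{finding['gem']} {finding['version']}: "
              f"{finding['advisory']} {finding['title']}")
```

Wiring this into CI means exiting non-zero when `audit_lockfile` returns anything, the same gate the bundle-audit run on the slide gives you; the point of spelling the constraint logic out is that `~>` ranges are easy to misread by eye (3.1.11 is unpatched under `~> 3.1.12`, 2.4.0 is unpatched under `~> 2.3.18`).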

Slide 61

Snyk

Slide 62

Checking application dependencies

    $ snyk test ionic
    ...
    ✗ High severity vulnerability found on [email protected]
    - desc: Command Injection
    - info: https://snyk.io/vuln/npm:shelljs:20140723
    - from: [email protected] > [email protected] > [email protected]
    Fix: None available. Consider removing this dependency.

    ✗ High severity vulnerability found on [email protected]
    - desc: Command Injection
    - info: https://snyk.io/vuln/npm:shelljs:20140723
    - from: [email protected] > [email protected] > [email protected] > shelljs
    Fix: None available. Consider removing this dependency.

Slide 63

Checking Docker containers for CVEs

    $ scan-image-for-cves garethr/myapp
    ---> Scanning package: python
    ---> CVEs found for python-2.7.5-34.el7
    +---------------+----------+------------+-------------------+
    | CVE           | Severity | CVSS score | Date              |
    +---------------+----------+------------+-------------------+
    | CVE-2014-4650 | moderate | 5.0        | 23 June 2014      |
    | CVE-2013-1752 | moderate | 4.3        | 25 September 2012 |
    | CVE-2013-1753 | moderate | 4.3        | 25 September 2012 |
    | CVE-2014-7185 | low      | 4.0        | 23 June 2014      |
    | CVE-2014-4616 | moderate | 4.0        | 19 May 2014       |
    +---------------+----------+------------+-------------------+

Slide 64

Testing in production

Slide 65

The only source of truth is the network

Slide 66

Making sure SELinux is enabled: using PuppetDB as a CMDB to make assertions against

    (expect running-on-all-clients? "selinux")

Slide 67

Making sure you’re using the approved OS: querying the state of running Docker containers

    def test_os(inventory):
        host_info = inventory['capabilities']['host']['payload']
        family = host_info['platformfamily']
        assert "debian" == family

Slide 68

Visibility

Slide 69

osquery

Slide 70

Checking for processes listening on ports: SQL for asking questions of your system

    SELECT DISTINCT process.name, listening.port, listening.address, process.pid
    FROM processes AS process
    JOIN listening_ports AS listening ON process.pid = listening.pid;
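
Added example (not from the talk, and not osquery's own code): the query on the slide lists what is listening, but visibility only becomes a control when the answer is compared with what should be listening. The code below, written for this page, runs that same join in an in-memory SQLite database over constructed rows shaped like the `processes` and `listening_ports` columns the query uses, then flags any non-loopback listener that is not on an allowlist. The process rows, ports and the allowlist are all sample data assumed for the example; against a real host the same SQL runs unchanged in `osqueryi`.

```python
import sqlite3

# Constructed sample rows, not from a real host: a subset of the columns the
# osquery query above uses (processes.pid/name, listening_ports.pid/port/address).
PROCESSES = [(1, "systemd"), (612, "sshd"), (890, "nginx"), (1422, "python3")]
LISTENING = [
    (612, 22, "0.0.0.0"),
    (890, 443, "0.0.0.0"),
    (890, 80, "0.0.0.0"),
    (1422, 8080, "0.0.0.0"),     # app process exposed on all interfaces
    (1422, 8081, "127.0.0.1"),   # loopback-only debug port
]

# The query from the slide, plus an ORDER BY so results are stable.
LISTENER_QUERY = """
SELECT DISTINCT process.name, listening.port, listening.address, process.pid
FROM processes AS process
JOIN listening_ports AS listening ON process.pid = listening.pid
ORDER BY listening.port;
"""

# Assumed policy for the example: (process name, port) pairs that may listen
# on non-loopback addresses on this host class.
ALLOWED = {("sshd", 22), ("nginx", 80), ("nginx", 443)}


def build_db(processes, listening):
    """Load the sample rows into tables named like osquery's virtual tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE processes (pid INTEGER, name TEXT)")
    conn.execute("CREATE TABLE listening_ports "
                 "(pid INTEGER, port INTEGER, address TEXT)")
    conn.executemany("INSERT INTO processes VALUES (?, ?)", processes)
    conn.executemany("INSERT INTO listening_ports VALUES (?, ?, ?)", listening)
    return conn


def listeners(conn):
    """All (name, port, address, pid) rows, i.e. the slide's query result."""
    return conn.execute(LISTENER_QUERY).fetchall()


def unexpected_listeners(conn, allowed=ALLOWED):
    """Listeners reachable from off-host that the allowlist does not cover."""
    return [(name, port, address, pid)
            for name, port, address, pid in listeners(conn)
            if address != "127.0.0.1" and (name, port) not in allowed]


if __name__ == "__main__":
    db = build_db(PROCESSES, LISTENING)
    for row in listeners(db):
        print("listening:", row)
    for row in unexpected_listeners(db):
        print("UNEXPECTED:", row)
```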

Slide 71

Querying against your CMDB: find versions of an installed software package with PQL

    inventory {
      facts.osfamily = "Debian" and
      facts.datacentre = "Lon1" and
      resources {
        type = "Package" and
        title = "npm" and
        parameters.version = "1.03"
      }
    }

Slide 72

Letting the runtime protect us

Slide 73

Runtime Application Self-Protection (RASP)

Slide 74

“RASP comes into play when the application is executed (runtime), causing the program to monitor itself and detect malicious input and behaviour.”
Veracode

Slide 75

OWASP AppSensor

Slide 76

“The AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into applications.”
OWASP AppSensor

Slide 77

“The best place to identify malicious activity against the application is within the application itself.”
OWASP AppSensor
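
Added example (not from the talk, and not the AppSensor project's code): the AppSensor model is detection points inside the application, a threshold per detection point, and an automated response when the threshold is crossed within a time window. The class below, written for this page, implements that loop in memory. The detection-point labels AE2 (multiple failed passwords) and IE1 (cross site scripting attempt) are borrowed from the AppSensor detection-point catalogue; the thresholds, windows and responses are assumptions chosen for the example, and timestamps are passed in as plain seconds so the run is deterministic.

```python
from collections import defaultdict, deque


class AppSensor:
    """Minimal in-app intrusion detection in the style of OWASP AppSensor:
    the application reports security events at detection points, and the
    sensor answers with a response once a threshold is crossed."""

    def __init__(self):
        self._rules = {}                      # point -> (threshold, window, response)
        self._events = defaultdict(deque)     # (point, user) -> timestamps
        self.blocked = set()

    def register(self, point, threshold, window_seconds, response):
        """Configure a detection point. Assumed policy values for the example."""
        self._rules[point] = (threshold, window_seconds, response)

    def event(self, point, user, at):
        """Record one event at time `at` (seconds). Returns the response
        label when the threshold is reached inside the window, else None."""
        threshold, window, response = self._rules[point]
        recent = self._events[(point, user)]
        recent.append(at)
        while recent and at - recent[0] > window:   # drop events outside the window
            recent.popleft()
        if len(recent) >= threshold:
            recent.clear()                          # reset so the response fires once per burst
            if response == "disable_account":
                self.blocked.add(user)
            return response
        return None

    def is_blocked(self, user):
        return user in self.blocked


def login(sensor, user, password_ok, at):
    """How a login handler would use the sensor. Returns True on success."""
    if sensor.is_blocked(user):
        return False
    if not password_ok:
        sensor.event("AE2", user, at)  # AE2: multiple failed passwords
        return False
    return True


if __name__ == "__main__":
    sensor = AppSensor()
    sensor.register("AE2", threshold=5, window_seconds=60, response="disable_account")
    sensor.register("IE1", threshold=1, window_seconds=0, response="logout")
    for t in range(5):
        print("alice login:", login(sensor, "alice", password_ok=False, at=t))
    print("alice blocked:", sensor.is_blocked("alice"))
    print("xss attempt:", sensor.event("IE1", "mallory", at=10))
```

A web application firewall in front of the app sees only requests; the sensor sees which user failed which check, so the response can be per account rather than per IP, which is the point the two AppSensor quotes above are making.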

Slide 78

Conclusions
If all you remember is

Slide 79

We need secure applications, not just secure platforms

Slide 80

App developers are conquering the world

Slide 81

- Push security into the CI pipelines
- Provide assurance of app dependencies
- Build visibility into the application
- Get reactive security into the runtime

Slide 82

We need to move away from security tools and towards development tools with security features

Slide 83

Questions?
And thanks for listening