Automatic Application Security

Slide 1

Slide 1 text

Automatic Application Security @twitter

Slide 2

Slide 2 text

Me • Twitter Github Security Engineer • Twitter: @ndm • Github: @oreoshake

Slide 3

Slide 3 text

Automatic Application Security?

Slide 4

Slide 4 text

The story of a line of code • Before the code is written • While the code is being written • After the code has been written • After the code has shipped

Slide 5

Slide 5 text

Before the code is written • Framework / Architecture Security • Secure by default • Education • Culture

Slide 6

Slide 6 text

Framework / Architecture security • Provide the necessary controls • Don’t provide anything else • Require opting out of security

Slide 7

Slide 7 text

Secure by default • An extension of “opting out” of security • The framework is conﬁgured in the most restrictive way possible

Slide 8

Slide 8 text

Education (nho) • Separate code and data • If you do, we’ll leave you alone

Slide 9

Slide 9 text

Culture • Don’t be a jerk • Understand your code will be scrutinized

Slide 10

Slide 10 text

While the code is being written • Provide what is needed

Slide 11

Slide 11 text

guard-brakeman

Slide 12

Slide 12 text

Tests are your friend • Encourage “negative” test cases

Slide 13

Slide 13 text

secure_headers • It’s just a freakin (set of) header(s) • Ported to Node*, Go, .Net, Java, PHP, Python, dancer, drupal, etc. • Think of the beneﬁts of the headers as conﬁg values, rather than the textual value

Slide 14

Slide 14 text

Provide what is needed: CSP • Nonce / Hash support

Slide 15

Slide 15 text

It’s a bug, not a feature • XSS? • Mixed content? • Site defacement? • All solved* by csp

Slide 16

Slide 16 text

Nonce • Generate a random value per request • Populate a “nonce” attribute for any script tag you want to be whitelisted

Slide 17

Slide 17 text

Railsgoat + nonce • Pull request to add nonce support[1] • 46 ﬁles changed, 72 additions, -46 deletions • global ﬁnd and replace took care of 90% of the job [1] https://github.com/OWASP/railsgoat/pull/174

Slide 18

Slide 18 text

Hashes • Find and compute hash values for tags • Associate each hash with the ﬁle it lives in • Every time a ﬁle is rendered, include the corresponding hashes in the header • Requires less changes than the nonce approach

Slide 19

Slide 19 text

Railsgoat + hash • Pull request[1] to add hashes when possible, nonces when not • 12 ﬁles change, 33 additions, 13 deletions (> 50% reduction in changes over nonce) • Hardest part was dealing with dynamic js (which requires the use of nonce) [1] https://github.com/oreoshake/railsgoat/pull/1

Slide 20

Slide 20 text

Automatic hashing PoC

Slide 21

Slide 21 text

IRL • Coming to a twitter near you… • Only 5 inline scripts

Slide 22

Slide 22 text

After the code has been written • Go all out • Stay out of the way

Slide 23

Slide 23 text

Scan on arrival • Every time new code is pushed, run tools and diff the results from master

Slide 24

Slide 24 text

The SADB workﬂow

Slide 25

Slide 25 text

Laundry list of tools • Static analysis • Brakeman • scan js • Dependency Management • bundler-audit • retire js • owasp dependency check • Other • Charlie Miller’s fuzzer thing

Slide 26

Slide 26 text

Review upon review • Code review is a great integration point

Slide 27

Slide 27 text

Again, it’s just a regex • When your threat model is tiny, the tools required to support it are pretty simple

Slide 28

Slide 28 text

Notify the relavent authorities • OWNERS

Slide 29

Slide 29 text

Did we catch it all? • Probably not

Slide 30

Slide 30 text

After the code has been shipped • It’s out of our hands, right?

Slide 31

Slide 31 text

Decider • All features, and any new code is often behind a Feature Flag

Slide 32

Slide 32 text

Bug Bounty • Penetration testing on the cheap

Slide 33

Slide 33 text

Stats • They aren’t just for proving a feature was a success

Slide 34

Slide 34 text

You can do it • These tools and integrations came out of a direct need. • “The best indicator of the next bug is the last bug” • Look at your previous bugs, and focus there

Slide 35

Slide 35 text

Not everything is successful • Vendor black box scanner • pre-SADB integration • Phantom gang • Business logic ﬂaws amirite

Slide 36

Slide 36 text

Tie it all together • With a dashboard of course

Slide 37

Slide 37 text

Time to Chill • Your threat model is small • Code is always under scrutiny • People know what the “right thing” is • You have sensors to detect issues at all phases of the pipeline • You have social and technical controls in place