Web App Security in an Agile World Nick Galbreath [email protected] 2016-06-17 

No content

No content

Why We Started
 Signal Sciences 2014-01-31
 App Sec Cali
 Santa Monica, CA 

Macro Trends Stacked Against Defenders Rate of internal change is increasing, general shift from fixed assets to dynamic.
 Security talent is in short supply and oversubscribed.
 
 Attack economics are getting better… for attackers. or are they? 

Software Engineering is really new. App Sec is even newer 

Software Development as a Physical Construction Process http://blog.in-sight.io/software-engineering-vs-civil-engineering/ Where’s security? The Web Is Different! 

Maybe Civil Engineering
 isn’t the right model? http://www.infrastructurereportcard.org 

From $250 Million to $6.5 Billion: 
 The Bay Bridge Cost Overrun http://www.citylab.com/politics/2015/10/from-250-million-to-65-billion-the-bay-bridge-cost-overrun/410254/ 

slide http://www.dw.com/en/berlins-new-airport-potentially-hit-by-yet-another-delay/a-19107260# 

Every engineering organization in the world is trying to go faster by using cloud, devops, continuous integration, agile Or Planning To Do So, with Some Projects 

Even the USA Government Delivery is the strategy. https://18f.gsa.gov 

Even the State of California https://www.codeforamerica.org/blog/2015/11/30/a-new-approach-to-procuring-government-technology-in-california/ A New Approach to Procuring Government Technology in California What was going to be a business-as-usual procurement (a long, thousand- plus page contract for a complete solution, driven by requirements and a likely waterfall delivery) of a new Child Welfare System will now be a series of procurements for long-term services, not solutions, driven by understanding and meeting user needs, delivered iteratively. Child welfare services personnel in California investigate nearly half a million reports of severe maltreatment and life-threatening neglect to children a year. Of those half a million, around 80,000 reports are confirmed annually, 30,000 children must be removed from their homes, and at any time almost 100,000 children are living in foster care for their protection or live with their parents under close county protective supervision.
 The Child Welfare System was the perfect choice for a new approach because it’s too important to fail. NOVEMBER 30, 2015 

And You 

https://twitter.com/petecheslock/status/595617204273618944 

100-10-1
 Dev-Ops-Sec 

SF Bay Area:
 For every 1 person in infosec, there are 2 job postings 

a brief discussion on attack economics 

What Does
 Not Work 

Treating Web App Security
 as if were Network Security 

Machine
 Learning 

SPOF SOLUTIONS 

a different type of pen test:
 http://www.busybeecreations.biz/blog/2015/9/14/ink-and-pen-tests More
 Pen Tests 

Data
 Hoarding 

Going Slower 

No content

• Change is increasing • Hiring is challenging • Attack Economics is not look good • A bunch of stuff doesn't work 

??? 

me “Security is not a binary state” 

Fail Success How do we move away from this? 

Embrace, 
 Demand,
 and Extend
 “Continuous Deployment” Make Security Visible 
 (to all) 

Continuous Deployment:
 Moving Code from Dev to Production characterized by small changes, done more frequently, in a semi-automated way. 

Does not preclude • Code reviews • Architecture reviews • Testing • Two-man rules • Audibility • Compliance 

Does not require • 10,03894293842,00 pushes to prod today
 (i.e. do not chase the leaders) 

Mechanism POLICY https://forbo.blob.core.windows.net/forboimages/3159/Forbo_Slider_Everyday_life_pastry.jpg 

No content

1. HEAD/Mainline/Trunk is always ready to ship. http://www.paulhammond.org/2010/06/trunk/ alwaysshiptrunk.pdf 

Trunk is always ready to ship 

Feature Flags 

Automated Build/ Release Pipeline 

✓ Formatting Checks ✓ Linting ✓ Static Analysis ✓ Security Checks ✓ Unit Tests ✓ Integration Tests ✓ Spelling Checks ✓ Login / Auth 

Security can make
 patches as needed Require developers to do
 so in a timely manner or 

Average time to fix a vulnerability is 150 days after being reported…. you think that is due to technical reasons? 

No content

No content

Lessons from Manufacturing MTTD, MTTR 

Mean Time To Detect Mean Time To Resolve
 (bonus MTBF:
 Mean Time Between Failure) 

https://speakerdeck.com/ngalbreath/ continuous-deployment-1 

https://www.nps.gov/media/photo/gallery.htm?id=F865DA8A-155D-4519-3E66BBFECC74C707 No, that’s not going to work 

Visibility and Realtime Monitoring http://spectrumscoreboards.com/2014-04-01-15-02-36/softball 

Continuous Deployment Doesn't Change This Fact 

— Zane Lackey “If you are on the Internet,
 you are already getting a free pen test. 
 
 You just aren’t getting the report.” 

Get The Report
 Who are you attacker What is their goal Are they successful 

Get The Report • Who are you attackers • What is their goal • Are they successful 

Cosmic Background Noise of Attacks 

Cloud-based scanner 

Attack Tooling 

What are they looking at Using SQLMap, on this URL, focused on 'guests' 

Anomalies 

http://the-toast.net/2014/02/04/in-defense-of-art-history/ That’s great but what does it mean? 

An AppSec Love Story from Verona, Italy 

Security is Empowered 

Developers are interested in security 

It’s the Call to Action Slide! http://i.huffpost.com/gen/799454/images/o-CLARK-ATLANTA-UNIVERSITY-MARCHING-PANTHERS-facebook.jpg Embrace Continuous Deployment
 Make Security Visible 

[email protected]