Slide 1

SHIFTING APPLICATION SECURITY LEFT
Craig Stuntz ∈ Improving

Slide 2

SHIFTING APPLICATION SECURITY LEFT
Craig Stuntz ∈ Improving
https://speakerdeck.com/craigstuntz

Slide 3

2012

Slide 4

2017

Slide 5

2017

Slide 6

2018

Slide 7

PREVIEW
• What does application security mean?
• Developer checklists don’t work
• Threat modeling & security from first principles
• Security as a first class part of the software design & development lifecycle

Slide 8

– Hippocratic Oath (1964 Louis Lasagna version)
“I will remember that I do not treat a fever chart, a cancerous growth, but a sick human being, whose illness may affect the person’s family and economic stability.”

Slide 9

No content

Slide 10

1. ummm… blockchain?
2. ???
3. profit!

Slide 11

http://www.independent.co.uk/travel/news-and-advice/air-safety-2017-best-year-safest-airline-passengers-worldwide-to70-civil-aviation-review-a8130796.html

Slide 12

WHAT WOULD SOFTWARE DEVELOPMENT LOOK LIKE IF HUMAN SAFETY WAS ALWAYS THE FIRST CONSIDERATION?
https://www.flickr.com/photos/wocintechchat/25900776992/

Slide 13

– ACM Code of Ethics and Professional Conduct (proposed)
“A computing professional should contribute to society and to human well-being, acknowledging that all people are stakeholders in computing.”

Slide 14

– Allison Miller
“I don't think humans are the problem, the problem is that humans are the target.”
https://www.scmagazineuk.com/news-feature-google-security-interview-human-solutions--the-way-to-go/article/701976/

Slide 15

WHAT IS SECURITY, REALLY?
https://commons.wikimedia.org/wiki/File:Airport_Frankfurt_-_Fraport_-_Flughafen_Frankfurt_-_barbed_wire_and_fence_-_Stacheldraht_und_Zaun_-_05.jpg
https://www.flickr.com/photos/captkodak/37054929956/

Slide 16

DOMAIN SPECIFIC QA

Slide 17

Behavior

Slide 18

Behavior Specification

Slide 19

Behavior Specification

Slide 20

Behavior Specification

Slide 21

Behavior Specification

Slide 22

Behavior Specification

Slide 23

QA: DOES THE SOFTWARE DO WHAT IT SHOULD?

Slide 24

SECURITY: DOES IT ALSO DO ANYTHING ELSE?

Slide 25

Do We Even Know What the Software Is Supposed to Do?

Slide 26

“In order to write secure applications, developers must
• Take OWASP Top 10 training
• Use Veracode
• Have application pentested
• Use two factor authentication on source control and hosts
• Use off-the-shelf crypto libraries
• Monitor production
• Use memory-safe languages
• Do code review
• HTTPS everywhere!

Slide 27

BUILD A RECIPE, NOT A GROCERY STORE

Slide 28

LEARN YOUR DOMAIN
https://commons.wikimedia.org/wiki/File:Domain,_Atrium_(Hong_Kong).jpg

Slide 29

– Matt Tait
“The underlying problem is folks think in terms of ‘secure’ versus ‘insecure.’ But in reality, it's ‘in/secure vs. X threat in Y threat model.’”
https://twitter.com/pwnallthethings/status/922009773352120320

Slide 30

https://www.pbs.org/newshour/science/amazon-recalls-potentially-hazardous-solar-eclipse-glasses

Slide 31

https://twitter.com/slatestarcodex/status/944739157988974592

Slide 32

https://twitter.com/slatestarcodex/status/944739157988974592

Slide 33

iTunes Money Laundering
https://www.thedailybeast.com/want-to-launder-bitcoins-how-crooks-are-hacking-itunes-and-getting-paid-by-apple

Slide 34

“I’m just a toaster. Nobody will ever try to hack me!”

Slide 35

– Sen. Richard Burr
“You commented yesterday that your company’s goal is bringing people together. In this case, people were brought together to foment conflict, and Facebook enabled that event to happen.”
https://www.texastribune.org/2017/11/01/russian-facebook-page-organized-protest-texas-different-russian-page-l/

Slide 36

QA! Security!

Slide 37

FOUNDATIONS
• Secure Design
• Secure Lifecycle
• Empowered Developers
• Threat Model
• Security Fundamentals
• Human Safety Priority
• Domain Knowledge
• Safer Applications and Infrastructure

Slide 38

Define → Design → Develop → QA → Security → Deploy

Slide 39

NIST 800-64
Security Considerations in the System Development Life Cycle (2008)
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-64r2.pdf

Slide 40

CISCO SECURE DEVELOPMENT LIFECYCLE
https://www.cisco.com/c/dam/en_us/about/doing_business/trust-center/docs/building-trustworthy-systems-with-CSDL.pdf

Slide 41

MICROSOFT SDLC
http://www.microsoft.com/en-us/SDL

Slide 42

OWASP SDLC (DRAFT)
https://www.owasp.org/index.php/OWASP_Secure_Software_Development_Lifecycle_Project

Slide 43

No content

Slide 44

https://twitter.com/petecheslock/status/595617204273618944?lang=en

Slide 45

GREAT IDEAS… ON THE RIGHT

Slide 46

GREAT IDEAS… ON THE RIGHT
• Bug Bounties
• Canaries
• Full Packet Capture
• Fuzzing
• Asset Identification
• Attack Simulation

Slide 47

SLACK SLC
https://www.youtube.com/watch?v=eBwluaTaenI

Slide 48

SLACK SLC
https://github.com/slackhq/goSDL

Slide 49

SECURITY IN AN AGILE PROCESS
https://www.scrum.org/resources/scrum-framework-poster

Slide 50

SECURITY IN AN AGILE PROCESS
https://www.scrum.org/resources/scrum-framework-poster
• Fundamental Principles
• Threat Model
• Automated Analysis
• Manual Review

Slide 51

THREAT MODELING

Slide 52

SIX DEGREES
Who is affected by the software you create?
https://www.flickr.com/photos/wocintechchat/25388897014/

Slide 53

Users
https://www.flickr.com/photos/wocintechchat/25703122741/

Slide 54

Customers
https://www.flickr.com/photos/wocintechchat/25703122741/
https://www.flickr.com/photos/wocintechchat/25926791491/

Slide 55

Your Team
https://www.flickr.com/photos/wocintechchat/25167741264/

Slide 56

Stakeholders
https://www.flickr.com/photos/wocintechchat/25388889234/

Slide 57

Partners
https://www.flickr.com/photos/wocintechchat/25388854424/

Slide 58

Your Community

Slide 59

WHAT DO YOU HAVE?

Slide 60

Infrastructure
• Servers
• Software
• Clients
• Gateways
• Third Parties

Slide 61

Data
• Databases
• Metadata
• Logs
• Credentials
• Files on client machines

Slide 62

Trust Boundaries
• Implicit
• Explicit

Slide 63

WHAT COULD GO WRONG?

Slide 64

DOMAIN-SPECIFIC RISKS

Slide 65

Take Care of People First
https://www.flickr.com/photos/wocintechchat/25926827581/

Slide 66

Learn from History
https://commons.wikimedia.org/wiki/File:Maginot_line_1.jpg

Slide 67

Existential Threats
http://money.cnn.com/2012/08/09/technology/knight-expensive-computer-bug/index.html

Slide 68

Regulatory

Slide 69

BACK TO BASICS

Slide 70

COMPREHENSIVITY
Security from First Principles
Am I covering all of my bases?
Craig Jackson, Scott Russell, and Susan Sons
https://upload.wikimedia.org/wikipedia/commons/7/72/Agoncillo_-_W%C3%BCrth_Rioja%2C_Museo_30_-_Christo.JPG

Slide 71

OPPORTUNITY
Security from First Principles
Am I taking advantage of my environment?
Craig Jackson, Scott Russell, and Susan Sons
https://commons.wikimedia.org/wiki/File:Amazing_Bhutan_Monastery.jpg

Slide 72

RIGOR
Security from First Principles
What is correct behavior, and how am I ensuring it?
Craig Jackson, Scott Russell, and Susan Sons
https://commons.wikimedia.org/wiki/File:Turnstile_state_machine_colored.svg

Slide 73

MINIMIZATION
Security from First Principles
Can this be a smaller target?
Craig Jackson, Scott Russell, and Susan Sons

Slide 74

COMPARTMENTALIZATION
Security from First Principles
Is this made of distinct parts with limited interactions?
Craig Jackson, Scott Russell, and Susan Sons
https://en.wikipedia.org/wiki/Bulkhead_(partition)#/media/File:Compartments_and_watertight_subdivision_of_a_ship%27s_hull_(Seaman%27s_Pocket-Book,_1943).jpg

Slide 75

FAULT TOLERANCE
Security from First Principles
What happens if this fails?
Craig Jackson, Scott Russell, and Susan Sons
https://commons.wikimedia.org/wiki/File:A_U.S._Soldier,_right,_looks_on_as_a_U.S._Army_Garrison_Ansbach_Junior_ROTC_cadet_negotiates_a_high_rope_obstacle_6.jpg

Slide 76

PROPORTIONALITY
Security from First Principles
Is this worth it?
Craig Jackson, Scott Russell, and Susan Sons
https://twitter.com/jwgoerlich/status/939268098699550720?s=09

Slide 77

THE BASIC PRINCIPLES IN ACTION

Slide 78

BUSINESS PROBLEM
• A hotel chain needs to capture credit card numbers for potential incidental charges when the cardholder will not be present at check in
• Example: A parent wants to authorize incidental charges for a traveling school sports team member
• Current process is a paper form. Company would like to automate

Slide 79

NAÏVE SOLUTION

Slide 80

NAÏVE SOLUTION, REVISITED
Comprehensivity

Slide 81

NAÏVE SOLUTION, RE-REVISITED
Comprehensivity

Slide 82

NAÏVE SOLUTION, RE-REVISITED
Comprehensivity

Slide 83

NAÏVE SOLUTION, RE-REVISITED
Comprehensivity

Slide 84

NAÏVE SOLUTION, RE-RE-REVISITED
Comprehensivity

Slide 85

DESIGNED INTO PROCESS
Comprehensivity
https://jeremylong.github.io/DependencyCheck/

Slide 86

TRAINING
Comprehensivity
https://twitter.com/chrisrohlf/status/925846092184477698

Slide 87

OPPORTUNITY

Slide 88

OPPORTUNITY

Slide 89

OPPORTUNITY

Slide 90

OPPORTUNITY

Slide 91

OPPORTUNITY

Slide 92

PATCH ALL OF THE THINGS
Opportunity

Slide 93

RIGOR

Slide 94

STATIC ANALYSIS
Rigor
“The most important thing I have done as a programmer in recent years is to aggressively pursue static code analysis. Even more valuable than the hundreds of serious bugs I have prevented with it is the change in mindset about the way I view software reliability and code quality.”
– John Carmack
https://www.gamasutra.com/view/news/128836/InDepth_Static_Code_Analysis.php
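The Rigor principle asks "what is correct behavior, and how am I ensuring it?" The slide illustrates it with a turnstile state machine, and the deck's running example is the hotel incidental-charge authorization. The following is an added example, not code from the talk: it writes the allowed behavior of that authorization down as an explicit transition table, so that "charge before the cardholder is verified" is impossible by construction rather than something a reviewer has to remember to look for. The state and event names, the transition table and the helper functions are assumptions of this example.

```python
"""Rigor: correct behavior as an explicit state machine (added example, not the talk's code).

States, events and transitions below are this example's own assumptions about the
hotel incidental-charge authorization flow from the deck's business-problem slide.
"""
from enum import Enum, auto


class State(Enum):
    CREATED = auto()          # form started by the absent cardholder
    CARD_TOKENIZED = auto()   # PAN handed to the processor, only a token kept
    VERIFIED = auto()         # cardholder identity and consent confirmed
    CHARGEABLE = auto()       # guest checked in; incidentals may be charged
    EXPIRED = auto()          # stay over, or authorization window elapsed
    CANCELLED = auto()


class Event(Enum):
    TOKENIZE = auto()
    VERIFY = auto()
    CHECK_IN = auto()
    CHECK_OUT = auto()
    CANCEL = auto()
    TIMEOUT = auto()


# The whole allowed behavior in one table. Any (state, event) pair that is
# absent is an error, so "CHECK_IN before VERIFY" cannot happen by accident.
TRANSITIONS = {
    (State.CREATED, Event.TOKENIZE): State.CARD_TOKENIZED,
    (State.CREATED, Event.CANCEL): State.CANCELLED,
    (State.CREATED, Event.TIMEOUT): State.EXPIRED,
    (State.CARD_TOKENIZED, Event.VERIFY): State.VERIFIED,
    (State.CARD_TOKENIZED, Event.CANCEL): State.CANCELLED,
    (State.CARD_TOKENIZED, Event.TIMEOUT): State.EXPIRED,
    (State.VERIFIED, Event.CHECK_IN): State.CHARGEABLE,
    (State.VERIFIED, Event.CANCEL): State.CANCELLED,
    (State.VERIFIED, Event.TIMEOUT): State.EXPIRED,
    (State.CHARGEABLE, Event.CHECK_OUT): State.EXPIRED,
    (State.CHARGEABLE, Event.CANCEL): State.CANCELLED,
}

TERMINAL = {State.EXPIRED, State.CANCELLED}


class InvalidTransition(Exception):
    pass


class Authorization:
    def __init__(self):
        self.state = State.CREATED
        self.history = [State.CREATED]

    def apply(self, event: Event) -> State:
        try:
            nxt = TRANSITIONS[(self.state, event)]
        except KeyError:
            raise InvalidTransition(f"{event.name} not allowed in {self.state.name}") from None
        self.state = nxt
        self.history.append(nxt)
        return nxt

    def may_charge(self) -> bool:
        # The only question billing code is allowed to ask.
        return self.state is State.CHARGEABLE


def check_table() -> list:
    """Check the specification itself, not just the code that uses it:
    no terminal state may have an exit, and every other state must be able
    to reach a terminal one (no authorization can live forever)."""
    problems = []
    for (src, _), _dst in TRANSITIONS.items():
        if src in TERMINAL:
            problems.append(f"terminal state {src.name} has an outgoing transition")
    for s in State:
        if s in TERMINAL:
            continue
        reachable, frontier = set(), {s}
        while frontier:
            cur = frontier.pop()
            for (src, _), dst in TRANSITIONS.items():
                if src is cur and dst not in reachable:
                    reachable.add(dst)
                    frontier.add(dst)
        if not reachable & TERMINAL:
            problems.append(f"{s.name} can never reach a terminal state")
    return problems


def happy_path() -> list:
    a = Authorization()
    for e in (Event.TOKENIZE, Event.VERIFY, Event.CHECK_IN, Event.CHECK_OUT):
        a.apply(e)
    return [s.name for s in a.history]


def rejects_charge_before_verify() -> bool:
    a = Authorization()
    a.apply(Event.TOKENIZE)
    try:
        a.apply(Event.CHECK_IN)          # not in the table: must be refused
    except InvalidTransition:
        return not a.may_charge()
    return False
```

Because the table is data, `check_table()` can be run in CI alongside static analysis: a future edit that adds a transition out of `CANCELLED`, or a new state with no way out, fails the build before it fails a guest.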

Slide 95

No content

Slide 96

MINIMIZE ATTACK SURFACE (and everything else)
https://www.owasp.org/index.php/Attack_Surface_Analysis_Cheat_Sheet

Slide 97

STORE LESS
Minimization
“Limit cardholder data storage and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in your data retention policy. Purge unnecessary stored data at least quarterly.”
PCI-DSS § 3.1
https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_1.pdf
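For the hotel scenario, "store less" means the full card number never lands in the application's database at all: it goes to a PCI-scoped processor or vault, and the app keeps only the returned token, the last four digits and the expiry it needs to re-authorize. The following is an added example, not the talk's code. The in-memory `Processor` stands in for the processor's tokenization API, the record layout and the 90-day retention period are assumptions of this example, and the card numbers are the standard publicly documented test numbers.

```python
"""Minimization: keep the PAN out of the app database and purge on schedule.

Added example, not code from the talk. The Processor class is a constructed
stand-in for a payment processor's tokenization API; the Authorization record
layout and 90-day retention are assumptions of this example.
"""
import re
import secrets
from dataclasses import dataclass
from datetime import date, timedelta

PAN_RE = re.compile(r"\b\d{13,19}\b")   # anything that looks like a full card number


def luhn_ok(pan: str) -> bool:
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


class Processor:
    """Stand-in for the processor side. The PAN lives only here, in its PCI scope."""

    def __init__(self):
        self._vault = {}

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not luhn_ok(pan):
            raise ValueError("invalid card number")
        token = "tok_" + secrets.token_hex(12)   # random; not derivable from the PAN
        self._vault[token] = pan
        return token


@dataclass(frozen=True)
class Authorization:
    guest: str
    token: str
    last4: str
    expiry: str      # MM/YY, needed to re-authorize
    captured: date


class AuthorizationStore:
    def __init__(self, processor: Processor, retention_days: int = 90):
        self.processor = processor
        self.retention = timedelta(days=retention_days)
        self.rows = []

    def capture(self, guest: str, pan: str, expiry: str, today: date) -> Authorization:
        pan = re.sub(r"[\s-]", "", pan)
        token = self.processor.tokenize(pan)     # the PAN leaves the app here
        row = Authorization(guest, token, pan[-4:], expiry, today)
        self.rows.append(row)
        return row

    def purge(self, today: date) -> int:
        """PCI-DSS 3.1: drop anything past the documented retention period."""
        before = len(self.rows)
        self.rows = [r for r in self.rows if today - r.captured < self.retention]
        return before - len(self.rows)

    def leaks_pan(self) -> bool:
        """Audit check worth running in CI: no stored field may hold a full PAN."""
        return any(PAN_RE.search(v) for r in self.rows
                   for v in (r.guest, r.token, r.last4, r.expiry))


def demo() -> dict:
    store = AuthorizationStore(Processor())
    d = date(2018, 1, 15)
    store.capture("parent of player #7", "4111 1111 1111 1111", "12/20", d)
    store.capture("parent of player #9", "5555-5555-5555-4444", "06/21", d + timedelta(days=60))
    leaked = store.leaks_pan()
    removed = store.purge(d + timedelta(days=100))   # quarterly purge run
    return {"leaks_pan": leaked, "purged": removed, "remaining": len(store.rows)}
```

The shape matters more than the code: a breach of the application database now yields tokens that are useless outside the processor relationship, and the purge job, not a developer's memory, enforces the retention policy the PCI text requires you to document.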

Slide 98

COMPARTMENTALIZE IT!

Slide 99

DOUBLE EDGED SWORD
Compartmentalization
“Your perimeter is not the boundary of your network it’s the boundary of your telemetry.”
– The Grugq
http://grugq.github.io/presentations/comae-blackhat-year-of-the-worm.pdf

Slide 100

LEAST PRIVILEGE
Compartmentalization

  # CloudFormation: an execution role for one Lambda function.
  EncryptionServiceIAMRole:
    Type: "AWS::IAM::Role"
    Properties:
      Path: "/"
      # Only the managed policy the function needs to write its own logs;
      # no broad permissions attached "just in case".
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
      # Only the Lambda service may assume this role.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: "AllowLambdaServiceToAssumeRole"
            Effect: "Allow"
            Action:
              - "sts:AssumeRole"
            Principal:
              Service:
                - "lambda.amazonaws.com"

Slide 101

COMPARTMENTALIZE IT!
• Networks
  • Public ingress (CloudFront), WAF rules
  • Private ingress (Jump server)
• Roles for public, hotel staff, site admin, developer, ops
• Restrict data by property
• Archive old data to encrypted cold storage
• Use key management (KMS, HSM, etc.) for secrets

Slide 102

FAULT TOLERANCE
https://github.com/Xyl2k/TSA-Travel-Sentry-master-keys

Slide 103

FAULT TOLERANCE
• User safety
  • Stop the exfiltration
  • Assess the scope
  • Proactively prevent further damage to users
  • Listen
• Technical
  • Engage DF/IR professionals to assess how it happened and how to prevent
  • Design system for secure storage and rotation of secrets
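The last bullet, "design system for secure storage and rotation of secrets", is the fault-tolerance question applied to keys: if a signing key leaks (the TSA master keys on the previous slide are the physical version of this), can you retire it without an outage, and can you refuse it immediately everywhere? The following is an added example, not code from the talk. It keeps a versioned key ring in which one key signs, every non-revoked key still verifies, and a leaked key is revoked independently of rotation; the key-id scheme, the HMAC-SHA256 token format and the `KeyRing` API are assumptions of this example. A production system would hold the key material in a KMS or HSM as slide 101 says; the ring structure is the same.

```python
"""Fault tolerance for secrets: versioned keys, overlapping validity, instant revocation.

Added example, not the talk's code. Key-id scheme, token format and the KeyRing
API are this example's own assumptions; real key material belongs in a KMS/HSM.
"""
import hmac
import hashlib
import secrets
from typing import Optional


class KeyRing:
    """One 'current' key signs; every known, non-revoked key verifies."""

    def __init__(self):
        self._keys = {}          # key id -> 32 random bytes
        self._revoked = set()
        self.current = ""
        self.rotate()

    def rotate(self) -> str:
        """Routine rotation: add a fresh key and sign with it from now on. Older
        keys keep verifying, so tokens issued before the rotation do not break."""
        kid = f"k{len(self._keys) + 1}"
        self._keys[kid] = secrets.token_bytes(32)
        self.current = kid
        return kid

    def revoke(self, kid: str) -> None:
        """Incident response: a leaked key is refused immediately. Rotate first
        if the leaked key is the current one, so signing never stops."""
        if kid == self.current:
            raise ValueError("rotate before revoking the current key")
        if kid not in self._keys:
            raise KeyError(kid)
        self._revoked.add(kid)

    def sign(self, payload: bytes) -> str:
        mac = hmac.new(self._keys[self.current], payload, hashlib.sha256).hexdigest()
        return f"{self.current}.{payload.hex()}.{mac}"    # key id travels with the token

    def verify(self, token: str) -> Optional[bytes]:
        try:
            kid, hexpayload, mac = token.split(".")
            payload = bytes.fromhex(hexpayload)
        except ValueError:
            return None
        key = self._keys.get(kid)
        if key is None or kid in self._revoked:
            return None
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):   # constant-time comparison
            return None
        return payload


def rotation_scenario() -> dict:
    """Walk through rotate -> verify old token -> revoke leaked key -> verify again."""
    ring = KeyRing()
    old_token = ring.sign(b"guest=7;property=42")
    k_old = ring.current
    k_new = ring.rotate()                            # scheduled rotation, no outage
    new_token = ring.sign(b"guest=9;property=42")
    old_after_rotate = ring.verify(old_token) is not None
    ring.revoke(k_old)                               # k_old turned up in a breach dump
    old_after_revoke = ring.verify(old_token) is not None
    flipped = "0" if new_token[-1] != "0" else "1"   # tamper with one MAC character
    tampered_valid = ring.verify(new_token[:-1] + flipped) is not None
    return {
        "old_valid_after_rotate": old_after_rotate,
        "old_valid_after_revoke": old_after_revoke,
        "new_valid": ring.verify(new_token) is not None,
        "tampered_valid": tampered_valid,
        "current": k_new,
    }
```

The design choice worth noting is the separation of rotation from revocation: rotation is cheap and scheduled, so the team practices it constantly, and revocation is the one-line emergency action that reuses the same machinery, so the incident plan on this slide does not depend on a procedure nobody has run before.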

Slide 104

PROPORTIONALITY

Slide 105

LATHER, RINSE, REPEAT
• Plan on enumerating the first principles at least twice in initial app design
• Enumerate again in sprint planning for each sprint
• Following first principles does not mean “big design upfront”

Slide 106

CONTINUOUS SECURITY
Initially
• Human safety review
• Review principles at least twice
• Begin threat modeling
• Security controls in CI
Periodically
• Pentest
• Regulatory review
• Incident response plan
Continuously
• Use principles in backlog grooming
• Update threat model
• Usability testing
• Static/dynamic analysis
• Training
• Patch All of the Things

Slide 107

FURTHER READING
• The Information Security Practice Principles, Center for Applied Cybersecurity Research, Indiana University
• Threat Modeling: Designing for Security, by Adam Shostack

Slide 108

CREDITS
• Some stock photography from wocintechchat.com, CC-BY 2.0
• Creative Commons photography credited on each slide

Slide 109

CONTACT
[email protected]
@craigstuntz
http://paperswelove.org/chapter/columbus/
https://speakerdeck.com/craigstuntz