www.gitguardian.com Achieving high performance (security) engineering Secure SDLC for the modern API

Who? Whoʼs this guy? and who does he work for?

Kayssar Daher Security Lead @ GitGuardian Security & data privacy enthusiast specialising in building security for French tech scale-ups. whoami Todayʼs talk Loves road cycling. Cooks okay food. Worked in security for many French Tech orgs. Not enough Pull Requests. Writes the.secure.engineer blog. CV

Funding $56M in total with a $44M Series B in Dec 2021 Mission Make secure software the easiest choice for every organization Products Secrets detection, Honeytoken (intrusion detection), SCA Technology Over 1 billion GitHub commits secured every year! Adoption 370k+ developers currently using our free plan Founding year 2017 HQ Paris, France Boston, MA, US Team 150+ GitGuardian is the code security platform for the DevOps generation

Everything is an API How does GitGuardian work? API used by our web app frontend ● Cookie authentication APIs used by our user-facing services ● Service tokens Internal API Public API Internal services API used by humans and machines ● API keys ● Clients include: curl, py-gitguardian, ggshield Out of scope

What is security? 01 Itʼs not office warfare

Security What is ?

Oxford English Dictionary Security 1. secure condition or feeling. 2. thing that guards or guarantees. 3.a. safety against espionage, theft, etc. 3.b. organization for ensuring this

Control What is ?

Oxford English Dictionary Control 1. power of directing. 2. power of restraining. 3. means of restraint. 4. means of regulating.

Control Security Security requires some control But security is not control

So, what is security? In the context of software engineering security is the discipline of slowing down attackers while ensuring maximum delivery velocity

How to slow down attackers? In a technical system Code Your own code can be vulnerable to all sorts of attacks. So ware dependencies The libraries you use can be vulnerable. (eg. log4shell, xz, ua-parser-js) Platform dependencies The container, VM or network that hosts your workload can be vulnerable. 👉 Eliminate vulnerabilities at all levels System features Your appʼs own features can themselves be a vulnerability.

Letʼs talk about water 02

Water in the Paris metropolitan area 0 cholera outbreaks Found within the 12.2 million resident population in 2023 100 liters Of water are consumed everyday by Ile-de-France residents 12 210 000 people Live in the greater Paris metropolitain area

Water treatment process How does tap water work? Coagulation 1 Flocculation 2 Sedimentation 3 Filtration 4 Disinfection 5 OTB Checks ∞

Optimising for high performance, secure flow 03 How we go fast, and slow down attackers

High performance, high security SDLC Automation and recurring checks Design review 1 SCA & dependencies 3 Secrets detection 5 etc. ∞ Code review 8 Linters 2 SAST 4 IaC security 6 DAST 7 etc. ? Bug bounty ∞ CSPM ∞ Attack surface ∞ Pentesting ∞ Openbox audit ∞ Monitoring ? High availability! ? CI pipeline security ? Secret rotation ? Patching SLAs ? Threat modeling ? Base image hardening ?

SCA Sometimes, the wheel you didnʼt invent, is broken ❔ 💣 🏭 What is it? Software composition analysis 🛠 Examples of tools Dependency-Check, Snyk What risk does it mitigate? Vulnerable dependencies eg. log4shell, xz, spring4shell How does it work? Compares your pipfile.lock, package-lock.json against a DB of known vulnerable packages At GitGuardian… What do we use? GitGuardian & Renovate-Bot (moving away from Snyk) How do we use it? ● GitGuardian in CI jobs with ggshield, and through the web app ● Renovate-Bot opens pull requests to upgrade all our dependencies Any other info? ● We self-host our own Renovate-Bot ● We use CycloneDX for SBOM generation ● cd repo && ggshield sca scan all

SAST Finding out the building will crack, by looking at the blueprint ❔ 💣 🏭 What is it? Static Application Security Testing 🛠 Examples of tools Sonar, Gitlab, Veracode What risk does it mitigate? Vulnerable app code How does it work? Parses code looking for vulnerable code patterns (eg. unencoded strings sent to the frontend, SQL query concatenated with user input) At GitGuardian… What do we use? Semgrep How do we use it? ● In CI jobs on our app code ● Breaks pipeline if issue is found Any other info? ● Integrated with Gitlabʼs JUnit based testing framework ● Scans all our Python & JS code ● Does generate false positives ○ Important to allow users to ignore false positives ○ git blame 🎉

DAST Poking and prodding, until it bursts ❔ 💣 🏭 What is it? Static Application Security Testing 🛠 Examples of tools BurpSuite Enterprise, Intruder.io What risk does it mitigate? Vulnerabilities within live apps & APIs How does it work? Sends attack HTTP requests to the live app At GitGuardian… What do we use? StackHawk How do we use it? ● Runs everyday on our preprod ● On a dedicated workspace ● Through Gitlab CI job Any other info? ● Dedicated runners ● Triage workflow is currently manual ● Based on OWASP ZAP ● Ingests OpenAPI file, and bombards API with attacks

Secret detection Our bread and butter ❔ 💣 🏭 What is it? Finds API keys, passwords, private keys 🛠 Examples of tools git-leaks, GitGuardian What risk does it mitigate? Vulnerabilities within live apps & APIs How does it work? Ingests code from github/gitlab, and runs in pre-commit At GitGuardian… What do we use? GitGuardian How do we use it? ● In pre-commit hooks ● In CI jobs ● Connected to our Gitlab, and Slack Any other info? ● Saved us from 2 incidents in 2023 ● No incidents in 2024

Bug bounty Outsourcing your security testing ❔ 💣 🏭 What is it? Paying strangers for accurate security reports 🛠 Examples of tools HackerOne, BugCrowd, Yogosha What risk does it mitigate? Vulnerabilities within live apps & APIs How does it work? Hunters submit reports, you evaluate them, and pay them when appropriate At GitGuardian… What do we use? YesWeHack How do we use it? ● Private bug bounty program since 2022 ● All our APIs, and our CLI are in scope Any other info? ● 120+ reports submitted ● 39 resolved reports ○ 0 reports with CVSS > 8 ○ 3 reports with CVSS between 7 & 8 ○ 36 reports CVSS < 7

Secret rotation The best thing since sliced bread ❔ 💣 🏭 What is it? System that avoids static credentials 🛠 Examples of tools Hashicorp Vault, Confidant, Infiniscal What risk does it mitigate? Secret leaks How does it work? Generates short lived secrets on-demand At GitGuardian… What do we use? Hashicorp Vault How do we use it? ● Everywhere ○ AWS creds ○ DB creds ○ SSH creds ○ K8S creds Any other info? ● Makes IAM much easier ● Incident response becomes so much easier

Base image hardening If it doesn't spark joy, get rid of it ❔ 💣 🏭 What is it? Remove unnecessary packages and attack surface 🛠 Examples of tools Distroless, DockerSlim, Chisel What risk does it mitigate? Vulnerabilities within the platform layer How does it work? Container images with the bare minimum packages necessary to run your apps At GitGuardian… What do we use? Chainguard How do we use it? ● To build our app base images Any other info? ● We now ship 0 Critical & High CVE releases ● We monitor for this using daily Grype scans ○ Results available on Grafana

OWASP ASVS A hidden gem ❔ What is it? Application Security Verification Standard by OWASP Available on Github 232 control points in 14 chapters: ● Validation, sanitization & encoding ● Access control ● Stored cryptography ● Error Handling and logging ● API & Web services ● etc. At GitGuardian… What did we do? Full ASVS audit of our apps Why did we do it? ● Much more thorough than any pentest ● Covers what automated tools cannot find Any other info? ● Covers design, implementation and feature security ● Takes a lot of time to complete ● Worth every second

Boost your APIʼs security 04 How to guide

🔎 Run an ASVS audit Some checks are specifically interesting for APIs (eg. IDOR, schema validation, etc.) Boost your APIʼs security quickly Focus on high value items 🏭 Boost your CI security SCA, Secret Detection, SAST 🧪 Invest in security testing Deploy a DAST & a bug bounty program ➔ Donʼt hire external help for this ➔ Youʼll find design issues, race conditions, broken rate limiting, broken authorisation etc. ➔ Fixing them will take a while, thatʼs ok GitGuardianʼs advice ➔ Introduce Security CI jobs to PR pipelines ➔ Allow failure, monitor failure rates, help engineers avoid them ➔ Make security check blocking, then fix issues in the main branch ➔ Feed the DAST your OpenAPI file, fix findings ➔ A bug bounty program will cost you time and money, but will increase security testing coverage significantly

Thank you!