Slide 1

www.gitguardian.com
Achieving high performance (security) engineering
Secure SDLC for the modern API

Slide 2

Who? Who's this guy? And who does he work for?

Slide 3

whoami
Kayssar Daher, Security Lead @ GitGuardian
Security & data privacy enthusiast specialising in building security for French tech scale-ups.
● Loves road cycling.
● Cooks okay food.
● Worked in security for many French Tech orgs.
● Not enough Pull Requests.
● Writes the.secure.engineer blog.
Today's talk / CV

Slide 4

GitGuardian is the code security platform for the DevOps generation
Funding: $56M in total with a $44M Series B in Dec 2021
Mission: Make secure software the easiest choice for every organization
Products: Secrets detection, Honeytoken (intrusion detection), SCA
Technology: Over 1 billion GitHub commits secured every year!
Adoption: 370k+ developers currently using our free plan
Founding year: 2017
HQ: Paris, France; Boston, MA, US
Team: 150+

Slide 5

How does GitGuardian work? Everything is an API
Internal API: API used by our web app frontend
● Cookie authentication
Internal services: APIs used by our user-facing services
● Service tokens
Public API: API used by humans and machines
● API keys
● Clients include: curl, py-gitguardian, ggshield
Out of scope

Slide 6

01 What is security? It's not office warfare

Slide 7

What is Security?

Slide 8

Security (Oxford English Dictionary)
1. secure condition or feeling.
2. thing that guards or guarantees.
3.a. safety against espionage, theft, etc.
3.b. organization for ensuring this.

Slide 9

What is Control?

Slide 10

Control (Oxford English Dictionary)
1. power of directing.
2. power of restraining.
3. means of restraint.
4. means of regulating.

Slide 11

Control / Security
Security requires some control. But security is not control.

Slide 12

So, what is security?
In the context of software engineering, security is the discipline of slowing down attackers while ensuring maximum delivery velocity.

Slide 13

How to slow down attackers? In a technical system:
Code: Your own code can be vulnerable to all sorts of attacks.
Software dependencies: The libraries you use can be vulnerable (eg. log4shell, xz, ua-parser-js).
Platform dependencies: The container, VM or network that hosts your workload can be vulnerable.
System features: Your app's own features can themselves be a vulnerability.
👉 Eliminate vulnerabilities at all levels

Slide 14

02 Let's talk about water

Slide 15

Water in the Paris metropolitan area
12 210 000 people live in the greater Paris metropolitan area
100 liters of water are consumed every day by Ile-de-France residents
0 cholera outbreaks found within the 12.2 million resident population in 2023

Slide 16

How does tap water work? Water treatment process
1 Coagulation
2 Flocculation
3 Sedimentation
4 Filtration
5 Disinfection
∞ OTB Checks

Slide 17

03 Optimising for high performance, secure flow
How we go fast, and slow down attackers

Slide 18

High performance, high security SDLC
1 Design review
2 Linters
3 SCA & dependencies
4 SAST
5 Secrets detection
6 IaC security
7 DAST
8 Code review
∞ etc.
Automation and recurring checks:
∞ Bug bounty
∞ CSPM
∞ Attack surface
∞ Pentesting
∞ Openbox audit
? Monitoring
? High availability!
? CI pipeline security
? Secret rotation
? Patching SLAs
? Threat modeling
? Base image hardening
? etc.

Slide 19

SCA: Sometimes, the wheel you didn't invent, is broken
What is it? Software composition analysis
Examples of tools: Dependency-Check, Snyk
What risk does it mitigate? Vulnerable dependencies, eg. log4shell, xz, spring4shell
How does it work? Compares your pipfile.lock, package-lock.json against a DB of known vulnerable packages
At GitGuardian…
What do we use? GitGuardian & Renovate-Bot (moving away from Snyk)
How do we use it?
● GitGuardian in CI jobs with ggshield, and through the web app
● Renovate-Bot opens pull requests to upgrade all our dependencies
Any other info?
● We self-host our own Renovate-Bot
● We use CycloneDX for SBOM generation
● cd repo && ggshield sca scan all

Slide 20

SAST: Finding out the building will crack, by looking at the blueprint
What is it? Static Application Security Testing
Examples of tools: Sonar, GitLab, Veracode
What risk does it mitigate? Vulnerable app code
How does it work? Parses code looking for vulnerable code patterns (eg. unencoded strings sent to the frontend, SQL query concatenated with user input)
At GitGuardian…
What do we use? Semgrep
How do we use it?
● In CI jobs on our app code
● Breaks pipeline if issue is found
Any other info?
● Integrated with GitLab's JUnit based testing framework
● Scans all our Python & JS code
● Does generate false positives
  ○ Important to allow users to ignore false positives
  ○ git blame 🎉
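The "SQL query concatenated with user input" pattern named above, as an added example that is not code from the talk or from GitGuardian: the concatenated query a SAST rule flags next to its parameterised fix, run against a constructed in-memory SQLite table so the difference in behaviour can be observed.

```python
import sqlite3

# Constructed sample data for this added example (not GitGuardian's
# application code): a small users table in an in-memory SQLite database.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    conn.commit()
    return conn

def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list[tuple]:
    # The pattern a SAST rule flags: user input spliced into the SQL text.
    # SQLite parses the whole string as SQL, so quote characters inside
    # `name` change the meaning of the WHERE clause.
    query = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()

def find_user_safe(conn: sqlite3.Connection, name: str) -> list[tuple]:
    # The fix: a parameterised query. The SQL text is constant and the driver
    # binds `name` as a value, so it is only ever compared, never parsed.
    query = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()

def row_counts(name: str) -> tuple[int, int]:
    # Convenience for comparing both variants on the same input.
    conn = make_db()
    return len(find_user_vulnerable(conn, name)), len(find_user_safe(conn, name))

if __name__ == "__main__":
    # A value containing a quote and an always-true clause: the vulnerable
    # function returns every row, the safe one returns none.
    print(row_counts("alice"))          # (1, 1)
    print(row_counts("x' OR '1'='1"))   # (3, 0)
```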

Slide 21

DAST: Poking and prodding, until it bursts
What is it? Dynamic Application Security Testing
Examples of tools: BurpSuite Enterprise, Intruder.io
What risk does it mitigate? Vulnerabilities within live apps & APIs
How does it work? Sends attack HTTP requests to the live app
At GitGuardian…
What do we use? StackHawk
How do we use it?
● Runs every day on our preprod
● On a dedicated workspace
● Through a GitLab CI job
Any other info?
● Dedicated runners
● Triage workflow is currently manual
● Based on OWASP ZAP
● Ingests OpenAPI file, and bombards API with attacks

Slide 22

Secret detection: Our bread and butter
What is it? Finds API keys, passwords, private keys
Examples of tools: gitleaks, GitGuardian
What risk does it mitigate? Vulnerabilities within live apps & APIs
How does it work? Ingests code from GitHub/GitLab, and runs in pre-commit
At GitGuardian…
What do we use? GitGuardian
How do we use it?
● In pre-commit hooks
● In CI jobs
● Connected to our GitLab, and Slack
Any other info?
● Saved us from 2 incidents in 2023
● No incidents in 2024
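To illustrate the pre-commit use described above, here is an added toy scanner (not GitGuardian's detection engine or ggshield) that inspects only the lines a commit adds and reports well-known key formats plus high-entropy values assigned to secret-looking names; the patterns, the 3.5 bits/char threshold and the sample diff are all assumptions constructed for this example.

```python
import math
import re

# Added example (not GitGuardian's detection engine): a toy pre-commit style
# scanner that inspects only the lines a commit adds and reports well-known key
# formats plus high-entropy values assigned to secret-looking variable names.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_header": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
ASSIGNMENT = re.compile(  # e.g.  db_password = "..."  or  API_TOKEN: '...'
    r"(?i)\b(?P<name>[a-z0-9_]*(?:secret|token|password|api_key)[a-z0-9_]*)"
    r"\s*[:=]\s*['\"](?P<value>[^'\"]{8,})['\"]"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; an assumed cut-off for this example
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
def shannon_entropy(value: str) -> float:
    n = len(value)
    probs = [value.count(ch) / n for ch in set(value)]
    return -sum(p * math.log2(p) for p in probs)
def scan_diff(diff_text: str) -> list[dict]:
    findings, new_line = [], 0
    for raw in diff_text.splitlines():
        hunk = HUNK_HEADER.match(raw)
        if hunk:
            new_line = int(hunk.group(1)) - 1  # next line is the hunk's first
            continue
        if raw.startswith(("+++ ", "-", "\\")):
            continue  # file headers, removed lines and "no newline" markers
        new_line += 1  # context and added lines both exist in the new file
        if not raw.startswith("+"):
            continue  # only added lines can introduce a new secret
        for kind, pattern in KNOWN_PATTERNS.items():
            if pattern.search(raw[1:]):
                findings.append({"line": new_line, "kind": kind})
        m = ASSIGNMENT.search(raw[1:])
        if m and shannon_entropy(m.group("value")) >= ENTROPY_THRESHOLD:
            findings.append({"line": new_line, "kind": "high_entropy_" + m.group("name")})
    return findings  # a pre-commit hook exits non-zero when this is non-empty
# Constructed diff; the AWS key is the placeholder from AWS's own docs, not real.
SAMPLE_DIFF = """\
--- a/settings.py
+++ b/settings.py
@@ -1,2 +1,4 @@
 import os
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "zT9#qL2vX8mWp4Rk"
 SECRET_KEY = os.environ["SECRET_KEY"]
"""
```

Running `scan_diff(SAMPLE_DIFF)` reports the key on line 2 and the high-entropy password on line 3, while the context line reading a secret from the environment is left alone.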

Slide 23

Bug bounty: Outsourcing your security testing
What is it? Paying strangers for accurate security reports
Examples of tools: HackerOne, BugCrowd, Yogosha
What risk does it mitigate? Vulnerabilities within live apps & APIs
How does it work? Hunters submit reports, you evaluate them, and pay them when appropriate
At GitGuardian…
What do we use? YesWeHack
How do we use it?
● Private bug bounty program since 2022
● All our APIs, and our CLI are in scope
Any other info?
● 120+ reports submitted
● 39 resolved reports
  ○ 0 reports with CVSS > 8
  ○ 3 reports with CVSS between 7 & 8
  ○ 36 reports with CVSS < 7

Slide 24

Secret rotation: The best thing since sliced bread
What is it? System that avoids static credentials
Examples of tools: HashiCorp Vault, Confidant, Infisical
What risk does it mitigate? Secret leaks
How does it work? Generates short-lived secrets on demand
At GitGuardian…
What do we use? HashiCorp Vault
How do we use it?
● Everywhere
  ○ AWS creds
  ○ DB creds
  ○ SSH creds
  ○ K8S creds
Any other info?
● Makes IAM much easier
● Incident response becomes so much easier

Slide 25

Base image hardening: If it doesn't spark joy, get rid of it
What is it? Remove unnecessary packages and attack surface
Examples of tools: Distroless, DockerSlim, Chisel
What risk does it mitigate? Vulnerabilities within the platform layer
How does it work? Container images with the bare minimum packages necessary to run your apps
At GitGuardian…
What do we use? Chainguard
How do we use it?
● To build our app base images
Any other info?
● We now ship 0 Critical & High CVE releases
● We monitor for this using daily Grype scans
  ○ Results available on Grafana

Slide 26

OWASP ASVS: A hidden gem
What is it? Application Security Verification Standard by OWASP, available on GitHub
232 control points in 14 chapters:
● Validation, sanitization & encoding
● Access control
● Stored cryptography
● Error handling and logging
● API & web services
● etc.
At GitGuardian…
What did we do? Full ASVS audit of our apps
Why did we do it?
● Much more thorough than any pentest
● Covers what automated tools cannot find
Any other info?
● Covers design, implementation and feature security
● Takes a lot of time to complete
● Worth every second

Slide 27

04 Boost your API's security
How-to guide

Slide 28

Boost your API's security quickly: focus on high value items

🔎 Run an ASVS audit
Some checks are specifically interesting for APIs (eg. IDOR, schema validation, etc.)
GitGuardian's advice:
➔ Don't hire external help for this
➔ You'll find design issues, race conditions, broken rate limiting, broken authorisation etc.
➔ Fixing them will take a while, that's ok

🏭 Boost your CI security
SCA, Secret Detection, SAST
GitGuardian's advice:
➔ Introduce security CI jobs to PR pipelines
➔ Allow failure, monitor failure rates, help engineers avoid them
➔ Make security checks blocking, then fix issues in the main branch

🧪 Invest in security testing
Deploy a DAST & a bug bounty program
GitGuardian's advice:
➔ Feed the DAST your OpenAPI file, fix findings
➔ A bug bounty program will cost you time and money, but will increase security testing coverage significantly

Slide 29

Thank you!