Tweet
Tweet

Slide 1

Slide 1 text

Security Automation in Software Delivery: A Rugged DevOps Pipeline Matt Konda @mkonda

Slide 2

Slide 2 text

Prereqs • Docker Toolbox • pipeline • docker pull owasp/pipeline:0.8.1 • A project to analyze

Slide 3

Slide 3 text

Introduction 1997 2006 2014 Consultant Engineer Software Architect Director of Engineering Rabble Rouser: Perl Java Applet C++ J2EE J2EE
 Spring Analytics Certificate Authority Vulnerability Scanner Penetration Test Manager Pricing Retail Banking Manufacturing Pharma Healthcare Research Ruby Rails Chicago BSides 2011, 2012 Defcon Skytalk OWASP Chicago, MSP 2013 AppSec USA 2012, 2013 ChicagoRuby 2013 Secure 360 Lone Star Ruby 2013 WindyCityRails 2013 Chicago JUG 2014 RailsConf 2014 Converge 2014 Chicago Coder Conference 2015 MS in CS Founder Consultant Agile Clojure Graph Database Trying to hack a business model that succeeds while helping developers. Domains: Projects: DevOps / Automation Training Coaching Code Review Plugged in to SDLC Consulting Assessments @mkonda [email protected] DevOps Growing

Slide 4

Slide 4 text

What do I do? • Bug bounty • Breaking • Mostly SDLC • Training • Automation

Slide 5

Slide 5 text

Overview • Quick overview of security tools • DevOps / Continuous Delivery & Rugged • Leveraging security automation where possible • Hands on with Pipeline for labs (time permitting)

Slide 6

Slide 6 text

No content

Slide 7

Slide 7 text

– http://training.jemurai.com/struts2-blank/ example/X.action?action:%25{3*4}

Slide 8

Slide 8 text

training.jemurai.com/struts2-showcase/ employee/save.action?redirect:%25{(new +java.lang.ProcessBuilder(new +java.lang.String[]{‘touch’,'/tmp/hi2'})).start()}

Slide 9

Slide 9 text

No content

Slide 10

Slide 10 text

metasploit + struts

Slide 11

Slide 11 text

Security Tools

Slide 12

Slide 12 text

Static Analysis

Slide 13

Slide 13 text

Static Analysis Live App Scanning

Slide 14

Slide 14 text

Static Analysis Live App Scanning Dynamic Analysis

Slide 15

Slide 15 text

Static Analysis Live App Scanning Dynamic Analysis Dependency Checks

Slide 16

Slide 16 text

Static Analysis Live App Scanning Dynamic Analysis Dependency Checks Web Application Firewall Runtime Security Monitoring IP Reputation Anti-Automation Penetration Testing

Slide 17

Slide 17 text

No content

Slide 18

Slide 18 text

B+ C B+ F D D F B A- C The items on the left are the OWASP Top 10. The grades are mine and are arbitrary. https://www.owasp.org/index.php/Top_10_2013-Top_10

Slide 19

Slide 19 text

No content

Slide 20

Slide 20 text

No content

Slide 21

Slide 21 text

There is no substitute for people with knowledge.

Slide 22

Slide 22 text

But we can help ourselves by leveraging tools.

Slide 23

Slide 23 text

We just have to be smart and flexible about it.

Slide 24

Slide 24 text

So let’s go a bit deeper

Slide 25

Slide 25 text

Find Security Bugs

Slide 26

Slide 26 text

No content

Slide 27

Slide 27 text

No content

Slide 28

Slide 28 text

No content

Slide 29

Slide 29 text

No content

Slide 30

Slide 30 text

No content

Slide 31

Slide 31 text

No content

Slide 32

Slide 32 text

No content

Slide 33

Slide 33 text

No content

Slide 34

Slide 34 text

OWASP Dependency Check

Slide 35

Slide 35 text

http://dl.bintray.com/jeremy-long/owasp/ dependency-check-1.2.11-release.zip

Slide 36

Slide 36 text

/bin/dependency-check.sh -a struts2-showcase -out /tmp/ -s / tomcat-root/struts2-showcase/

Slide 37

Slide 37 text

CVE-2014-0050 5.0 Medium CWE-264 Permissions, Privileges, and Access Controls MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions. BID http://www.securityfocus.com/bid/65400 65400 BUGTRAQ http://www.securityfocus.com/archive/1/archive/1/532549/100/0/threaded 20140625 NEW VMSA-2014-0007 - VMware product updates address security vulnerabilities in Apache Struts library BUGTRAQ http://www.securityfocus.com/archive/1/archive/1/534161/100/0/threaded 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities BUGTRAQ http://www.securityfocus.com/archive/1/archive/1/535181/100/0/threaded 20150402 NEW : VMSA-2015-0003 VMware product updates address critical information disclosure issue in JRE CONFIRM http://advisories.mageia.org/MGASA-2014-0110.html http://advisories.mageia.org/MGASA-2014-0110.html CONFIRM http://svn.apache.org/r1565143 http://svn.apache.org/r1565143 CONFIRM http://tomcat.apache.org/security-7.html http://tomcat.apache.org/security-7.html

Slide 38

Slide 38 text

CVE-2013-0248 3.3 Low CWE-264 Permissions, Privileges, and Access Controls The default configuration of javax.servlet.context.tempdir in Apache Commons FileUpload 1.0 through 1.2.2 uses the /tmp directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack. BUGTRAQ http://archives.neohapsis.com/archives/bugtraq/2013-03/0035.html 20130306 [SECURITY] CVE-2013-0248 Apache Commons FileUpload - Insecure examples OSVDB http://www.osvdb.org/90906 90906 cpe:/a:apache:commons_fileupload:1.0

Slide 39

Slide 39 text

CVE-2007-0185 5.0 Medium Getahead Direct Web Remoting (DWR) before 1.1.4 allows attackers to cause a denial of service (memory exhaustion and servlet outage) via unknown vectors related to a large number of calls in a batch. BID http://www.securityfocus.com/bid/21955 21955 CONFIRM http://getahead.ltd.uk/dwr/changelog http://getahead.ltd.uk/dwr/changelog OSVDB http://osvdb.org/32658 32658

Slide 40

Slide 40 text

CVE-2013-2251 9.3 High CWE-20 Improper Input Validation Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix. BID http://www.securityfocus.com/bid/64758 64758 This is the one that allowed me to metasploit myself.

Slide 41

Slide 41 text

Lab 1: Running Pipeline from Docker 1. docker-machine create --driver virtualbox default 2. eval $(docker-machine env default) 3. docker pull owasp/pipeline:0.8.1 4. docker run —rm owasp/pipeline:0.8.1 -h 5. docker run —rm owasp/pipeline:0.8.1 -t brakeman https://github.com/Jemurai/ triage.git

Slide 42

Slide 42 text

DevOps / Continuous Delivery

Slide 43

Slide 43 text

No content

Slide 44

Slide 44 text

Rugged

Slide 45

Slide 45 text

I recognize that software has become a foundation of our modern world. I recognize the awesome responsibility that comes with this foundational role. I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended. I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic and national security. I recognize these things – and I choose to be rugged.

Slide 46

Slide 46 text

I recognize that software has become a foundation of our modern world. I recognize the awesome responsibility that comes with this foundational role. I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended. I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic and national security. I recognize these things – and I choose to be rugged.

Slide 47

Slide 47 text

Understand lifecycle

Slide 48

Slide 48 text

Requirements Design Code Test Maintenance Classic Waterfall Delivery

Slide 49

Slide 49 text

Requirements Design Code Test Maintenance Classic Waterfall Delivery Security

Slide 50

Slide 50 text

continuous delivery

Slide 51

Slide 51 text

Classic security sees this and wants to …

Slide 52

Slide 52 text

continuous delivery

Slide 53

Slide 53 text

But we can embrace it.

Slide 54

Slide 54 text

Being able to deploy quickly is my #1 security feature. - Nick Galbreath

Slide 55

Slide 55 text

Think incremental

Slide 56

Slide 56 text

Story Continuous Delivery: The Unit of work is a story Requirements Design Code Test

Slide 57

Slide 57 text

Story Continuous Delivery: The Unit of Work is a Story Requirements Design Code Test Security Requirements Security Unit Tests Exploratory Testing Static Analysis on Commit Code Review Threat model / attack surface Checklists Understand Dependencies

Slide 58

Slide 58 text

continuous delivery Code Review Security Unit Tests Security Requirements

Slide 59

Slide 59 text

Automate security tools

Slide 60

Slide 60 text

continuous delivery Security Tool Automation: Code analysis Security unit tests Dynamic scanning etc.

Slide 61

Slide 61 text

continuous delivery Security Tests Run Exploratory Testing Includes Security

Slide 62

Slide 62 text

Lab 2: Running Pipeline on Your Project docker run —rm -v /Users/mk/code/loca:/tmp/target/ owasp/pipeline:0.8.1 \ -d \ -t owaspdependencycheck \ -f csv \ /tmp/target/ * Due to docker ease of setup, please use a directory within your home directory. It is possible to do this in other ways, but it requires further setup of shared folders in virtual box which we want to avoid for the purposes of this workshop.

Slide 63

Slide 63 text

Lab 2: Running Pipeline on Your Project 1. docker run —name pipe jemurai/ pipeline:0.8 2.docker exec -it pipe bash docker ps FIND YOUR IMAGE NAME * Due to docker ease of setup, please use a directory within your home directory. It is possible to do this in other ways, but it requires further setup of shared folders in virtual box which we want to avoid for the purposes of this workshop.

Slide 64

Slide 64 text

Lab 3: Getting into the Pipeline Docker Image 1. docker run -rm —i -t —entrypoint=/ bin/bash owasp/pipeline:0.8.1 2. cd lib 3. ../bin/pipeline -h Now you’re running from source. We can change anything …

Slide 65

Slide 65 text

Integrations

Slide 66

Slide 66 text

pre-commit

Slide 67

Slide 67 text

Lab 5: Running Pipeline on a Git Hook 1. Copy /hooks/pre-commit to your project in /.git/hooks 2. chmod +x pre-commit 3. Edit pre-commit to reflect your path and tools 4. Regular process: 1. Change a 2. git add 3. git commit -m “Testing”

Slide 68

Slide 68 text

No content

Slide 69

Slide 69 text

chat ops

Slide 70

Slide 70 text

No content

Slide 71

Slide 71 text

No content

Slide 72

Slide 72 text

https://github.com/OWASP/Owbot

Slide 73

Slide 73 text

Jenkins

Slide 74

Slide 74 text

No content

Slide 75

Slide 75 text

No content

Slide 76

Slide 76 text

No content

Slide 77

Slide 77 text

No content

Slide 78

Slide 78 text

No content

Slide 79

Slide 79 text

No content

Slide 80

Slide 80 text

No content

Slide 81

Slide 81 text

No content

Slide 82

Slide 82 text

No content

Slide 83

Slide 83 text

No content

Slide 84

Slide 84 text

Issue Tracking

Slide 85

Slide 85 text

Jira

Slide 86

Slide 86 text

Github (future)

Slide 87

Slide 87 text

Process images

Slide 88

Slide 88 text

spider docker registry

Slide 89

Slide 89 text

grab ami

Slide 90

Slide 90 text

Process chef, puppet, ansible config …

Slide 91

Slide 91 text

Custom Application

Slide 92

Slide 92 text

No content

Slide 93

Slide 93 text

No content

Slide 94

Slide 94 text

No content

Slide 95

Slide 95 text

No content

Slide 96

Slide 96 text

Chat + UI + Queue + Pipeline + Jenkins + JIRA

Slide 97

Slide 97 text

Case Study

Slide 98

Slide 98 text

Credit: Matt Tesauro at AppSecEU 2015 http://www.slideshare.net/mtesauro/mtesauro-keynote-appseceu

Slide 99

Slide 99 text

Pipeline Design

Slide 100

Slide 100 text

Overview • Pipeline is broken into different chunks to try to make it easy and straightforward to extend in expected ways. • These illustrate the challenges of security automation. Mounter Files Code Live Filter Reporter “Tasks”

Slide 101

Slide 101 text

No content

Slide 102

Slide 102 text

Mounter git repo, filesystem, iso, docker image

Slide 103

Slide 103 text

Mounter clamav hashdeep Files

Slide 104

Slide 104 text

Mounter brakeman, bundler-audit, owasp-dependency-check, secrets in source, retire.js, eslint/scan.js, nodesecurityproject. Files Code

Slide 105

Slide 105 text

Mounter Currently: ZAP Future: guantlt, etc. Files Code Live

Slide 106

Slide 106 text

Recap of “Tasks” • File: AV, FIM • Code: • Ruby/Rails: brakeman, bundler-audit • JavaScript: NodeSecurityProject, eslint, retire.js • Java: owasp-dependency-check • Checkmarx • Live: ZAP

Slide 107

Slide 107 text

Lab 4: Running JS Tools 1.docker run jemurai/pipeline:0.8 -t eslint https://github.com/OWASP/ NodeGoat.git Or interactively: 1.docker run -t -i —entrypoint=/bin/bash jemurai/pipeline:0.8 2.cd line/pipeline/lib 3.../bin/pipeline -t eslint https:// github.com/OWASP/NodeGoat.git Try: -t eslint,nodesecurityproject,retirejs

Slide 108

Slide 108 text

Here’s a secret…

Slide 109

Slide 109 text

I can’t tell you what’s going to work for you.

Slide 110

Slide 110 text

Mounter Prevents false positives in JIRA. Files Code Live Filter

Slide 111

Slide 111 text

Mounter Reports to JIRA, csv, json, text. Files Code Live Filter Reporter

Slide 112

Slide 112 text

How would you do tsv?

Slide 113

Slide 113 text

How would you do github?

Slide 114

Slide 114 text

Extension Points • Mounters: mount, supports? • Tasks: run, analyze, supported? • Filters: filter • Reporter: run_report Mounter Files Code Live Filter Reporter “Tasks”

Slide 115

Slide 115 text

Other Internals • Within “Tasks”, each of the files, code and app phases of the pipeline can be run selectively as stages. Mounter Files Code Live Filter Reporter “Tasks”

Slide 116

Slide 116 text

ruby bin/pipeline -l code (Code analysis) -d (Turn on debug) -f text (Output format) /area53/app/

Slide 117

Slide 117 text

ruby bin/pipeline -t brakeman (Tool) -d (Turn on debug) -f csv (Output format) /area53/app/

Slide 118

Slide 118 text

Lab 5: Adding a New Tool to Pipeline 1. docker run -i -t —entrypoint=/bin/ bash jemurai/pipeline:0.8 2. cd pipeline/lib/pipeline/tasks/ 3. cp bundler-audit.rb test.rb 4. Edit to always create a finding (or use the following example for grep) 5. cd /../../lib 6. …/bin/pipeline -t test /tmp/

Slide 119

Slide 119 text

Thank you.

Slide 120

Slide 120 text

References • https://github.com/owasp/pipeline • https://www.owasp.org/index.php/OWASP_AppSec_Pipeline • https://speakerdeck.com/garethr/maintaining-control-by-letting-go-security-and-devops • http://www.slideshare.net/nickgsuperstar/devopssec-apply-devops-principles-to-security • https://www.rsaconference.com/writable/presentations/file_upload/asd-t07r-continuous- security-5-ways-devops-improves-security.pdf • http://gotocon.com/goto-london-2015/ • http://gauntlt.org/ • https://github.com/PearsonEducation/bag-of-holding • https://www.ruggedsoftware.org/