Slide 1

A Practical Introduction to Minimum Secure Products

Rosemary Wang

Slide 2

A USER STORY

As a community member, I want to enter my email so that I can get a calendar invite for the Codemotion online tech conference.

Improve user experience!

Slide 3

A DEVELOPER STORY

As a developer, I want to deploy my application in two minutes so that I do not affect conference attendees watching the Codemotion online tech conference.

Improve developer experience!

Slide 4

EVERY STORY HAS A CONFLICT

[Diagram: Product Timeline]
• Stories: Story A-1, Story …, Story A-N, Go live! 🎉, Story B-1, Story B-2, Story B-3
• Bitcoin miner 😱: Rebuild Infrastructure
• Exposed user information 😱: Identify, Notify, and Remediate
• Vulnerability in logging library 😱: Remediate

Slide 5

ROSEMARY WANG

she/her
@joatmon08

Slide 6

REWRITE THE STORIES

Slide 7

SHIFT SECURITY LEFT

Slide 8

A USER STORY

As a community member, I want to securely enter my email so that I can get a calendar invite for the Codemotion online tech conference.

Secure user experience!

Slide 9

A DEVELOPER STORY

As a developer, I want to securely deploy my application in two minutes so that I do not affect conference attendees watching the Codemotion online tech conference.

Secure developer experience!

Slide 10

REWRITING THE STORY

[Diagram: Product Timeline]
• Stories, each marked Secure: Story A-1, Story …, Story A-N, Story B-1, Story B-2, Story B-3, Story B-4
• Go live! 🎉
• Vulnerability in logging library 😱: Remediate

Slide 11

WHAT IS THE MINIMUM SECURITY I SHOULD KNOW?

Slide 12

MINIMUM SECURE PRODUCT

The basic security requirements for any product (infrastructure, platform, software, delivery pipelines) that you deliver to production.

Slide 13

[Diagram: product layers]
• Delivery Pipelines: Automation, Runners
• Software: Applications, Serverless
• Platforms: Managed Services, Infrastructure

Slide 14

PLATFORMS

Infrastructure & Managed Services

Slide 15

INFRASTRUCTURE: THE MINIMUM

• If you have publicly accessible endpoints…
  ☐ Should they be publicly accessible from anywhere?
  ☐ Are they secured by certificates?
  ☐ Do they have access control or user authentication?
• If you have infrastructure storing data…
  ☐ Is it encrypted at rest?
  ☐ Is it encrypted in transit by TLS or keys?
• If you have secrets like usernames, passwords, or certificates…
  ☐ Are you storing them in a secrets manager instead of hard-coding them?
  ☐ Are they unique for each user or resource?
• If you have virtual machines or containers…
  ☐ Do they only use verified software that they need to run?
  ☐ Do they have any high vulnerabilities that someone can exploit?
• If you have network policies…
  ☐ Do they only allow access from specific endpoints?
  ☐ Which ones allow access from anywhere?
• If you have users or services accessing your infrastructure provider…
  ☐ Do you restrict them to the services or resources they require?
  ☐ Are you logging user and machine identities accessing the services?
• If you are using infrastructure as code…
  ☐ Does your configuration use secure defaults?
  ☐ Are you verifying their checksums and signatures?
  ☐ Have you reviewed any 3rd party modules or dependencies for security issues (e.g., making unauthorized external calls)?
  ☐ Can you reproduce a copy of your infrastructure in case of a security incident?

Slide 16

MANAGED SERVICES: THE MINIMUM

☐ Can you restrict your network policies to its endpoint(s)?
☐ Can you set up user or service authentication and access control?
☐ Can you retrieve its audit logs?
☐ Do you know how the managed service remediates vulnerabilities?
☐ Can you reproduce a copy of your managed service configuration in case of a security incident?

Slide 17

PLATFORM: THE LATER STAGE

[Diagram: Infrastructure & Managed Services. Labels, in the order they appear:]
Secure Infrastructure Configuration; Configuration Scanning; Private Endpoints as Default; Encryption; Data; Services (mTLS); Secrets Management; Auditing; Access Logs; Load Balancers; Web Servers; Infrastructure API Access; Resource Monitoring; Machine Processes; Resource Usage; Least Privilege Access Control; Infrastructure Resource to Infrastructure API; Identity & Access Management; Network Policy; Firewall / Security Group Rules; Engineer to Infrastructure Resource / API; Identity & Access Management; Secure Access Management; VPN; Secure Machine Configuration; User Privileges; Vulnerability Scanning; Virtual Machines; Containers; Security Hardening

Slide 18

RESOURCES

• National Checklist Program by U.S. NIST (https://ncp.nist.gov/)
• Policy as code tools for infrastructure as code (https://github.com/joatmon08/tdd-infrastructure#policy-as-code-with-security-scanning)

Slide 19

SOFTWARE

Applications, Serverless, & More

Slide 20

SOFTWARE: THE MINIMUM

• If your code accesses another service (e.g., database, queue, application)…
  ☐ Does it only have least-privilege access to the services it needs?
  ☐ Does it authenticate to the service with a unique set of credentials?
• If your code processes data...
  ☐ Does it mask or omit personally identifiable information?
  ☐ Does it encrypt the data (using keys and TLS)?
  ☐ Can you track transactions or failed logins with logs or metrics?
• If you are using 3rd party dependencies…
  ☐ Are you verifying their checksums and signatures?
  ☐ Have you scanned them for potential security issues (e.g., making unauthorized external calls)?
  ☐ Are the dependencies updated and pinned to a version?
☐ Is your code secured by authentication?
☐ Did you do static application security testing (SAST) on your code?
☐ Did you do dynamic application security testing (DAST) on your code?

Slide 21

SOFTWARE: THE LATER STAGE

[Diagram: Software. Labels, in the order they appear:]
Secure Code; Static Application Security Testing; Dynamic Application Security Testing; Verify 3rd Party Dependencies; Data; Personal Identifying Information (PII); Encryption; Mask / Omit; TLS; Secrets Management; Auditing; Application Logs; Transactions; Events; Application Monitoring; Least Privilege Access Control; Application to Application; Identity & Access Management; API Authorization; User to Application; Authentication; TLS; Engineer to Application; Identity & Access Management; Secure Access Management; VPN; Secure Deployment; Network Policy; Web Application Firewalls (WAFs); Traffic Management; DDoS Protection

Slide 22

RESOURCES

• OWASP Top Ten (https://owasp.org/www-project-top-ten/)
• OWASP Mobile Security Testing Guide (https://owasp.org/www-project-mobile-security-testing-guide/)
• OWASP Zed Attack Proxy (ZAP) (https://www.zaproxy.org/)

Slide 23

DELIVERY PIPELINES

Automation, Runners, and Supply Chain

Slide 24

DELIVERY PIPELINES: THE MINIMUM

• If you use credentials in your delivery pipelines…
  ☐ Can you easily rotate them if they are compromised?
  ☐ Are they masked or omitted from pipeline outputs?
  ☐ Does your pipeline use separate credentials for production deployment?
• If you use a managed continuous integration framework…
  ☐ Did you restrict access to your application and infrastructure to its known public endpoints?
  ☐ Does it have access control to check authorized users for debugging or troubleshooting pipelines?
• If you use pipelines as code…
  ☐ Do you control changes to pipeline configurations through version control?
  ☐ Does your pipeline have stages that require remote code execution?
  ☐ Do you scan and verify the 3rd party pipeline plugins you use?
• If you have standard stages in your pipeline…
  ☐ Do you have a security testing stage before you release?
  ☐ Do you have a signing or verification stage before you release an artifact?
  ☐ Do you keep a history of pipeline runs for auditing?

Slide 25

DELIVERY PIPELINES: THE LATER STAGE

[Diagram: Software. Labels, in the order they appear:]
Secure Pipeline Configuration; Test Configuration; Standardize Stages; Security Testing; Release Signing & Verification; Secrets Management; Mask / Omit in Output; Auditing; Pipeline Runs; Least Privilege Access Control; Pipeline to Platform/Applications; Identity & Access Management; Network Policy; Engineer to Pipeline; Identity & Access Management; Secure Access Management; VPN

Slide 26

RESOURCES

• An Overview of Securing CI/CD Pipelines (https://youtu.be/Ljof-WI0C8I)
• OWASP Pipeline Tools (https://owasp.org/www-project-appsec-pipeline/pipeline-tools)

Slide 27

SO MANY REQUIREMENTS…

Slide 28

AUTOMATE WITH TESTS

STATIC ANALYSIS
• Configuration or code in version control
• Does not require active resources
• Can be tested before production deployment
• i.e., Unit tests

DYNAMIC ANALYSIS
• Running code or infrastructure resources
• Requires active resources
• Can be tested in a non-production environment
• i.e., Integration tests
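An added example, not from the original slides: a static-analysis unit test that needs no running resources and checks three items from the infrastructure minimum (network policies open to anywhere, encryption at rest, hard-coded secrets). The resource format, field names, and public allowlist are assumptions constructed for illustration, not a real infrastructure-as-code schema.

```python
# Constructed sample data: a simplified, hypothetical resource list standing in
# for configuration parsed from version control.
RESOURCES = [
    {"type": "firewall_rule", "name": "web", "ingress_cidrs": ["0.0.0.0/0"], "port": 443},
    {"type": "firewall_rule", "name": "ssh", "ingress_cidrs": ["0.0.0.0/0"], "port": 22},
    {"type": "firewall_rule", "name": "db", "ingress_cidrs": ["10.0.1.0/24"], "port": 5432},
    {"type": "database", "name": "attendees", "encrypted_at_rest": False,
     "password": "hunter2"},  # literal secret (constructed value)
    {"type": "database", "name": "invites", "encrypted_at_rest": True,
     "password": {"secret_ref": "secrets-manager/invites/db"}},
]

SECRET_KEYS = {"password", "token", "api_key", "private_key"}
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}
# Rules reviewed and intended to be reachable from anywhere (assumption).
PUBLIC_ALLOWLIST = {"web"}


def check_network(res):
    """Flag network rules that allow access from anywhere unless allowlisted."""
    if res["type"] != "firewall_rule" or res["name"] in PUBLIC_ALLOWLIST:
        return []
    return [f"{res['name']}: ingress open to {cidr}"
            for cidr in res.get("ingress_cidrs", []) if cidr in OPEN_CIDRS]


def check_encryption(res):
    """Flag data stores that are not encrypted at rest (missing counts as off)."""
    if res["type"] == "database" and not res.get("encrypted_at_rest", False):
        return [f"{res['name']}: not encrypted at rest"]
    return []


def check_secrets(res):
    """Flag secret fields holding a literal string instead of a reference."""
    return [f"{res['name']}: hard-coded {key}"
            for key in sorted(res.keys() & SECRET_KEYS)
            if isinstance(res[key], str)]


def scan(resources):
    """Run every check over every resource and collect the findings in order."""
    findings = []
    for res in resources:
        for check in (check_network, check_encryption, check_secrets):
            findings.extend(check(res))
    return findings


if __name__ == "__main__":
    for finding in scan(RESOURCES):
        print("FAIL", finding)
```

Run as a pipeline stage before deployment, a non-empty result from `scan` fails the build.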

Slide 29

AUTOMATE WITH TESTS

[Diagram]
• Static Analysis (Unit Tests)
• Dynamic Analysis:
  • Test Runtime Analysis (Integration tests)
  • Production Runtime Analysis (Remediation)

Slide 30

[Diagram: quadrants]
• Unknown knowns (siloed knowledge)
• Known knowns (testing)
• Unknown knowns (observability)
• Known unknowns (monitoring)

Convert unknown knowns to testing, observability, or monitoring.

Slide 31

SUMMARY

• Rewrite stories with minimum security requirements.
• Learn from your community.
• Contribute your security knowledge.
• Always be securing.

Slide 32

THANK YOU!

Rosemary Wang
joatmon08.github.io/03_speaking.html