Rosemary Wang A Practical Introduction to Minimum Secure Products

A USER STORY As a community member, I want to enter my email so that I can get a calendar invite for the Codemotion online tech conference. Improve user experience! 2

A DEVELOPER STORY As a developer, I want to deploy my application in two minutes so that I do not affect conference attendees watching the Codemotion online tech conference. Improve developer experience! 3

EVERY STORY HAS A CONFLICT Story A-1 Product Timeline Story … Story A-N Go live! 🎉 Story B-1 Bitcoin miner 😱 Rebuild Infrastructure Exposed user information 😱 Identify, Notify, and Remediate Story B-2 Story B-3 Remediate Vulnerability in logging library 😱 4

ROSEMARY WANG she/her @joatmon08 5

REWRITE THE STORIES 6

SHIFT SECURITY LEFT 7

A USER STORY As a community member, I want to securely enter my email so that I can get a calendar invite for the Codemotion online tech conference. Secure user experience! 8

A DEVELOPER STORY As a developer, I want to securely deploy my application in two minutes so that I do not affect conference attendees watching the Codemotion online tech conference. Secure developer experience! 9

REWRITING THE STORY Product Timeline Go live! 🎉 Story A-1 Secure Remediate Vulnerability in logging library 😱 10 Story … Secure Story A-N Secure Story B-1 Secure Story B-2 Secure Story B-3 Secure Story B-4 Secure

WHAT IS THE MINIMUM SECURITY I SHOULD KNOW? 11

MINIMUM SECURE PRODUCT The basic security requirements for any product (infrastructure, platform, software, delivery pipelines) that you deliver to production. 12

Delivery Pipelines Automation Runners Software Applications Serverless Platforms Managed Services Infrastructure 13

PLATFORMS Infrastructure & Managed Services 14

INFRASTRUCTURE: THE MINIMUM • If you have publicly accessible endpoints… q Should they be publicly accessible from anywhere? q Are they secured by certificates? q Do they have access control or user authentication? • If you have infrastructure storing data… q Is it encrypted at rest? q Is it encrypted in transit by TLS or keys? • If you have secrets like usernames, passwords, or certificates… q Are you storing them in a secrets manager instead of hard-coding them? q Are they unique for each user or resource? • If you have virtual machines or containers… q Do they only use verified software that they need to run? q Do they have any high vulnerabilities that someone can exploit? • If you have network policies… q Do they only allow access from specific endpoints? q Which ones allow access from anywhere? • If you have users or services accessing your infrastructure provider… q Do you restrict them to the services or resources they require? q Are you logging user and machine identities accessing the services? • If you are using infrastructure as code… q Does your configuration use secure defaults? q Are you verifying their checksums and signatures? q Have you reviewed any 3rd party modules or dependencies for security issues (e.g., making unauthorized external calls)? q Can you reproduce a copy of your infrastructure in case of a security incident? 15

MANAGED SERVICES: THE MINIMUM qCan you restrict your network policies to its endpoint(s)? qCan you set up user or service authentication and access control? qCan you retrieve its audit logs? qDo you know how the managed service remediates vulnerabilities? qCan you reproduce a copy of your managed service configuration in case of a security incident? 16

Infrastructure & Managed Services Secure Infrastructure Configuration Configuration Scanning Private Endpoints as Default Encryption Data Services (mTLS) Secrets Management Auditing Access Logs Load Balancers Web Servers Infrastructure API Access Resource Monitoring Machine Processes Resource Usage Least Privilege Access Control Infrastructure Resource to Infrastructure API Identity & Access Management Network Policy Firewall / Security Group Rules Engineer to Infrastructure Resource / API Identity & Access Management Secure Access Management VPN Secure Machine Configuration User Privileges Vulnerability Scanning Virtual Machines Containers Security Hardening PLATFORM: THE LATER STAGE 17

RESOURCES • National Checklist Program by U.S. NIST (https://ncp.nist.gov/) • Policy as code tools for infrastructure as code (https://github.com/joatmon08/tdd-infrastructure#policy-as-code-with- security-scanning) 18

SOFTWARE Applications, Serverless, & More 19

SOFTWARE: THE MINIMUM • If your code accesses another service (e.g., database, queue, application)… q Does it only have least-privilege access to the services it needs? q Does it authenticate to the service with a unique set of credentials? • If your code processes data... q Does it mask or omit personally identifiable information? q Does it encrypt the data (using keys and TLS)? q Can you track transactions or failed logins with logs or metrics? • If you are using 3rd party dependencies… q Are you verifying their checksums and signatures? q Have you scanned them for potential security issues (e.g., making unauthorized external calls)? q Are the dependencies updated and pinned to a version? q Is your code secured by authentication? q Did you do static application security testing (SAST) on your code? q Did you do dynamic application security testing (DAST) on your code? 20

Software Secure Code Static Application Security Testing Dynamic Application Security Testing Verify 3rd Party Dependencies Data Personal Identifying Information (PII) Encryption Mask / Omit TLS Secrets Management Auditing Application Logs Transactions Events Application Monitoring Least Privilege Access Control Application to Application Identity & Access Management API Authorization User to Application Authentication TLS Engineer to Application Identity & Access Management Secure Access Management VPN Secure Deployment Network Policy Web Application Firewalls (WAFs) Traffic Management DDoS Protection SOFTWARE: THE LATER STAGE 21

RESOURCES • OWASP Top Ten (https://owasp.org/www-project-top-ten/) • OWASP Mobile Security Testing Guide (https://owasp.org/www-project- mobile-security-testing-guide/) • OWASP Zed Attack Proxy (ZAP) (https://www.zaproxy.org/) 22

DELIVERY PIPELINES Automation, Runners, and Supply Chain 23

DELIVERY PIPELINES: THE MINIMUM • If you use credentials in your delivery pipelines… q Can you easily rotate them if they are compromised? q Are they masked or omitted from pipeline outputs? q Does your pipeline use separate credentials for production deployment? • If you use a managed continuous integration framework… q Did you restrict access to your application and infrastructure to its known public endpoints? q Does it have access control to check authorized users for debugging or troubleshooting pipelines? • If you use pipelines as code… q Do you control changes to pipeline configurations through version control? q Does your pipeline have stages that require remote code execution? q Do you scan and verify use 3rd party pipeline plugins? • If you have standard stages in your pipeline… q Do you have a security testing stage before you release? q Do you have a signing or verification stage before you release an artifact? q Do you keep a history of pipeline runs for auditing? 24

Software Secure Pipeline Configuration Test Configuration Standardize Stages Security Testing Release Signing & Verification Secrets Management Mask / Omit in Output Auditing Pipeline Runs Least Privilege Access Control Pipeline to Platform/Applications Identity & Access Management Network Policy Engineer to Pipeline Identity & Access Management Secure Access Management VPN DELIVERY PIPELINES: THE LATER STAGE 25

RESOURCES • An Overview of Securing CI/CD Pipelines (https://youtu.be/Ljof-WI0C8I) • OWASP Pipeline Tools (https://owasp.org/www-project-appsec- pipeline/pipeline-tools) 26

SO MANY REQUIREMENTS… 27

• Running code or infrastructure resources • Requires active resources • Can be tested in a non-production environment • i.e., Integration tests DYNAMIC ANALYSIS AUTOMATE WITH TESTS 28 STATIC ANALYSIS • Configuration or code in version control • Does not require active resources • Can be tested before production deployment • i.e., Unit tests

AUTOMATE WITH TESTS Static Analysis (Unit Tests) Test Runtime Analysis (Integration tests) Production Runtime Analysis (Remediation) 29 Dynamic Analysis

30 Unknown knowns (siloed knowledge) Known knowns (testing) Unknown knowns (observability) Known unknowns (monitoring) Convert unknown knowns to testing, observability, or monitoring.

SUMMARY • Rewrite stories with minimum security requirements. • Learn from your community. • Contribute your security knowledge. • Always be securing. 31

THANK YOU! Rosemary Wang joatmon08.github.io/03_speaking.html