Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Defensive team – who are security engineers and how they help teams to develop secure applications

vixentael
December 13, 2018

Defensive team – who are security engineers and how they help teams to develop secure applications

Who is a blue team and how they prevent business risks against company assets? What is secure development, secure architecture, secure coding? A lecture for Women in Appsec community and infosec students.

vixentael

December 13, 2018
Tweet

More Decks by vixentael

Other Decks in Technology

Transcript

  1. Blue teams
    security engineering
    @vixentael

    View full-size slide

  2. @vixentael
    Product Engineer
    github.com/vixentael/
    my-talks
    cryptographic software,
    security consulting,
    developers training

    View full-size slide

  3. Real risk
    Compliance

    demands
    1999
    @vixentael

    View full-size slide

  4. Business Risk
    Compliance

    demands
    2018
    @vixentael

    View full-size slide

  5. “Bad security” leads to
    reputation risks (Equifax)
    legal responsibility (GDPR, HIPAA, PCI DSS)
    operations (Google, Facebook)
    https://www.cossacklabs.com/blog/gdpr-for-engineers.html
    competitors advantage
    @vixentael

    View full-size slide

  6. financial damage

    “Bad security” leads to
    @vixentael

    View full-size slide

  7. twitter.com/c_pellegrino/status/981409466242486272 @vixentael
    @vixentael

    View full-size slide

  8. @vixentael
    twitter.com/c_pellegrino/status/981409466242486272 @vixentael

    View full-size slide

  9. @vixentael
    twitter.com/c_pellegrino/status/981409466242486272 @vixentael

    View full-size slide

  10. mln records
    0
    200
    400
    600
    800
    1,000
    February March April May June July August September
    https://www.itgovernance.co.uk/blog/category/cyber-security/
    Million of records leaked per month
    @vixentael

    View full-size slide

  11. mln records
    0
    200
    400
    600
    800
    1,000
    February March April May June July August September
    https://www.itgovernance.co.uk/blog/category/cyber-security/
    Million of records leaked per month
    @vixentael

    View full-size slide

  12. financial damage

    “Bad security” leads to






    @vixentael

    View full-size slide

  13. Proactive vs reactive
    Secure Development

    Secure Architecture

    Secure Operations

    Processes
    Pentests / Audits

    Compliance

    Incident Response
    @vixentael

    View full-size slide

  14. Blue team
    The Security Stakeholder

    (defining the what and what not)
    The Evangelist
    (raising the bar)
    The Security Expert
    (helping with the how)
    Security Automation
    (continuous security)
    Incident response,
    investigations and
    forensics
    https://xebia.com/blog/being-an-agile-security-officer/
    @vixentael

    View full-size slide

  15. prevent business risks
    against company assets
    Blue team
    @vixentael

    View full-size slide

  16. Assets we protect
    1. Sensitive data

    2. Encryption keys

    3. Credentials

    4. Technical credentials

    5. ACL

    6. Systems and nodes
    @vixentael

    View full-size slide

  17. @vixentael
    is any kind of data, that will break
    business objectives or prosperity of
    those who use data, if leaked.
    Sensitive data –
    @vixentael

    View full-size slide

  18. Confidentiality
    Integrity
    Availability
    CIA triad
    @vixentael

    View full-size slide

  19. Processes we protect
    Continuity

    Capacity

    Availability
    } Component security

    Technical assets security

    SRE practices
    @vixentael

    View full-size slide

  20. Business risk is the possibility a company
    will have lower than anticipated profits or
    experience a loss rather than taking a profit.
    @vixentael

    View full-size slide

  21. Risks
    - unauthorized access
    - use
    - disclosure
    - disruption
    - modification
    - inspection
    - recording
    - destruction
    - Strategic risks
    - Operational risks
    - Reputational risks
    - Compliance risks
    @vixentael

    View full-size slide

  22. Risks
    Can’t we just
    fix all the bugs?
    - unauthorized access
    - use
    - disclosure
    - disruption
    - modification
    - inspection
    - recording
    - destruction
    @vixentael

    View full-size slide

  23. Secret of pragmatic security
    1. Focus on real risks
    2. Prioritize:
    - impact
    - probability
    @vixentael

    View full-size slide

  24. InfoSec processes
    - Planning: Risk assessment
    - Building:
    - Secure Software Development
    - Infrastructure security
    - Doing:
    - Compliance / certification
    - Security verification (audit, pentests, appsec)
    - Operations / processes
    @vixentael

    View full-size slide

  25. InfoSec processes
    - Planning: Risk assessment
    - Building:
    - Secure Software Development
    - Infrastructure security
    - Doing:
    - Compliance / certification
    - Security verification (audit, pentests, appsec)
    - Operations / processes
    @vixentael

    View full-size slide

  26. Secure development,
    secure architecture,
    secure coding

    View full-size slide

  27. Secure software development
    lifecycle methodology
    MS SDL OWASP S-SDLC
    www.microsoft.com/en-us/sdl www.owasp.org/index.php/
    OWASP_Secure_Software_Development_
    Lifecycle_Project
    @vixentael

    View full-size slide

  28. SSDLC
    -distills common sense from experience

    of building secure software.

    -prescribes methodologies which covers 

    most risks in most cases.

    -is a good start.
    @vixentael

    View full-size slide

  29. Risk evaluation
    Risk assessment
    Threat model
    Security plan
    Secure coding
    Security verification
    Secure operations
    SSDLC
    Response
    @vixentael

    View full-size slide

  30. Risk evaluation
    Risk assessment
    Threat model
    Security plan
    Secure coding
    Security verification
    Secure operations
    SSDLC
    Response
    Requirements
    Design/architecture
    Development
    Testing
    Operations
    @vixentael

    View full-size slide

  31. Secure architecture
    prevents the infosec-related business risks in a
    consistent, pre-designed structure that corresponds
    to the business goals.
    @vixentael

    View full-size slide

  32. Addressing security risks at
    architecture level
    1. Designing systems that focus on preventing risks
    instead of focusing on preventing vulnerabilities.

    2. Implement security in cost-efficient, maintainable
    and verifiable way.
    @vixentael

    View full-size slide

  33. Trust
    1. System’s trust is equal to trust to the weakest link.

    2. Good architecture allocates trust appropriate to
    practical constraints.
    @vixentael

    View full-size slide

  34. perimeter firewall access control
    internal

    network
    Trust
    authentication
    internal access
    control
    access/key
    management
    configuration
    management
    code encryption node security
    @vixentael

    View full-size slide

  35. Threats
    Threats are technical opportunities to materialize
    business risk in chosen architectures.

    Combined with actual trust and position of weak
    components they create attack vectors.
    @vixentael

    View full-size slide

  36. Attack surface
    – the combination of nodes, processes and
    applications that need to be compromised for
    damage to be done.
    Attack surface is created by components that open
    potential opportunity to inflict damage and materialize
    business risk, along with their risk level.
    @vixentael

    View full-size slide

  37. Managing attack surface
    Goal of security architecture is appropriate management
    of attack surface:
    observability
    minimization
    control
    attack surface @vixentael

    View full-size slide

  38. data
    Defense in depth
    encryption
    authorization
    authentication /
    access control
    @vixentael

    View full-size slide

  39. Bottom-up vs top-down
    maintain
    analyze risks,

    security plan
    SSDLC
    iterate
    find weakest part
    fix
    @vixentael

    View full-size slide

  40. @vixentael
    Secure Development –
    a process of choosing and
    implementing security controls
    appropriate to business risks.
    @vixentael

    View full-size slide

  41. Security controls
    Proactive: 

    - prevent risk
    Reactive: 

    - detect incident

    - correct / limit damage
    Physical
    Procedural
    Technical
    Legal
    @vixentael

    View full-size slide

  42. Proactive + Reactive
    Data security
    Application security
    Infrastructure security
    Monitoring
    Intrusion detection
    Vulnerability management
    @vixentael

    View full-size slide

  43. Proactive controls
    Data security encryption
    Access security authentication, firewalls, OS
    Node security
    firewalls, compartmentalization,
    OS
    @vixentael

    View full-size slide

  44. Data security
    integrity checks,
    authenticated crypto
    Access security honeypots, access logging
    Node security IDS, monitoring
    Reactive controls: detect
    @vixentael

    View full-size slide

  45. Data security key management, backups
    Access security credential management, jailbans
    Node security infrastructural management
    Reactive controls: limit damage
    @vixentael

    View full-size slide

  46. 1. Identify sensitive data, understand sensitive data
    lifecycle, classify data.
    2. Identify risks to data.
    3. Build trust model, understand risk impact.
    4. Prioritize risk vectors.
    5. Select and implement proper security controls for
    exploitable high risk vectors (to prevent risks and to
    identify leaks).
    Data protection 101
    @vixentael

    View full-size slide

  47. Encryption libraries should
    ★ use strong & audited crypto

    ★ work everywhere

    ★ hide cryptographic details

    ★ be hard to mis-use

    ★ have integration with key storage
    @vixentael

    View full-size slide

  48. ciphers
    abstraction
    level
    complexity
    libraries
    suites
    @vixentael
    Encryption libraries

    View full-size slide

  49. libsodium
    themis
    tink
    @vixentael
    3DES AES-256-GCM
    Salsa20 ChaCha
    ZeroKit
    Hermes
    Vault
    Ciphers
    libraries
    Suites
    Acra

    View full-size slide

  50. @vixentael
    Core principles
    Principle of least privilege.

    “Secure by default”.

    Compartmentalization.

    Access separation.

    Echelonization.

    Defense in depth, security measures escalate with sensitivity/risk.

    Independent defences.

    No single point of security failure.
    @vixentael

    View full-size slide

  51. @vixentael
    Core principles
    Balance security with usability.
    Break usability too much - security control will be overridden or broken.

    Log everything.

    Or be like ¯\_(ツ)_/¯ when things go bad.

    Have a contingency plan.
    Nobody is perfect. Have incident reaction plan from day 0.
    @vixentael

    View full-size slide

  52. Ensuring security
    Monitoring
    Automated

    security testing
    Automated

    security verification
    Security-conscious SLOs and metrics

    IDS

    SIEM
    Security-centric tests

    SAST / DAST

    Dependency monitoring
    Automated vulnerability
    scanning

    Automated OSINT
    @vixentael

    View full-size slide

  53. Problems with implementing
    security practices
    control override, angry users

    performance penalty

    additional operations

    lost access
    Usability vs security:

    Performance vs security:

    Maintainability vs security:

    Reliability vs security:
    @vixentael

    View full-size slide

  54. #owaspkyiv @vixentael

    View full-size slide

  55. Home reading
    https://github.com/forter/security-101-for-saas-startups/blob/english/security.md
    Organization security for startups
    https://medium.com/@kshortridge/security-as-a-product-83a78c45ca27
    Security as a Product
    https://www.cossacklabs.com/blog/hiring-external-security-team.html
    Hiring External Security Team: What You Need To Know
    https://www.cossacklabs.com/blog/what-we-need-to-encrypt-cheatsheet.html
    What Do We Really Need To Encrypt. Cheatsheet

    View full-size slide

  56. Community
    https://github.com/sapran/Ukraine-infosec-conferences
    Ukrainian security events
    BSides, OWASP, UISGCon, NoNameCon, WIA, WWCode Kyiv
    – search in Facebook

    View full-size slide

  57. @vixentael
    Product Engineer
    github.com/vixentael/
    my-talks
    cryptographic software,
    security consulting,
    developers training

    View full-size slide