Defensive team – who are security engineers and how they help teams to develop secure applications

vixentael
December 13, 2018


Who is the blue team, and how does it prevent business risks to company assets? What are secure development, secure architecture and secure coding? A lecture for the Women in Appsec community and infosec students.


Transcript

  1. Slide 3 (no transcribed text).
  2. Slide 6. “Bad security” leads to: reputation risks (Equifax); legal responsibility (GDPR, HIPAA, PCI DSS); operations (Google, Facebook); competitors' advantage. See https://www.cossacklabs.com/blog/gdpr-for-engineers.html
  3. Slide 11. Chart: millions of records leaked per month, February to September (y-axis 0 to 1,000 mln records). Source: https://www.itgovernance.co.uk/blog/category/cyber-security/
  4. Slide 12. The same chart as slide 11.
  5. Slide 14 (no transcribed text).
  6. Slide 15. Proactive vs reactive: Secure Development, Secure Architecture, Secure Operations, Processes, Pentests / Audits, Compliance, Incident Response.
  7. Slide 16. Blue team roles: The Security Stakeholder (defining the what and what not); The Evangelist (raising the bar); The Security Expert (helping with the how); Security Automation (continuous security); Incident response, investigations and forensics. Source: https://xebia.com/blog/being-an-agile-security-officer/
  8. Slide 17 (no transcribed text).
  9. Slide 18 (no transcribed text).
  10. Slide 19 (no transcribed text).
  11. Slide 21. Assets we protect: 1. Sensitive data. 2. Encryption keys. 3. Credentials. 4. Technical credentials. 5. ACL. 6. Systems and nodes.
  12. Slide 22. Sensitive data – any kind of data that, if leaked, will break the business objectives or the prosperity of those who use it.
  13. Slide 25. Business risk is the possibility that a company will have lower than anticipated profits or experience a loss rather than taking a profit.
  14. Slide 26. Risks: unauthorized access, use, disclosure, disruption, modification, inspection, recording, destruction. Risk categories: strategic risks, operational risks, reputational risks, compliance risks.
  15. Slide 27. Risks. Can’t we just fix all the bugs? Unauthorized access, use, disclosure, disruption, modification, inspection, recording, destruction.
  16. Slide 28. The secret of pragmatic security: 1. Focus on real risks. 2. Prioritize by impact and probability.
  17. Slide 29. InfoSec processes. Planning: Risk assessment. Building: Secure Software Development; Infrastructure security. Doing: Compliance / certification; Security verification (audit, pentests, appsec); Operations / processes.
  18. Slide 30. The same list as slide 29.
  19. Slide 32. Secure software development lifecycle methodologies: MS SDL (www.microsoft.com/en-us/sdl) and OWASP S-SDLC (www.owasp.org/index.php/OWASP_Secure_Software_Development_Lifecycle_Project).
  20. Slide 33. SSDLC distills common sense from the experience of building secure software; prescribes methodologies which cover most risks in most cases; is a good start.
  21. Slide 34. SSDLC: Risk evaluation, Risk assessment, Threat model, Security plan, Secure coding, Security verification, Secure operations, Response.
  22. Slide 35. The same SSDLC activities laid over the lifecycle phases: Requirements, Design/architecture, Development, Testing, Operations.
  23. Slide 36. Secure architecture prevents infosec-related business risks through a consistent, pre-designed structure that corresponds to the business goals.
  24. Slide 37. Addressing security risks at the architecture level: 1. Design systems that focus on preventing risks instead of on preventing vulnerabilities. 2. Implement security in a cost-efficient, maintainable and verifiable way.
  25. Slide 38. Trust: 1. A system’s trust is equal to the trust in its weakest link. 2. Good architecture allocates trust appropriate to practical constraints.
  26. Slide 39. Trust (diagram): perimeter firewall, access control, internal network, authentication, internal access control, access/key management, configuration management, code, encryption, node security.
  27. Slide 40. Threats are technical opportunities to materialize business risk in the chosen architecture. Combined with the actual trust and the position of weak components, they create attack vectors.
  28. Slide 41. Attack surface – the combination of nodes, processes and applications that need to be compromised for damage to be done. The attack surface is created by the components that open a potential opportunity to inflict damage and materialize business risk, along with their risk level.
  29. Slide 42. Managing the attack surface. The goal of security architecture is appropriate management of the attack surface: observability, minimization, control.
  30. Slide 45. Secure Development – a process of choosing and implementing security controls appropriate to business risks.
  31. Slide 46. Security controls. Proactive: prevent risk. Reactive: detect incident; correct / limit damage. Kinds of controls: physical, procedural, technical, legal.
  32. Slide 47 (no transcribed text).
  33. Slide 48. Proactive controls. Data security: encryption. Access security: authentication, firewalls, OS. Node security: firewalls, compartmentalization, OS.
  34. Slide 49. Reactive controls: detect. Data security: integrity checks, authenticated crypto. Access security: honeypots, access logging. Node security: IDS, monitoring.
  35. Slide 50. Reactive controls: limit damage. Data security: key management, backups. Access security: credential management, jailbans. Node security: infrastructural management.
  36. Slide 51. Data protection 101: 1. Identify sensitive data, understand the sensitive data lifecycle, classify data. 2. Identify risks to data. 3. Build a trust model, understand risk impact. 4. Prioritize risk vectors. 5. Select and implement proper security controls for exploitable high-risk vectors (to prevent risks and to identify leaks).
  37. Slide 52. Encryption libraries should: ★ use strong & audited crypto ★ work everywhere ★ hide cryptographic details ★ be hard to misuse ★ integrate with key storage.
  38. Slide 56. Core principles: Principle of least privilege. “Secure by default”. Compartmentalization. Access separation. Echelonization. Defense in depth: security measures escalate with sensitivity/risk. Independent defences. No single point of security failure.
  39. Slide 57. Core principles (continued): Balance security with usability; break usability too much and the security control will be overridden or broken. Log everything, or be like ¯\_(ツ)_/¯ when things go bad. Have a contingency plan; nobody is perfect. Have an incident reaction plan from day 0.
  40. Slide 58. Ensuring security: Monitoring, Automated security testing, Automated security verification. Practices and tools: Security-conscious SLOs and metrics, IDS, SIEM, Security-centric tests, SAST / DAST, Dependency monitoring, Automated vulnerability scanning, Automated OSINT.
  41. Slide 59. Problems with implementing security practices. Usability vs security: control override, angry users. Performance vs security: performance penalty. Maintainability vs security: additional operations. Reliability vs security: lost access.
  42. Slide 61. Home reading:
     - Organization security for startups: https://github.com/forter/security-101-for-saas-startups/blob/english/security.md
     - Security as a Product: https://medium.com/@kshortridge/security-as-a-product-83a78c45ca27
     - Hiring External Security Team: What You Need To Know: https://www.cossacklabs.com/blog/hiring-external-security-team.html
     - What Do We Really Need To Encrypt. Cheatsheet: https://www.cossacklabs.com/blog/what-we-need-to-encrypt-cheatsheet.html
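Slides 49 and 50 above list access logging as a "detect" control and jailbans as a "limit damage" control. As an added example that is not part of the talk, the Go code below joins the two over a constructed log: it counts failed logins per source inside a sliding window and reports the moment a source crosses the ban threshold. The log line format, the threshold and the window length are assumptions of this example.

```go
// Added example, not from the talk: access logging as the "detect" control that
// feeds a jailban "limit damage" decision, run over constructed log lines.
package main

import (
	"fmt"
	"strings"
	"time"
)

// Constructed, chronological auth-log lines: "<RFC3339 time> <OK|FAIL> user=<u> src=<ip>".
const sampleLog = `2018-12-13T10:00:01Z FAIL user=alice src=203.0.113.7
2018-12-13T10:00:03Z FAIL user=bob src=203.0.113.7
2018-12-13T10:00:04Z OK user=carol src=198.51.100.2
2018-12-13T10:00:09Z FAIL user=dave src=203.0.113.7
2018-12-13T10:20:00Z FAIL user=alice src=198.51.100.2
2018-12-13T10:50:00Z FAIL user=alice src=198.51.100.2`

// JailBans returns, per source, when it reached `limit` failed logins inside a
// sliding `window`. Successes are ignored, each source is reported once (when
// the threshold is first crossed) and a malformed line is an error, not skipped.
func JailBans(log string, limit int, window time.Duration) (map[string]time.Time, error) {
	recent := map[string][]time.Time{} // failures still inside the window, per source
	bans := map[string]time.Time{}
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 || !strings.HasPrefix(f[3], "src=") {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		if f[1] != "FAIL" {
			continue
		}
		src := strings.TrimPrefix(f[3], "src=")
		q := recent[src]
		for len(q) > 0 && at.Sub(q[0]) >= window { // drop failures that aged out
			q = q[1:]
		}
		recent[src] = append(q, at)
		if _, seen := bans[src]; !seen && len(recent[src]) >= limit {
			bans[src] = at
		}
	}
	return bans, nil
}
```

With `JailBans(sampleLog, 3, 5*time.Minute)` only 203.0.113.7 is reported, at its third failure (10:00:09Z); the two failures from 198.51.100.2 are 30 minutes apart and never share a window.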
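Slide 52 above lists what an encryption library should do: hide cryptographic details, be hard to misuse and integrate with key storage. As an added example, not code from the talk or from any Cossack Labs library, the standard-library Go below shows those properties in a minimal envelope: one Seal/Open pair, nonce and mode kept internal, the key id bound as associated data, and keys looked up in a key ring so they can rotate. The KeyRing type and the one-byte key ids are assumptions of this example; real key storage would be a KMS or HSM behind the same interface.

```go
// Added example, not from the talk or any Cossack Labs library: a minimal envelope
// with the slide 52 properties (details hidden, hard to misuse, keys from storage).
// KeyRing stands in for that storage (KMS, HSM, vault): key id -> 32-byte AES key.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type KeyRing map[byte][]byte
func (r KeyRing) aead(id byte) (cipher.AEAD, error) {
	k, ok := r[id]
	if !ok {
		return nil, fmt.Errorf("unknown key id %d", id)
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns keyID(1) | nonce(12) | AES-GCM ciphertext+tag; the id byte doubles as associated data.
func (r KeyRing) Seal(keyID byte, plaintext []byte) ([]byte, error) {
	g, err := r.aead(keyID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize()) // fresh random nonce per message, never caller-supplied
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(append([]byte{keyID}, nonce...), nonce, plaintext, []byte{keyID}), nil
}

// Open picks the key by id byte; unknown id, truncation or any change to id/nonce/ciphertext fails.
func (r KeyRing) Open(blob []byte) ([]byte, error) {
	if len(blob) < 1+12+16 { // key id + GCM nonce + GCM tag
		return nil, fmt.Errorf("truncated envelope")
	}
	g, err := r.aead(blob[0])
	if err != nil {
		return nil, err
	}
	return g.Open(nil, blob[1:1+g.NonceSize()], blob[1+g.NonceSize():], blob[:1])
}
```

Rotation works by adding a new id to the ring and sealing new data under it; Open keeps reading older ids until they are removed from the ring.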