Defensive team – who are security engineers and how they help teams to develop secure applications

vixentael
December 13, 2018


Who is a blue team and how they prevent business risks against company assets? What is secure development, secure architecture, secure coding? A lecture for Women in Appsec community and infosec students.


Transcript

  1. Blue teams: security engineering. @vixentael

  2. @vixentael, Product Engineer. github.com/vixentael/my-talks. Cryptographic software, security consulting, developer training.

  4. Real risk vs compliance demands (1999).

  5. Business risk vs compliance demands (2018).

  6. "Bad security" leads to: reputation risks (Equifax); legal responsibility (GDPR, HIPAA, PCI DSS; see https://www.cossacklabs.com/blog/gdpr-for-engineers.html); operational consequences (Google, Facebook); competitor advantage.

  7. "Bad security" leads to financial damage.

  8. twitter.com/c_pellegrino/status/981409466242486272

  11. Chart: millions of records leaked per month, February to September (scale 0 to 1,000 million). Source: https://www.itgovernance.co.uk/blog/category/cyber-security/

  14. Blue team

  15. Proactive vs reactive: Secure Development, Secure Architecture, Secure Operations, Processes, Pentests / Audits, Compliance, Incident Response.

  16. Blue team roles: The Security Stakeholder (defining the what and the what not); The Evangelist (raising the bar); The Security Expert (helping with the how); Security Automation (continuous security); Incident response, investigations and forensics. https://xebia.com/blog/being-an-agile-security-officer/

  20. Blue team: prevent business risks against company assets.

  21. Assets we protect: 1. Sensitive data. 2. Encryption keys. 3. Credentials. 4. Technical credentials. 5. ACL. 6. Systems and nodes.

  22. Sensitive data is any kind of data that, if leaked, will break the business objectives or the prosperity of those who use the data.

  23. CIA triad: Confidentiality, Integrity, Availability.

  24. Processes we protect: Continuity, Capacity, Availability (component security, technical asset security; SRE practices).

  25. Business risk is the possibility that a company will have lower than anticipated profits or experience a loss rather than a profit.

  26. Risks: unauthorized access, use, disclosure, disruption, modification, inspection, recording, destruction. Risk categories: strategic risks, operational risks, reputational risks, compliance risks.

  27. Risks: unauthorized access, use, disclosure, disruption, modification, inspection, recording, destruction. Can't we just fix all the bugs?

  28. The secret of pragmatic security: 1. Focus on real risks. 2. Prioritize by impact and probability.

  29. InfoSec processes. Planning: risk assessment. Building: secure software development, infrastructure security. Doing: compliance / certification, security verification (audit, pentests, appsec), operations / processes.

  31. Secure development, secure architecture, secure coding

  32. Secure software development lifecycle methodology: MS SDL (www.microsoft.com/en-us/sdl), OWASP S-SDLC (www.owasp.org/index.php/OWASP_Secure_Software_Development_Lifecycle_Project).

  33. SSDLC distills common sense from the experience of building secure software; prescribes methodologies that cover most risks in most cases; is a good start.

  35. SSDLC activities: risk evaluation, risk assessment, threat model, security plan, secure coding, security verification, secure operations, response. Phases: requirements, design/architecture, development, testing, operations.

  36. Secure architecture prevents infosec-related business risks in a consistent, pre-designed structure that corresponds to the business goals.

  37. Addressing security risks at the architecture level: 1. Design systems that focus on preventing risks instead of preventing vulnerabilities. 2. Implement security in a cost-efficient, maintainable and verifiable way.

  38. Trust: 1. A system's trust is equal to the trust in its weakest link. 2. Good architecture allocates trust appropriate to practical constraints.

  39. Trust layers: perimeter firewall, access control, internal network, authentication, internal access control, access/key management, configuration management, code, encryption, node security.

  40. Threats are technical opportunities to materialize business risk in the chosen architecture. Combined with the actual trust and position of weak components, they create attack vectors.

  41. Attack surface: the combination of nodes, processes and applications that need to be compromised for damage to be done. The attack surface is created by components that open a potential opportunity to inflict damage and materialize business risk, along with their risk level.

  42. Managing the attack surface: the goal of security architecture is appropriate management of the attack surface: observability, minimization, control.

  43. Defense in depth: data, wrapped in encryption, wrapped in authorization, wrapped in authentication / access control.

  44. Bottom-up vs top-down. Top-down: analyze risks, security plan, SSDLC, maintain, iterate. Bottom-up: find the weakest part, fix, iterate.

  45. Secure Development is the process of choosing and implementing security controls appropriate to business risks.

  46. Security controls. Proactive: prevent risk. Reactive: detect the incident; correct / limit the damage. Kinds: physical, procedural, technical, legal.

  47. Proactive + reactive: data security, application security, infrastructure security, monitoring, intrusion detection, vulnerability management.

  48. Proactive controls. Data security: encryption. Access security: authentication, firewalls, OS. Node security: firewalls, compartmentalization, OS.

  49. Reactive controls (detect). Data security: integrity checks, authenticated crypto. Access security: honeypots, access logging. Node security: IDS, monitoring.
  50. Reactive controls (limit damage). Data security: key management, backups. Access security: credential management, jail bans. Node security: infrastructure management.
  51. Data protection 101: 1. Identify sensitive data, understand the sensitive data lifecycle, classify data. 2. Identify risks to the data. 3. Build a trust model, understand risk impact. 4. Prioritize risk vectors. 5. Select and implement proper security controls for exploitable high-risk vectors (to prevent risks and to identify leaks).
  52. Encryption libraries should: use strong and audited crypto; work everywhere; hide cryptographic details; be hard to misuse; integrate with key storage.
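The "integrity checks" detect control from slide 49 and the "hard to misuse" API shape from slide 52, as an added example that is not from the talk and not the code of any library named in it. It keeps a tag over every stored record and refuses to return a record whose tag no longer verifies: an attacker who can edit stored bytes but holds no key cannot forge the tag, so edits, replay under another record id, and truncation are detected on read instead of being silently trusted. Standard library only; the master key from os.urandom, the record ids and the sample record are constructed for the example and stand in for a real key store and real data.

```python
"""Integrity-tagged records: a 'detect' data-security control behind a
small seal/open API. Added example, not from the talk. Standard library only.
"""
import hashlib
import hmac
import json
import os

TAG_LEN = 32  # HMAC-SHA256 output length in bytes


def derive_key(master_key: bytes, purpose: bytes) -> bytes:
    """Purpose-bound subkey (HMAC-based key separation): the integrity key is
    never the same bytes as a key used for anything else."""
    return hmac.new(master_key, b"purpose:" + purpose, hashlib.sha256).digest()


def seal(key: bytes, record_id: str, payload: dict) -> bytes:
    """Canonical JSON body followed by a tag over (record_id || 0x00 || body).
    Binding record_id stops a valid blob from being replayed under another id."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, record_id.encode() + b"\x00" + body, hashlib.sha256).digest()
    return body + tag


def open_sealed(key: bytes, record_id: str, blob: bytes) -> dict:
    """Return the payload only if the tag verifies (constant-time compare)."""
    if len(blob) < TAG_LEN:
        raise ValueError("integrity check failed: truncated record")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, record_id.encode() + b"\x00" + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: record modified or wrong id")
    return json.loads(body)


def _detected(key: bytes, record_id: str, blob: bytes) -> bool:
    """True when open_sealed rejects the blob, i.e. the control fired."""
    try:
        open_sealed(key, record_id, blob)
    except ValueError:
        return True
    return False


def run_checks() -> dict:
    """Constructed scenario: one user record and three tampering attempts."""
    master = os.urandom(32)  # assumed: comes from a key store in real use
    key = derive_key(master, b"record-integrity")
    record = {"user": "alice", "role": "user"}
    blob = seal(key, "user:alice", record)

    # Privilege escalation by editing the stored bytes: "user" -> "admin".
    escalated = blob.replace(b'"role":"user"', b'"role":"admin"')
    # Drop most of the blob, including the tag.
    truncated = blob[:10]

    return {
        "untouched_ok": open_sealed(key, "user:alice", blob) == record,
        "escalation_detected": _detected(key, "user:alice", escalated),
        # Replay the valid alice blob under bob's record id.
        "swap_detected": _detected(key, "user:bob", blob),
        "truncation_detected": _detected(key, "user:alice", truncated),
        "keys_separated": derive_key(master, b"encryption") != key,
    }


if __name__ == "__main__":
    print(run_checks())
```

HMAC gives integrity only, not confidentiality; in production the same detect signal comes from an AEAD such as AES-256-GCM (slide 54), where a failed tag check on decrypt is the event to alert on. The point carried over from the slides is that the verification failure must be treated as an incident signal and logged, not swallowed, and that the caller never sees unverified data.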
  53. Encryption libraries come at three abstraction levels, with rising complexity: ciphers, then libraries, then suites.

  54. Ciphers: 3DES, AES-256-GCM, Salsa20, ChaCha. Libraries: libsodium, Themis, Tink. Suites: ZeroKit, Hermes, Vault, Acra.

  56. Core principles: Principle of least privilege. "Secure by default". Compartmentalization. Access separation. Echelonization. Defense in depth: security measures escalate with sensitivity/risk. Independent defences. No single point of security failure.

  57. Core principles: Balance security with usability; break usability too much and the security control will be overridden or broken. Log everything, or be like ¯\_(ツ)_/¯ when things go bad. Have a contingency plan: nobody is perfect. Have an incident reaction plan from day 0.

  58. Ensuring security. Monitoring: security-conscious SLOs and metrics, IDS, SIEM. Automated security testing: security-centric tests, SAST / DAST. Automated security verification: dependency monitoring, automated vulnerability scanning, automated OSINT.

  59. Problems with implementing security practices. Usability vs security: control override, angry users. Performance vs security: performance penalty. Maintainability vs security: additional operations. Reliability vs security: lost access.

  60. #owaspkyiv

  61. Home reading: Organization security for startups, https://github.com/forter/security-101-for-saas-startups/blob/english/security.md; Security as a Product, https://medium.com/@kshortridge/security-as-a-product-83a78c45ca27; Hiring External Security Team: What You Need To Know, https://www.cossacklabs.com/blog/hiring-external-security-team.html; What Do We Really Need To Encrypt. Cheatsheet, https://www.cossacklabs.com/blog/what-we-need-to-encrypt-cheatsheet.html

  62. Community: Ukrainian security events, https://github.com/sapran/Ukraine-infosec-conferences; BSides, OWASP, UISGCon, NoNameCon, WIA, WWCode Kyiv (search on Facebook).