Context Over Control: Security's New Path @ DeveloperWeek

Transcript

1. Context Over Control Security's New Path

2. Problems for the Security Industrial Complex — Threat landscape shifting

   — The breaches aren't stopping — Negative developer economics — Productivity deceleration

3. Clearly something is wrong. The root of the problem is

   twofold: we're protecting the wrong things, and we're hurting productivity in the process. — Steven Bellovin

4. The Penalties of the Shift Left — Increase in security

   work — New gates and added complexity — Decoding findings (FP vs. TP) — Slower build times

5. many security teams work with a worldview where their goal

   is to inhibit change as much as possible

6. As build times increase, batch sizes increase

7. Security is Outnumbered — 100 Devs — 10 Ops —

   1 Sec

8. James Wickett — Co-founder & CEO @ DryRun Security —

   LinkedIn Learning Author: DevOps, Security — Formerly: Signal Sciences, Verica, NI, Mentor — Austin, TX — @wickett || wickett AT dryrun .security

9. — Security is an Epistemological Wasteland — The Path to

   DevOps Enlightenment for InfoSec — DevSecOps is the Furthering of DevOps into Security — Security Context Delivered To Dev & Ops

10. 4 Radical Things I Believe — Security is a Function

    of Quality — Security is Value not Cost — Developers Care About Security — We need Contextual Security Analysis

11. Control Composition Context

12. Security as Control — Enforcement of rules — Blocking checkpoints

    — (S,D,I)AST embodies this

13. Security as Composition — What are my code dependencies? —

    Where did they come from? — What vulnerabilities or flaws am I inheriting?

14. Security as Context — Who wrote the code? — What

    does the app do? — What are app areas that are important? — Are there any critical functions? — Did the developer pass secure code training? — Is the code brittle in certain areas?

15. Composition vs. Context — What parts were used to make

    — vs. — How it's actually used
16. None
17. None

18. How to Find Crystals — Environmental context — Localized context

    — Expert context

19. Finding More — Growth patterns — Mapping dig results

20. Context of the Past — Rare conditions — One of

    a kind rarely is
21. None

22. Contextual Security Analysis Contextual Security Analysis uses all available context

    gathered as developers are writing code to make contextually aware assertions.

23. Security Context — Commit or PR — Author — Codepaths

    & Functions — Dependencies — Sectool findings — Past problem areas
24. None

25. SLIDE Context Factors — Surface - the application shape —

    Language - the language and framework — Intent - the person making the change — Detection - the output from sectools — Environment - the purpose in the organization
26. None

27. — Diff in PR — Sensitive Codepaths — Routes

28. routes-found: 83 get-/ get-/login post-/login get-/logout get-/forgot post-/forgot get-/reset/:token post-/reset/:token

    get-/signup post-/signup ...

29. # sensitive-codepaths.yml sensitive-codepaths: - './middleware/auth.js' - './path/to/my/app.conf' - ...

30. — Language used — Framework — Template language

31. app.set('views', path.join(__dirname, 'views')); app.set('view engine', 'pug'); app.use(compression()); ...

32. — Author's relationship to codebase — Author's history — Comments,

    reviews, PR details

33. — Static — Dynamic — Secrets — Dependencies

34. static-findings: - controllers/home.js: Unvalidated Redirect and Forwards - app.js: Session

    HttpOnly Misconfigured in Node Express - app.js: Default Session Name used in Session Cookie in Node Express

35. — Compliance — Branch rules — Organization needs

36. Benefits of Contextual Security Analysis — Better decision-making — Improved

    collaboration — Greater agility — Increased visibility

37. Get the Free Contextual Security Analysis Guide dryrun.security/csa

38. Ideas to Get Started — SLIDE into CI/CD workflow (ref

    arch: Monocle) — Try a Sensitive Codepath workflow — Use AI for security bug triage

39. GitHub Action for Sensitive Codepaths — This GitHub action checks

    for changes in specified sensitive codepaths in your repository. — wickett/sensitive-codepaths — github.com/marketplace/actions/sensitive-codepaths-check — MIT License
40. None
41. None

42. Book Recommender API in Node Express — Let auth'ed users

    upload books — Ask the API endpoint /random-book
43. None
44. None
45. None
46. None

47. name: Check changes in specified codepaths on: pull_request: types: -

    opened - synchronize jobs: check_changes: runs-on: ubuntu-latest steps: - uses: wickett/[email protected] with: token: ${{ secrets.MY_GITHUB_PAT }}

48. # sensitive-codepaths.yml codepaths: - './middleware/auth.js' - './path/to/another/file.js' - './path/to/some/directory'

49. None

50. Steps for Contextual Security Analysis 1. Democratize Security Tools 2.

    Ask Security for Context 3. Synthesize Output

51. /sb: What is the Default Session Name used in Session

    Cookie in Node Express vulnerability and why is it a security issue? /sb: How do we do auth in for this application? /sb: Can your provide the security guidelines for this application?

52. The Summary — Control vs. Composition vs. Context — Contextual

    Security Analysis — The SLIDE Model — CSA Guide

53. Get an Automated Security Buddy On Your Next Pull Request

    Private beta signup: dryrun.security [email protected]

54. Stay in Touch

55. Appendix

56. Contact Info — [email protected] — linkedin.com/in/wickett — @wickett

57. None