
Minion: Blaze your own security scan

yeukhon
August 16, 2013


Mozilla summer internship '13 talk; full talk available on https://air.mozilla.org/2013-intern-presentations-august-16-20130816/


Transcript

  1. Minion: Blaze your own security scan. Yeuk Hon Wong, Security Assurance team, Summer Intern '13
  2. Live QA? • #websectools or #security on irc.mozilla.org • Send to yeukhon on IRC • I'll address questions at the end
  3. In a typical security review... • Reviewers determine the threat analysis after learning about the system specification, user stories and data flow. • Reviewers run scans and do manual code review. • Reviewers sign and publish the security review report (mitigations and vulnerabilities).
  4. Problems • Security review relies on the availability of time and collaboration from both the reviewers and the developers. • Security scans are usually done by security reviewers. • Security reviews are not agile enough! Y U NO CHECK XSS BEFORE YOU git push upstream?
  5. Solutions? We need a developer-first solution. Your security reviewers are the go-to people for advice and for formal security review, not for your daily build.
  6. Minion? Create a platform where developers can kick off a scan: a URL, a mouse click, and wait for the report.
  7. Minion? View scan reports online and offline. Give me the URL. IRC or email is fine. No need for a formal Vidyo conference.
  8. Minion? Customize an attack plan that works for your use case. Write a configuration file with different parameters for one or multiple scan tools.
  9. Minion? Keep a history of scans. Imagine doing git blame scan1 scan2 on issueX? Or even correlating with other projects? \o/
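Slides 8 and 9 describe the two ideas that make this useful for a daily build: a plan file that parameterises one or more checks, and scan results kept in a uniform schema so two runs can be compared. The following is an added Python illustration of that design, not Minion's own code or its plan format: a hypothetical JSON plan configures two hypothetical check plugins, every plugin reports issues in one record shape, and two runs against the same target are diffed into new, fixed and still-open issues. The plan keys, plugin names and the two sets of HTTP response headers are all constructed for the example.

```python
"""Added illustration of a plan-driven scan (not Minion's code or format).

A JSON "plan" lists plugins and their parameters, every plugin emits issues
in one uniform schema, and two scan results can be diffed like revisions.
All plugin names, plan keys and HTTP responses below are constructed."""
import json
from dataclasses import dataclass, asdict
from http.cookies import SimpleCookie

# Constructed plan: one scan, two plugins, each with its own configuration.
PLAN_JSON = """
{
  "name": "headers-and-cookies",
  "workflow": [
    {"plugin": "SecurityHeadersPlugin",
     "configuration": {"required": ["Content-Security-Policy",
                                    "X-Frame-Options",
                                    "Strict-Transport-Security"]}},
    {"plugin": "CookieFlagsPlugin",
     "configuration": {"require_secure": true, "require_httponly": true}}
  ]
}
"""

# Constructed response headers standing in for two builds of the same site.
RESPONSE_BEFORE = {
    "X-Frame-Options": "DENY",
    "Set-Cookie": "sessionid=abc123; Path=/",
}
RESPONSE_AFTER = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'",
    "Set-Cookie": "sessionid=abc123; Path=/; Secure; HttpOnly",
}


@dataclass(frozen=True)
class Issue:
    """Uniform report record shared by every plugin."""
    plugin: str
    severity: str
    summary: str  # stable text, used as the key when diffing two scans


def security_headers_plugin(headers, cfg):
    """Report each configured header that the response does not send."""
    return [Issue("SecurityHeadersPlugin", "Medium", f"Missing {name} header")
            for name in cfg["required"] if name not in headers]


def cookie_flags_plugin(headers, cfg):
    """Report cookies set without the flags the plan requires."""
    issues = []
    jar = SimpleCookie(headers.get("Set-Cookie", ""))
    for name, morsel in jar.items():
        # SimpleCookie stores absent flags as "" and present ones as True.
        if cfg.get("require_secure") and not morsel["secure"]:
            issues.append(Issue("CookieFlagsPlugin", "High",
                                f"Cookie {name} lacks Secure"))
        if cfg.get("require_httponly") and not morsel["httponly"]:
            issues.append(Issue("CookieFlagsPlugin", "Medium",
                                f"Cookie {name} lacks HttpOnly"))
    return issues


PLUGINS = {
    "SecurityHeadersPlugin": security_headers_plugin,
    "CookieFlagsPlugin": cookie_flags_plugin,
}


def run_plan(plan_json, headers):
    """Execute every workflow step of the plan against one response."""
    plan = json.loads(plan_json)
    issues = []
    for step in plan["workflow"]:
        plugin = PLUGINS[step["plugin"]]  # KeyError on an unknown plugin name
        issues.extend(plugin(headers, step.get("configuration", {})))
    return issues


def to_report(scan_id, plan_json, issues):
    """Serialise one scan in a single schema so it can be stored and compared."""
    return {"scan": scan_id, "plan": json.loads(plan_json)["name"],
            "issues": [asdict(i) for i in issues]}


def diff_scans(old, new):
    """Compare two scans of one target: what appeared, disappeared, remained."""
    old_keys = {i.summary for i in old}
    new_keys = {i.summary for i in new}
    return {"new": sorted(new_keys - old_keys),
            "fixed": sorted(old_keys - new_keys),
            "still_open": sorted(old_keys & new_keys)}


if __name__ == "__main__":
    before = run_plan(PLAN_JSON, RESPONSE_BEFORE)
    after = run_plan(PLAN_JSON, RESPONSE_AFTER)
    print(json.dumps(to_report("scan1", PLAN_JSON, before), indent=2))
    print(json.dumps(diff_scans(before, after), indent=2))
```

The diff keys on each issue's summary text, which is why every plugin must produce a stable summary for the same finding: with that in place, a report from last week's build and one from today's can be compared without either plugin knowing about the other, which is the "git blame scan1 scan2" idea from slide 9.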
  11. Minion today • 0.3 was announced on July 30th (https://blog.mozilla.org/security/2013/07/30/introducing-minion/) • Slowly gaining more contributors and users • Received the first major pull request from a contributor (https://github.com/mozilla/minion-frontend/pull/103) • Focusing on growing the community • Just completed site ownership verification this week (08/13/2013)
  12. Minion Roadmap • Focus on growing the community • Improve plugin and reporting quality • Grow the plugin ecosystem • Front-end UI changes (e.g. add a landing page) • Enable storage of result artifacts. https://blog.mozilla.org/security/2013/07/30/introducing-minion/
  13. Minion UI mock-up. A quick shoutout to my roommate Liu Liu for making a Minion UI mock-up for me. Disclaimer: we haven't made any decision on how the future UI will look, but I want to acknowledge his contribution.
  14. Minion: potentials (I think) • Make security reviews more agile (think of continuous integration). • Help developers (and students!) learn more about application security. • I imagine growing Minion like growing OpenStack or Docker. • Create a security tool ecosystem. • Help standardize a security alert report schema.
  15. Minion: resources • Source code: https://github.com/mozilla/minion • Mailing list: http://groups.google.com/group/mozilla-minion-dev • Minion wiki: https://wiki.mozilla.org/Security/Projects/Minion • We also use the #websectools channel on irc.mozilla.org
  16. Fuzzing • I was fuzzing IonMonkey using UBSan (undefined behavior sanitizer) • Found several interesting undefined behavior bugs: - runtime error: load of value 98, which is not a valid value for type 'bool' (js::DefineOwnProperty); - JS engine creates unaligned reference to JSObject (0x42) • MDN: https://developer.mozilla.org/en-US/docs/Building_SpiderMonkey_with_UBSan
  17. Security Review • Currently reviewing a simple community Django web app with Jacob Haven (another security assurance intern).
  18. Farewell. Big thanks to my own team: Stefan Arentz, Yvan Boily, Simon Bennetts, Mark Goodwin
  19. Farewell. Also to our fuzzers and to our OpSec: * Jesse Ruderman * Gary Kwong * Joe Stevenson * Julien Vehent * Guillaume Destuynder * Nicolas Pierron (JS team) And to the rest of the Security Assurance team!
  20. QA