FutureStack 2015 - Continuous security for continuous development
Continuous Security - TCCC
Uploaded by wendy-istvanick
Category: Technology
Continuous Security: Embracing Security Automation

What I Will Cover
- Attack Volumes
- Recent Attacks
- Taking an Agile Approach
- Project Overview
- Tool Survey
- Wrap Up
Attack Volumes
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
High Profile Attacks

Target
- Unnecessarily Exposed Data
- Phishing Attack
- Non-Segmented Network
- Out of Date Software
- Exposed Secrets
- In Memory Data

Home Depot
- Stolen Vendor Credentials
- Improper Configurations: Important Anti-Virus Feature Turned Off
- POS Systems Running on Windows XP
- Unencrypted Data In Transit
- Non-Segmented Network
- Inadequate Monitoring

Sally Beauty
- Credentials Taped to Laptop
- Network Admin Credentials in VB Scripts
- Installed Malware on Cash Registers
An Agile Approach

Testing
- Unit Tests
- Service Tests
- UI Tests

Continuous Delivery
[Pipeline diagram: Code and Config -> Build & Test -> Package -> Integration -> Staging -> Production, with testing environments Env1, Env2 and Env3; the stages are grouped as "Build, Test & Release" and "Testing Environments"]

How Can We Apply This to Security?
Project Overview
[Data model diagram: Recipe, Ingredient, IngredientType, Diet, DietType]
Tool Survey

If checking for vulnerable components is good, we will do so every time we commit code.
Vulnerable Components
[Dependency graph diagram: Guava, MyBatis, JUnit, Hamcrest, Mockito, Objenesis]
Vulnerable Components - Examples
http://www.aspectsecurity.com/research-presentations/the-unfortunate-reality-of-insecure-libraries
"We studied the 31 most popular Java frameworks and security libraries downloaded from the [maven central] and discovered that 26% of these have known vulnerabilities. More than half of the Global 500 use software built using components with vulnerable code."

https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities
- Apache CXF Authentication Bypass
- Spring Remote Code Execution

Vulnerable Components - The Tools
- Checkmarx CxSAST
- C#: SafeNuGet (MSBuild Task), OWASP Dependency Check
- Java: OWASP Dependency Check
- Ruby: Bundler Audit, Dawnscanner
Vulnerable Components - Tool Integration
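What "tool integration" means in practice is a gate in the build: the scanner's report is read and the build fails when a component carries a known vulnerability above a chosen severity, unless the team has recorded an accepted risk that has not yet expired. The block below is an added example, not code from the talk or its repository. The report shape, component names, advisory ids and dates are constructed for the example; a real integration would first parse the scanner's own report (OWASP Dependency Check, Bundler Audit, and so on) into the Finding objects used here.

```python
"""Added example: a build-time gate over a component vulnerability report.
Fails the build when a finding is at or above the severity threshold and no
unexpired suppression covers it. All sample data below is constructed.
"""
from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
UNKNOWN_RANK = max(SEVERITY_RANK.values())   # fail closed on an unrated finding


@dataclass(frozen=True)
class Finding:
    component: str   # artifact name as the scanner reports it (constructed here)
    vuln_id: str     # advisory id as the scanner reports it (placeholders here)
    severity: str


@dataclass(frozen=True)
class Suppression:
    component: str
    vuln_id: str
    expires: date    # the suppression is void after this date
    reason: str      # why the team accepted the risk


def rank(severity):
    return SEVERITY_RANK.get(severity.upper(), UNKNOWN_RANK)


def is_suppressed(finding, suppressions, today):
    return any(s.component == finding.component and s.vuln_id == finding.vuln_id
               and today <= s.expires for s in suppressions)


def gate(findings, suppressions, threshold="MEDIUM", today=None):
    """Return (passed, blocking, suppressed) for one report."""
    today = today or date.today()
    blocking, suppressed = [], []
    for f in findings:
        if rank(f.severity) < rank(threshold):
            continue                      # below threshold: report only, never block
        if is_suppressed(f, suppressions, today):
            suppressed.append(f)
        else:
            blocking.append(f)
    return (not blocking, blocking, suppressed)


def report(passed, blocking, suppressed):
    """Plain-text summary for the build log."""
    lines = [f"BLOCK {f.component}: {f.vuln_id} ({f.severity})" for f in blocking]
    lines += [f"SUPPRESSED {f.component}: {f.vuln_id} ({f.severity})" for f in suppressed]
    lines.append("vulnerable components check: " + ("PASSED" if passed else "FAILED"))
    return "\n".join(lines)


# Constructed sample report: names and advisory ids are placeholders.
SAMPLE_FINDINGS = [
    Finding("lib-a-1.0.jar", "ADVISORY-0001", "HIGH"),
    Finding("lib-b-2.3.jar", "ADVISORY-0002", "LOW"),
    Finding("lib-c-0.9.jar", "ADVISORY-0003", "CRITICAL"),
    Finding("lib-d-4.1.jar", "ADVISORY-0004", "MEDIUM"),
    Finding("lib-e-1.2.jar", "ADVISORY-0005", "UNRATED"),
]
# Constructed suppressions: one still valid, one already expired.
SAMPLE_SUPPRESSIONS = [
    Suppression("lib-c-0.9.jar", "ADVISORY-0003", date(2016, 3, 31),
                "vulnerable code path not reachable; upgrade scheduled"),
    Suppression("lib-d-4.1.jar", "ADVISORY-0004", date(2015, 6, 30),
                "expired: must be re-reviewed"),
]
SAMPLE_TODAY = date(2015, 11, 1)   # constructed build date


def run_sample():
    return gate(SAMPLE_FINDINGS, SAMPLE_SUPPRESSIONS, "MEDIUM", SAMPLE_TODAY)


if __name__ == "__main__":
    import sys
    passed, blocking, suppressed = run_sample()
    print(report(passed, blocking, suppressed))
    sys.exit(0 if passed else 1)   # non-zero exit is what fails the CI stage
```

Two choices matter here: an unrated finding counts as the highest severity rather than being skipped, so a scanner that cannot rate something cannot silently pass the gate, and every suppression carries an expiry date, so an accepted risk is revisited instead of becoming permanent.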
If updating our dependencies is desired, we will run canary builds regularly to tell us when we can update.

Upgrading Dependencies
[Dependency graph diagram: Guava, MyBatis, JUnit, Hamcrest, Mockito, Objenesis]

Upgrading Dependencies - The Tools
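A canary build needs a list of what to try: which pinned dependencies have a newer release, and how big the jump is. The block below is an added example, not code from the talk or its repository, showing that decision step. The pinned versions and the repository listing are constructed (the names merely echo the dependency graph above); a real canary job would read them from the build file and a repository query, then run the test suite with the candidate versions forced in.

```python
"""Added example: find upgrade candidates for a scheduled canary build.
Pinned versions and the repository listing are constructed stand-ins.
"""
import re

# Constructed: what the project pins today.
PINNED = {
    "guava": "18.0",
    "junit": "4.11",
    "hamcrest": "1.3",
    "mybatis": "3.2.8",
    "objenesis": "2.1",
    "mockito": "1.10.19",
}

# Constructed stand-in for a repository's version listing.
AVAILABLE = {
    "guava": ["17.0", "18.0", "19.0"],
    "junit": ["4.9", "4.11", "4.12"],
    "hamcrest": ["1.3"],
    "mybatis": ["3.2.8", "3.3.0", "3.4.0-SNAPSHOT"],
    "objenesis": ["2.1", "2.2"],
    "mockito": ["1.10.19", "2.0.2-beta"],
}

# Simplified rule (assumption): any letter in a version marks a pre-release.
PRERELEASE = re.compile(r"[A-Za-z]")


def version_key(v):
    """Numeric tuple for ordering, so 4.12 sorts after 4.9 (string order would not)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def latest_release(versions, allow_prerelease=False):
    candidates = [v for v in versions if allow_prerelease or not PRERELEASE.search(v)]
    return max(candidates, key=version_key) if candidates else None


def jump_kind(current, latest):
    """Classify the upgrade as major, minor or patch by the first changed segment."""
    cur, new = version_key(current), version_key(latest)
    if new[:1] != cur[:1]:
        return "major"
    if new[1:2] != cur[1:2]:
        return "minor"
    return "patch"


def upgrade_candidates(pinned, available, allow_prerelease=False):
    """Return {name: (current, latest, kind)} for every dependency with a newer release."""
    out = {}
    for name, current in pinned.items():
        latest = latest_release(available.get(name, []), allow_prerelease)
        if latest and version_key(latest) > version_key(current):
            out[name] = (current, latest, jump_kind(current, latest))
    return out


if __name__ == "__main__":
    for name, (cur, new, kind) in sorted(upgrade_candidates(PINNED, AVAILABLE).items()):
        print(f"{name}: {cur} -> {new} ({kind})")
```

Running the canary with pre-releases excluded keeps the signal about stable upgrades separate from noise about snapshots and betas; passing allow_prerelease=True gives an early look at the next major version, which here is the only way mockito shows up.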
[Continuous Delivery pipeline diagram, as before: Code and Config -> Build & Test -> Package -> Integration -> Staging -> Production, with testing environments Env1, Env2 and Env3]

If not exposing secrets is important, we will ensure they are never committed to our version control system.
Exposing Secrets

Exposing Secrets - The Tools
"A talisman is an object which is believed to contain certain magical or sacramental properties which would provide good luck for the possessor or possibly offer protection from evil or harm."
https://en.wikipedia.org/wiki/Talisman

Exposing Secrets - Tool Integration
19:54:42.329 :findSecrets FAILED
19:54:42.336
19:54:42.336 BUILD FAILED
19:54:42.336
19:54:42.336 Total time: 3.085 secs
19:54:42.339
19:54:42.339 FAILURE: Build failed with an exception.
19:54:42.339
19:54:42.339 * What went wrong:
19:54:42.339 Execution failed for task ':findSecrets'.

java/build.gradle
java/gradle/wrapper/gradle-wrapper.jar
java/gradle/wrapper/gradle-wrapper.properties
java/gradlew
java/gradlew.bat
java/notReallyAn._rsa
…
java/src/vulnerableCheckSuppression.xml

The following errors were detected in
java/notReallyAn._rsa
The file name "java/notReallyAn._rsa" failed checks against the pattern ^.+_rsa$
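The check behind that build output has two halves: file names that look like key material, and file contents that contain key material. The block below is an added example, not Talisman's code nor the talk's repository, showing both halves as a pre-commit style script. Only the pattern ^.+_rsa$ comes from the page; the other file-name patterns, the PEM header marker, the high-entropy token rule and its threshold are assumptions, and the sample inputs in the usage are constructed.

```python
"""Added example: a pre-commit style secrets check. Flags staged file names
that match private-key patterns and file contents that carry a PEM private
key header or a long high-entropy token. Patterns other than ^.+_rsa$ and
the entropy threshold are assumptions.
"""
import math
import re
import subprocess
import sys

# File-name patterns. ^.+_rsa$ is the one shown in the build output; the rest are assumed.
FILENAME_PATTERNS = [
    r"^.+_rsa$",
    r"^.+_dsa$",
    r"^.+\.pem$",
    r"^.+\.p12$",
    r"^(.*/)?id_(rsa|dsa|ecdsa|ed25519)$",
]

PEM_HEADER = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{32,}")   # base64-ish runs worth measuring
ENTROPY_THRESHOLD = 4.5                        # bits per character; assumed tuning value


def shannon_entropy(s):
    """Bits of entropy per character of s (log2 of the alphabet size for uniform text)."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def check_paths(paths):
    """Return (path, pattern) for every path whose name matches a pattern."""
    failures = []
    for path in paths:
        for pattern in FILENAME_PATTERNS:
            if re.match(pattern, path):
                failures.append((path, pattern))
                break
    return failures


def check_content(path, text):
    """Return (path, reason) entries for suspicious content in one file."""
    failures = []
    if PEM_HEADER.search(text):
        failures.append((path, "PEM private key header"))
    for token in TOKEN.findall(text):
        if shannon_entropy(token) >= ENTROPY_THRESHOLD:
            failures.append((path, "high-entropy token"))
            break
    return failures


def staged_files():
    """Names of files added, copied or modified in the index (what a pre-commit hook sees)."""
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                         capture_output=True, text=True, check=True).stdout
    return [line for line in out.splitlines() if line]


def main():
    paths = staged_files()
    failures = check_paths(paths)
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="ignore") as fh:
                failures += check_content(path, fh.read())
        except OSError:
            continue                      # deleted or unreadable in the worktree
    for path, why in failures:
        print(f'The file "{path}" failed checks: {why}')
    return 1 if failures else 0


if __name__ == "__main__":
    sys.exit(main())                      # non-zero exit aborts the commit
```

The entropy rule is where the false positives the talk lists under downsides come from: a long identifier or a minified asset line can cross the threshold, so a real hook pairs this rule with a reviewed ignore list rather than lowering the threshold until it stops firing.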
If searching for possible attack vectors for our web sites is good, we will automate this search.
Finding Vulnerabilities

Finding Vulnerabilities - The Tools
ZAP
- HTML
- Ajax
- Extensions
- Port Scanning
- Fuzzing
- LDAP Injection
- Session Fixation

Finding Vulnerabilities - Tool Integration
Plugins
- Jenkins (https://wiki.jenkins-ci.org/display/JENKINS/ZAProxy+Plugin)
- Maven (https://github.com/pdsoftplan/zap-maven-plugin)
- Grails (https://grails.org/plugin/zap-security-tests)
Command Line Interface
Wrap Up

Potential Downsides
- False Positives
- Longer Running Builds
- Won't Catch Everything
- New Things Every Day
Attack Tie Backs - Target
- Secrets may not have been discovered
- Up to date vendor system may have eliminated vulnerabilities
- ZAP testing might have highlighted network navigability

Attack Tie Backs - Home Depot
- Up to date POS OS may have eliminated vulnerabilities
- ZAP testing might have highlighted network navigability

Attack Tie Backs - Sally Beauty
- Secrets may not have been discovered
Links
- Application Code: https://github.com/wendyi/continuousSecurity
- Pipelines: https://github.com/wendyi/continuousSecurityCi
- Slides: http://www.slideshare.net/WendyIstvanick
- Trello: https://trello.com/b/SVoLynan/continuous-security
Next Steps
- Finish Wiring Up Existing Checks
- Contribute Talisman Changes
- Finish End to End Code
- Wire Up ZAP
- Set Up Canary Builds
- Find Other Tools to Include

Thank You
Questions?