How trends in IT force Security to behave as an Immune System
RED TEAM, BLUE TEAM OR WHITE CELLS?
This work is licensed under a Creative Commons
Attribution-ShareAlike 4.0 International License.
Image: Yersinia pestis (bubonic plague) a CC NC ND image by Philip Moyer -
https://www.flickr.com/photos/59039691@N00/2539168777/
Frank Breedijk
• Security Officer at Schuberg Philis
• (Official) Security dude since 2000
• Author of Seccubus
Coordinates:
• https://www.linkedin.com/in/seccubus
• @Seccubus on Twitter
WHO AM I?
Barriers – First line of defense
• Skin
• Stomach acid
• Acidic oil on skin
Sort of our firewalls, IPS, Anti-virus
IMMUNE SYSTEM 101 – NONSPECIFIC
Image: boom barrier a CC NC SA image by miez!
https://www.flickr.com/photos/41449558@N06/6941463985/
Hard shell, soft center…
OLD STYLE SECURITY APPROACH
Image: Egg with glowing eyes a CC NC SA image by Keith Marshall
https://www.flickr.com/photos/69877992@N00/304559359/
The ugly truth has been revealed
We still suck at making good eggshells…
THE EGG HAS HATCHED
Image: P1010649 a CC SA image by Rick Kimpel
https://www.flickr.com/photos/18606128@N00/201198827/
Image: @akaasjager’s top by Frank Breedijk
No matter how well you secure an infrastructure, there is always somebody who can break into it.
JOIN THE RED TEAM, WE HAVE COOKIES…
Image: http://devopsreactions.tumblr.com/post/49168088989/backup-and-dr-testing
Humans are not wrapped in bubble wrap
(mostly)
Humans ingest parts of their environment
Humans interact in funny ways
While we do get sick, we don’t die often…
THE IMMUNE SYSTEM IS AWESOME!
Image: Bubble mummy a CC NC SA image by Katie Laird
https://www.flickr.com/photos/48889057845@N01/8583055777/
Not just barriers
Inflammation
• Getting materials where they need to be
• Making life a bit harder for the attacker
Phagocytes
• Know what a bacterium/virus looks like
• Eat it
Comparable to incident response…
IMMUNE SYSTEM 101 – NONSPECIFIC
Video source: https://www.youtube.com/watch?v=aWItglvTiLc
Mist, schon Vormittags Brand! a CC NC SA image by André
https://www.flickr.com/photos/30982194@N05/3700447633/
When a white cell eats an antigen it presents the antigen’s receptor on its outside
The immune system (the T and B lymphocytes) creates antibodies and effector T-cells
Antibodies fit the antigen receptors and kill antigens
Effector T-cells kill infected body cells
Antibodies make you immune
IMMUNE SYSTEM 102 – SPECIFIC / ADAPTIVE
Preferably before they can do harm
ANTIBODIES KILL ANTIGENS
A CC NC SA image by Alex
https://www.flickr.com/photos/95222260@N00/5190067591/
The body has several feedback loops like this
Fast
• Pain, bad taste
• ‘Must not continue’
• ‘Must not do that again’
Moderate
• Generation of antibodies
Slow
• Evolutionary
• ‘Survival isn’t mandatory’
FEEDBACK LOOPS
Image: Lightning Loop a CC image by Dakota Ray
https://www.flickr.com/photos/54782241@N05/5855339649/
Sometimes the body cannot create enough antibodies
Sometimes it cannot do it fast enough
A treatment with antibiotics will help
Antibiotics just kill any bacteria
Good bacteria suffer as well
ANTIBIOTICS
Image: Radioactive Injection a CC NC SA image by Taran Rampersad
https://www.flickr.com/photos/35468158048@N01/2102121338/
Firewalls
• What is not exposed cannot be attacked
Web Application Firewall
• OWASP Core Rule Set
Intrusion Prevention Systems
Minimize your exposure
Keep out people that are clearly up to no good
INFOSEC IMMUNITY – NONSPECIFIC IMMUNITY – BARRIERS
Source: http://devopsreactions.tumblr.com/post/46061575774/surviving-a-ddos-attack
Current feedback loops are too slow
• Developer writes/tests code on own laptop
• Developer checks in code
• Code gets picked up by build system
• Is (maybe) unit tested
• Is manually tested for functionality
• Many changes are accumulated in a release
• Release is deployed in acceptance
• Pentest is conducted on acceptance
• Issues are discovered
The shorter the feedback loop, the greater the learning effect
INFOSEC IMMUNITY – FAST FEEDBACK LOOP
Source: http://www.gifbay.com/gif/description-141598
Integrate security tools into your build street
Plenty of code quality tools out there:
• Commercial: HP, IBM, Veracode, WhiteHat Security, Qualys, Checkmarx, Trustwave, Appthority, Contrast Security, Pradco, Acunetix, N-Stalker, Virtual Forge, Trend Micro, Burp Suite
• Open Source: Skipfish, Nikto, ZAP, Seccubus, Gauntlt
Include checking for vulnerable sub-components
INFOSEC IMMUNITY – FASTER FEEDBACK LOOPS
Train developers
• Good patterns prevent injuries
• Teaches developers to spot potential security issues early
Do (peer) code review
• Don’t commit directly, use pull requests
Include security in your scrum
• Standups
• Sprint planning
• Backlog grooming
• Acceptance by product owner
INFOSEC IMMUNITY – LEARN FROM OTHERS
Source: http://devopsreactions.tumblr.com/post/48511362536/i-dont-need-to-test-that-what-can-possibly-go-wrong
Having Security review all changes simply doesn’t scale
PEER REVIEW IS KEY
Source: http://securityreactions.tumblr.com/post/67562914945/java-source-code-review
Learn from the failures of others
• Including ‘Darwin Award winners’
Learn from good examples
• Share your successes
INFOSEC IMMUNITY – FAST FEEDBACK LOOP
Source: http://testerreactions.tumblr.com/post/50489315537/new-implementation-first-verification
Heartbleed affected 2/3 of all SSL servers
A small mistake implementing a ping
“We can’t even add Ping, how the heck are we going to fix everything else?” – Dan Kaminsky
Vulnerability introduced in code in December 2011
Vulnerability in production code since March 2012
Publicly known in August 2014
INFOSEC IMMUNITY – NONSPECIFIC IMMUNITY – INFLAMMATION
Finding and fixing incidents
But, also representing these incidents to the feedback loops
INFOSEC IMMUNITY – NONSPECIFIC IMMUNITY – PHAGOCYTES
Source: http://securityreactions.tumblr.com/post/59198452899/crypto-implementation-in-whistle-im
Feed back security findings
Feed back as WAF signatures
• Antibodies / band-aid
Feed back as unit tests
• Antibodies
• Shortens feedback loop to developers
Feed back all lessons learned
• Learn from those that have had (major) incidents
INFOSEC IMMUNITY – FASTER FEEDBACK LOOPS
Image: TV Vortex a CC image by Alexis O’Connor
https://www.flickr.com/photos/10088577@N00/707845930/
Example Snort-style rule matching the CVE-2014-6271 (Shellshock) marker in an HTTP header:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Volex - Possible CVE-2014-6271 bash Vulnerability Requested (header)"; flow:established,to_server; content:"() {"; http_header; threshold:type limit, track by_src, count 1, seconds 120; sid:2014092401;)

Of course it is not a permanent solution
But, it makes life a little bit harder for the attacker
It buys your system some time to come up with a fix
WAF SIGNATURES FOR VULNERABILITIES
Bleeding Kitty a CC image by Daniel Lobo
https://www.flickr.com/photos/62518311@N00/13900006125/
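Added example (not from the original deck): the same detection logic as the rule above, run over constructed request records, including the rule’s per-source threshold (limit, count 1, seconds 120). The records, IPs and header values are constructed sample data.

```python
from typing import Dict, List, Optional, Tuple

# The marker the rule matches in an HTTP header value (content:"() {"; http_header).
SHELLSHOCK_MARKER = "() {"
SID = 2014092401
THRESHOLD_SECONDS = 120  # threshold:type limit, track by_src, count 1, seconds 120

# Constructed sample request records: (epoch seconds, source IP, request headers).
SAMPLE_REQUESTS: List[Tuple[float, str, Dict[str, str]]] = [
    (1000.0, "203.0.113.5", {"Host": "www.example.test", "User-Agent": "Mozilla/5.0"}),
    (1001.0, "198.51.100.9", {"Host": "www.example.test", "User-Agent": "() { ignored; }; echo marker"}),
    (1030.0, "198.51.100.9", {"Host": "www.example.test", "Referer": "() { ignored; }; echo marker"}),
    (1200.0, "198.51.100.9", {"Host": "www.example.test", "Cookie": "() { ignored; }; echo marker"}),
    (1201.0, "203.0.113.5", {"Host": "www.example.test", "User-Agent": "curl/7.35"}),
]


def matches_rule(headers: Dict[str, str]) -> Optional[str]:
    """Return the name of the first header carrying the marker, or None."""
    for name, value in headers.items():
        if SHELLSHOCK_MARKER in value:
            return name
    return None


class ShellshockHeaderDetector:
    """Emulates the rule's alerting, including 'limit' thresholding per source."""

    def __init__(self, window: float = THRESHOLD_SECONDS):
        self.window = window
        self._window_start: Dict[str, float] = {}  # src -> start of current window

    def process(self, ts: float, src: str, headers: Dict[str, str]) -> Optional[dict]:
        header = matches_rule(headers)
        if header is None:
            return None
        start = self._window_start.get(src)
        # 'limit, count 1': alert on the first event per window, suppress the rest.
        if start is not None and ts - start < self.window:
            return None
        self._window_start[src] = ts
        return {"sid": SID, "src": src, "header": header, "ts": ts}


def run_detector(records) -> List[dict]:
    """Feed records through the detector and collect the alerts it raises."""
    detector = ShellshockHeaderDetector()
    return [a for ts, src, hdrs in records if (a := detector.process(ts, src, hdrs))]
```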
If a security issue has been discovered
Or, if you are building a sensitive function
Make sure you write a security unit test
EXAMPLE 1
FEED BACK SECURITY UNIT TESTS
EXAMPLE 2
FEED BACK SECURITY UNIT TESTS
# Excerpt from a role-based access control test for a Django/Tastypie API. The project's
# own helpers (ResourceTestCaseWithHelpers, TeamGroupPermission, models) are not shown on the slide.
from django.conf import settings

class ApiRbacTest(ResourceTestCaseWithHelpers):
    fixtures = (
        'auth_user',
        'team',
    )

    def test_candidate_resource(self):
        bundle = self.create_bundle_for_resource_test(models.Candidate)

        def test_list_endpoints(url):
            # As an anonymous user: every verb must be rejected.
            TeamGroupPermission.objects.all().delete()
            self.logout()

            self.assertHttpUnauthorized(self.api_client.get(url))
            self.assertHttpUnauthorized(self.api_client.put(url))
            self.assertHttpUnauthorized(self.api_client.post(url))
            self.assertHttpUnauthorized(self.api_client.patch(url, data=bundle.data_list))
            self.assertHttpUnauthorized(self.api_client.delete(url))

            # As a user with read-only permissions: GET allowed, every write rejected.
            self.add_permission_for_user('admin', 'comp_sbp', settings.PERMISSIONS.SHOW_ATS)
            self.logout()
            self.login('admin', 'admin')

            self.assertHttpOK(self.api_client.get(url))
            self.assertHttpUnauthorized(self.api_client.put(url, data=bundle.data_list))
            self.assertHttpUnauthorized(self.api_client.post(url, data=bundle.data_detail))
            self.assertHttpUnauthorized(self.api_client.patch(url, data=bundle.data_list))
            self.assertHttpUnauthorized(self.api_client.delete(url))

            # As a user with read-write permissions.
            self.add_permission_for_user('admin', 'comp_sbp', settings.PERMISSIONS.EDIT_ATS)
            # (the slide excerpt ends here)
EXAMPLE 3
FEED BACK SECURITY UNIT TESTS
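Added example (not from the original deck) tying the Heartbleed slide to these unit-test slides: a minimal heartbeat responder with the length check the original code lacked, plus the security unit tests you would feed back once such an issue is found. The record layout is simplified and constructed for the example.

```python
import os
import struct
import unittest
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16  # heartbeat messages carry at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Encode a request as type(1) | payload_length(2) | payload | padding.
    claimed_len lets a test overstate the length, as the original bug allowed."""
    length = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + os.urandom(PADDING_LEN)


def heartbeat_response(record: bytes) -> bytes:
    """Answer a heartbeat request, refusing any length the record cannot back up."""
    if len(record) < 3 + PADDING_LEN:
        raise ValueError("heartbeat record too short")
    hb_type, payload_len = struct.unpack("!BH", record[:3])
    if hb_type != HEARTBEAT_REQUEST:
        raise ValueError("not a heartbeat request")
    # The missing check in Heartbleed: the claimed length was trusted instead of
    # being compared with the bytes actually received.
    if 3 + payload_len + PADDING_LEN > len(record):
        raise ValueError("claimed payload length exceeds record")
    payload = record[3:3 + payload_len]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + payload + os.urandom(PADDING_LEN)


class HeartbeatSecurityTest(unittest.TestCase):
    def test_honest_request_is_echoed(self):
        resp = heartbeat_response(build_heartbeat(b"ping"))
        self.assertEqual(resp[:3], struct.pack("!BH", HEARTBEAT_RESPONSE, 4))
        self.assertEqual(resp[3:7], b"ping")

    def test_overstated_length_is_rejected(self):
        # Regression test for the discovered issue: 4 bytes sent, 65535 claimed.
        with self.assertRaises(ValueError):
            heartbeat_response(build_heartbeat(b"ping", claimed_len=0xFFFF))

    def test_truncated_record_is_rejected(self):
        with self.assertRaises(ValueError):
            heartbeat_response(b"\x01\x00")


if __name__ == "__main__":
    unittest.main()
```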
So parts of your code really need to be protected
CROWN JEWELS
Crown of King Christian IV a CC NC ND image by Ville Misaki
https://www.flickr.com/photos/75595126@N00/7432041286/
INFOSEC IMMUNITY – SIGNATURES ON CRITICAL CODE
New/changed code is checked in
Critical code does NOT match signature
Build fails
Security team reviews critical code and signs it
Build ok!
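Added example (not from the original deck) of the build gate described above: the security team signs a manifest of critical-file hashes, and the build fails when a critical file no longer matches it until the code is reviewed and re-signed. The repository contents, paths and the HMAC key are constructed; a real pipeline would use an asymmetric signature so builders can verify but not sign.

```python
import hashlib
import hmac
import json
from typing import Dict, Tuple

SECURITY_TEAM_KEY = b"constructed-demo-key-do-not-use"   # stand-in for a real signing key
CRITICAL_PATHS = ("auth/login.py", "billing/transfer.py")  # the crown jewels (constructed)


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_critical_code(tree: Dict[str, bytes], key: bytes = SECURITY_TEAM_KEY) -> Tuple[str, str]:
    """Security team step: hash the reviewed critical files and sign the manifest."""
    manifest = json.dumps({p: _sha256(tree[p]) for p in CRITICAL_PATHS}, sort_keys=True)
    signature = hmac.new(key, manifest.encode(), hashlib.sha256).hexdigest()
    return manifest, signature


def build_gate(tree: Dict[str, bytes], manifest: str, signature: str,
               key: bytes = SECURITY_TEAM_KEY) -> Tuple[bool, str]:
    """Build step: pass only if the manifest is authentic and every critical file matches it."""
    expected = hmac.new(key, manifest.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return False, "manifest signature invalid"
    recorded = json.loads(manifest)
    for path in CRITICAL_PATHS:
        if path not in recorded:
            return False, f"{path} missing from signed manifest"
        if _sha256(tree.get(path, b"")) != recorded[path]:
            return False, f"{path} changed since last security review"
    return True, "critical code matches signature"


# Constructed repository snapshot.
REPO = {
    "auth/login.py": b"def login(user, pw): ...\n",
    "billing/transfer.py": b"def transfer(src, dst, amount): ...\n",
    "ui/theme.py": b"COLOR = 'blue'\n",
}


def demo() -> Tuple[bool, bool, bool, bool]:
    """Walk through the slide: unchanged, non-critical change, critical change, re-signed."""
    manifest, sig = sign_critical_code(REPO)
    ok_unchanged, _ = build_gate(REPO, manifest, sig)
    ok_ui_change, _ = build_gate(dict(REPO, **{"ui/theme.py": b"COLOR = 'red'\n"}), manifest, sig)
    changed = dict(REPO, **{"auth/login.py": b"def login(user, pw): return True\n"})
    ok_tampered, _ = build_gate(changed, manifest, sig)          # build fails
    ok_resigned, _ = build_gate(changed, *sign_critical_code(changed))  # reviewed, signed, ok
    return ok_unchanged, ok_ui_change, ok_tampered, ok_resigned
```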
Life (in Infosec) is full of little surprises
Attacks only get better, they never get worse
DON’T EXPECT TO BE PERFECT
Source: http://imgur.com/c9pCa18
The days of InfoSec Island/Castle have ended
If you didn’t realize this, don’t worry:
“Survival isn’t mandatory”
Security needs to align to the tools used by developers
Acting as immune system means
• Help stopping blatantly offensive elements
• Provide early feedback
• Cleaning up infections and
• Help build resistance against new vulnerabilities
• Providing a shot of antibiotics if needed
SUMMARY
Image: Fortress Lérins a CC SA image by Mark Fischer
https://www.flickr.com/photos/80854685@N08/8730781472/
SECURITY IS PART OF ALL THE WAYS OF DEVOPS
System thinking
• Code not in production isn’t code
• Code that isn’t secure isn’t code
Stop treating security as a silo…
Image: 2010 a CC NC ND image by Annais Ferreira,
http://www.flickr.com/photos/79083322@N00/4453826217/
ALLOW SECURITY TO PROVIDE A STRONG FEEDBACK SIGNAL
The shorter the feedback loops are, the better the learning effect
• Automated security testing
• Unit tests for security
• Signed code
• Allow security to pull the Andon cord
• Have Nagios tests for security?
ALLOW FOR EXPERIMENTATION???
DevOps is THE chance for security to finally get it right
Image: Rainbolt a CC NC ND image by Brian Auer,
http://www.flickr.com/photos/29814800@N00/1480408255/
Doctor Jack
• Registered EDP auditor
• Licensed MD
• Good friend
• ‘Dirty mind is a joy forever…’
THANK YOU…