How to effect change in the Epistemological Wasteland of Application Security - PowerPoint PPT Presentation


SLIDE 1

How to effect change in the Epistemological Wasteland of Application Security

James Wickett

SLIDE 2

SLIDE 3

How to effect change in the Epistemological wasteland of Application Security

  • @wickett
SLIDE 4

@wickett #ruggeddevops

James Wickett

  • SR. ENGINEER, SIGNAL SCIENCES
  • AUSTIN, TX
  • HANDS-ON GAUNTLT BOOK
  • DEVOPS DAYS GLOBAL ORGANIZER
  • LASCON ORGANIZER

SLIDE 5

  • Application Security Monitoring and Instrumentation
  • Application Security you can use!
  • An approach that integrates with devops organizations
  • Productizing the Etsy security approach

SLIDE 6

signalsciences.com

SLIDE 7

Summary

  • Software development has been a constant experiment in how we know anything
  • Application Security abdicated runtime responsibility, and effectively abdicated development responsibility, through incoherent philosophical approaches and fostering organizational silos
  • DevOps is here to stay, and security can actually be a part of it
  • Ops found a way to add value; security needs to find that same path
  • There are three ways we can add value: at development, at deploy, at runtime

SLIDE 8

A study in how we know anything in Application Security

SLIDE 9

Spoiler Alert: We don’t!

SLIDE 10

Once upon a time…
SLIDE 11

Epistemological Problem of Software Development

SLIDE 12

We optimize for the probable

SLIDE 13

Unit Testing

SLIDE 14

Integration Testing

SLIDE 15

Happy Path Engineering

SLIDE 16

We also optimize for the possible

SLIDE 17

Over Engineering

SLIDE 18

The scaling algo that never got used…

SLIDE 19

There is too much to choose from in the realm of possible

SLIDE 20

Actually, we optimize for the perceived probable

SLIDE 21

How do we know what to create?

SLIDE 22

This is the problem

SLIDE 23

Epistemological Problem of Software Development

SLIDE 24

We gather data and rhetoric to support our theories
SLIDE 25

There are 3 major arcs in the history of Software Development

SLIDE 26

First Arc: Agile

SLIDE 27

Agile avoids the problem

SLIDE 28

Agile reminds us that we don’t know what we are building

SLIDE 29

SLIDE 30

Behavior Driven Development

SLIDE 31

BDD = Agile + feedback

SLIDE 32

“Behavior Driven Development is a second-generation, outside-in, pull-based, multiple-stakeholder, multiple-scale, high-automation, agile methodology. It describes a cycle of interactions with well-defined outputs, resulting in the delivery of working, tested software that matters.”

  • Dan North, 2009

SLIDE 33

Amplify Feedback Loop

SLIDE 34

Agile emphasizes feedback to developers from their overlords and sometimes even customers

SLIDE 35

TLDR; Rapid Iterations Win

SLIDE 36

Agile is our guiding Light

SLIDE 37

The world has changed since Agile

SLIDE 38

We don’t sell CDs anymore

SLIDE 39

Software as a Service

SLIDE 40

The last fifteen years have brought a complete change in our delivery cadence, distribution mechanisms and revenue models

SLIDE 41

Second Arc: DevOps

SLIDE 42

DEVOPS IS THE APPLICATION OF AGILE METHODOLOGY TO SYSTEM ADMINISTRATION

  • THE PRACTICE OF CLOUD SYSTEM ADMINISTRATION BOOK
SLIDE 43

DEVOPS

SLIDE 44

Agile Infrastructure

SLIDE 45

http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr

SLIDE 46

Less WIP

Less technical debt

SLIDE 47

Customers actually using the feature while the developer is working on it

SLIDE 48

Great side effect: Produces Happy Developers

SLIDE 49

SLIDE 50

SLIDE 51

Devops realized that ops doesn’t know what devs know and vice versa

SLIDE 52

Dev : Ops 10 : 1

SLIDE 53

DevOps is an Epistemological breakthrough joining people around a common problem

SLIDE 54

Culture is the most important aspect to devops succeeding in the enterprise

  • Patrick DeBois
SLIDE 55

Culture is shaped in part by values

SLIDE 56

SLIDE 57

  • Mutual Understanding
  • Shared Language
  • Shared Views
  • Collaborative Tooling

SLIDE 58

DEVOPS IS THE INEVITABLE RESULT OF NEEDING TO DO EFFICIENT OPERATIONS IN A [DISTRIBUTED COMPUTING AND CLOUD] ENVIRONMENT.

  • TOM LIMONCELLI
SLIDE 59

https://puppetlabs.com/sites/default/files/2015-state-of-devops-report.pdf

SLIDE 60

TLDR; High-performing IT organizations experience 60X fewer failures and recover from failure 168X faster than their lower-performing peers. They also deploy 30X more frequently with 200X shorter lead times.

SLIDE 61

Culture, Automation, Measurement, Sharing

  • @damonedwards, @botchagalupe

SLIDE 62

Devops gone wrong

SLIDE 63

“THAT THE WORD #DEVOPS GETS REDUCED TO TECHNOLOGY IS A MANIFESTATION OF HOW BADLY WE NEED A CULTURAL SHIFT”

  • @PATRICKDEBOIS

http://www.slideshare.net/cm6051/london-devops-31-5-years-of-devops

SLIDE 64

Third Arc: Continuous Delivery

SLIDE 65

Continuous Delivery is not merely how often you deliver but how little you can deliver at a time

SLIDE 66

Delivery Pipelines are rad!

SLIDE 67

Batch Size of 1

SLIDE 68

Separation of Duties Considered Harmful

SLIDE 69

Give power to the Developers to deploy

SLIDE 70

Reduce Code Latency

Increase Code Velocity

SLIDE 71

3 Arcs: Agile, DevOps, Continuous Delivery

SLIDE 72

The next Arc: Security Rugged

SLIDE 73

“…Those stupid developers”

  • Security person
SLIDE 74

“Security prefers a system powered off and unplugged”

  • Developer
SLIDE 75

Cultural Unrest with security in most organizations

SLIDE 76

Compliance Driven Culture

SLIDE 77

“[RISK ASSESSMENT] INTRODUCES A DANGEROUS FALLACY: THAT STRUCTURED INADEQUACY IS ALMOST AS GOOD AS ADEQUACY AND THAT UNDERFUNDED SECURITY EFFORTS PLUS RISK MANAGEMENT ARE ABOUT AS GOOD AS PROPERLY FUNDED SECURITY WORK”

SLIDE 78

Security is where ops was 5 years ago…

SLIDE 79

Dev : Ops : Sec 100 : 10 : 1

SLIDE 80

Understaffing means no one thinks security helps the business win

SLIDE 81

DevOps changed that for Ops, security can change too

SLIDE 82

Netflix demonstrated that people care about resiliency

SLIDE 83

Innately, we all care

SLIDE 84

Rugged Software Movement

SLIDE 85

#ruggeddevops

SLIDE 86

https://vimeo.com/54250716

SLIDE 87

http://www.youtube.com/watch?v=jQblKuMuS0Y

SLIDE 88

Security’s way forward is to help developers and help operations
SLIDE 89

Start there

SLIDE 90

Let’s review Security’s approach thus far

SLIDE 91

BadIdea #1: Applications can’t be defended—Web App Firewalls suck! Let’s do developer training

SLIDE 92

SLIDE 93

SLIDE 94

Awareness campaign: OWASP Top Ten

SLIDE 95

We abandoned knowing anything useful about the Runtime

SLIDE 96

Instead: add defense based on behaviors

SLIDE 97

BadIdea #2: Developers can’t figure it out. Let’s scan for vulnerabilities instead

SLIDE 98

“Here is a 400 page PDF of our findings to prove your developers don't get it!”

  • The Pen tester
SLIDE 99

Even with the emphasis on appsec training, in practice we made it a dark art

SLIDE 100

Integrated rugged testing should sit inside the pipeline

SLIDE 101

BadIdea #3: With the new alignment to vulnerability scanning, there is a tendency to fix the low-hanging fruit

SLIDE 102

SLIDE 103

We still don't know who is attacking us

SLIDE 104

We still don't actually know what they are attacking

SLIDE 105

Real Threats go Unknown so Developers fix what the automated tooling detected at a certain point in time

SLIDE 106

Add Application Security Telemetry

SLIDE 107

BadIdea #4: Put in tooling that no one outside of security can understand

SLIDE 108

usually in the name of compliance
SLIDE 109

“Get a Web App Firewall dude!”

  • PCI DSS Req 6.6

SLIDE 110

SLIDE 111

Choose your own adventure…

SLIDE 112

The smallest possible solution you can consider a WAF…

SLIDE 113

Our CDN added ModSecurity Ruleset Huzzah!

SLIDE 114

An appliance that blocks all the things

SLIDE 115

And now you wonder why no one eats lunch with you anymore

SLIDE 116

“Every aspect of managing WAFs is an ongoing process. This is the antithesis of set it and forget it technology. That is the real point of this research. To maximize value from your WAF you need to go in with everyone’s eyes open to the effort required to get and keep the WAF running productively.”

  • a whitepaper from a WAF vendor
SLIDE 117

SLIDE 118

Ok, Security has to change… How do we add value already?

SLIDE 119

Two ways!

SLIDE 120

Add value to Devs

Add value to Ops

SLIDE 121

Pray that someone notices

SLIDE 122

SLIDE 123

Pro-Tip #1: Automate security tooling to run in testing

SLIDE 124

Start with adding just one test for XSS on a few pages in your app

SLIDE 125

SLIDE 126

gauntlt automates security tools

SLIDE 127

GAUNTLT

  • Open source, MIT License
  • Gauntlt comes with pre-canned steps that hook security testing tools
  • Gauntlt does not install tools
  • Gauntlt wants to be part of the CI/CD pipeline
  • Be a good citizen of exit status and stdout/stderr

SLIDE 128

SLIDE 129

SLIDE 130

SLIDE 131

SLIDE 132

SLIDE 133

Here’s an XSS attack (a Gauntlt test file) you can use

SLIDE 134

@slow @final
Feature: Look for cross site scripting (xss) using arachni against a URL

  Scenario: Using arachni, look for cross site scripting and verify no issues are found
    Given "arachni" is installed
    And the following profile:
      | name | value                 |
      | url  | http://localhost:8008 |
    When I launch an "arachni" attack with:
      """
      arachni --modules=xss --depth=1 --link-count=10 --auto-redundant=2 <url>
      """
    Then the output should contain "0 issues were detected."

SLIDE 135

http://theagileadmin.com/2015/06/09/pragmatic-security-and-rugged-devops/

SLIDE 136

github.com/gauntlt/gauntlt-demo

SLIDE 137

Email book@gauntlt.org before the end of the day for a review copy

Hands-on Gauntlt Book for GOTO Attendees

SLIDE 138

Pro-Tip #2: Put security testing in your continuous integration system

SLIDE 139

SLIDE 140

SLIDE 141

https://speakerdeck.com/garethr/battle-tested-code-without-the-battle

SLIDE 142

Pro-Tip #3: Add Application Security telemetry to devs and ops

SLIDE 143

Convert App Security Logs into metrics in the systems dev and ops use

StatsD

SLIDE 144

Runtime correlation between biz, ops, dev, sec

SLIDE 145

SQLi attempts + HTTP 500s, or login spikes + transaction decrease
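An added example (not from the talk, and not Signal Sciences code) of the runtime correlation slides 143 to 145 describe: it turns constructed application-security log lines into StatsD counter lines and buckets SQLi-tagged requests alongside HTTP 500s per minute, so the overlap is visible in the metrics dev and ops already watch. The log format and the "sqli" tag (assumed to be emitted by the app's own security instrumentation) are hypothetical.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample log (not real traffic). Hypothetical format:
# "<ISO-8601 time> <status> <method> <path> [security-tags...]"
SAMPLE_LOG = """\
2015-06-09T10:00:02Z 200 GET /search?q=shoes
2015-06-09T10:00:05Z 500 GET /search?q=shoes sqli
2015-06-09T10:00:09Z 500 GET /search?q=boots sqli
2015-06-09T10:00:40Z 200 POST /login
2015-06-09T10:01:03Z 200 POST /login
2015-06-09T10:01:10Z 500 GET /search?q=hats
2015-06-09T10:01:15Z 200 GET /
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d{3})\s+(\S+)\s+(\S+)(.*)$")

def parse_line(line):
    """Return (epoch_seconds, status, tags) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(ts.timestamp()), int(m.group(2)), m.group(5).split()

def statsd_lines(log_text, prefix="app"):
    """One StatsD counter line per HTTP status and per security tag seen."""
    counts = Counter()
    for parsed in filter(None, map(parse_line, log_text.splitlines())):
        _, status, tags = parsed
        counts[f"{prefix}.http.status.{status}"] += 1
        for tag in tags:
            counts[f"{prefix}.security.{tag}"] += 1
    return sorted(f"{name}:{n}|c" for name, n in counts.items())

def correlate(log_text, window=60):
    """Per time window, count SQLi-tagged requests and HTTP 500s side by side."""
    buckets = defaultdict(lambda: {"sqli": 0, "http_500": 0})
    for ts, status, tags in filter(None, map(parse_line, log_text.splitlines())):
        bucket = buckets[ts - ts % window]
        bucket["sqli"] += int("sqli" in tags)
        bucket["http_500"] += int(status == 500)
    return dict(buckets)

def suspicious_windows(log_text, window=60):
    """Window starts where SQLi attempts and server errors coincide."""
    return [start for start, c in sorted(correlate(log_text, window).items())
            if c["sqli"] and c["http_500"]]
```

The StatsD lines can be sent as-is over UDP to a StatsD daemon; the window with both counters non-zero is the one worth paging on.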

SLIDE 146

Runtime Instrumentation for Application Security

SLIDE 147

Pro-Tip #4: Get hugs from the auditors and add Hardening and Audit using config management

SLIDE 148

Open Source Hardening Framework (chef/puppet/ansible)

http://hardening.io/

SLIDE 149

Run Nightly Audits of your Hardening using Config Management (Chef audit mode)

https://www.chef.io/blog/2015/04/09/chef-audit-mode-cis-benchmarks/

SLIDE 150

OS and Config Management

SLIDE 151

Reverse the trend: Add Value to Devs, Add Value to Ops

SLIDE 152

Summary

  • Software development has been a constant experiment in how we know anything
  • Application Security abdicated runtime responsibility, and effectively abdicated development responsibility, through incoherent philosophical approaches and fostering organizational silos
  • DevOps is here to stay, and security can actually be a part of it
  • Ops found a way to add value; security needs to find that same path
  • There are three ways we can add value: at development, at deploy, at runtime

SLIDE 153

SLIDE 154

Thanks!