inject security into source code
play

Inject Security into Source Code How 2018 Will Shift Your Security - PowerPoint PPT Presentation

Aug 27, 2023 •253 likes •772 views

Inject Security into Source Code How 2018 Will Shift Your Security Priorities Panelists F a rsha d Ab a si, CT O Mira i Se c urity Ja c e k Ma te rna , CT O Asse mb la Je ff Ro use , Dir. Pro duc t Ma na g e me nt Ac tive Sta te Wher e

  1. Inject Security into Source Code How 2018 Will Shift Your Security Priorities

  2. Panelists F a rsha d Ab a si, CT O Mira i Se c urity Ja c e k Ma te rna , CT O Asse mb la Je ff Ro use , Dir. Pro duc t Ma na g e me nt Ac tive Sta te

  3. Wher e we’ve been > T ra c k re c o rd: > 20 ye a rs wo rking with o pe n so urc e la ng ua g e s & e nte rprise s, 97% o f F o rtune 500 c o mpa nie s trust us > 5 L a ng ua g e s: Pytho n, Pe rl, T c l, Go & Rub y > 64+ Pla tfo rms: Windo ws, Ma c , L inux, AI X, So la ris, HP-UX... > So lutio ns to he lp e nte rprise s b e ne fit fro m o pe n so urc e

  4. Wher e we’r e going E na b le e nte rprise s to ke e p up with the pa c e o f c o de r inno va tio n b y re mo ving fric tio n a t a ll po ints in the SDL C: > Stre a mline c o nfig ura tio n o f o pe n so urc e la ng ua g e s > Allo w c o ntro l o f a pplic a tio n se c urity & c o mplia nc e > E sta b lish inte g rity a t a ll sta g e s in the so ftwa re de ve lo pme nt life c yc le (SDL C) A Sa a S Pla tfo rm to stre a mline the e ntire de v pro c e ss & ma ke thing s a s se c ure a s po ssib le , le a d with a Pytho n runtime o ffe ring .

  5. Inj ecting S ecurity Into S ource Code Farshad Abasi | 2018-01-23 | v0.1

  6. S hifting security to the left • About 56% of all software defects arise during the requirement phase, 27% during design phase, and only 7% during development • Defects identified and resolved during requirement & design are about 100 times less costly to fix than those discovered after • Goal is to address security earlier, not create more work for devs • S hift left does not mean the roles and responsibilities of quality and security go away

  7. Continuous security in a CI / CD environment • S ecurity tools should be integrated into the CI / CD pipeline • Integration allows ” low hanging fruit” to be caught earlier and regularly • Can't afford to wait until the end of the build-and-release pipeline to perform a detailed security scan • Information security platforms should expose functionality via APIs • Allows for automation and integration of security into DevOps and the developer’s preferred tool chain

  8. Making security easier for Dev teams • S tart with secure development and training • Don’ t make developers become security experts or switch tools • Adopt the concept of people-centric security • Empower developers to take personal responsibility for security • Compensate for this with monitoring, following a "trust and verify" mindset • Use of frameworks and tools to handle security • Input validation to be done by development framework or plug-in • CS RF tokens to be generated, inserted and verified by framework • IDE plug-ins

  9. Microservices architecture and impact on security • Microservices break larger services/ apps into smaller independent ones • Loosely coupled as opposed to tightly coupled • May not include any security controls that were previously part of the larger service/ application (e.g. authentication, authorization, input validation) • Typically developed in an agile manner by DevOps teams • Need to ensure some security is built into the dev pipeline to catch low hanging fruit • S hould enforce security at a single point (i.e. gateway) and maintain end-to-end trust throughout the j ourney • Use of trust-tokens • End-to-end security assessment across the entire user- j ourney involving different microservices should be performed

  10. Maintain a security focus without slowing delivery • Incorporation of security into DevOps/ Agile should speed up the overall release process • Incorporating as much security as possible into the DevOps/ Agile workflow through automation • S hould be done transparently • Must preserve the agility and speed of DevOps/ Agile environment • S hift-left security increases delivery speed by reducing: • number of eyeballs at a given time, resulting in smaller/ efficient teams • total gates with manual checks

  11. Immutable infrastructure and impact on security • Traditional mutable systems are patched and maintained • E.g. admins can S S H into a server and upgrade packages, adj ust configuration, or push patches via an agent • Immutable infrastructure components are replaced rather than changed • Changes to the infrastructure (or even an admin account) are not allowed • If changes are required, a new server is built from a base image + packages • If changes are detected a violate a set criteria, that instance is replaced • Immutability results in increased security • Patching/ updating large number of servers is not required as you can create one image and push out new instances quickly • Existing applications need to be re-architected to align with this model

  12. S ecurity of code in production • Require manual approval in the pipeline to put sensitive components from dev into production • E.g. those handling sensitive data or functionality • Use automated installers and uninstallers • Deploy using a least privilege security model • Apply change control and configuration management • Captures the baseline configuration to help identify malicious changes • Ability to track changes is useful from a security perspective • Can prevent unauthorized changes and roll back those that may have introduced security vulnerabilities

  13. DevS ecOps and inj ecting security into S DLC • Barriers must be removed between security and application teams • Dev Similar to how DevOps overcomes the divide S oftware releases between Dev and Ops teams & updates • S ecurity requirements must be clearly communicated and easily integrated into the complete process Sec Ops Confidentiality, R eliability, Integrity, performance, • S ecurity review and testing must be Availability scaling integrated at multiple points in DevOps workflows

  14. DevSecOps Shifting security “Left”

  15. Software is eating the world. Companies are under pressure to move FAST.

  16. While, Enterprises are spending more on cybersecurity than ever.

  17. $100,000,000,000

  18. BUT, breaches are at an all time high. “The dramatic increase in cyber attack frequency, complexity, and size over the past year suggests that the economics of hacking have turned a corner.” - Radware, 2017

  19. “90% of security incidents relate to vulnerabilities in code.” - US Dept. of Homeland Security

  20. Why?

  21. CENTRAL IT Shadow IT TEAM IT

  22. Companies have a Need for Speed.

  23. DevOps.

  24. Value Dev _ Ops.

  25. Value Availability Dev _ Ops. Efficiencies that speed up software lifecycle.

  26. DevOps and Security silos Source Builds Production Code Sec team out of the “loop” with DevOps

  27. Controls and Security can no longer be side-lined.

  28. Dev Sec Ops.

  29. Value Dev _ Sec _ Ops.

  30. Value Availability Dev _ Sec _ Ops.

  31. Value Availability Dev _ Sec _ Ops. Trust Validate building blocks without slowing lifecycle.

  32. Shift security “Left” Effort ROI

  33. Shift security “Left” Source Builds Production Code Spending further “Left” increases returns

  34. But, to reach DevSecOps your company must: 1. Adopt an automation culture 2. Deploy agile software lifecycle 3.Integrate security into your culture

  35. Competition is driving faster release cycles

  36. DevOps Cycle

  37. DevSecOps

  38. Security: Shift Left or Shift Out #1 problem is time to market

  39. Security must be baked in.

  40. Security Automation (It’s table stakes.)

  41. Open Source: Accelerates Innovation but Introduces Risk 60% 85% Open Source Repositories # of open source modules by language – Unknown or Out Security Vulnerabilities* of Compliance Licenses* Python Perl Go Ruby Developers 110,000 35,000 20,000 133,000 Node.js (npm): 575,000 * Based on 2017 Black Duck Open Source Security and Risk Analysis audit.

  42. You Got This Security must be baked in

  43. Solution: Shift Issue Resolution Left ActiveState Platform Policy Definitions GPL License Substitute Component Older Version Newer Version Supplied IDE Vulnerability Patch Provided Adds a component/ library ActiveState Identifies Issues (based on your policy) and Provides a Solution in the IDE Dev

  47. Drill Down

  48. Q&A

  49. T ha nk you to our pa ne lists F arshad Abasi, Mirai Se c urity farshad.abasi@miraise c urity.c o m Jac e k Mate rna, Asse mbla jac e k@asse mbla.c o m Je ff Ro use , Ac tive State je ffr@ac tive state .c o m

  50. Find Us T e l: 1.866.631.4581 We bsite : www.ac tive state .c o m T witte r: @ ac tive state F ac e bo o k: / ac tive state so ftware E arly Ac c e ss Sig nup: https:/ / start.ac tive state .c o m/ e arly-ac c e ss/

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Source Code Analysis for Security through LLVM Lu Zhao HP Fortify lu.zhao@hp.com Static Code

Source Code Analysis for Security through LLVM Lu Zhao HP Fortify lu.zhao@hp.com Static Code

Source Code Analysis for Security through LLVM Lu Zhao HP Fortify lu.zhao@hp.com Static Code Analyzer for Security Static Code Analyzer for Security (HP Fortify SCA) C/C++ Java Vulnerabilities LLVM Language independent Services C/C++ Swift

325 views • 31 slides
Compiling and Linking C code Assembly C Source C Source C Source Source .c Code Code Code

Compiling and Linking C code Assembly C Source C Source C Source Source .c Code Code Code

Advanced Programming Modular Programming in C Modular Programming Intro n It is not possible to create complex programs using a single source file: n Compiling is slow n Difficult reuse of functions n Impossible collaboration among

513 views • 17 slides
deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security

deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security

Software and Web Security deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security vulnerabilities esp in systems accessible via a network part 1 security problems in machine code, compiled from C(++)

1.35k views • 67 slides
Active Adversary Lecture 7 CCA Security MAC Active Adversary An active adversary can inject

Active Adversary Lecture 7 CCA Security MAC Active Adversary An active adversary can inject

Active Adversary Lecture 7 CCA Security MAC Active Adversary An active adversary can inject messages into the channel Eve can send ciphertexts to Bob and get them decrypted Chosen Ciphertext Attack (CCA) If Bob decrypts all ciphertexts for Eve,

352 views • 14 slides
Application Security The source code perspective Authors: Francesco Consiglio Marco Borza

Application Security The source code perspective Authors: Francesco Consiglio Marco Borza

Application Security The source code perspective Authors: Francesco Consiglio Marco Borza Implementation Challenges Iron Triangle Security as an afterthought The Secure SDLC in the Waterfall Model SDLC vs Secure SDLC Cost Reduction

1.3k views • 11 slides
Similar code fragment A code fragment that has similar part to it in source code

Similar code fragment A code fragment that has similar part to it in source code

Similar code fragment A code fragment that has similar part to it in source code introduced in source code because of various reasons. e.g. copy-and-paste makes software maintenance difficult. It is necessary to It is

488 views • 9 slides
Security and the .NET Framework Code Access Security Enforces security policy on code

Security and the .NET Framework Code Access Security Enforces security policy on code

Security and the .NET Framework Code Access Security Enforces security policy on code Regardless of user running the code Regardless of whether the code is in the same application with other code Other code can be more, less, or

695 views • 21 slides
in practice source code source code javac scalac groovyc jrubyc 0xCAFEBABE byte code

in practice source code source code javac scalac groovyc jrubyc 0xCAFEBABE byte code

Java byte code in practice source code source code javac scalac groovyc jrubyc 0xCAFEBABE byte code source code javac scalac groovyc jrubyc 0xCAFEBABE byte code class loader interpreter JIT compiler JVM source code javac

1.6k views • 149 slides
vs. When Security is not a Developer's fault. Rodrigo Chiossi r.chiossi@samsung.com Rodrigo

vs. When Security is not a Developer's fault. Rodrigo Chiossi r.chiossi@samsung.com Rodrigo

vs. When Security is not a Developer's fault. Rodrigo Chiossi r.chiossi@samsung.com Rodrigo Chiossi Android Builders Summit 2013 AndroidXRef : One year ago Online source code cross reference of the Android source code. All major

947 views • 21 slides
The Human Component in Automated Bug Finding Christian Holler (:decoder) Staff Security Engineer

The Human Component in Automated Bug Finding Christian Holler (:decoder) Staff Security Engineer

The Human Component in Automated Bug Finding Christian Holler (:decoder) Staff Security Engineer ~ 16M lines source code ~ 16M lines source code Last month: 340 authors with 2,475 commits Interfaces Media Formats Markup Fonts Languages

1.12k views • 72 slides
Blaise Source Code Blaise Source Code Editing System Presenter: Danilo Gutierrez C Co-author:

Blaise Source Code Blaise Source Code Editing System Presenter: Danilo Gutierrez C Co-author:

Blaise Source Code Blaise Source Code Editing System Presenter: Danilo Gutierrez C Co-author: Sheila Deskins th Sh il D ki Health and Retirement Study (HRS) The 11th International Blaise Conference Annapolis, Maryland September 2007

577 views • 47 slides
Taken Out of Context: Security Risks with Security Code AutoFill in iOS & macOS Andreas

Taken Out of Context: Security Risks with Security Code AutoFill in iOS & macOS Andreas

Cambridge Innovation Centre Taken Out of Context: Security Risks with Security Code AutoFill in iOS & macOS Andreas Gutmann, Steven J. Mudoch, WAY19 | @kryptoandi PLEASE RAISE YOUR HAND Have you ever received a security code via SMS

289 views • 24 slides
What is a Compiler? Compiler A program that translates code in one language (source code) to

What is a Compiler? Compiler A program that translates code in one language (source code) to

CS 426 Lecture 1: Course Overview What is a Compiler? Compiler A program that translates code in one language (source code) to code in another language (target code). Usually, target code is semantically equivalent to source code, but not

905 views • 11 slides
Bankruptcy Code The Bankruptcy Code (Chapter 11 of the USC) is the source of all bankruptcy

Bankruptcy Code The Bankruptcy Code (Chapter 11 of the USC) is the source of all bankruptcy

Source of Bankruptcy Law The Bankruptcy Code The Bankruptcy Code (Chapter 11 of the USC) is the source of all bankruptcy law. The code is very detailed, and resort to case law is less necessary than with other areas of law. Federal

365 views • 8 slides
Evolving nVidia GPU parallel source code W. B. Langdon CREST Department of Computer Science

Evolving nVidia GPU parallel source code W. B. Langdon CREST Department of Computer Science

Evolving nVidia GPU parallel source code W. B. Langdon CREST Department of Computer Science 21.3.2012 Evolving GPU source code talk me, time you Using genetic programming to create C source code How? Why? Proof of

453 views • 28 slides
What is open source? Computer software where the source code is distributed under an open

What is open source? Computer software where the source code is distributed under an open

What is open source? Computer software where the source code is distributed under an open source license that allows anyone to study, change, improve and distribute the software. Promotes collaboration Community of developers

878 views • 16 slides
Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks Lucian

Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks Lucian

Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks Lucian Cojocar, Kaveh Razavi, Cristiano Giuffrida, Herbert Bos Rowhammer (RH) causes bits to flip Exploit to escalate privilege [Seaborn 15]

437 views • 41 slides
Code review for Beginners and Experts: Tips & Tricks ukasz K kol Who am I?

Code review for Beginners and Experts: Tips & Tricks ukasz K kol Who am I?

Code review for Beginners and Experts: Tips & Tricks ukasz K kol Who am I? Software Engineer Technical Team Leader Author of "Idiomatic Python Performance" (Apress) Speaker @ EuroPython, PyCon UK, PySS &

320 views • 15 slides
Declarative Visitors to Ease Fine-grained Source Code Mining with Full History on Billions of

Declarative Visitors to Ease Fine-grained Source Code Mining with Full History on Billions of

Declarative Visitors to Ease Fine-grained Source Code Mining with Full History on Billions of AST Nodes Robert Dyer, Hridesh Rajan, and Tien Nguyen {rdyer,hridesh,tien}@iastate.edu Iowa State University The research and educational activities

582 views • 29 slides
PHOG: Probabilistic Model for Code Pavol Bielik , Veselin Raychev, Martin Vechev Software

PHOG: Probabilistic Model for Code Pavol Bielik , Veselin Raychev, Martin Vechev Software

PHOG: Probabilistic Model for Code Pavol Bielik , Veselin Raychev, Martin Vechev Software Reliability Lab Department of Computer Science ETH Zurich Vision Statistical Programming Tool Probabilistic Model number of 15 million repositories

847 views • 35 slides
Amassing and indexing a large sample of version control systems: towards the census of public

Amassing and indexing a large sample of version control systems: towards the census of public

Amassing and indexing a large sample of version control systems: towards the census of public source code history Audris Mockus audris@avaya.com Avaya Labs Research Basking Ridge, NJ 07920 http://mockus.org/ Why global properties of code?

559 views • 11 slides
Adversarial Robustness for Code Pavol Bielik , Martin Vechev pavol.bielik@inf.ethz.ch,

Adversarial Robustness for Code Pavol Bielik , Martin Vechev pavol.bielik@inf.ethz.ch,

ICML 2020 Adversarial Robustness for Code Pavol Bielik , Martin Vechev pavol.bielik@inf.ethz.ch, martin.vechev@inf.ethz.ch Department of Computer Science 1 Adversarial Robustness panda gibbon Vision + = Explaining and Harnessing

429 views • 32 slides
FALCON: AN OPTIMIZING JAVA JIT Philip Reames Azul Systems AGENDA Intro to Falcon Why

FALCON: AN OPTIMIZING JAVA JIT Philip Reames Azul Systems AGENDA Intro to Falcon Why

FALCON: AN OPTIMIZING JAVA JIT Philip Reames Azul Systems AGENDA Intro to Falcon Why you should use LLVM to build a JIT Common Objections (and why theyre mostly wrong) 2 WHAT IS FALCON? Falcon is an LLVM based

1.01k views • 66 slides
Mining Source Code Repositories at Massive Scale using Language Modeling Miltos Allamanis,

Mining Source Code Repositories at Massive Scale using Language Modeling Miltos Allamanis,

Mining Source Code Repositories at Massive Scale using Language Modeling Miltos Allamanis, Charles Sutton m.allamanis@ed.ac.uk csutton@inf.ed.ac.uk University of Edinburgh Supported by: Polyglot programmers Multitude of APIs &

2.69k views • 22 slides

More recommend