What is Rugged all about? Matt Konda He would want me to tell you - - PowerPoint PPT Presentation



slide-1
SLIDE 1

What is ‘Rugged’ all about?

Matt Konda

slide-2
SLIDE 2
slide-3
SLIDE 3
slide-4
SLIDE 4
slide-5
SLIDE 5
slide-6
SLIDE 6
slide-7
SLIDE 7

He would want me to tell you

  • Software is eating the world.
  • DevOps and Security is a rare opportunity.
  • Makes security positive, cultural+
  • Show the Rugged Manifesto
  • Honey Badger = Security + DevOps …
  • Empathy, Empathy, Empathy
  • Bridge communities!
slide-8
SLIDE 8

He would want me to emphasize

  • Instrumentation
  • Be Mean To Your Code
  • Complexity is the Enemy
  • Change Management (Automation through tooling)
  • Empathy (Did I say that yet?)
slide-9
SLIDE 9

He would want me to mention

  • By updating our software (and its dependencies) we can address a huge amount of attack surface.
  • DevOps should be good at this.
  • Empathy (Did I say that yet?)
slide-10
SLIDE 10
slide-11
SLIDE 11

OWASP?

slide-12
SLIDE 12

Introduction

Timeline: 1997, 2006, 2014
Roles: Consultant, Engineer, Software Architect, Director of Engineering, Rabble Rouser
Languages and frameworks: Perl, Java Applet, C++, J2EE, Spring, Ruby, Rails, Clojure, Graph Database
Projects: Analytics, Certificate Authority, Vulnerability Scanner, Penetration Test Manager, Pricing, DevOps (Growing)
Domains: Retail Banking, Manufacturing, Pharma, Healthcare, Research
Talks: Chicago BSides 2011, 2012; Defcon Skytalk; OWASP Chicago, MSP 2013; AppSec USA 2012, 2013; ChicagoRuby 2013; Secure 360; Lone Star Ruby 2013; WindyCityRails 2013; Chicago JUG 2014; RailsConf 2014; Converge 2014; Chicago Coder Conference 2015
Background: MS in CS, Founder, Consultant, Agile
Trying to hack a business model that succeeds while helping developers.
Services: DevOps / Automation, Training, Coaching, Code Review, Plugged in to SDLC, Consulting, Assessments
@mkonda mkonda@jemurai.com
slide-13
SLIDE 13

This was a setup. Chicago style.

slide-14
SLIDE 14
slide-15
SLIDE 15
slide-16
SLIDE 16

But in Chicago, we make the best of every situation.

slide-17
SLIDE 17
slide-18
SLIDE 18

Positive Software Security

Matt Konda

slide-19
SLIDE 19

Let’s learn what we can from Rugged (applied to DevOps)

slide-20
SLIDE 20

I recognize that software has become a foundation of our modern world. I recognize the awesome responsibility that comes with this foundational role. I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended. I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic and national security. I recognize these things – and I choose to be rugged.

slide-23
SLIDE 23

Reminiscent of the Agile Manifesto Perhaps?

slide-24
SLIDE 24

Let’s talk about adversaries…

slide-25
SLIDE 25
slide-26
SLIDE 26

This year, organized crime became the most frequently seen threat actor for Web App Attacks.

Source: Verizon 2015 Data Breach Investigations Report
slide-27
SLIDE 27
slide-28
SLIDE 28
slide-29
SLIDE 29

Threat model

slide-30
SLIDE 30
slide-31
SLIDE 31
slide-32
SLIDE 32
slide-33
SLIDE 33
slide-34
SLIDE 34
slide-35
SLIDE 35

Security Examples

slide-36
SLIDE 36

The query the application actually ran. The rewards_code parameter was the string a') union select … from users; --: it closes the intended predicate, UNIONs the users table into the result (e-mail and password hash mapped onto the orders columns), and comments out the trailing ').

SELECT "orders".* FROM "orders" WHERE (rewards_code = 'a') union select id, 'product', 1, 1, 'cc', 'cvv', 'expiration', email as first_name, encrypted_password as last_name, created_at, updated_at, id, 'reward' from users; --')

slide-37
SLIDE 37

Getting Rugged?

Train. Search for string concatenation (+, append) in query-building code and prefer parameterized queries! Do code review. Use static analysis. Use web app scanning.
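The rewards_code lookup from slide 36, built both ways. This is an added example, not code from the talk or from the application behind the slide; the payload is constructed to reproduce the slide's query exactly, and no database is used, since the point is visible in the SQL text and bind values each approach hands to the driver. The function names and the select_count heuristic are this example's own.

```ruby
# Added example (not from the slides): the rewards_code lookup built two ways.
# No database is needed; we only inspect the SQL text and bind values each
# approach hands to the driver.

# Constructed payload in the shape the slide shows: it closes the quoted value
# and the parenthesis, UNIONs the users table into the result, and comments
# out whatever the application appends after it.
INJECTED_CODE = "a') union select id, 'product', 1, 1, 'cc', 'cvv', 'expiration', " \
                "email as first_name, encrypted_password as last_name, created_at, " \
                "updated_at, id, 'reward' from users; --"

# Vulnerable: the user-supplied code is interpolated straight into the SQL
# string. In Rails this is the `Order.where("rewards_code = '#{params[:code]}'")`
# idiom the slide's grep for concatenation is meant to catch.
def orders_by_code_unsafe(code)
  %(SELECT "orders".* FROM "orders" WHERE (rewards_code = '#{code}'))
end

# Parameterized: SQL text and value travel separately. The driver binds the
# value as data, so quotes inside it can never change the statement's shape.
# Rails equivalents: `Order.where("rewards_code = ?", code)` or
# `Order.where(rewards_code: code)`.
def orders_by_code_parameterized(code)
  ['SELECT "orders".* FROM "orders" WHERE (rewards_code = ?)', [code]]
end

# Coarse structural check: the number of SELECTs in the statement should not
# depend on user input. An injected UNION adds a second one.
def select_count(sql)
  sql.scan(/\bselect\b/i).size
end

if __FILE__ == $0
  puts orders_by_code_unsafe(INJECTED_CODE)
  puts "SELECTs in unsafe query:        #{select_count(orders_by_code_unsafe(INJECTED_CODE))}"
  sql, binds = orders_by_code_parameterized(INJECTED_CODE)
  puts "SELECTs in parameterized query: #{select_count(sql)} (payload stays in binds: #{binds.size} value)"
end
```

Run with `ruby` and the first line printed is, character for character, the query on slide 36; the parameterized version keeps one SELECT however the input is shaped, because the payload never becomes SQL text.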

slide-38
SLIDE 38

Output Encoding

<  →  &lt;      >  →  &gt;

slide-39
SLIDE 39

Getting Rugged?

Train. Search for unescaped-output sinks: {{{, innerHTML, .raw, utext, etc. Do code review. Use static analysis. Use web app scanning.
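Output encoding from slide 38 and the grep-style search recommended on slides 37 and 39, as one added example (not code from the talk). It shows what CGI.escapeHTML does to a constructed attacker-controlled value, then runs a small pattern scan over a constructed handful of source lines mixing safe and unsafe idioms. The SINK_PATTERNS regexes and the sample lines are this example's own and are a reviewer's heuristic, not a substitute for the static analysis the slides also call for.

```ruby
require "cgi"

# Added example (not from the slides). Two parts:
#  1. what output encoding does to an attacker-controlled string;
#  2. the grep-style search slides 37 and 39 recommend, run over a few
#     constructed source lines instead of a real code base.

# Constructed value a user might store in a profile field.
STORED_NAME = %(<img src=x onerror="alert(1)">)

# Vulnerable: the value is spliced into the page as markup. Rails `raw` /
# `html_safe`, Handlebars `{{{ }}}`, Thymeleaf `th:utext` and DOM `innerHTML`
# all behave this way.
def render_unsafe(name)
  "<p>Welcome, #{name}</p>"
end

# Encoded: CGI.escapeHTML turns < > & " ' into entities, so the browser renders
# the value as text rather than parsing it as a tag.
def render_encoded(name)
  "<p>Welcome, #{CGI.escapeHTML(name)}</p>"
end

# Patterns a code reviewer greps for (heuristic, constructed for this example):
#  sql_concat  - a query call whose first argument is a string literal that is
#                then interpolated (#{...}) or concatenated (" + ");
#  raw_output  - the unescaped-output sinks slide 39 lists.
SINK_PATTERNS = {
  sql_concat: /\b(?:where|find_by_sql|execute|select_all)\s*\(\s*["'].*?(?:#\{|\s\+\s)/,
  raw_output: /\{\{\{|\binnerHTML\b|\braw\b|\bhtml_safe\b|\butext\b/,
}.freeze

# Returns [line_number, kind, stripped_line] for every line matching a pattern.
def scan_source(source)
  hits = []
  source.each_line.with_index(1) do |line, n|
    SINK_PATTERNS.each do |kind, re|
      hits << [n, kind, line.strip] if line.match?(re)
    end
  end
  hits
end

# Constructed snippet: odd lines are the dangerous idiom, even lines the safe one.
SAMPLE_SOURCE = <<~'SRC'
  Order.where("rewards_code = '#{params[:code]}'")
  Order.where(rewards_code: params[:code])
  User.find_by_sql("SELECT * FROM users WHERE email = '" + email + "'")
  <%= raw @user.bio %>
  <%= @user.bio %>
  el.innerHTML = data.comment;
  el.textContent = data.comment;
SRC

if __FILE__ == $0
  puts render_unsafe(STORED_NAME)
  puts render_encoded(STORED_NAME)
  scan_source(SAMPLE_SOURCE).each { |n, kind, line| puts "line #{n} [#{kind}]: #{line}" }
end
```

The scan flags lines 1, 3, 4 and 6 and leaves the parameterized query, the auto-escaped ERB tag and textContent alone; the same regexes can be pointed at a real tree with `grep -En` to build the review list the slides describe.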

slide-40
SLIDE 40

Insecure Direct Object Reference

Diagram: Hani and Joanne each have a Salary Record; Hani requests Joanne's record by supplying its id. (?)

Authorization fail!
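The salary-record lookup from slide 40 as an added example (not code from the talk): once as an insecure direct object reference, once scoped to the requester, and once with an explicit post-fetch authorization check. The names are the slide's; the in-memory records, amounts and function names are constructed for the example, and the Rails calls in the comments are the idioms each function stands in for.

```ruby
# Added example (not from the slides): the salary-record lookup from slide 40,
# once as an insecure direct object reference and once scoped to the requester.
# In-memory records stand in for the database; names are the slide's.

SalaryRecord = Struct.new(:id, :owner, :amount)

RECORDS = [
  SalaryRecord.new(1, "Hani", 70_000),    # constructed
  SalaryRecord.new(2, "Joanne", 85_000),  # constructed
].freeze

class NotFound < StandardError; end

# Vulnerable: the id from the URL is the only input, so whoever is logged in
# gets whichever record they ask for. Rails: `SalaryRecord.find(params[:id])`.
def salary_unsafe(_current_user, id)
  RECORDS.find { |r| r.id == id } or raise NotFound
end

# Fixed: look the record up *through* the requester, so a foreign id is simply
# not found. Rails: `current_user.salary_records.find(params[:id])`.
def salary_scoped(current_user, id)
  RECORDS.find { |r| r.owner == current_user && r.id == id } or raise NotFound
end

# Alternative when the lookup cannot be scoped: fetch, then authorize.
# Answering "not found" for both cases keeps the endpoint from confirming
# which ids exist.
def salary_authorized(current_user, id)
  record = RECORDS.find { |r| r.id == id } or raise NotFound
  raise NotFound unless record.owner == current_user
  record
end

if __FILE__ == $0
  puts "unsafe:  Hani asks for id 2 -> #{salary_unsafe('Hani', 2).owner}'s record"
  begin
    salary_scoped("Hani", 2)
  rescue NotFound
    puts "scoped:  Hani asks for id 2 -> not found"
  end
end
```

The scoped form is the one to reach for first: it removes the authorization decision from the controller entirely, which is also what makes it easy to cover with a security unit test (assert that a foreign id raises).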

slide-41
SLIDE 41
slide-42
SLIDE 42
slide-43
SLIDE 43

Some Specifics Around Process

slide-44
SLIDE 44

Security in the SDLC

  • Building software is a process.
  • The best way to make software secure is to make security part of the process.
  • There are many ways to do this - none is perfect.
  • Find a way to make the security fit your process.
slide-45
SLIDE 45

Classic Waterfall Delivery: Requirements → Design → Code → Test → Maintenance

slide-46
SLIDE 46

Classic Waterfall Delivery: Requirements → Design → Code → Test → Maintenance, with Security as a separate box after the delivery phases

slide-47
SLIDE 47

Continuous Delivery: The Unit of Work is a Story

Story: Requirements → Design → Code → Test

slide-48
SLIDE 48

Continuous Delivery: The Unit of Work is a Story

Story: Requirements → Design → Code → Test, with security activities attached to each story: Security Requirements, Security Unit Tests, Exploratory Testing, Static Analysis on Commit, Code Review, Threat model / attack surface, Checklists, Understand Dependencies
slide-49
SLIDE 49

continuous delivery

slide-50
SLIDE 50

Classic security sees this and wants to …

slide-51
SLIDE 51

continuous delivery

slide-52
SLIDE 52

Baseline Security Requirements

slide-53
SLIDE 53

ARE STAKEHOLDERS ASKING FOR SECURITY?

slide-54
SLIDE 54
slide-55
SLIDE 55
slide-56
SLIDE 56

Story Points

slide-57
SLIDE 57

Estimates to Include Security Considerations

slide-58
SLIDE 58

Here’s why.

slide-59
SLIDE 59

Agile metrics

Credit: rallydev.com

slide-60
SLIDE 60

Story Review

slide-61
SLIDE 61

Incremental Code Review

slide-62
SLIDE 62

Continuous Integration

slide-63
SLIDE 63
slide-64
SLIDE 64
slide-65
SLIDE 65
slide-66
SLIDE 66

Static Analysis

slide-67
SLIDE 67

Checklists

slide-68
SLIDE 68
slide-69
SLIDE 69
slide-70
SLIDE 70
slide-71
SLIDE 71
slide-72
SLIDE 72

Bug Tracking

slide-73
SLIDE 73

Testing

slide-74
SLIDE 74
slide-75
SLIDE 75
slide-76
SLIDE 76

Operationalize

slide-77
SLIDE 77

Understand lifecycle

slide-78
SLIDE 78

Think incremental

slide-79
SLIDE 79

continuous delivery

Code Review Security Unit Tests Security Requirements
slide-80
SLIDE 80

Automate security tools

slide-81
SLIDE 81

continuous delivery

Security Tool Automation: Code analysis Security unit tests Dynamic scanning etc.
slide-82
SLIDE 82

continuous delivery

Security Tests Run Exploratory Testing Includes Security
slide-83
SLIDE 83

A detailed example:

  • Let’s say a feature is being developed
  • Then devs and testers are checking a new feature
  • Let them browse through an attack proxy (like Burp or ZAP) in passive mode
  • At night or when the system is quiet, use the browsing pattern as seeds for overnight attacks

slide-84
SLIDE 84

Continuous feedback

slide-85
SLIDE 85

continuous delivery

Feedback!
slide-86
SLIDE 86

False Positives Are a Necessary EVIL
slide-87
SLIDE 87

Optimize for relevance

slide-88
SLIDE 88

Provisioning tools

slide-89
SLIDE 89

continuous delivery

Since it's easy to provision, we can do security testing safely in a fresh environment.
slide-90
SLIDE 90

Audit tools

slide-91
SLIDE 91

continuous delivery

Deployment checks include security audit checks.
slide-92
SLIDE 92

Self documenting for regulatory and compliance!

slide-93
SLIDE 93

Chaos tools

slide-94
SLIDE 94

Change is good

slide-95
SLIDE 95

continuous delivery

Change is happening. It can be an opportunity instead of a hassle.
slide-96
SLIDE 96

Complexity is an enemy

slide-97
SLIDE 97

continuous delivery

Small releases reduce complexity. Decomposition to micro-services reduces dependencies and complexity. Right now, security hurts.
slide-98
SLIDE 98

Shared responsibility

slide-99
SLIDE 99

continuous delivery

Another principle of software delivery: build security in! Done means secure! Empowered to do security right!
slide-100
SLIDE 100

Measure results

slide-101
SLIDE 101

Event based model … (Reactive)

slide-102
SLIDE 102

Commit

  • Security Unit Tests
  • Static Code Analysis (Pipeline)
  • Security Requirements
  • Check Dependencies
  • Code Review
  • Checklists
slide-103
SLIDE 103

Deploy

  • Scripted Provisioning / Built in Change Control
  • Provisioning Auditing (Chef Audit, hardening.io)
  • Gauntlt
slide-104
SLIDE 104

Periodic

  • Full app analysis (static, manual pen test)
  • Secure Development Training
  • Baseline Security Requirements Review
  • ASVS Review
  • Data Science on Results
slide-105
SLIDE 105

Security Incident

slide-106
SLIDE 106

Required metasploit struts demo…

slide-107
SLIDE 107

/bin/dependency-check.sh --app struts2-showcase --out /tmp/ --scan /tomcat-root/struts2-showcase/

slide-108
SLIDE 108

<vulnerability>
  <name>CVE-2013-2251</name>
  <cvssScore>9.3</cvssScore>
  <severity>High</severity>
  <cwe>CWE-20 Improper Input Validation</cwe>
  <description>Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.</description>
  <references>
    <reference>
      <source>BID</source>
      <url>http://www.securityfocus.com/bid/64758</url>
      <name>64758</name>
    </reference>
    …
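What a pipeline does with that report: the "Check Dependencies" step from the Commit slide later in the deck, as an added example (not code from the talk or from dependency-check itself). It parses a dependency-check XML report and fails when any finding meets a CVSS threshold. The report below is constructed; only the CVE-2013-2251 entry is taken from the slide, and the surrounding analysis/dependencies/dependency/fileName element nesting is assumed from the dependency-check 1.x report layout, so adjust the XPath if your version's report differs. The gate, threshold and Finding struct are this example's own.

```ruby
require "rexml/document"

# Added example (not from the slides): a build gate over a dependency-check XML
# report. The report is constructed; the CVE-2013-2251 entry is the slide's,
# the element nesting around it is assumed from the 1.x report format.
SAMPLE_REPORT = <<~XML
  <analysis>
    <dependencies>
      <dependency>
        <fileName>struts2-core-2.3.15.jar</fileName>
        <vulnerabilities>
          <vulnerability>
            <name>CVE-2013-2251</name>
            <cvssScore>9.3</cvssScore>
            <severity>High</severity>
            <cwe>CWE-20 Improper Input Validation</cwe>
            <description>Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.</description>
          </vulnerability>
        </vulnerabilities>
      </dependency>
      <dependency>
        <fileName>commons-lang-2.4.jar</fileName>
      </dependency>
    </dependencies>
  </analysis>
XML

Finding = Struct.new(:file, :cve, :score, :severity)

# Parse the report into plain findings, independent of any policy, so the same
# parser can feed a dashboard ("Data Science on Results") as well as the gate.
def parse_findings(xml)
  doc = REXML::Document.new(xml)
  findings = []
  REXML::XPath.each(doc, "//dependency") do |dep|
    file = REXML::XPath.first(dep, "fileName")&.text
    REXML::XPath.each(dep, "vulnerabilities/vulnerability") do |v|
      findings << Finding.new(file,
                              v.elements["name"].text,
                              v.elements["cvssScore"].text.to_f,
                              v.elements["severity"].text)
    end
  end
  findings
end

# Policy: the stage fails when any finding scores at or above the threshold.
# Returns [pass?, offending findings] so the caller decides how to report.
def gate(xml, threshold: 7.0)
  bad = parse_findings(xml).select { |f| f.score >= threshold }
  [bad.empty?, bad]
end

if __FILE__ == $0
  ok, bad = gate(SAMPLE_REPORT)
  puts(ok ? "dependency gate: PASS" : "dependency gate: FAIL")
  bad.each { |f| puts "  #{f.file}: #{f.cve} CVSS #{f.score} (#{f.severity})" }
end
```

In a real pipeline the script would exit non-zero when the gate fails; the threshold is a knob to tune against the "false positives are a necessary evil" point later in the deck, and the parsed findings are the raw material for the periodic review steps.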
slide-109
SLIDE 109

Takeaway: lots of your issues might be in your dependencies!

slide-110
SLIDE 110

So what is Rugged all About?

slide-111
SLIDE 111
slide-112
SLIDE 112
slide-113
SLIDE 113
slide-114
SLIDE 114
slide-115
SLIDE 115
slide-116
SLIDE 116
slide-117
SLIDE 117
slide-118
SLIDE 118
slide-119
SLIDE 119

Diagram labels: Traditional Plan, Original goal

slide-120
SLIDE 120

Diagram labels: Traditional Plan, Original goal, Actual GOAL, Agile Plan

slide-121
SLIDE 121

empathy

slide-122
SLIDE 122

accountability

slide-123
SLIDE 123

culture

slide-124
SLIDE 124