Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DevSecOops - Stories of DevSecOps Failures and ...

Abhay Bhargav
November 15, 2020

DevSecOops - Stories of DevSecOps Failures and Success

Abhay Bhargav

November 15, 2020
Tweet

More Decks by Abhay Bhargav

Other Decks in Technology

Transcript

  1. Copyright © we45 2020 abhaybhargav Yours Truly • Founder @

    we45 • Chief Architect - Orchestron • AppSec Automation Junkie • Trainer/Speaker at DEF CON, BlackHat, OWASP Events, etc world-wide • Lead Trainer - we45 Training and Workshops • Co-author of Secure Java For Web Application Development • Author of PCI Compliance: A Definitive Guide
  2. abhaybhargav we45 Today… • Stories. Inspired by Real-Life Events •

    Problems of varied size, scale and complexity • Compressed into a single scenario for ease of understanding
  3. Copyright © we45 2020 Prelude • B2B - Cloud Storage

    Product Company • Diverse Suite of Products - Core Suite, Client Apps, etc • We work with them as an extended AppSec Team • Diverse Stack: Java, NodeJS, Native Mobile Apps, AWS, Containers, nascent Kubernetes Deployment • Combination of monoliths and newer microservices style apps
  4. Copyright © we45 2020 The Good • AppSec Training for

    Developers - Mandatory - During the year • Automated Security Checks in the CI Pipeline - Triaged and reported • Automated Vulnerability Management Tools • Exploring Bug-Bounty program in addition to internal pen testing
  5. Copyright © we45 2020 The Good • AppSec Training for

    Developers - Mandatory - During the year • Automated Security Checks in the CI Pipeline - Triaged and reported • Automated Vulnerability Management Tools • Exploring Bug-Bounty program in addition to internal pen testing
  6. Copyright © we45 2020 Breaking down the Problem 1. Similar

    classes of AppSec issues cropping up across different products and services 2. Automated Checks in place - But Triaging and fixing would result in delays 3. Architectural Issues not identified soon enough - Resulting in (1)
  7. Copyright © we45 2020 abhaybhargav DevSecOps Plan Code Build Test

    Release Deploy Operate Monitor Threat modeling SAST Security - Composition DAST IAST GitOps, Security in IaC SOAR/UEBA
  8. Copyright © we45 2020 Developers are our Customers • Devs

    have high pressure deadlines like the rest of us • Security being hard is likely to be Security NOT done • Happy Path: Security through HIGHER Dev Productivity
  9. Copyright © we45 2020 Which means… • Classifying and Baselining

    Types of Security Bugs • Security Engineering - Secure Defaults • Better Security Training for Developers
  10. Copyright © we45 2020 Approach to Mitigation • Most Effective

    & Scalable => Scalably Reducing Risk (Classes of Risk) • Effective NOT Scalable => Finding Individual Bugs • Baseline (Eliminate) the easy bugs
  11. Copyright © we45 2020 Threat Scenarios/Vulns by Complexity Easy Medium

    Complex Missing TLS (SSL) SQL Injection Multi-Step/Event-Driven Flaws Security Headers Session-Fixation and Session Based Flaws Business Logic Flaws Missing Security Defaults (Passwords, Configs) XSS Flaws Authorization Flaws (Param Pollution) Calling obviously dangerous functions (eval, etc) Most other OWASP Top 10 Bugs
  12. Copyright © we45 2020 Threat Scenarios/Vulns by Complexity Easy Medium

    Complex Missing TLS (SSL) SQL Injection Multi-Step/Event-Driven Flaws Security Headers Session-Fixation and Session Based Flaws Business Logic Flaws Missing Security Defaults (Passwords, Configs) XSS Flaws Authorization Flaws (Param Pollution) Calling obviously dangerous functions (eval, etc) Most other OWASP Top 10 Bugs Certain Crypto Flaws
  13. Copyright © we45 2020 Tradeoffs? Safe:Easy • There’s easy ways

    to achieve X for any developer • And there’s safe ways for a developer to achieve X • The objective is to make the safe way, as easy as possible
  14. Copyright © we45 2020 Sec Engineering: Secure Defaults • Falls

    into the Bucket of Security Engineering • Idea is to default to secure behavior rather than teaching folks, complex ways to create secure behavior • Has seen lots of success in: • Secrets and Crypto • Authentication/AuthZ • Injection and XSS
  15. Copyright © we45 2020 –Google’s Tink Library Docs. Tink is

    a misuse resistant crypto library “Using crypto in your application shouldn't have to feel like juggling chainsaws in the dark.”
  16. Copyright © we45 2020 Crypto - Secure Default • Misuse

    Resistant • Strong Algos only • Strong padding techniques • Easy to use • No exposure to padding/nonces/IV • Secure by default Functions only • Explicit Insecure Modes only
  17. Copyright © we45 2020 Other examples of Secure Defaults •

    Secure wrapper Libraries to existing Libraries with insecure defaults • Secure-By-Default Libraries and Frameworks •
  18. Copyright © we45 2020 Secure Defaults: Tooling • SAST rules

    to identify use of insecure libraries • Personally love Semgrep, CodeQL for this • Lower false-positives when scanning for specific items
  19. Copyright © we45 2020 Examples of Feedback Loops • Closer

    to Developer: IDE • Git hooks • Pull Requests
  20. Copyright © we45 2020 Agile AppSec/DevSecOps/Continuous AppSec Plan Code Build

    Test Release Deploy Operate Monitor Threat modeling SAST Security - Composition DAST IAST Deployment Security Security monitoring & attack detection
  21. Copyright © we45 2020 Agile Threat Modeling Plan Code Build

    Test Release Deploy Operate Monitor Threat modeling SAST Security - Composition DAST IAST Deployment Security Security monitoring & attack detection
  22. Copyright © we45 2020 Agile Threat Modeling Plan Code Build

    Test Release Deploy Operate Monitor Threat modeling SAST Security - Composition DAST IAST Deployment Security Security monitoring & attack detection Model Stories
  23. Copyright © we45 2020 Agile Threat Modeling Plan Code Build

    Test Release Deploy Operate Monitor Threat modeling SAST Security - Composition DAST IAST Deployment Security Security monitoring & attack detection Model Stories Security Acceptance Criteria
  24. Copyright © we45 2020 Agile Threat Modeling Plan Code Build

    Test Release Deploy Operate Monitor Threat modeling SAST Security - Composition DAST IAST Deployment Security Security monitoring & attack detection Model Stories Security Acceptance Criteria Mitigations & Baselines
  25. Copyright © we45 2020 Agile Threat Modeling Plan Code Build

    Test Release Deploy Operate Monitor Threat modeling SAST Security - Composition DAST IAST Deployment Security Security monitoring & attack detection Model Stories Security Acceptance Criteria Mitigations & Baselines Security Test Cases
  26. Copyright © we45 2020 Agile Threat Modeling Plan Code Build

    Test Release Deploy Operate Monitor Threat modeling SAST Security - Composition DAST IAST Deployment Security Security monitoring & attack detection Model Stories Security Acceptance Criteria Mitigations & Baselines Security Test Cases Attack Models
  27. Copyright © we45 2020 Agile Threat Modeling Plan Code Build

    Test Release Deploy Operate Monitor Threat modeling SAST Security - Composition DAST IAST Deployment Security Security monitoring & attack detection Model Stories Security Acceptance Criteria Mitigations & Baselines Security Test Cases Attack Models Test Automation
  28. Copyright © we45 2020 Agile Threat Modeling Plan Code Build

    Test Release Deploy Operate Monitor Threat modeling SAST Security - Composition DAST IAST Deployment Security Security monitoring & attack detection Model Stories Security Acceptance Criteria Mitigations & Baselines Security Test Cases Attack Models Test Automation Detection Models
  29. Copyright © we45 2020 Some Background • Story-Driven Threat Modeling

    is threat modeling against user stories/ functionality definitions in the sprint. • The idea is to break threat modeling down by feature to produce useful, effective, yet efficient threat models • Not perfect, and still doesn’t negate the need for a system-wide threat model. But most effective in Agile Development
  30. Copyright © we45 2020 Pre-requisites • Cross-Functional Team running the

    Threat Model • Leave your egos at the door • Run in Sprint Planning Meeting • Consider multi-stage approach
  31. Copyright © we45 2020 Success Factors • Focus on “Good-enough”

    Threat Models • Keep the feature in scope - don’t dwell too outside of it • Cross-Functional Team • Just enough Information
  32. Copyright © we45 2020 Put another way…. User Story/Feature Description

    Abuser Story What abuses against Functionality
  33. Copyright © we45 2020 Put another way…. User Story/Feature Description

    Abuser Story What abuses against Functionality
  34. Copyright © we45 2020 Put another way…. User Story/Feature Description

    Abuser Story Threat Scenario What abuses against Functionality
  35. Copyright © we45 2020 Put another way…. User Story/Feature Description

    Abuser Story Threat Scenario What abuses against Functionality How Abuse comes to life
  36. Copyright © we45 2020 Put another way…. User Story/Feature Description

    Abuser Story Threat Scenario What abuses against Functionality How Abuse comes to life
  37. Copyright © we45 2020 Put another way…. User Story/Feature Description

    Abuser Story Threat Scenario What abuses against Functionality How Abuse comes to life Mitigations
  38. Copyright © we45 2020 Put another way…. User Story/Feature Description

    Abuser Story Threat Scenario What abuses against Functionality How Abuse comes to life Mitigations
  39. Copyright © we45 2020 Put another way…. User Story/Feature Description

    Abuser Story Threat Scenario What abuses against Functionality How Abuse comes to life Mitigations Security Test Case