Be Agile, Not Vulnerable: Security engineering in an agile world

Transcript

1. Be Agile, Not Vulnerable: Security Engineering in an agile world

   Jacob Kaplan-Moss [email protected]

2. Every day, Heroku deploys 100 times

3. about:me

4. Co-BDFL about:me

5. Director of Security Co-BDFL about:me

6. Security is a process, not a product.

7. Heroku’s security team: @jacobian @tmaher

8. Security is everyone’s responsibility.

9. The OWASP Top 10 https://www.owasp.org/index.php/Top_10_2013 1. Injection 2. Broken authentication

   and session management 3. XSS 4. Insecure direct object references 5. Security misconfiguration 6. Sensitive data exposure 7. Missing function-level access control 8. CSRF 9. Components with known vulnerabilities 10. Unvalidated redirects

10. A thought experiment...

11. You’re working on an API library. There are three formats

    in common use in these types of API. Do you support all three of them? Does this decision have security ramifications?

12. You need to store some configuration data. A is a

    common dependency, very readable, and used by most Python developers. B is less common, harder to read and write, and isn’t used as often. Which do you choose? Does this decision have security ramifications?

13. You’re implementing a serialization format. At first it only supports

    primitive types, but users quickly request that you extend the language to allow serialization of arbitrary objects. Do you say yes? Does this decision have security ramifications?

14. Did you just create a vulnerability?

15. 2013 Ruby/Rails YAML Vulnerabilities http://www.sitepoint.com/anatomy-of-an-exploit-an-in-depth-look-at-the-rails-yaml-vulnerability/ http://www.kalzumeus.com/2013/01/31/what-the-rails-security-issue-means-for-your-startup/

16. “LOL Rails suxxors amirite!?”

17. STFU.

18. Real-world security issues are multifaceted.

19. “Secure by default” matters.

20. You can’t prove that software is secure. You can only

    fail to prove that it’s insecure.

21. “There are known knowns; there are things we know that

    we know. There are known unknowns; that is to say, there are things that we now know we don't know. But there are also unknown unknowns – there are things we do not know we don't know.” — Donald Rumsfeld

22. If an issue of this magnitude was discovered in your

    stack, would you be prepared to respond?
23. None

24. How severe are these issues?

25. “not too bad” “no big deal” “kinda serious”

26. “The sky is falling!” . . . . . “No

    big deal.”

27. A good security policy Lays out standard terminology used when

    talking about security issues. Explains the expectations and commitments around vulnerability handling. Creates a transparent, repeatable assessment mechanism.

28. Terminology Advisory Low Medium High Critical

29. Advisory Issues that the security team wishes to communicate but

    that carry no specific required action. May sometimes contain recommended actions, but no specific response is required to an advisory, and no timeline is defined.

30. Low Issues that need to be resolved, but have either

    a low risk of exploit or low consequences for an exploit. Should not interrupt day-to-day operations, but should be scheduled for the next appropriate slack time.

31. Medium Issues that carry a noticeable risk, but are still

    theoretical, not ongoing, or have a low impact. Expect Medium vulnerabilities to cause limited interrupts, but otherwise have minimal impact on normal operations.

32. High Carry a substantial risk to your customers, finances, reputation

    or otherwise. Expect High-level vulnerabilities to interrupt several developers, perhaps from multiple teams.

33. Critical Critical vulnerabilities threaten the integrity of your company, contain

    substantial financial risk, or are otherwise “sky is falling”-level issues. These are literally existential threats to your company. Critical vulnerabilities are “all hands on deck” moments.

34. Assessment

35. Start here: https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology

36. Risk = Likelihood × Impact

37. Likelihood: How likely is it that this issue will be

    discovered and exploited?

38. Impact: If exploited, what are the ramifications on the company?

39. 4. What resources are required for an attacker to exploit

    the vulnerability? (0) Full superuser-level access (sudo access) (2) Staff-level access (access to internal tools) (4) Special access required (needs a particular type of account) (7) Limited access required (anyone with an account) (9) No access or resources required

40. E.g.: PostgreSQL argument injection vulnerability http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1899 http://bit.ly/13ds9X0

41. Likelihood: threat agent

42. 1. How technically skilled is the attacker? (3) Network and

    programming skills - The attack requires a carefully required connection string, so we assume an attacker would need some network and programming skills.

43. 2. How motivated is this attacker? (9) High reward -

    in a worst-case, the attack could be used to remotely access arbitrary databases, which is quite valuable.

44. 3. What resources and/or opportunities are required for this attacker

    to find and exploit the vulnerability? (9) No access or resources required

45. 4. How large is group of potential threat agents? (9)

    Anonymous Internet users

46. Likelihood: ease of discovery and exploit

47. 5. How easy would it be for an attacker to

    discover this vulnerability? (3) Difficult - the vulnerability existed in PostgreSQL for many years and went undiscovered, and was eventually only discovered by a core contributor.

48. 6. How easy would it be to actually exploit the

    vulnerability, assuming knowledge that it exists? (5) Easy - once you know of the vulnerability, it's easy to craft a proof of concept.

49. 7. How well-known is this vulnerability among the community of

    potential attackers? (1) Unknown

50. 8. How likely is it that we'd detect an exploit

    (or attempt)? (6) Logged and and reviewed eventually

51. Total likelihood: (3+9+9+9+3+5+1+6)/8 5.625

52. Impact: confidentiality and integrity

53. 1. How much private data would be disclosed, and how

    sensitive would that data be? (9) Complete data disclosure

54. 2. How much data could be corrupted, and how damaged

    would that data be? (7) Extensive corruption to much customer data with difficult or incomplete recovery possible.

55. Impact: availability and accountability

56. 3. How much downtime would an exploit cause, and how

    vital would that downtime be? (9) Complete outage

57. 4. How easy would it be to trace an exploit

    back to the attacker? (7) Partially traceable

58. Impact: business factors

59. 5. How much financial damage would we suffer as a

    result of an exploit? (7) Significant and noticeable effect on annual profit

60. 6. Would an exploit result in reputation damage that would

    harm our business or our brand? (7) - worse than "loss of public goodwill", not quite "long-term or permanent brand damage"

61. 7. How much legal/regulatory exposure would an exploit introduce? (5)

    Clear violation of regulation/law

62. 8. How much personally identifiable information (e.g. customer emails/ passwords/credit

    cards) would be exposed? (9) All of it.

63. Total impact score: (9+7+9+7+7+7+5+9)/8 7.5

64. Likelyhood Likelyhood Likelyhood 0 to <3 3 to <6 6+

    Impact 0 to < 3 Advisory Low Medium Impact 3 to <6 Low Medium High Impact 6+ Medium High Critical

65. Likelyhood: 5.625 Likelyhood: 5.625 Likelyhood: 5.625 0 to <3 3

    to <6 6+ Impact: 7.5 0 to < 3 Advisory Low Medium Impact: 7.5 3 to <6 Low Medium High Impact: 7.5 6+ Medium High Critical

66. 5. How easy would it be for an attacker to

    discover this vulnerability? (3) Difficult - the vulnerability existed in PostgreSQL for many years and went undiscovered, and was eventually only discovered by a core contributor.

67. Be safe out there! Jacob Kaplan-Moss [email protected]