
Application Security in the time of Containers


OWASP, Application Security and other security considerations in a world of containers, CI/CD and DevOps

Akash Mahajan

April 10, 2017


Transcript

  1. APPSEC TESTING HAS TO BECOME PART OF THE DEVOPS OR BE LEFT BEHIND
     The reality is, Microsoft Security Dev Lifecycle is about 17 years old!

  2. RELEVANT APPSEC RISKS FROM THE POINT OF VIEW OF CONTAINERS
     OWASP Top 10 Issue: What is that?
     A1 Injection: Stuff that harms the server
     A2 Broken AuthN: Stuff that lets attackers access parts of the application, which allows them to upload stuff that harms the server
     A4 Insecure Direct Object Reference
     A5 Security Misconfiguration: Stuff that makes the infra supporting the app insecure
     A9 Using Components with Known Vulnerabilities: Stuff that possibly enables any or all of the above, due to using 3rd party stuff

  3. IMMUTABLE INFRASTRUCTURE FTW!!!
     Akash Mahajan
     THERE IS NO REASON TO HARDEN EVERY TIME, WE JUST START FROM SCRATCH AND TAKE THE LATEST PATCHED VERSION EVERY SINGLE TIME

  4. A9 CAN BE SOLVED WITH PRIVATE REPOS & REGISTRIES MAYBE
     OWASP A9 - USING COMPONENTS WITH KNOWN VULNERABILITIES

  5. WHAT IS THIS THAT IS GOING TO BURST OUR BUBBLE?
     15,000,000 RECORDS FOUND BECAUSE MANAGEMENT HAD WEAK PASSWORD ON APPLICATION
     3000 PASSPORTS AND DRIVER’S LICENSES LEAKED BECAUSE THE CONTRACTOR DIDN’T RESET THE CEO’S WEAK PASSWORD
     ROOT ON RETAIL E-COMMERCE SERVER BECAUSE OUTSOURCED VENDOR ALWAYS USES COMPANY NAME AS CMS ADMIN PASSWORD

  6. Issues: OWASP Top 10
     Input based: A1, A3, A4, A8, A10
     Logic & Design based: A2, A5, A6, A7
     Access Control: A2, A5, A6, A7
     Any other: A9
     API Testing: Can span multiple
     TAKEAWAY
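As an added example (not from the deck), a small Python policy check that a CI pipeline could run on a Dockerfile to enforce slides 3 and 4: every base image must come from a private registry and be pinned by digest, so each rebuild from scratch records exactly which patched version it started from and never silently pulls a floating `latest`. The registry name `registry.internal.example`, the digest and the sample Dockerfile are constructed for illustration.

```python
import re
# Constructed policy for this example: the only registries a build may pull base images from.
ALLOWED_REGISTRIES = {"registry.internal.example"}
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$", re.I)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def registry_of(ref):
    """Registry host of an image reference; Docker Hub when the first component is not a host."""
    first, sep, _ = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def check_image_ref(ref):
    """Policy findings for one base-image reference (an empty list means compliant)."""
    if ref.lower() == "scratch":
        return []                    # empty base image: nothing to pull, nothing to patch
    findings = []
    if registry_of(ref) not in ALLOWED_REGISTRIES:
        findings.append(f"base image comes from non-private registry {registry_of(ref)!r}")
    if DIGEST_RE.search(ref):
        return findings              # digest-pinned: the rebuild records exactly what it used
    findings.append("base image is not pinned by digest")
    name = ref.rsplit("/", 1)[-1]
    if name.endswith(":latest") or ":" not in name:
        findings.append("base image uses the floating 'latest' tag")
    return findings

def lint_dockerfile(text):
    """Map Dockerfile line numbers to findings, skipping FROM lines that reuse an earlier stage."""
    stages, report = set(), {}
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m or m.group("ref") in stages:
            continue                 # not a FROM, or a multi-stage reference rather than a pull
        if m.group("stage"):
            stages.add(m.group("stage"))
        findings = check_image_ref(m.group("ref"))
        if findings:
            report[lineno] = findings
    return report

# Constructed Dockerfile: two unpinned public images, one compliant private image, one stage reuse.
SAMPLE_DOCKERFILE = f"""\
FROM ubuntu
FROM python:3.6 AS builder
FROM registry.internal.example/base/python@sha256:{'a' * 64}
FROM builder AS test
"""
```

Running `lint_dockerfile(SAMPLE_DOCKERFILE)` reports lines 1 and 2 only; the digest-pinned private image and the stage reuse pass.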