Automate All of the Things

A talk about security automation.

Matt Konda

June 28, 2017
Transcript

  1. Introduction (bio slide): 90’s / 2006 / 2014; Consultant, Engineer, Software Architect, Director of Engineering, Rabble Rouser; Perl, Java, Java Applet, C++, J2EE, Spring; Analytics, Certificate Authority, Vulnerability Scanner, Penetration Test Manager, Pricing; Retail Banking, Manufacturing, Pharma, Healthcare, Research; Ruby, Rails; Chicago BSides 2011, 2012; Defcon Skytalk; OWASP Chicago, MSP 2013; AppSec USA 2012, 2013; ChicagoRuby 2013; Secure 360; MS in CS; Founder, Consultant; Agile, Cloud, Clojure, Graph Database; Independent. Focus: developers. Consulting. Domains / Projects: DevOps / Automation, Training, Coaching, Code Review, Plugged in to SDLC, Consulting, Assessments. @mkonda, [email protected]. CEO. Services. Product. Teaching. Growing Teams. Forward. OWASP Board. Lone Star Ruby 2013, WindyCityRails 2013, Chicago JUG 2014, RailsConf 2014, Converge 2014, Chicago Coder Conference 2015, 2016, Goto Chicago 2016, OWASP Chicago.
  2. Automate All The Things: so open ended as to be meaningless, and yet obviously a Good Thing™.
  3. We automate because:
     • We don’t have enough resources
     • Time == Money
     • Even if we have $ we can’t find people with skills
     • Survives attrition
     • We’re not very good at repetitive detailed work
     • It’s actually possible now
  4. Automation Myths:
     • It’s easy and doesn’t take a lot of time
     • It solves the resource problem
     • Once it’s done it just runs
  5. Extension Points:
     • Mounters: mount, supports?
     • Tasks: run, analyze, supported?
     • Filters: filter
     • Reporter: run_report
     (Pipeline diagram: Mounter → Files / Code / App “Tasks” → Filter → Reporter)
  6. Other Internals:
     • Within “Tasks”, each of the files, code and app phases of the pipeline can be run selectively.
     (Pipeline diagram: Mounter → Files / Code / App “Tasks” → Filter → Reporter)
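The extension points on slides 5 and 6, illustrated by an added example (my code, not Glue’s own): a toy Ruby pipeline with a mounter, a secrets-detection task (the Stage 1 check), a dismiss filter (the "dismiss and move on" step of slide 8) and a text reporter. The class names, the secret regex and the sample files are assumptions constructed for this example.

```ruby
# Added example, not Glue's own code: a miniature pipeline modelled on the extension
# points named on the slides (Mounter: mount/supports?, Task: run/analyze/supported?,
# Filter: filter, Reporter: run_report). Names and patterns here are assumptions.
Finding = Struct.new(:task, :file, :line, :description, :severity)

# Mounter: a Hash of path => contents stands in for a checked-out source tree.
class HashMounter
  def supports?(target); target.is_a?(Hash); end
  def mount(target); target; end
end

# Task: a toy "detect secrets in source" check (Stage 1 in the deck).
class SecretsTask
  PATTERN = /\b(password|api_key|secret)\s*=\s*["'][^"']+["']/i # constructed pattern
  def supported?(files); !files.empty?; end
  def run(files)
    @findings = []
    files.each do |path, body|
      body.each_line.with_index(1) do |text, n|
        next unless text.match?(PATTERN)
        @findings << Finding.new("secrets", path, n, "hardcoded credential", "high")
      end
    end
  end
  def analyze; @findings; end
end
# Filter: drop findings a developer has already dismissed ([file, line] pairs),
# the "dismiss and move on" step from slide 8.
class DismissFilter
  def initialize(dismissed); @dismissed = dismissed; end
  def filter(findings); findings.reject { |f| @dismissed.include?([f.file, f.line]) }; end
end
# Reporter: output in the style of "-f text".
class TextReporter
  def run_report(findings)
    findings.map { |f| "#{f.severity}: #{f.file}:#{f.line} #{f.description}" }.join("\n")
  end
end
# Drive the pipeline: mount -> task -> filter, returning the surviving findings.
def run_pipeline(target, dismissed: [])
  mounter, task = HashMounter.new, SecretsTask.new
  raise ArgumentError, "unsupported target" unless mounter.supports?(target)
  files = mounter.mount(target)
  task.run(files) if task.supported?(files)
  DismissFilter.new(dismissed).filter(task.analyze || [])
end
# Constructed sample "checkout" containing one hardcoded credential.
SAMPLE = { "config/db.rb" => "host = 'db'\npassword = 'hunter2'\n", "app.rb" => "puts 1\n" }.freeze
puts TextReporter.new.run_report(run_pipeline(SAMPLE)) if __FILE__ == $PROGRAM_NAME
```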
  7. ruby bin/glue -l code -d -f text /area53/app/
     -l code  (Code analysis)
     -d       (Turn on debug)
     -f text  (Output format)
  8. Still noisy … but you can dismiss and move on, and hopefully rarely see them.
  9. Lab 1: Running Glue from Docker
     1. docker-machine create --driver virtualbox default
     2. eval $(docker-machine env default)
     3. docker pull owasp/glue:0.9
     4. docker run --rm owasp/glue:0.9 -h
     5. docker run --rm owasp/glue:0.9 -t brakeman https://github.com/Jemurai/triage.git
  10. Lab 2: Running Glue on Your Project
      docker run --rm -v /Users/mk/code/loca:/tmp/target/ owasp/glue:0.9 \
        -d \
        -t owaspdependencycheck \
        -f csv \
        /tmp/target/
      * For ease of Docker setup, please use a directory within your home directory. It is possible to do this in other ways, but it requires further setup of shared folders in VirtualBox, which we want to avoid for the purposes of this workshop.
  11. Lab 2: Running Glue on Your Project (continued)
      1. docker run --name glue owasp/glue:0.9
      2. docker exec -it glue bash
      (docker ps: FIND YOUR IMAGE NAME)
  12. Lab 3: Getting into the Glue Docker Image
      1. docker run --rm -i -t --entrypoint=/bin/bash owasp/glue:0.9
      2. cd lib
      3. ../bin/glue -h
      Now you’re running from source. We can change anything …
  13. Key Takeaways:
      • Make it portable
      • Put results in JIRA (or Pivotal or wherever developers are working)
      • Minimize / reduce noise
      • Start small and grow into it
  14. Stage 0:
      • Hope your dev teams are using some kind of continuous integration, e.g. Jenkins.
      • Hope your dev teams have a process you can build into.
      • Hope your team has some coding skills.
  15. Stage 1:
      • Detect vulnerable dependencies
        • Glue: Dependency Check
        • Glue: Retire.js
        • Glue: Bundle Audit
      • Detect secrets in source
        • Glue: SFL
        • Glue: Trufflehog
  16. Stage 2:
      • Full static analysis
      • Brakeman / Dawn
      • PMD / Checkstyle / FindSecBugs (Weak sauce)
      • Implemented Checkmarx via API
      • ESLint / Snyk / Node Security Project
      • Bandit
  17. Stage 4:
      • Extending Glue
      • Docker image analysis
      • Mesos
      • SSL/TLS
      • Building a custom UI
      • Self service
      • Better GitHub integration
  18. Testing:
      • Security unit/functional tests
      • Great way to test authorization flows
      • Business logic abuse cases
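An added example (not from the deck) of the security unit tests slide 18 recommends: a table-driven check of an authorization policy against abuse cases such as reading another user’s record or escalating to delete. The policy, roles and records are constructed assumptions for illustration.

```ruby
# Added example, not from the deck: a table-driven security unit test for an
# authorization flow, exercising abuse cases rather than only the happy path.
# The policy, roles and records are constructed for illustration.
User   = Struct.new(:id, :role)
Record = Struct.new(:id, :owner_id)

# Policy under test: owners and admins may read a record; only admins may delete;
# anything else is denied by default.
def authorized?(user, action, record)
  case action
  when :read   then user.role == :admin || record.owner_id == user.id
  when :delete then user.role == :admin
  else false
  end
end

# Each case: [user, action, record, expected decision]. The false rows are the
# abuse cases: another user's record, privilege escalation, an unknown action.
ABUSE_CASES = [
  [User.new(1, :user),  :read,   Record.new(10, 1), true],
  [User.new(2, :user),  :read,   Record.new(10, 1), false],
  [User.new(2, :user),  :delete, Record.new(20, 2), false],
  [User.new(3, :admin), :delete, Record.new(10, 1), true],
  [User.new(1, :user),  :export, Record.new(10, 1), false],
].freeze

# Run the policy over the table and return the rows whose decision was wrong.
# A different policy can be injected to check that the table catches regressions.
def failing_cases(cases = ABUSE_CASES, policy: method(:authorized?))
  cases.reject { |user, action, record, expected| policy.call(user, action, record) == expected }
end

puts(failing_cases.empty? ? "policy ok" : "FAILED: #{failing_cases.inspect}") if __FILE__ == $PROGRAM_NAME
```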
  19. Vault:
      • Passwords out of source code
      • Expiring credentials
        • Postgres
        • AWS
      • Transit (encryption as a service)
      • CA
      • CA for OpenSSH
      • TOTP
  20. Certbot:
      • Certificate expiring monkey
      • No, that’s not a real thing … yet
      • But we can use Let’s Encrypt or Vault and some scripting to ensure our internal net is all mutually authenticated TLS.
  21. Audit:
      • Map real events to audit areas.
      • Build reporting.
      • Easily produce evidence, by control id.
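An added example (not from the deck) of the mapping slide 21 describes: constructed JSON events are matched to audit areas keyed by control id, and a per-control evidence summary is produced, with unmatched events kept visible. The control ids, event names and sample log lines are illustrative and constructed here.

```ruby
# Added example, not from the deck: map constructed events to audit areas and
# control ids, then report evidence per control. Ids and event names are illustrative.
require "json"

# Constructed sample events, one JSON object per line (not real log data).
EVENTS = <<~LOG
  {"event":"user.login.failed","user":"alice","ts":"2017-06-28T10:00:00Z"}
  {"event":"user.created","user":"bob","ts":"2017-06-28T10:05:00Z"}
  {"event":"deploy.finished","app":"billing","ts":"2017-06-28T11:00:00Z"}
  {"event":"user.role.changed","user":"bob","ts":"2017-06-28T11:30:00Z"}
  {"event":"cache.cleared","ts":"2017-06-28T11:45:00Z"}
LOG

# Audit areas: control id => [area name, pattern over the event name].
CONTROLS = {
  "AC-2" => ["Account management", /\Auser\.(created|deleted|role\.changed)\z/],
  "AU-6" => ["Audit review",       /\Auser\.login\.failed\z/],
  "CM-3" => ["Change control",     /\Adeploy\./],
}.freeze

def parse_events(text)
  text.each_line.map { |line| JSON.parse(line) }
end

# Group events by the first control whose pattern matches; unmatched events are
# kept under "UNMAPPED" so gaps in audit coverage are visible, not silently dropped.
def map_to_controls(events)
  events.group_by do |e|
    hit = CONTROLS.find { |_id, (_area, re)| e["event"].match?(re) }
    hit ? hit[0] : "UNMAPPED"
  end
end

# One line per control id: area, evidence count and the most recent event time.
def evidence_report(events)
  map_to_controls(events).map do |id, evs|
    area = CONTROLS.key?(id) ? CONTROLS[id][0] : "no control mapped"
    "#{id} (#{area}): #{evs.size} event(s), latest #{evs.map { |e| e["ts"] }.max}"
  end.sort
end

puts evidence_report(parse_events(EVENTS)) if __FILE__ == $PROGRAM_NAME
```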
  22. Cloud API:
      • Lambdas / Functions to review logs
      • Auto provision WAF in front of any 80, 443
      • Scout