Automate All of the Things

Transcript

1. Automate All The Things Matt Konda @mkonda

2. None

3. Start with a big Thanks.

4. Introduction 90’s 2006 2014 Consultant Engineer Software Architect Director of

   Engineering Rabble Rouser: Perl, Java Java Applet C++ J2EE Spring Analytics Certificate Authority Vulnerability Scanner Penetration Test Manager Pricing Retail Banking Manufacturing Pharma Healthcare Research Ruby Rails Chicago BSides 2011, 2012 Defcon Skytalk OWASP Chicago, MSP 2013 AppSec USA 2012, 2013 ChicagoRuby 2013 Secure 360 MS in CS Founder Consultant Agile Cloud Clojure Graph Database Independent. Focus developers. Consulting. Domains: Projects: DevOps / Automation Training Coaching Code Review Plugged in to SDLC Consulting Assessments @mkonda [email protected] CEO Services. Product. Teaching Growing Teams Forward OWASP Board Lone Star Ruby 2013 WindyCityRails 2013 Chicago JUG 2014 RailsConf 2014 Converge 2014 Chicago Coder Conference 2015, 2016 Goto Chicago 2016 OWASP Chicago
5. None

6. Natural reaction to asymmetry and resource constraints. Common Client Goal

7. So open ended as to be meaningless and yet obviously

   a Good Thing™ Automate All The Things

8. Wait … Why automate? What are all the things?

9. We automate because • We don’t have enough resources •

   Time == Money • Even if we have $ we can’t find people with skills • Survives attrition • We’re not very good at repetitive detailed work • Its actually possible now
10. None

11. If we don’t, we’re behind.

12. No panacea

13. Automation Myths • Its easy and doesn’t take a lot

    of time • It solves the resource problem • Once its done it just runs

14. Constant Change • Developer libraries • Security tools • Cloud

    capabilities • Your architecture

15. Last mile

16. Fixes

17. Wait … Why automate? What are all the things?

18. This is an exciting part.

19. Because the list of things is growing so fast.

20. Glue

21. None

22. Intended to make it easy to do security automation.

23. None

24. Mounter Currently: git repo, filesystem, iso, docker image

25. Mounter Currently: clamav, hashdeep Files

26. Mounter Currently: brakeman, bundler-audit, owasp-dependency-check, secrets in source, retire.js, scan.js

    Future: many more possible. Designed for extension. Files Code

27. Mounter Currently: ZAP (in progress) Future: guantlt, etc. Files Code

    App

28. Mounter Currently: Prevents false positives in JIRA. Files Code App

    Filter

29. Mounter Currently: Reports to JIRA, csv, json, text. Files Code

    App Filter Reporter
30. None

31. Extension Points • Mounters: mount, supports? • Tasks: run, analyze,

    supported? • Filters: filter • Reporter: run_report Mounter Files Code App Filter Reporter “Tasks”

32. Other Internals • Within “Tasks”, each of the files, code

    and app phases of the pipeline can be run selectively. Mounter Files Code App Filter Reporter “Tasks”

33. ruby bin/glue -l code (Code analysis) -d (Turn on debug)

    -f text (Output format) /area53/app/

34. Some valid…

35. Still noisy … but you can dismiss and move on

    and hopefully rarely see them.

36. What if it just automatically ran against every company github

    project?
37. None
38. None

39. Lab 1: Running Glue from Docker 1. docker-machine create --driver

    virtualbox default 2. eval $(docker-machine env default) 3. docker pull owasp/glue:0.9 4. docker run —rm owasp/glue:0.9 -h 5. docker run —rm owasp/glue:0.9 -t brakeman https://github.com/Jemurai/ triage.git

40. Lab 2: Running Glue on Your Project docker run —rm

    -v /Users/mk/code/loca:/tmp/target/ owasp/glue:0.9 \ -d \ -t owaspdependencycheck \ -f csv \ /tmp/target/ * Due to docker ease of setup, please use a directory within your home directory. It is possible to do this in other ways, but it requires further setup of shared folders in virtual box which we want to avoid for the purposes of this workshop.

41. Lab 2: Running Glue on Your Project 1. docker run

    —name glue owasp/glue:0.9 2.docker exec -it glue bash docker ps FIND YOUR IMAGE NAME * Due to docker ease of setup, please use a directory within your home directory. It is possible to do this in other ways, but it requires further setup of shared folders in virtual box which we want to avoid for the purposes of this workshop.

42. Lab 3: Getting into the Glue Docker Image 1. docker

    run -rm —i -t —entrypoint=/ bin/bash owasp/glue:0.9 2. cd lib 3. ../bin/glue -h Now you’re running from source. We can change anything …

43. Key Takeaways • Make it portable • Put results in

    JIRA (or Pivotal or wherever developers are working) • Minimize / reduce noise • Start small and grow into it

44. Stage 0 • Hope your dev teams are using some

    kind of continuous integration eg. Jenkins • Hope your dev teams have a process you can build into. • Hope your team has some coding skills.

45. Goal: Usability

46. Goal: Continuous

47. Goal: Pipelines

48. Stage 1 • Detect vulnerable dependencies • Glue: Dependency Check

    • Glue: Retire.js • Glue: Bundle Audit • Detect secrets in source • Glue: SFL • Glue: Trufflehog

49. Stage 2 • Full static analysis • Brakeman / Dawn

    • PMD / Checkstyle / FindSecBugs (Weak sauce) • Implemented Checkmarx via API • ESLint / Synk / Node Security Project • Bandit

50. Stop for visibility.

51. Metrics and Inventory

52. Automating the inventory and metrics …

53. Stage 3 • Full dynamic analysis • ZAP • Burp

    • AWS Scout

54. Goal: Extensibility

55. Stage 4 • Extending Glue • Docker image analysis •

    Mesos • SSL/TLS • Building a custom UI • Self service • Better GitHub integration

56. Other opportunities

57. Testing • Security Unit/Functional • Great way to test for

    authorization flows • Business logic abuse cases

58. Vault • Passwords out of source code • Expiring credentials

    • Postgres • AWS • Transit (encryption as a service) • CA • CA for OpenSSH • TOTP

59. Certbot • Certificate expiring monkey • No that’s not a

    real thing … yet • But we can use Let’sEncrypt or Vault and some scripting to ensure our internal net is all mutually authenticated TLS.

60. Data Cleansing • Copying data to test …

61. Audit • Map real events to audit areas. • Build

    reporting. • Easily produce evidence. • By control id.
62. None

63. Cloud API • Lamba’s / Functions to review logs •

    Auto provision WAF in front of any 80, 443 • Scout

64. Use API to Analyze https://github.com/nccgroup/Scout2

65. Automation can do a lot more for us than it

    used to be able to do.

66. Secrets Dependencies Config Issues Static Analysis Assured TLS Dynamic Audit

    Security Testing

67. The Jemurai Point of View

68. It is not a panacea.

69. Remember the last mile

70. EVIL False Positives Are

71. But then … Automate all the things!