Security Automation Workshop

Transcript

1. Security Automation in Software Delivery: A Rugged DevOps Pipeline Matt

   Konda @mkonda

2. Prereqs • Docker Toolbox • http://prereqs.codemash.org/ • pipeline • http://prereqs.codemash.org/

   • docker pull jemurai/pipeline:0.8 (or USB) • A project to analyze

3. Introduction 1997 2006 2014 Consultant Engineer Software Architect Director of

   Engineering Rabble Rouser: Perl Java Applet C++ J2EE J2EE
 Spring Analytics Certificate Authority Vulnerability Scanner Penetration Test Manager Pricing Retail Banking Manufacturing Pharma Healthcare Research Ruby Rails Chicago BSides 2011, 2012 Defcon Skytalk OWASP Chicago, MSP 2013 AppSec USA 2012, 2013 ChicagoRuby 2013 Secure 360 Lone Star Ruby 2013 WindyCityRails 2013 Chicago JUG 2014 RailsConf 2014 Converge 2014 Chicago Coder Conference 2015 MS in CS Founder Consultant Agile Clojure Graph Database Trying to hack a business model that succeeds while helping developers. Domains: Projects: DevOps / Automation Training Coaching Code Review Plugged in to SDLC Consulting Assessments @mkonda [email protected] DevOps Growing

4. What do I do? • Bug bounty • Breaking •

   Mostly SDLC • Training • Automation

5. Overview • Hands on with Pipeline for labs • Quick

   overview of security tools • DevOps / Continuous Delivery & Rugged • Leveraging security automation where possible

6. Lab 1: Running Pipeline from Docker 1. docker-machine create --driver

   virtualbox default 2. eval $(docker-machine env default) 3. docker pull jemurai/pipeline:0.8 (or: docker load < pipeline-0.8.tar.gz) 4. docker run —rm jemurai/pipeline:0.8 -h 6. docker run —rm jemurai/pipeline:0.8 \ https://github.com/Jemurai/triage.git

7. Checkpoint: 30?

8. Security Tools

9. Static Analysis

10. Static Analysis Live App Scanning

11. Static Analysis Live App Scanning Dynamic Analysis

12. Static Analysis Live App Scanning Dynamic Analysis Dependency Checks

13. Static Analysis Live App Scanning Dynamic Analysis Dependency Checks Web

    Application Firewall

14. Static Analysis Live App Scanning Dynamic Analysis Dependency Checks Web

    Application Firewall Runtime Security Monitoring

15. Static Analysis Live App Scanning Dynamic Analysis Dependency Checks Web

    Application Firewall Runtime Security Monitoring IP Reputation

16. Static Analysis Live App Scanning Dynamic Analysis Dependency Checks Web

    Application Firewall Runtime Security Monitoring IP Reputation Anti-Automation

17. Static Analysis Live App Scanning Dynamic Analysis Dependency Checks Web

    Application Firewall Runtime Security Monitoring IP Reputation Anti-Automation Penetration Testing

18. Static Analysis Live App Scanning Dynamic Analysis Dependency Checks Web

    Application Firewall Runtime Security Monitoring IP Reputation Anti-Automation Penetration Testing
19. None

20. B+ C B+ F D D F B A- C

    The items on the left are the OWASP Top 10. The grades are mine and are arbitrary. https://www.owasp.org/index.php/Top_10_2013-Top_10
21. None
22. None

23. There is no substitute for people with knowledge.

24. But we can help ourselves by leveraging tools.

25. We just have to be smart and flexible about it.

26. Lab 2: Running Pipeline on Your Project docker run jemurai/pipeline:0.8

    \ -d \ -f csv \ -v ~/code/location:/tmp/directory/ \ /tmp/directory/ * Due to docker ease of setup, please use a directory within your home directory. It is possible to do this in other ways, but it requires further setup of shared folders in virtual box which we want to avoid for the purposes of this workshop.

27. What are your results?

28. Checkpoint: 60?

29. DevOps / Continuous Delivery

30. None

31. Rugged

32. I recognize that software has become a foundation of our

    modern world. I recognize the awesome responsibility that comes with this foundational role. I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended. I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic and national security. I recognize these things – and I choose to be rugged.

33. I recognize that software has become a foundation of our

    modern world. I recognize the awesome responsibility that comes with this foundational role. I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended. I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic and national security. I recognize these things – and I choose to be rugged.

34. Understand lifecycle

35. Requirements Design Code Test Maintenance Classic Waterfall Delivery

36. Requirements Design Code Test Maintenance Classic Waterfall Delivery Security

37. continuous delivery

38. Classic security sees this and wants to …

39. continuous delivery

40. But we can embrace it.

41. Being able to deploy quickly is my #1 security feature.

    - Nick Galbreath

42. Think incremental

43. Story Continuous Delivery: The Unit of work is a story

    Requirements Design Code Test

44. Story Continuous Delivery: The Unit of Work is a Story

    Requirements Design Code Test Security Requirements Security Unit Tests Exploratory Testing Static Analysis on Commit Code Review Threat model / attack surface Checklists Understand Dependencies

45. continuous delivery Code Review Security Unit Tests Security Requirements

46. Automate security tools

47. continuous delivery Security Tool Automation: Code analysis Security unit tests

    Dynamic scanning etc.

48. continuous delivery Security Tests Run Exploratory Testing Includes Security

49. Lab 3: Getting into the Pipeline Docker Image 1. docker

    run -i -t —entrypoint=/bin/ bash jemurai/pipeline:0.8 2. cd lib 3. ../bin/pipeline -h Now you’re running from source. We can change anything …

50. Checkpoint: 80?

51. Case Study

52. Credit: Matt Tesauro at AppSecEU 2015 http://www.slideshare.net/mtesauro/mtesauro-keynote-appseceu

53. Pipeline Design

54. Overview • Pipeline is broken into different chunks to try

    to make it easy and straightforward to extend in expected ways. • These illustrate the challenges of security automation. Mounter Files Code Live Filter Reporter “Tasks”
55. None
56. None

57. Mounter git repo, filesystem, iso, docker image

58. None
59. None

60. Mounter clamav hashdeep Files

61. None

62. Mounter brakeman, bundler-audit, owasp-dependency-check, secrets in source, retire.js, eslint/scan.js, nodesecurityproject.

    Files Code
63. None
64. None
65. None

66. Mounter Currently: ZAP Future: guantlt, etc. Files Code Live

67. None

68. Recap of “Tasks” • File: AV, FIM • Code: •

    Ruby/Rails: brakeman, bundler-audit • JavaScript: NodeSecurityProject, eslint, retire.js • Java: owasp-dependency-check • Checkmarx • Live: ZAP

69. Lab 4: Running JS Tools 1.docker run jemurai/pipeline:0.8 -t eslint

    https://github.com/OWASP/ NodeGoat.git Or interactively: 1.docker run -t -i —entrypoint=/bin/bash jemurai/pipeline:0.8 2.cd line/pipeline/lib 3.../bin/pipeline -t eslint https:// github.com/OWASP/NodeGoat.git Try: -t eslint,nodesecurityproject,retirejs

70. Here’s a secret…

71. I can’t tell you what’s going to work for you.

72. Mounter Prevents false positives in JIRA. Files Code Live Filter

73. None

74. Mounter Reports to JIRA, csv, json, text. Files Code Live

    Filter Reporter
75. None
76. None

77. How would you do tsv?

78. How would you do github?

79. None

80. Extension Points • Mounters: mount, supports? • Tasks: run, analyze,

    supported? • Filters: filter • Reporter: run_report Mounter Files Code Live Filter Reporter “Tasks”

81. Other Internals • Within “Tasks”, each of the files, code

    and app phases of the pipeline can be run selectively as stages. Mounter Files Code Live Filter Reporter “Tasks”

82. ruby bin/pipeline -l code (Code analysis) -d (Turn on debug)

    -f text (Output format) /area53/app/

83. ruby bin/pipeline -t brakeman (Tool) -d (Turn on debug) -f

    csv (Output format) /area53/app/

84. Lab 5: Adding a New Tool to Pipeline 1. docker

    run -i -t —entrypoint=/bin/ bash jemurai/pipeline:0.8 2. cd pipeline/lib/pipeline/tasks/ 3. cp bundler-audit.rb test.rb 4. Edit to always create a finding (or use the following example for grep) 5. cd /../../lib 6. …/bin/pipeline -t test /tmp/
85. None

86. Checkpoint: 125?

87. Integrations

88. pre-commit

89. Lab 5: Running Pipeline on a Git Hook 1. Copy

    /hooks/pre-commit to your project in <project-root>/.git/hooks 2. chmod +x pre-commit 3. Edit pre-commit to reflect your path and tools 4. Regular process: 1. Change a <file> 2. git add <file> 3. git commit -m “Testing” <file>
90. None

91. chat ops

92. None
93. None

94. https://github.com/OWASP/Owbot

95. Jenkins

96. None
97. None
98. None
99. None
100. None
101. None
102. None
103. None
104. None
105. None

106. Issue Tracking

107. Jira

108. Github (future)

109. Process images

110. spider docker registry

111. grab ami

112. Process chef, puppet, ansible config …

113. Custom Application

114. None
115. None
116. None
117. None

118. Chat + UI + Queue + Pipeline + Jenkins +

     JIRA

119. Checkpoint: 160?

120. Thank you.

121. References • https://github.com/owasp/pipeline • https://www.owasp.org/index.php/OWASP_AppSec_Pipeline • https://speakerdeck.com/garethr/maintaining-control-by-letting-go-security-and-devops • http://www.slideshare.net/nickgsuperstar/devopssec-apply-devops-principles-to-security •

     https://www.rsaconference.com/writable/presentations/file_upload/asd-t07r-continuous- security-5-ways-devops-improves-security.pdf • http://gotocon.com/goto-london-2015/ • http://gauntlt.org/ • https://github.com/PearsonEducation/bag-of-holding • https://www.ruggedsoftware.org/

122. Thank you. Bill Sempf Justin Collins Aaron Bedra Jim Manico

     Matt Tesauro Josh Corman CodeMash!