Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security Automation Workshop

Matt Konda
January 05, 2016

Security Automation Workshop

At Codemash

Matt Konda

January 05, 2016
Tweet

More Decks by Matt Konda

Other Decks in Technology

Transcript

  1. Prereqs • Docker Toolbox • http://prereqs.codemash.org/ • pipeline • http://prereqs.codemash.org/

    • docker pull jemurai/pipeline:0.8 (or USB) • A project to analyze
  2. Introduction 1997 2006 2014 Consultant Engineer Software Architect Director of

    Engineering Rabble Rouser: Perl Java Applet C++ J2EE J2EE
 Spring Analytics Certificate Authority Vulnerability Scanner Penetration Test Manager Pricing Retail Banking Manufacturing Pharma Healthcare Research Ruby Rails Chicago BSides 2011, 2012 Defcon Skytalk OWASP Chicago, MSP 2013 AppSec USA 2012, 2013 ChicagoRuby 2013 Secure 360 Lone Star Ruby 2013 WindyCityRails 2013 Chicago JUG 2014 RailsConf 2014 Converge 2014 Chicago Coder Conference 2015 MS in CS Founder Consultant Agile Clojure Graph Database Trying to hack a business model that succeeds while helping developers. Domains: Projects: DevOps / Automation Training Coaching Code Review Plugged in to SDLC Consulting Assessments @mkonda [email protected] DevOps Growing
  3. What do I do? • Bug bounty • Breaking •

    Mostly SDLC • Training • Automation
  4. Overview • Hands on with Pipeline for labs • Quick

    overview of security tools • DevOps / Continuous Delivery & Rugged • Leveraging security automation where possible
  5. Lab 1: Running Pipeline from Docker 1. docker-machine create --driver

    virtualbox default 2. eval $(docker-machine env default) 3. docker pull jemurai/pipeline:0.8 (or: docker load < pipeline-0.8.tar.gz) 4. docker run —rm jemurai/pipeline:0.8 -h 6. docker run —rm jemurai/pipeline:0.8 \ https://github.com/Jemurai/triage.git
  6. Static Analysis Live App Scanning Dynamic Analysis Dependency Checks Web

    Application Firewall Runtime Security Monitoring
  7. Static Analysis Live App Scanning Dynamic Analysis Dependency Checks Web

    Application Firewall Runtime Security Monitoring IP Reputation
  8. Static Analysis Live App Scanning Dynamic Analysis Dependency Checks Web

    Application Firewall Runtime Security Monitoring IP Reputation Anti-Automation
  9. Static Analysis Live App Scanning Dynamic Analysis Dependency Checks Web

    Application Firewall Runtime Security Monitoring IP Reputation Anti-Automation Penetration Testing
  10. Static Analysis Live App Scanning Dynamic Analysis Dependency Checks Web

    Application Firewall Runtime Security Monitoring IP Reputation Anti-Automation Penetration Testing
  11. B+ C B+ F D D F B A- C

    The items on the left are the OWASP Top 10. The grades are mine and are arbitrary. https://www.owasp.org/index.php/Top_10_2013-Top_10
  12. Lab 2: Running Pipeline on Your Project docker run jemurai/pipeline:0.8

    \ -d \ -f csv \ -v ~/code/location:/tmp/directory/ \ /tmp/directory/ * Due to docker ease of setup, please use a directory within your home directory. It is possible to do this in other ways, but it requires further setup of shared folders in virtual box which we want to avoid for the purposes of this workshop.
  13. I recognize that software has become a foundation of our

    modern world. I recognize the awesome responsibility that comes with this foundational role. I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended. I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic and national security. I recognize these things – and I choose to be rugged.
  14. I recognize that software has become a foundation of our

    modern world. I recognize the awesome responsibility that comes with this foundational role. I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended. I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic and national security. I recognize these things – and I choose to be rugged.
  15. Story Continuous Delivery: The Unit of Work is a Story

    Requirements Design Code Test Security Requirements Security Unit Tests Exploratory Testing Static Analysis on Commit Code Review Threat model / attack surface Checklists Understand Dependencies
  16. Lab 3: Getting into the Pipeline Docker Image 1. docker

    run -i -t —entrypoint=/bin/ bash jemurai/pipeline:0.8 2. cd lib 3. ../bin/pipeline -h Now you’re running from source. We can change anything …
  17. Overview • Pipeline is broken into different chunks to try

    to make it easy and straightforward to extend in expected ways. • These illustrate the challenges of security automation. Mounter Files Code Live Filter Reporter “Tasks”
  18. Recap of “Tasks” • File: AV, FIM • Code: •

    Ruby/Rails: brakeman, bundler-audit • JavaScript: NodeSecurityProject, eslint, retire.js • Java: owasp-dependency-check • Checkmarx • Live: ZAP
  19. Lab 4: Running JS Tools 1.docker run jemurai/pipeline:0.8 -t eslint

    https://github.com/OWASP/ NodeGoat.git Or interactively: 1.docker run -t -i —entrypoint=/bin/bash jemurai/pipeline:0.8 2.cd line/pipeline/lib 3.../bin/pipeline -t eslint https:// github.com/OWASP/NodeGoat.git Try: -t eslint,nodesecurityproject,retirejs
  20. Extension Points • Mounters: mount, supports? • Tasks: run, analyze,

    supported? • Filters: filter • Reporter: run_report Mounter Files Code Live Filter Reporter “Tasks”
  21. Other Internals • Within “Tasks”, each of the files, code

    and app phases of the pipeline can be run selectively as stages. Mounter Files Code Live Filter Reporter “Tasks”
  22. Lab 5: Adding a New Tool to Pipeline 1. docker

    run -i -t —entrypoint=/bin/ bash jemurai/pipeline:0.8 2. cd pipeline/lib/pipeline/tasks/ 3. cp bundler-audit.rb test.rb 4. Edit to always create a finding (or use the following example for grep) 5. cd /../../lib 6. …/bin/pipeline -t test /tmp/
  23. Lab 5: Running Pipeline on a Git Hook 1. Copy

    /hooks/pre-commit to your project in <project-root>/.git/hooks 2. chmod +x pre-commit 3. Edit pre-commit to reflect your path and tools 4. Regular process: 1. Change a <file> 2. git add <file> 3. git commit -m “Testing” <file>
  24. References • https://github.com/owasp/pipeline • https://www.owasp.org/index.php/OWASP_AppSec_Pipeline • https://speakerdeck.com/garethr/maintaining-control-by-letting-go-security-and-devops • http://www.slideshare.net/nickgsuperstar/devopssec-apply-devops-principles-to-security •

    https://www.rsaconference.com/writable/presentations/file_upload/asd-t07r-continuous- security-5-ways-devops-improves-security.pdf • http://gotocon.com/goto-london-2015/ • http://gauntlt.org/ • https://github.com/PearsonEducation/bag-of-holding • https://www.ruggedsoftware.org/