Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security from Inception

Matt Konda
May 14, 2015
Technology
0
100

Security from Inception

From Chicago Coder Conference 2015, a talk about building security controls into an Agile project.

Matt Konda

May 14, 2015
Tweet

More Decks by Matt Konda

See All by Matt Konda
Glue Intro
mkonda
0
130
Automate All of the Things
mkonda
0
190
Building Rugged Software in a DevOps World
mkonda
0
100
What is Rugged all about?
mkonda
1
82
Real World Security Testing
mkonda
1
100
Security Automation Pipeline
mkonda
1
190
Security Automation Workshop
mkonda
0
55
Rationalizing Security
mkonda
0
60
Application Security Landscape
mkonda
0
89

Other Decks in Technology

See All in Technology
AWS Lambda のトラブルシュートをしていて思うこと
kazzpapa3
2
180
DynamoDB でスロットリングが発生したとき_大盛りver/when_throttling_occurs_in_dynamodb_long
emiki
1
430
Incident Response Practices: Waroom's Features and Future Challenges
rrreeeyyy
0
160
アプリエンジニアのためのGraphQL入門.pdf
spycwolf
0
100
CysharpのOSS群から見るModern C#の現在地
neuecc
2
3.5k
Amazon CloudWatch Network Monitor のススメ
yuki_ink
1
210
Platform Engineering for Software Developers and Architects
syntasso
1
520
DynamoDB でスロットリングが発生したとき/when_throttling_occurs_in_dynamodb_short
emiki
0
250
飲食店データの分析事例とそれを支えるデータ基盤
kimujun
0
160
SRE×AIOpsを始めよう!GuardDutyによるお手軽脅威検出
amixedcolor
0
170
Flutterによる 効率的なAndroid・iOS・Webアプリケーション開発の事例
recruitengineers
PRO
0
120
EventHub Startup CTO of the year 2024 ピッチ資料
eventhub
0
120

Featured

See All Featured
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
250
21k
A Philosophy of Restraint
colly
203
16k
Intergalactic Javascript Robots from Outer Space
tanoku
269
27k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
48k
Build The Right Thing And Hit Your Dates
maggiecrowley
33
2.4k
Side Projects
sachag
452
42k
The Power of CSS Pseudo Elements
geoffreycrofte
73
5.3k
StorybookのUI Testing Handbookを読んだ
zakiyama
27
5.3k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
246
1.3M
Producing Creativity
orderedlist
PRO
341
39k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
26
2.1k

Transcript

  1. Security from inception Matt Konda @mkonda Jemurai.com

  2. Introduction 1997 2006 2014 Consultant Engineer Software Architect Director of

    Engineering Rabble Rouser: Perl Java Applet C++ J2EE J2EE
 Spring Analytics Certificate Authority Vulnerability Scanner Penetration Test Manager Pricing Retail Banking Manufacturing Pharma Healthcare Research Ruby Rails Chicago BSides 2011, 2012 Defcon Skytalk OWASP Chicago, MSP 2013 AppSec USA 2012, 2013 ChicagoRuby 2013 Secure 360 Lone Star Ruby 2013 WindyCityRails 2013 Chicago JUG 2014 RailsConf 2014 Converge 2014 MS in CS Founder Consultant Agile Clojure Graph Database Trying to hack a business model that succeeds while helping developers. Domains: Projects: Training Coaching Code Review Plugged in to SDLC Consulting Assessments

  3. BACKGROUND ON ME

  4. What is an inception?

  5. None
  6. None
  7. None
  8. None

  9. ARE STAKEHOLDERS ASKING FOR SECURITY?

  10. None
  11. None

  12. exercise 1

  13. exercise 2

  14. http://blog.cognitivedissidents.com/2011/11/01/intro-to-hdmoores-law/ Credit: Josh Corman HDMoore’s Law

  15. Baseline security requirements

  16. story points

  17. estimates to include security considerations

  18. here’s why.

  19. Agile metrics Credit: rallydev.com

  20. security and agile

  21. Agile values Individuals and interactions over processes and tools

  22. Agile values Working software over comprehensive documentation

  23. Agile values Customer collaboration over contract negotiation

  24. Agile values Responding to change over following a plan

  25. Traditional Plan Original goal

  26. Traditional Plan Original goal Actual GOAL Agile Plan

  27. Example: 2FA

  28. placeholder for building picture

  29. Example: auditing

  30. story review

  31. CREDIT:
 RALLYDEV.COM

  32. incremental code review

  33. hipchat

  34. continuous integration

  35. gauntlt

  36. static analysis

  37. dynamic analysis

  38. app / network scanning

  39. Speaking of tools…

  40. there is no

  41. EVIL False Positives Are a Necessary

  42. checklists

  43. bug tracking

  44. testing

  45. How many  people here  Write tests?

  46. How many  people here  Use TDD?

  47. How many  people here  Use BDD?

  48. How many  people here  know of OWASP?

  49. How many  people here  currently write security tests?

  50. how many people have had a penetration test against their

    application?
  51. None
  52. None

  53. Feature: person is restricted from accessing A project they do

    not own Scenario: person accesses a project  that is not theirs  Given a new project created by a user When a different person attempts to access the project Then the system should prevent access

  54. demo cucumber --name "person is restricted from accessing project they

    do not own"
  55. None

  56. Given(/^a new project created by a user$/) do uuid =

    SecureRandom.uuid @user1 = "fb_user_1_#{uuid}@jemurai.com" register_as_user(@user1, "password") new_project("Insecure Direct Object Reference #{uuid}", "Forceful Browsing Desc") @url = current_url end When(/^a different person attempts to access the project$/) do logout(@user1) uuid = SecureRandom.uuid @user2 = "fb_user_2_#{uuid}@jemurai.com" register_as_user(@user2, "password") end Then(/^the system should prevent access$/) do visit @url expect(page).not_to have_content "Forceful Browsing Desc" end

  57. demo cucumber --name "user is prevented from putting XSS in

    project form fields"
  58. None
  59. None

  60. write tests that illustrate the security issues

  61. simplified Steps • injection: inject commands into fields and detect

    functions being called. • XSS: inject scripts into fields and detect that alerts are thrown • Mass assignment: set raw form data and send it to see how the server responds • csrf: alter csrf token and send otherwise valid request • headers: interact with system and verify that headers are being set • Sensitive Data: open session cookie and inspect

  62. OWASP Top 10 From: owasp.org

  63. spend time on scenarios for negative testing

  64. if you like all this stuff, maybe you should be

    a security champion

  65. standup

  66. None

  67. built in architecture review

  68. operationalize

  69. None

  70. Facilitate

  71. ask questions

  72. None

  73. What we delivered

  74. • • RELIABILITY MAINTAINABILITY • • • • • •

    • • SECURITY ruggeddev.org @ruggeddev rugged
  75. None

  76. never be afraid to ask for help

  77. unfortunately, we’ve all done it wrong

  78. make security friends

  79. make security friends

  80. Summary • Villain Person from Inception • baseline Security Requirements

    Up Front • Story Review for Security: acceptance criteria • Security Requirements included in stories PRE estimation • Incremental Code Review • Share Tools: planning, collaboration, build • Testing • Participate in Standup • operational and monitoring guide • Facilitate - ask questions - stay involved

  81. Resources • owasp top 10 • OWASP ZAP • OWASP

    Dependency Check • OWASP WebGoat

  82. Thank you

  83. Thank you

  84. Security from inception Matt Konda @mkonda Jemurai.com