Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security from Inception

Matt Konda
May 14, 2015
Technology
0
100

Security from Inception

From Chicago Coder Conference 2015, a talk about building security controls into an Agile project.

Matt Konda

May 14, 2015
Tweet

More Decks by Matt Konda

See All by Matt Konda
Glue Intro
mkonda
0
130
Automate All of the Things
mkonda
0
180
Building Rugged Software in a DevOps World
mkonda
0
100
What is Rugged all about?
mkonda
1
81
Real World Security Testing
mkonda
1
100
Security Automation Pipeline
mkonda
1
190
Security Automation Workshop
mkonda
0
53
Rationalizing Security
mkonda
0
60
Application Security Landscape
mkonda
0
89

Other Decks in Technology

See All in Technology
チームを主語にしてみる / Making "Team" the Subject
ar_tama
4
310
[JAWS-UG金沢支部×コンテナ支部合同企画]コンテナとは何か
furuton
3
260
2024-10-30-reInventStandby_StudyGroup_Intro
shinichirokawano
1
630
Java x Spring Boot Warm up
kazu_kichi_67
2
490
AWS CodePipelineでコンテナアプリをデプロイした際に、古いイメージを自動で削除する
smt7174
1
100
Fargateを使った研修の話
takesection
0
120
omakaseしないための.rubocop.yml のつくりかた / How to Build Your .rubocop.yml to Avoid Omakase #kaigionrails
linkers_tech
3
740
Vueで Webコンポーネントを作って Reactで使う / 20241030-cloudsign-vuefes_after_night
bengo4com
4
2.5k
Amazon FSx for NetApp ONTAPを利用するにあたっての要件整理と設計のポイント
non97
1
160
独自ツール開発でスタジオ撮影をDX!「VLS(Virtual LED Studio)」 / dx-studio-vls
cyberagentdevelopers
PRO
1
180
現地でMeet Upをやる場合の注意点 〜反省点を添えて〜
shotashiratori
0
530
Jr. Championsになって、強く連携しながらAWSをもっと使いたい!~AWSに対する期待と行動~
amixedcolor
0
190

Featured

See All Featured
ReactJS: Keep Simple. Everything can be a component!
pedronauck
664
120k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
246
1.3M
Side Projects
sachag
452
42k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
3
370
YesSQL, Process and Tooling at Scale
rocio
167
14k
BBQ
matthewcrist
85
9.3k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
504
140k
How to Ace a Technical Interview
jacobian
275
23k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
7
150
RailsConf 2023
tenderlove
29
880
Faster Mobile Websites
deanohume
304
30k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
43
6.6k

Transcript

  1. Security from inception Matt Konda @mkonda Jemurai.com

  2. Introduction 1997 2006 2014 Consultant Engineer Software Architect Director of

    Engineering Rabble Rouser: Perl Java Applet C++ J2EE J2EE
 Spring Analytics Certificate Authority Vulnerability Scanner Penetration Test Manager Pricing Retail Banking Manufacturing Pharma Healthcare Research Ruby Rails Chicago BSides 2011, 2012 Defcon Skytalk OWASP Chicago, MSP 2013 AppSec USA 2012, 2013 ChicagoRuby 2013 Secure 360 Lone Star Ruby 2013 WindyCityRails 2013 Chicago JUG 2014 RailsConf 2014 Converge 2014 MS in CS Founder Consultant Agile Clojure Graph Database Trying to hack a business model that succeeds while helping developers. Domains: Projects: Training Coaching Code Review Plugged in to SDLC Consulting Assessments

  3. BACKGROUND ON ME

  4. What is an inception?

  5. None
  6. None
  7. None
  8. None

  9. ARE STAKEHOLDERS ASKING FOR SECURITY?

  10. None
  11. None

  12. exercise 1

  13. exercise 2

  14. http://blog.cognitivedissidents.com/2011/11/01/intro-to-hdmoores-law/ Credit: Josh Corman HDMoore’s Law

  15. Baseline security requirements

  16. story points

  17. estimates to include security considerations

  18. here’s why.

  19. Agile metrics Credit: rallydev.com

  20. security and agile

  21. Agile values Individuals and interactions over processes and tools

  22. Agile values Working software over comprehensive documentation

  23. Agile values Customer collaboration over contract negotiation

  24. Agile values Responding to change over following a plan

  25. Traditional Plan Original goal

  26. Traditional Plan Original goal Actual GOAL Agile Plan

  27. Example: 2FA

  28. placeholder for building picture

  29. Example: auditing

  30. story review

  31. CREDIT:
 RALLYDEV.COM

  32. incremental code review

  33. hipchat

  34. continuous integration

  35. gauntlt

  36. static analysis

  37. dynamic analysis

  38. app / network scanning

  39. Speaking of tools…

  40. there is no

  41. EVIL False Positives Are a Necessary

  42. checklists

  43. bug tracking

  44. testing

  45. How many  people here  Write tests?

  46. How many  people here  Use TDD?

  47. How many  people here  Use BDD?

  48. How many  people here  know of OWASP?

  49. How many  people here  currently write security tests?

  50. how many people have had a penetration test against their

    application?
  51. None
  52. None

  53. Feature: person is restricted from accessing A project they do

    not own Scenario: person accesses a project  that is not theirs  Given a new project created by a user When a different person attempts to access the project Then the system should prevent access

  54. demo cucumber --name "person is restricted from accessing project they

    do not own"
  55. None

  56. Given(/^a new project created by a user$/) do uuid =

    SecureRandom.uuid @user1 = "fb_user_1_#{uuid}@jemurai.com" register_as_user(@user1, "password") new_project("Insecure Direct Object Reference #{uuid}", "Forceful Browsing Desc") @url = current_url end When(/^a different person attempts to access the project$/) do logout(@user1) uuid = SecureRandom.uuid @user2 = "fb_user_2_#{uuid}@jemurai.com" register_as_user(@user2, "password") end Then(/^the system should prevent access$/) do visit @url expect(page).not_to have_content "Forceful Browsing Desc" end

  57. demo cucumber --name "user is prevented from putting XSS in

    project form fields"
  58. None
  59. None

  60. write tests that illustrate the security issues

  61. simplified Steps • injection: inject commands into fields and detect

    functions being called. • XSS: inject scripts into fields and detect that alerts are thrown • Mass assignment: set raw form data and send it to see how the server responds • csrf: alter csrf token and send otherwise valid request • headers: interact with system and verify that headers are being set • Sensitive Data: open session cookie and inspect

  62. OWASP Top 10 From: owasp.org

  63. spend time on scenarios for negative testing

  64. if you like all this stuff, maybe you should be

    a security champion

  65. standup

  66. None

  67. built in architecture review

  68. operationalize

  69. None

  70. Facilitate

  71. ask questions

  72. None

  73. What we delivered

  74. • • RELIABILITY MAINTAINABILITY • • • • • •

    • • SECURITY ruggeddev.org @ruggeddev rugged
  75. None

  76. never be afraid to ask for help

  77. unfortunately, we’ve all done it wrong

  78. make security friends

  79. make security friends

  80. Summary • Villain Person from Inception • baseline Security Requirements

    Up Front • Story Review for Security: acceptance criteria • Security Requirements included in stories PRE estimation • Incremental Code Review • Share Tools: planning, collaboration, build • Testing • Participate in Standup • operational and monitoring guide • Facilitate - ask questions - stay involved

  81. Resources • owasp top 10 • OWASP ZAP • OWASP

    Dependency Check • OWASP WebGoat

  82. Thank you

  83. Thank you

  84. Security from inception Matt Konda @mkonda Jemurai.com