Lean Security - OWASP Austin March 2016

Post on 14-Apr-2017

Transcript of Lean Security - OWASP Austin March 2016

#LEANSECURITY

@ERNESTMUELLER // THEAGILEADMIN.COM // OWASP AUSTIN MARCH 2016

@ERNESTMUELLER // THEAGILEADMIN.COM // #LEANSECURITY

THEAGILEADMIN.COM

ERNEST MUELLER

JAMES WICKETT @wickett

@ernestmueller

THE PRESENTATION THAT JUST MIGHT CHANGE YOUR LIFE…

COMPANIES ARE SPENDING A GREAT DEAL ON SECURITY, BUT WE READ OF MASSIVE COMPUTER-RELATED ATTACKS. CLEARLY SOMETHING IS WRONG.

THE ROOT OF THE PROBLEM IS TWOFOLD: WE’RE PROTECTING (AND SPENDING MONEY ON PROTECTING) THE WRONG THINGS, AND WE’RE HURTING PRODUCTIVITY IN THE PROCESS.

Source: Thinking Security (2005), Steven M. Bellovin

AGILE

WHAT IS AGILE?

• INDIVIDUALS AND INTERACTIONS OVER PROCESSES AND TOOLS
• WORKING SOFTWARE OVER COMPREHENSIVE DOCUMENTATION
• CUSTOMER COLLABORATION OVER CONTRACT NEGOTIATION
• RESPONDING TO CHANGE OVER FOLLOWING A PLAN

SOURCE: THE AGILE MANIFESTO (HTTP://WWW.AGILEMANIFESTO.ORG/)

WHY AGILE?

• 45% OF ORGANIZATIONS ARE USING AGILE ON A MAJORITY OF THEIR TEAMS; ONLY 5% ARE NOT USING IT AT ALL
• AGILE RESULTS:
  • ACCELERATE PRODUCT DELIVERY - 59%
  • ENHANCE ABILITY TO MANAGE CHANGING PRIORITIES - 56%
  • INCREASE PRODUCTIVITY - 53%
  • ENHANCE SOFTWARE QUALITY - 46%
  • ENHANCE DELIVERY PREDICTABILITY - 44%

SOURCE: VERSIONONE NINTH ANNUAL STATE OF AGILE SURVEY (HTTPS://WWW.VERSIONONE.COM/PDF/STATE-OF-AGILE-DEVELOPMENT-SURVEY-NINTH.PDF)

WHAT IS DEVOPS?

DEVOPS IS THE PRACTICE OF OPERATIONS AND DEVELOPMENT ENGINEERS PARTICIPATING TOGETHER IN THE ENTIRE SERVICE LIFECYCLE, FROM DESIGN THROUGH THE DEVELOPMENT PROCESS TO PRODUCTION SUPPORT.

DEVOPS IS ALSO CHARACTERIZED BY OPERATIONS STAFF MAKING USE OF MANY OF THE SAME TECHNIQUES AS DEVELOPERS FOR THEIR SYSTEMS WORK.

SOURCE: THE AGILE ADMIN: WHAT IS DEVOPS? HTTP://THEAGILEADMIN.COM/WHAT-IS-DEVOPS/

WHY DEVOPS?

• BY 2016 “DEVOPS WILL EVOLVE FROM A NICHE TO A MAINSTREAM STRATEGY EMPLOYED BY 25% OF GLOBAL 2000 ORGANIZATIONS” - GARTNER, MARCH 2015
• BENEFITS OF DEVOPS:
  • NEW SOFTWARE/SERVICES THAT WOULD OTHERWISE NOT BE POSSIBLE - 21%
  • A REDUCTION IN TIME SPENT FIXING AND MAINTAINING APPLICATIONS - 21%
  • INCREASED COLLABORATION BETWEEN DEPARTMENTS - 21%
  • AN INCREASE IN REVENUE - 19%
  • IMPROVED QUALITY AND PERFORMANCE OF OUR DEPLOYED APPLICATIONS - 19%

SOURCE: CA RESEARCH REPORT - DEVOPS: THE WORST-KEPT SECRET TO WINNING IN THE APPLICATION ECONOMY (HTTP://REWRITE.CA.COM/US/ARTICLES/DEVOPS/RESEARCH-REPORT--DEVOPS-THE-WORST-KEPT-SECRET-TO-WINNING-IN-THE-APPLICATION-ECONOMY.HTML)

HIGH-PERFORMING IT ORGANIZATIONS EXPERIENCE 60X FEWER FAILURES AND RECOVER FROM FAILURE 168X FASTER THAN THEIR LOWER-PERFORMING PEERS. THEY ALSO DEPLOY 30X MORE FREQUENTLY WITH 200X SHORTER LEAD TIMES.

LEAN

LEAN SOFTWARE DEVELOPMENT

SEVEN PRINCIPLES:

• ELIMINATE WASTE
• AMPLIFY LEARNING
• DECIDE AS LATE AS POSSIBLE
• DELIVER AS FAST AS POSSIBLE
• EMPOWER THE TEAM
• BUILD INTEGRITY IN
• SEE THE WHOLE

SOURCE: LEAN SOFTWARE DEVELOPMENT: AN AGILE TOOLKIT (2003), MARY AND TOM POPPENDIECK

LEAN PRODUCT DEVELOPMENT

• BUILD-MEASURE-LEARN
  • BUILD – MINIMUM VIABLE PRODUCT
  • MEASURE – THE OUTCOME AND INTERNAL METRICS
  • LEARN – ABOUT YOUR PROBLEM AND YOUR SOLUTION
  • REPEAT – GO DEEPER WHERE IT’S NEEDED

SOURCE: LEAN STARTUP (2011), ERIC RIES

WHY LEAN?

• “BOTH DEVOPS AND AGILE BORROW KEY CONCEPTS FROM LEAN MANUFACTURING, SO IT'S ALL ABOUT COMMUNICATION AND OPENNESS.” - INFORMATIONWEEK

WHAT ARE THE CHALLENGES THAT AGILE / DEVOPS / LEAN POSE TO INFOSEC?

WRONG QUESTION!

INSTEAD, EXAMINE HOW ADOPTING THESE STRATEGIES CAN HELP YOU WIN

LEAN SECURITY IS FOR WINNERS

THE SIX-FOLD PATH OF LEAN SECURITY (AND HOW TO WIN)

#1 SECURITY IS JUST BEANCOUNTING

“[RISK ASSESSMENT] INTRODUCES A DANGEROUS FALLACY: THAT STRUCTURED INADEQUACY IS ALMOST AS GOOD AS ADEQUACY AND THAT UNDERFUNDED SECURITY EFFORTS PLUS RISK MANAGEMENT ARE ABOUT AS GOOD AS PROPERLY FUNDED SECURITY WORK”

SOURCE: THE TANGLED WEB (2011), MICHAL ZALEWSKI

WE TRADED ENGINEERING FOR ACTUARIAL DUTIES

A SECURITY MANAGEMENT SYSTEM PROVIDES OPTIMAL VALUE TO THE ORGANIZATION IF IT:

• ACTIVELY SUPPORTS ACHIEVING THE BUSINESS AND COMPLIANCE OBJECTIVES OF THE ORGANIZATION (THE VARIABLE PART)

• IS AN EFFICIENT, AGILE AND INTEGRATED PROCESS, CAPABLE OF DEALING WITH A DYNAMIC THREAT ENVIRONMENT

• CONSUMES MINIMAL TIME AND RESOURCES

• RESULTS IN ADEQUATELY MANAGED SECURITY RISK, IN LINE WITH THE RISK APPETITE OF THE ORGANIZATION

• PROVIDES ONLY THE NECESSARY, YET ADEQUATE, USER FRIENDLY, EFFICIENT AND MEASURABLE SECURITY CONTROLS

SOURCE: JOHAN BAKKER, LEAN SECURITY MANAGEMENT WHITE PAPER

UNDERSTAND THE VALUE YOUR ORGANIZATION NEEDS FROM YOU

#2 SECURITY IS A BOTTLENECK

THE AVERAGE TIME TO DELIVER CORPORATE IT PROJECTS HAS INCREASED FROM ~8.5 MONTHS TO OVER 10 MONTHS IN THE LAST 5 YEARS

SOURCE: Revving up your Corporate RPMs, Fortune Magazine, Feb 1, 2016

WHY ARE COMPANIES SO SLOW?

“[THE GROWTH OF CONTROL AND RISK MANAGEMENT FUNCTIONS WHICH IS TOO OFTEN POORLY COORDINATED… RESULTING IN] A PROLIFERATION OF NEW TASKS IN THE AREAS OF COMPLIANCE, PRIVACY AND DATA PROTECTION.”

SOURCE: Revving up your Corporate RPMs, Fortune Magazine, Feb 1, 2016

THE THREE WASTES

• MUDA - WORK WHICH ABSORBS RESOURCE BUT ADDS NO VALUE
• MURI - UNREASONABLE WORK THAT IS IMPOSED ON WORKERS AND MACHINES
• MURA - WORK COMING IN DRIBS AND DRABS WITH SUDDEN PERIODS OF RUSH RATHER THAN A CONSTANT OR REGULAR FLOW; UNEVENNESS

SECURITY WASTE

MUDA COMES IN SEVEN FORMS:

• EXCESS INVENTORY - DUMPING YOUR THOUSAND PAGE PDF OF VULNERABILITIES ON A BUSY TEAM. PRIORITIZE AND LIMIT WORK IN PROGRESS (WIP)
• OVERPRODUCTION - SECURITY CONTROLS STEMMING FROM FUD OR MISALIGNMENT WITH BUSINESS NEEDS (NOT DEMANDED BY ACTUAL CUSTOMERS) - CF. PHOENIX PROJECT
• EXTRA PROCESSING - FOR EXAMPLE, RELYING ON COMPLIANCE TESTING RATHER THAN DESIGNING THE PROCESS TO ELIMINATE PROBLEMS - HELP IT GET BUILT RIGHT FIRST

SECURITY WASTE

• HANDOFFS - LEVERAGE THE KNOWLEDGE OF THE TEAMS DOING THE WORK AND COLLABORATE WITH THEM TO BUILD SECURITY IN, INSTEAD OF THAT BEING SOME OTHER TEAM’S JOB
• WAITING - LAG BETWEEN VALUE STEPS WAITING FOR APPROVALS OR ANALYSES OR TICKET HANDLING - USE SELF SERVICE AUTOMATION INSTEAD
• TASK SWITCHING - THE THOUSAND PAGE PDF AGAIN - WORK WITH THEIR WORK INTAKE PROCESS, NOT AGAINST IT
• DEFECTS - FALSE POSITIVES, FALSE NEGATIVES AND JUST PLAIN UNIMPORTANT FINDINGS YOU REPORT, CAUSING ZERO-VALUE REWORK

UNDERSTAND THE WASTE THAT YOU GENERATE

#3 SECURITY IS INVISIBLE

SECURITY PROFESSIONALS ARE QUICK TO SAY SECURITY IS EVERYONE’S JOB

SECURITY COULD LEARN FROM WEB PERFORMANCE CIRCA 2008

PERFORMANCE

• BROWSER EXTENSIONS FOR DEVS TO UNDERSTAND PERFORMANCE PROBLEMS
• RESEARCH SHOWING PERFORMANCE TO REVENUE CORRELATION
• SEARCHABLE LOGS EMITTING STATSD METRICS
• CONFERENCES COMBINING FRONT END DEVS AND SYS ADMINS
• COMMITMENT TO INSTRUMENT AND GRAPH ALL THE THINGS

SECURITY

• BROWSER EXTENSIONS FOR DEVS TO UNDERSTAND SECURITY PROBLEMS
• RESEARCH SHOWING SECURITY TO REVENUE CORRELATION
• SEARCHABLE LOGS EMITTING STATSD METRICS
• CONFERENCES COMBINING DEVS, OPS AND SECURITY
• COMMITMENT TO INSTRUMENT AND GRAPH ALL THE THINGS

SEE THE WHOLE

• KEEP MEANINGFUL METRICS; MAKE THOSE METRICS VISIBLE, IN THE CONTEXT OF WORKERS’ TOOLCHAIN
• “LEAST PRIVILEGE” NEEDS TO BE UNLEARNED SOMEWHAT IN MODERN ORGANIZATIONS TO ALLOW EFFECTIVE INFORMATION SHARING
• GET IN THE BUSINESS OF SHARING AND ADDING VISIBILITY TO DEV AND TO OPS.
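The web-performance pattern the two slides above borrow (searchable logs emitting statsd metrics, instrument and graph all the things) applied to security, as an added example that is not from the talk: a small Python pipeline that turns constructed web-server log lines into statsd counters for authentication failures and other security signals, so they land on the same graphs dev and ops already watch. The response-code-to-metric mapping and the UDP `emit` helper are assumptions made for this example.

```python
import re
import socket
from collections import Counter

# Constructed access-log lines (not real traffic) with a few security-relevant responses.
LOG_LINES = [
    '10.0.0.5 - - [01/Mar/2016:10:00:01 +0000] "GET /login HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Mar/2016:10:00:02 +0000] "POST /login HTTP/1.1" 401 87',
    '10.0.0.5 - - [01/Mar/2016:10:00:03 +0000] "POST /login HTTP/1.1" 401 87',
    '10.0.0.9 - - [01/Mar/2016:10:00:04 +0000] "GET /admin HTTP/1.1" 403 61',
    '10.0.0.9 - - [01/Mar/2016:10:00:05 +0000] "GET /search?q=<script> HTTP/1.1" 400 44',
]

# Request line and status code of a common-log-format entry.
LINE_RE = re.compile(r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Assumed mapping from response code to a security signal worth graphing.
SIGNALS = {"401": "security.auth_failure", "403": "security.forbidden", "400": "security.bad_request"}

def metrics_from_logs(lines):
    """Count total requests plus each security signal seen in the log lines."""
    counts = Counter()
    for line in lines:
        match = LINE_RE.search(line)
        if not match:
            continue  # unparseable line: skip rather than miscount
        counts["http.requests"] += 1
        signal = SIGNALS.get(match.group("status"))
        if signal:
            counts[signal] += 1
    return counts

def to_statsd(counts):
    """Render counters in the statsd wire format '<metric>:<value>|c'."""
    return [f"{name}:{value}|c" for name, value in sorted(counts.items())]

def emit(packets, host="127.0.0.1", port=8125):
    """Fire-and-forget UDP, statsd's native transport; harmless if no daemon is listening."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for packet in packets:
            sock.sendto(packet.encode(), (host, port))
    finally:
        sock.close()
    return len(packets)
```

Run `emit(to_statsd(metrics_from_logs(LOG_LINES)))` against a local statsd (or Graphite/Grafana) and the failed logins show up next to the latency graphs, which is the visibility the slide is asking for.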

VISUALIZE SECURITY SO EVERYONE CAN SEE

#4 SECURITY IS ALWAYS TOO LATE

“CEASE DEPENDENCE ON MASS INSPECTION TO ACHIEVE QUALITY. IMPROVE THE PROCESS AND BUILD QUALITY INTO THE PRODUCT IN THE FIRST PLACE.”

– W. EDWARDS DEMING

SOURCE: THE THREE WAYS OF DEVOPS, GENE KIM

BE MEAN TO YOUR CODE EARLIER IN THE DEVELOPMENT PROCESS

ENTER GAUNTLT…

    @slow @final
    Feature: Look for cross site scripting (xss) using arachni against a URL

      Scenario: Using arachni, look for cross site scripting and verify no issues are found
        Given "arachni" is installed
        And the following profile:
          | name | value                 |
          | url  | http://localhost:8008 |
        When I launch an "arachni" attack with:
          """
          arachni --check=xss* <url>
          """
        Then the output should contain "0 issues were detected."

Given

When

Then

What?

AN ATTACK LANGUAGE FOR DEVOPS
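To make the Given / When / Then structure of that attack file concrete, here is an added example (written for this edit, not Gauntlt's own code) of a minimal interpreter for the arachni scenario above: "Given" becomes an installed-tool check, the profile table feeds placeholder substitution into the "When" command, and "Then" becomes the pass/fail assertion on the tool's output. The `runner` callback is an assumption that lets the tool be stubbed so the example runs with no scanner and no target.

```python
import re
import shlex
import shutil
import subprocess

# Constructed copy of the arachni XSS attack shown on the slide (Gauntlt-style Gherkin).
ATTACK = '''@slow @final
Feature: Look for cross site scripting (xss) using arachni against a URL

Scenario: Using arachni, look for cross site scripting and verify no issues are found
  Given "arachni" is installed
  And the following profile:
    | name | value                 |
    | url  | http://localhost:8008 |
  When I launch an "arachni" attack with:
    """
    arachni --check=xss* <url>
    """
  Then the output should contain "0 issues were detected."
'''

def parse_attack(text):
    """Pull the tool, profile table, command and expected output out of the scenario."""
    tool = re.search(r'Given "([^"]+)" is installed', text).group(1)
    profile = dict(re.findall(r'^\s*\|\s*(\w+)\s*\|\s*(.+?)\s*\|\s*$', text, re.M))
    profile.pop("name", None)  # drop the table header row
    command = re.search(r'"""\s*\n(.*?)\n\s*"""', text, re.S).group(1).strip()
    expected = re.search(r'Then the output should contain "([^"]+)"', text).group(1)
    return tool, profile, command, expected

def render_command(command, profile):
    """Substitute <key> placeholders in the command from the profile table."""
    for key, value in profile.items():
        command = command.replace(f"<{key}>", value)
    return command

def run_attack(text, runner=None):
    """Given: tool is installed. When: run the command. Then: output contains the expected text.
    `runner` (hypothetical hook) takes argv and returns the output, so the tool can be stubbed."""
    tool, profile, command, expected = parse_attack(text)
    argv = shlex.split(render_command(command, profile))
    if runner is None:
        if shutil.which(tool) is None:
            raise RuntimeError(f'"{tool}" is not installed')
        output = subprocess.run(argv, capture_output=True, text=True).stdout
    else:
        output = runner(argv)
    return argv, expected in output
```

Wired into a build as `run_attack(ATTACK)` with arachni on the PATH, a non-zero finding count fails the pipeline the same way a failing unit test would, which is the "security feedback in each step" the next slide asks for.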

http://theagileadmin.com/2015/06/09/pragmatic-security-and-rugged-devops/

GENERATE SECURITY FEEDBACK IN EACH STEP IN THE VALUE STREAM

#5 SECURITY IS ALWAYS IN THE WAY

ARE YOU “THAT GUY?”

• YOU ALREADY KNOW YOU CAN’T MAKE THINGS SECURE BY YOURSELF
• YOU NEED EVERYONE ELSE TO COOPERATE WITH YOU
• BUT DOES IT SEEM LIKE THE THINGS YOU DO JUST ANGER THEM?

EMPOWER THE TEAM

• UNDERSTAND HUMAN MOTIVATION
• NETFLIX AUTOMATION CREATED SAFE PATHS AS THE DEFAULT
• AUTOMATING PROCESS REMOVES EMOTIONAL CHARGE

SELF SERVICE AUTOMATION

#6 SECURITY IS PERFECTIONIST AND IS THEREFORE UNREALISTIC

SECURITY IS YOUR PRODUCT

BUILD-MEASURE-LEARN

• DELIVER MINIMAL VIABLE SECURITY ACROSS EVERYTHING
• FOCUS ON DETECTION/METRIC GATHERING
• ITERATE FROM THERE
• REMEMBER THE WEAKEST LINK WINS
• OVERLAP SMALLER SOLUTIONS - SEE JOSH MORE’S OWASP 2012 “LEAN SECURITY 101” PRESENTATION

MANAGE YOUR PRODUCT

WE’VE BEEN THERE

QUESTIONS?

THEAGILEADMIN.COM

ERNEST MUELLER

JAMES WICKETT @wickett

@ernestmueller