Continuous Security - That Conference



  • Date posted: 09-Apr-2017
  • Category: Software



Transcript of Continuous Security - That Conference

Bear Proof Applications: Using Continuous Security to Mitigate Threats
Wendy Istvanick - wendyi@thoughtworks.com

What I Will Cover
- Attack Volumes
- Recent Attacks
- Taking an Agile Approach
- Project Overview
- Tool Survey
- Wrap Up

Attack Volumes

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

High Profile Attacks

Target (Nov-Dec 2013)
- Unnecessarily Exposed Vendor List
- Phishing Attack
- Inadequate Network Segmentation
- Out of Date Software
- In Memory Data
- Missed Internal Alerts
- Default Username/Password

Impact: 2000 stores, 40 million credit cards, private data for 70 million customers


Home Depot (Apr-Sep 2014)
- Stolen Vendor Credentials
- Improper Configurations
- Important Anti-Virus Feature Turned Off
- POS Systems Running on Windows XP
- Unencrypted Data In Transit
- Improper Segmentation between Corporate and POS Networks
- Inadequate Monitoring

Impact: 2200 stores, 56 million cards, 53 million email addresses


Sally Beauty (Mar 2014)
- Credentials Taped to Laptop
- Network Admin Credentials in VB Scripts
- Installed Malware on Cash Registers

Impact: 2600 stores, 260,000 credit cards

Breached again in Mar 2015


An Agile Approach

Testing
- Unit Tests
- Service Tests
- UI Tests

Continuous Delivery

(Diagram: the delivery pipeline. Code and Config feed Build, Test and Package, then Integration, Staging and Production. Testing environments Env1, Env2 and Env3 sit under the Build, Test & Release stages.)

How Can We Apply This to Security?

Project Overview

(Diagram: domain model of the sample recipe application. Entities: Recipe, Ingredient, IngredientType, Diet, DietType.)

Tool Survey

If checking for vulnerable components is good, we will do so every time we commit code.

Vulnerable Components

(Diagram: dependency graph of the Java project: Guava, MyBatis, JUnit, Hamcrest, Mockito, Objenesis.)

Vulnerable Components

"We studied the 31 most popular Java frameworks and security libraries downloaded from the [maven central] and discovered that 26% of these have known vulnerabilities. More than half of the Global 500 use software built using components with vulnerable code."
http://www.aspectsecurity.com/research-presentations/the-unfortunate-reality-of-insecure-libraries

Vulnerable Components - Examples

Spring Remote Code Execution: allowed execution of arbitrary code via expression language. Could be used to take over a server.

Apache CXF Authentication Bypass (not the Apache app server): allowed a request without an identity token to gain full permissions to any web service.

Checkmarx CxSAST (formerly CxSuite): allowed remote unauthenticated users to bypass a sandbox protection mechanism. Could be used to execute arbitrary C# code.

RubyGems Hostname Validation: hostname not validated when fetching gems. Could be used to execute a DNS hijack attack.

https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities


Vulnerable Components - The Tools
- C#: SafeNuGet (MSBuild Task), OWASP Dependency Check
- Java: OWASP Dependency Check
- Ruby: Bundler Audit, Dawnscanner

Vulnerable Components - Tool Integration

If updating our dependencies is desired, we will run canary builds regularly to tell us when we can update.

Upgrading Dependencies

(Diagram: the same dependency graph of the Java project: Guava, MyBatis, JUnit, Hamcrest, Mockito, Objenesis.)

Upgrading Dependencies - The Tools

Canary Builds

(Diagram: the delivery pipeline from earlier, Code and Config through Build, Test, Package, Integration, Staging and Production with testing environments Env1, Env2 and Env3, used here to show where a canary build sits.)
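The per-commit component check and the scheduled canary build both start from the same lockfile, so here is one added example, in Ruby, that covers both slides. It is not code from the talk's repository, from bundler-audit or from any of the tools named above. It parses a constructed Gemfile.lock, fails the commit gate when a locked gem falls inside one of the constructed advisories (the gem names, the EXAMPLE-* advisory IDs and the "latest release" table are all made up for this example, written in the shape of ruby-advisory-db entries), and then reports which upgrades a canary build resolving against the registry would surface, classified as major, minor or patch.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement do the version maths

# Constructed Gemfile.lock for the example; gem names and versions are made up.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      acme-auth (1.4.2)
        acme-core (>= 0.9)
      acme-core (0.9.5)
      widget-parser (2.0.0)
      yaml-tools (3.1.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    acme-auth
    widget-parser
    yaml-tools
LOCK

# Constructed advisories in the shape of ruby-advisory-db entries (illustrative
# only, not real advisories). A locked version is affected unless it satisfies
# at least one of the patched_versions requirements.
SAMPLE_ADVISORIES = [
  { id: "EXAMPLE-0001", gem: "acme-auth",     patched_versions: ["~> 1.4.3", ">= 1.5.0"],
    title: "example: authentication bypass, fixed in 1.4.3" },
  { id: "EXAMPLE-0002", gem: "widget-parser", patched_versions: [">= 2.0.1"],
    title: "example: injection in parser, fixed in 2.0.1" },
  { id: "EXAMPLE-0003", gem: "yaml-tools",    patched_versions: [">= 3.0.0"],
    title: "example: already fixed in the locked version" },
]

# Constructed "newest release" table: what a canary build learns when it
# resolves against the registry without the lockfile.
SAMPLE_LATEST = {
  "acme-auth" => "2.0.0", "acme-core" => "0.9.5",
  "widget-parser" => "2.0.1", "yaml-tools" => "3.1.4",
}

# Read the GEM/specs block: 4-space-indented "name (version)" lines are the
# resolved gems; 6-space lines are their dependencies and are skipped because
# every dependency also appears as its own 4-space entry.
def parse_lockfile(text)
  locked = {}
  in_specs = false
  text.each_line do |line|
    if line.strip == "specs:"
      in_specs = true
      next
    end
    in_specs = false if line.strip.empty?
    next unless in_specs
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    locked[m[1]] = Gem::Version.new(m[2]) if m
  end
  locked
end

# Advisories whose gem is locked at an unpatched version.
def vulnerable_gems(locked, advisories)
  advisories.select do |adv|
    version = locked[adv[:gem]]
    next false unless version
    adv[:patched_versions].none? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
  end
end

# Classify an upgrade by the first differing version segment.
def upgrade_kind(from, to)
  f, t = from.segments.map(&:to_i), to.segments.map(&:to_i)
  return :major if f[0] != t[0]
  return :minor if f[1].to_i != t[1].to_i
  :patch
end

# Locked gems that have a newer release in the registry table.
def outdated_gems(locked, latest)
  locked.each_with_object([]) do |(name, version), out|
    next unless latest[name]
    newest = Gem::Version.new(latest[name])
    next unless newest > version
    out << { gem: name, from: version.to_s, to: newest.to_s, kind: upgrade_kind(version, newest) }
  end
end

# The per-commit gate: pass only when no locked gem has an open advisory.
def commit_gate(lockfile_text, advisories)
  locked = parse_lockfile(lockfile_text)
  findings = vulnerable_gems(locked, advisories)
  { pass: findings.empty?,
    findings: findings.map { |a| "#{a[:gem]} #{locked[a[:gem]]}: #{a[:id]} (#{a[:title]})" } }
end

# The canary report: upgrades a scheduled build against the registry would surface.
def canary_report(lockfile_text, latest)
  outdated_gems(parse_lockfile(lockfile_text), latest)
end

if $PROGRAM_NAME == __FILE__
  gate = commit_gate(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES)
  puts(gate[:pass] ? "component check: PASS" : "component check: FAIL")
  gate[:findings].each { |f| puts "  #{f}" }
  canary_report(SAMPLE_LOCKFILE, SAMPLE_LATEST).each do |u|
    puts "canary: #{u[:gem]} #{u[:from]} -> #{u[:to]} (#{u[:kind]} upgrade)"
  end
end
```

On the sample data the gate fails on acme-auth and widget-parser (yaml-tools is locked above its patched version), and the canary report separates the one-line patch bumps from the acme-auth major upgrade that will need real testing. In a pipeline the gate runs on every commit and the canary on a schedule, which is the split the two slides describe.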

If not exposing secrets is important, we will ensure they are never committed to our version control system.

Exposing Secrets

Exposing Secrets - The Tools

Talisman

"A talisman is an object which is believed to contain certain magical or sacramental properties which would provide good luck for the possessor or possibly offer protection from evil or harm."
https://en.wikipedia.org/wiki/Talisman

Exposing Secrets - Tool Integration


19:54:42.329 :findSecrets FAILED
19:54:42.336
19:54:42.336 BUILD FAILED
19:54:42.336
19:54:42.336 Total time: 3.085 secs
19:54:42.339
19:54:42.339 FAILURE: Build failed with an exception.
19:54:42.339
19:54:42.339 * What went wrong:
19:54:42.339 Execution failed for task ':findSecrets'.

Files checked:
java/build.gradle
java/gradle/wrapper/gradle-wrapper.jar
java/gradle/wrapper/gradle-wrapper.properties
java/gradlew
java/gradlew.bat
java/notReallyAn._rsa
java/src/vulnerableCheckSuppression.xml

The following errors were detected in java/notReallyAn._rsa
  The file name "java/notReallyAn._rsa" failed checks against the pattern ^.+_rsa$
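The build output above shows the simplest kind of check, a file-name pattern. As an added example, not Talisman's code and not the talk's Gradle task, here is a pre-commit style scanner in Ruby that applies that same `^.+_rsa$` rule and two more layers: content patterns (a private-key header, the AWS access-key-id format, a password assignment) and a Shannon-entropy test on long tokens. The pattern set, the 4.0 bits-per-character threshold and the staged files are assumptions made for the example; the AWS key is the placeholder from AWS's own documentation, not a real credential, and the VB script deliberately echoes the Sally Beauty finding above.

```ruby
# File-name patterns; the first is the rule the findSecrets output above
# reports. The set is an assumption for the example, not Talisman's own list.
FILENAME_CHECKS = {
  "private key file name" => /\A.+_rsa\z/,
  "PEM file name"         => /\A.+\.pem\z/,
  "keystore file name"    => /\A.+\.(p12|pfx|jks)\z/,
  "credentials file name" => /\A(.*\/)?\.?(netrc|htpasswd)\z/,
}

# Content patterns (same caveat: an illustrative set).
CONTENT_CHECKS = {
  "private key material" => /-----BEGIN [A-Z ]*PRIVATE KEY-----/,
  "AWS access key id"    => /\bAKIA[0-9A-Z]{16}\b/,
  "password assignment"  => /password\s*[:=]\s*["']?\S+/i,
}

# Anything that looks like a long random token is judged by its entropy.
ENTROPY_TOKEN = /[A-Za-z0-9+\/=]{32,}/
ENTROPY_THRESHOLD = 4.0 # bits per character; the threshold is an assumption

# Constructed staged files (path => content) for the example. The AWS key is
# the placeholder from AWS's documentation; everything else is made up.
STAGED_FILES = {
  "java/notReallyAn._rsa" => "not a key, just a file name that looks like one\n",
  "keys/server.pem"       => "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAexample\n-----END RSA PRIVATE KEY-----\n",
  "config/deploy.yml"     => "region: us-east-1\naws_access_key_id: AKIAIOSFODNN7EXAMPLE\n",
  "scripts/backup.vbs"    => "Dim adminPassword\nadminPassword = \"Sup3rS3cret!\"\n",
  "src/Settings.java"     => "String apiToken = \"A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6\";\n",
  "README.md"             => "Run ./gradlew build to compile and test.\n",
}

# Shannon entropy in bits per character: random-looking secrets score high,
# ordinary identifiers and prose score low.
def shannon_entropy(str)
  counts = Hash.new(0)
  str.each_char { |c| counts[c] += 1 }
  counts.values.sum { |n| p = n.to_f / str.length; -p * Math.log2(p) }
end

# Layer 1: the path alone, as in the Gradle output above.
def check_filename(path)
  FILENAME_CHECKS.select { |_, re| path.match?(re) }
                 .map { |name, _| { file: path, check: name, detail: "file name" } }
end

# Layers 2 and 3: line-by-line patterns, then entropy of long tokens.
def check_content(path, text)
  findings = []
  text.each_line.with_index(1) do |line, n|
    CONTENT_CHECKS.each do |name, re|
      findings << { file: path, check: name, detail: "line #{n}" } if line.match?(re)
    end
    line.scan(ENTROPY_TOKEN).each do |token|
      bits = shannon_entropy(token)
      next if bits < ENTROPY_THRESHOLD
      findings << { file: path, check: "high-entropy token", detail: "line #{n}, #{bits.round(3)} bits/char" }
    end
  end
  findings
end

def scan_files(files)
  files.flat_map { |path, text| check_filename(path) + check_content(path, text) }
end

# The hook's verdict: any finding blocks the commit.
def commit_allowed?(files)
  scan_files(files).empty?
end

if $PROGRAM_NAME == __FILE__
  scan_files(STAGED_FILES).each { |f| puts "#{f[:file]}: #{f[:check]} (#{f[:detail]})" }
  puts(commit_allowed?(STAGED_FILES) ? "commit allowed" : "commit blocked")
end
```

The entropy layer is what catches tokens no pattern anticipates, and it is also the main source of the false positives listed under Potential Downsides below, so in practice it needs a per-repository ignore list like the suppression file visible in the Gradle output.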

If searching for possible attack vectors for our web sites is good, we will automate this search.

Finding Vulnerabilities

Finding Vulnerabilities - The Tools

OWASP ZAP (Zed Attack Proxy): HTML, Ajax, Extensions, Port Scanning, Fuzzing, LDAP Injection, Session Fixation

ZAP passively scans all of the requests and responses that it discovers via the spiders or that are proxied through it from your browser. Passive scanning does not change the responses in any way and is therefore always safe to use. Scanning is performed in a background thread to ensure that it does not slow down the exploration of an application. Passive scanning is good for finding a limited number of potential vulnerabilities, such as missing security-related HTTP headers. It can be an effective way to get a sense of the state of security in a given web application, and clues for where to focus more invasive manual testing.

Active scanning attempts to find potential vulnerabilities by using known attacks against the selected targets. As active scanning is an attack on those targets it is completely under user control and should only be used against applications that you have permission to test. Active scanning can be started via the Active Scan tab or the right click Attack menu.
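To make the passive/active distinction concrete, here is an added example in Ruby of the passive side: it reads two constructed HTTP responses (not captured from the recipe application or any real site) and raises the kind of alerts ZAP's passive rules raise for missing security headers and weak cookie flags. It is not ZAP's code and does not talk to ZAP; the alert names follow ZAP's, the logic is this example's own, and the `https:` flag is an assumption standing in for whether the request went over TLS. Nothing here sends a request, which is exactly why a passive check is safe on any target.

```ruby
# Two constructed responses: the first is what a freshly deployed app often
# returns, the second is the hardened version of the same page.
WEAK_RESPONSE = [
  "HTTP/1.1 200 OK",
  "Server: Apache/2.4.18 (Ubuntu)",
  "Content-Type: text/html; charset=utf-8",
  "Set-Cookie: JSESSIONID=abc123; Path=/",
  "",
  "<html><body>recipes</body></html>",
].join("\r\n")

HARDENED_RESPONSE = [
  "HTTP/1.1 200 OK",
  "Server: Apache",
  "Content-Type: text/html; charset=utf-8",
  "X-Frame-Options: DENY",
  "X-Content-Type-Options: nosniff",
  "Strict-Transport-Security: max-age=31536000; includeSubDomains",
  "Content-Security-Policy: default-src 'self'",
  "Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly",
  "",
  "<html><body>recipes</body></html>",
].join("\r\n")

# Split a raw HTTP/1.1 response into status, a list of [name, value] header
# pairs (a list rather than a hash because Set-Cookie may repeat) and body.
def parse_response(raw)
  head, body = raw.split("\r\n\r\n", 2)
  status_line, *header_lines = head.split("\r\n")
  headers = header_lines.map do |l|
    name, value = l.split(":", 2)
    [name.strip.downcase, value.to_s.strip]
  end
  { status: status_line.split(" ")[1].to_i, headers: headers, body: body.to_s }
end

def header_values(resp, name)
  resp[:headers].select { |n, _| n == name.downcase }.map { |_, v| v }
end

# Passive checks only read the response. Alert names follow ZAP's passive
# rules; the checks themselves are this example's, not ZAP's implementation.
def passive_checks(resp, https: true)
  alerts = []
  h = ->(name) { header_values(resp, name) }
  html = h["content-type"].any? { |v| v.downcase.include?("text/html") }

  if html # framing and CSP only matter for pages a browser renders
    csp = h["content-security-policy"]
    if h["x-frame-options"].empty? && csp.none? { |v| v.include?("frame-ancestors") }
      alerts << "Missing Anti-clickjacking Header"
    end
    alerts << "Content Security Policy (CSP) Header Not Set" if csp.empty?
  end
  if h["x-content-type-options"].none? { |v| v.downcase == "nosniff" }
    alerts << "X-Content-Type-Options Header Missing"
  end
  alerts << "Strict-Transport-Security Header Not Set" if https && h["strict-transport-security"].empty?
  h["set-cookie"].each do |cookie|
    name = cookie.split("=", 2).first
    attrs = cookie.split(";").drop(1).map { |a| a.strip.downcase }
    alerts << "Cookie No HttpOnly Flag: #{name}" unless attrs.include?("httponly")
    alerts << "Cookie Without Secure Flag: #{name}" if https && !attrs.include?("secure")
  end
  h["server"].each { |v| alerts << "Server Leaks Version Information: #{v}" if v.match?(/\d/) }
  alerts
end

if $PROGRAM_NAME == __FILE__
  { "weak" => WEAK_RESPONSE, "hardened" => HARDENED_RESPONSE }.each do |label, raw|
    alerts = passive_checks(parse_response(raw))
    puts "#{label}: #{alerts.size} alert(s)"
    alerts.each { |a| puts "  #{a}" }
  end
end
```

The weak response produces seven alerts and the hardened one none, which is the shape of output a passive scan gives you in a pipeline: cheap, safe, and a good first gate before the active scan, which does send attack payloads and is the part that needs permission and a dedicated test environment.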

OWASP ZAP

Finding Vulnerabilities - Tool Integration
- Plugins:
  - Jenkins (https://wiki.jenkins-ci.org/display/JENKINS/ZAProxy+Plugin)
  - Maven (https://github.com/pdsoftplan/zap-maven-plugin)
  - Grails (https://grails.org/plugin/zap-security-tests)
- Command Line Interface

Wrap Up

Current Pipelines

(Diagram: one pipeline per language. C#, Java and Ruby each run Source, Build and Test, Comps (component check) and Deploy; JS runs Source and Deploy only. Only the Java pipeline has a Secrets stage. "All Pipelines" groups the C-Sharp, Ruby and Java pipelines.)

Targeted Pipelines

(Diagram: every pipeline (C#, Java, Ruby, JS) gains a Secrets stage, the JS pipeline gains a Comps stage, and an OWASP ZAP stage is added across the pipelines.)

Potential Downsides
- False Positives
- Longer Running Builds
- Won't Catch Everything
- New Things Every Day


Attack Tie Backs - Target
- ZAP testing might have highlighted the vulnerability in the vendor portal
- An up-to-date credit card system could have eliminated in-memory credit card data

Attack Tie Backs - Home Depot
- An up-to-date POS operating system may have eliminated vulnerabilities

Attack Tie Backs - Sally Beauty
- Secrets scanning might have kept the network admin credentials out of the VB scripts, so the attackers would not have discovered them


Links
- Application Code: https://github.com/wendyi/continuousSecurity** (** = Csharp | Java | Ruby | Web)
- Pipelines: https://github.com/wendyi/continuousSecurityCi
- Slides: http://www.slideshare.net/WendyIstvanick

Next Steps
- Finish Wiring Up Existing Checks
- Contribute Talisman Changes
- Finish End to End Code
- Wire Up ZAP
- Set Up Canary Builds
- Find Other Tools to Include

Thank You - Questions?