Bear ProofApplicationsUsing Continuous Security to

Mitigate ThreatsWendy Istvanick -

wendyi@thoughtworks.com

What I Will Cover

Attack VolumesRecent AttacksTaking an Agile ApproachProject OverviewTool SurveyWrap Up

Attack Volumes

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

High Profile Attacks

Target (Nov-Dec 2013)

Unnecessarily Exposed Vendor ListPhishing AttackInadequate Network

SegmentationOut of Date SoftwareIn Memory DataMissed Internal AlertsDefault Username/Password

40 million cards

70 million

Customers

2000

Stores

Stolen Vendors CredentialsImproper ConfigurationsImportant Anti-Virus Feature Turned OffPOS Systems Running on Windows XPUnencrypted Data In Transit

Improper Segmentation between Corporate and POS NetworksInadequate Monitoring

Home Depot (Apr-Sep 2014)

56 million cards

53 million

EMail

addresses

2200 Stores

Sally Beauty (Mar 2014)

Credentials Taped to LaptopNetwork Admin Credentials

in VB ScriptsInstalled Malware on Cash

Registers

2600

Stores

260,000 cards

An Agile Approach

Testing

Unit Tests

Service Tests

UI Tests

Continuous Delivery

Code

Code

Code

Config

Build Test

Package

Integration

Staging

Production

Env1

Env2

Env3

Testing Environments

Build Test & Release

How Can We Apply This to Security?

Project Overview

Tool Survey

If checking for vulnerable components

is good,

we will do so every time we commit code.

Objenesis

Vulnerable Components

GuavaMyBatis JUnit Hamcrest

Hamcrest Hamcrest

Mockito

#9

Vulnerable Components

http://www.aspectsecurity.com/research-presentations/the-unfortunate-reality-of-insecure-libraries

We studied the 31 most popular Java frameworks and security libraries downloaded from the [maven central]

and discovered that 26% of these have known vulnerabilities.

More than half of the Global 500 use software built using components

with vulnerable code.

Spring Remote

Code Execution

RubyGemsHostnameValidation

Allowed a request without an identity token to

gain full permissions to any

web service.

Vulnerable Components - Examples

https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities

Apache CXF Authentication Bypass

(Not Apache App Server)

Checkmarx CxSAST

(Formerly CxSuite)

Allowed execution of arbitrary code via expression

language.

Could be used to take over a server.

Allowed remote unauthenticated users to bypass

sandbox protection

mechanism.

Could be used to execute arbitrary

C# code.

Hostname not validated when fetching gems.

Could be used to execute a “DNS hijack attack”.

Vulnerable Components - The Tools

CSharpSafeNuGet - MSBuild TaskOWASP Dependency Check

JavaOWASP Dependency Check

RubyBundler AuditDawnscanner

CSharpSafeNuGet - MSBuild TaskOWASP Dependency Check

JavaOWASP Dependency Check

CSharpSafeNuGet - MSBuild TaskOWASP Dependency Check

Vulnerable Components - Tool Integration

If updating our dependencies

is desired,

we will run canary builds

regularly to tell us when we can

update.

Objenesis

Upgrading Dependencies

GuavaMyBatis JUnit Hamcrest

Hamcrest Hamcrest

MockitoMockito

Hamcrest

Objenesis

Upgrading Dependencies - The Tools



Code

Code

Code

Config

Build Test

Package

Integration

Staging

Production

Env1

Env2

Env3

Testing Environments

If not exposing secrets is important,

we will ensure they are never committed

to our version control system.

Exposing Secrets

A talisman is an object which is believed to contain

certain magical or sacramental properties which would provide good luck for the possessor or possibly offer protection

from evil or harm.

Exposing Secrets - The Tools

https://en.wikipedia.org/wiki/Talisman

Exposing Secrets - Tool Integration

Exposing Secrets - Tool Integration

19:54:42.329 :findSecrets FAILED19:54:42.336 19:54:42.336 BUILD FAILED19:54:42.336 19:54:42.336 Total time: 3.085 secs19:54:42.339 19:54:42.339 FAILURE: Build failed with an exception.19:54:42.339 19:54:42.339 * What went wrong:19:54:42.339 Execution failed for task ':findSecrets'.

java/build.gradlejava/gradle/wrapper/gradle-wrapper.jarjava/gradle/wrapper/gradle-wrapper.propertiesjava/gradlewjava/gradlew.batjava/notReallyAn._rsa…java/src/vulnerableCheckSuppression.xmlThe following errors were detected in java/notReallyAn._rsa

The file name "java/notReallyAn._rsa" failed checks against the pattern ^.+_rsa$

If searching forpossible attack vectors

for our web sitesis good,

we willautomate this search.to our version control

system.

Finding Vulnerabilities

Finding Vulnerabilities - The Tools

HTML

Ajax

ExtensionsPort ScanningFuzzingLDAP InjectionSession Fixation

OWASP ZAP

OWASP ZAP

OWASP ZAP

OWASP ZAP

Finding Vulnerabilities - Tool Integration

PluginsJenkins (https://wiki.jenkins-ci.org/display/JENKINS/ZAProxy+Plugin)

Maven (https://github.com/pdsoftplan/zap-maven-plugin)

Grails (https://grails.org/plugin/zap-security-tests)

Command Line Interface

Wrap Up

Java Source

Ruby Source

Current Pipelines

C# Source

Java Secrets

C# Build

C# Test

Java Build

Java Test

Ruby Build

Ruby Test

Java Comps

C# Comps

Ruby Comps

JS Source

C-Sharp Pipeline

Ruby Pipeline

Java Pipeline

All Pipelines

JS Deploy

Java Deploy

C# Deploy

Ruby Deploy

Java Source

Ruby Source

JS Source

Targeted Pipelines

C# Source

JS Secrets

C# Secrets

Java Secrets

Ruby Secrets

C# Build

C# Test

Java Build

Java Test

Ruby Build

Ruby Test

JS Comps

Java Comps

C# Comps

Ruby Comps

OWASPZAP

Potential Downsides

False PositivesLonger Running BuildsWon’t Catch EverythingNew Things Everyday

Attack Tie Backs - Target

ZAP testing might have highlighted vulnerability in vendor portalUp to date credit card

system could have eliminated in memory credit card data

Attack Tie Backs - Home Depot

Up to date POS OS may have eliminated vulnerabilities

Attack Tie Backs - Sally Beauty

Secrets may not have been discovered$

Application Code: https://github.com/wendyi/continuousSecurity*

* = Csharp | Java | Ruby | Web

Pipelines: https://github.com/wendyi/continuousSecurityCi

Slides:http://www.slideshare.net/WendyIstvanick

Links

Next Steps

Finish Wiring Up Existing ChecksContribute Talisman ChangesFinish End to End CodeWire Up ZAPSet Up Canary BuildsFind Other Tools to Include

Thank You Questions?