Bear Proof Applications
Using Continuous Security to Mitigate Threats
Wendy Istvanick - wendyi@thoughtworks.com

What I Will Cover
• Attack Volumes
• Recent Attacks
• Taking an Agile Approach
• Project Overview
• Tool Survey
• Wrap Up
Attack Volumes
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

High Profile Attacks

Target (Nov-Dec 2013)
• Unnecessarily Exposed Vendor List
• Phishing Attack
• Inadequate Network Segmentation
• Out of Date Software
• In Memory Data
• Missed Internal Alerts
• Default Username/Password

Home Depot (Apr-Sep 2014)
• Stolen Vendor Credentials
• Improper Configurations
• Important Anti-Virus Feature Turned Off
• POS Systems Running on Windows XP
• Unencrypted Data In Transit
• Improper Segmentation between Corporate and POS Networks
• Inadequate Monitoring

Sally Beauty (Mar 2014)
• Credentials Taped to Laptop
• Network Admin Credentials in VB Scripts
• Installed Malware on Cash Registers
An Agile Approach

Testing
• Unit Tests
• Service Tests
• UI Tests

Continuous Delivery
[Diagram: a delivery pipeline. Code and Config feed Build, Test and Package, followed by Integration, Staging and Production; Env1, Env2 and Env3 are the testing environments, and the stages are grouped as "Build" and "Test & Release".]

How Can We Apply This to Security?
Project Overview

Tool Survey

If checking for vulnerable components is good, we will do so every time we commit code.

Vulnerable Components
[Diagram: dependency graph of the sample Java project: Guava, MyBatis, JUnit, Hamcrest, Mockito and Objenesis, with Hamcrest reached along more than one path.]

Vulnerable Components
http://www.aspectsecurity.com/research-presentations/the-unfortunate-reality-of-insecure-libraries
"We studied the 31 most popular Java frameworks and security libraries downloaded from the [maven central] and discovered that 26% of these have known vulnerabilities. More than half of the Global 500 use software built using components with vulnerable code."

Vulnerable Components - Examples
https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities
• Apache CXF Authentication Bypass (not the Apache app server): allowed a request without an identity token to gain full permissions to any web service.
• Spring Remote Code Execution: allowed execution of arbitrary code via expression language; could be used to take over a server.
• Checkmarx CxSAST (formerly CxSuite): allowed remote unauthenticated users to bypass the sandbox protection mechanism; could be used to execute arbitrary C# code.
• RubyGems Hostname Validation: hostname not validated when fetching gems; could be used to mount a "DNS hijack attack".

Vulnerable Components - The Tools
• C#: SafeNuGet (MSBuild task), OWASP Dependency Check
• Java: OWASP Dependency Check
• Ruby: Bundler Audit, Dawnscanner

Vulnerable Components - Tool Integration
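The core of what the tool-integration step does on every commit, as an added example (not the deck's code, and not the logic of OWASP Dependency Check, SafeNuGet or bundler-audit, which match against NVD/CPE data or advisory feeds): read the declared coordinates, compare each version against an advisory's affected range, and fail the build on severity unless the finding has been explicitly suppressed by id, the same idea as the vulnerableCheckSuppression.xml seen later in the deck. The dependency list, the advisory table and its identifiers are constructed for the example; they are not real CVEs.

```python
"""Added example: a minimal known-vulnerable-component gate of the kind the
pipeline runs on each commit. Illustration only; the dependency list,
advisory table and identifiers below are constructed, not real CVEs."""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

Dep = Tuple[str, str, str]  # (group, artifact, version)


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric components padded to three, plus a release flag so that a
    pre-release such as 1.4.2-RC1 sorts below 1.4.2 (and so is still
    affected when 1.4.2 is the first fixed version)."""
    release_part, _, pre = v.partition("-")
    nums = [int(n) for n in re.findall(r"\d+", release_part)][:3]
    nums += [0] * (3 - len(nums))
    return tuple(nums) + ((0,) if pre else (1,))


@dataclass(frozen=True)
class Advisory:
    group: str
    artifact: str
    introduced: str        # first affected version, inclusive
    fixed: Optional[str]   # first fixed version, exclusive; None = no fix yet
    ident: str             # constructed identifier, not a real CVE
    severity: str


def affected(adv: Advisory, version: str) -> bool:
    """True when `version` lies in [introduced, fixed)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def parse_dependencies(text: str) -> List[Dep]:
    """Read 'group:artifact:version' coordinates (Gradle/Maven shape), one
    per line, ignoring blank lines and '#' comments."""
    deps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            group, artifact, version = line.split(":")
            deps.append((group, artifact, version))
    return deps


def scan(deps: Sequence[Dep], advisories: Sequence[Advisory],
         suppressed: Sequence[str] = (),
         fail_on: Sequence[str] = ("HIGH", "CRITICAL")):
    """Return (findings, build_failed). Suppression is by advisory id, so a
    reviewed false positive is silenced explicitly and visibly in the repo
    rather than by lowering the threshold for everyone."""
    findings = []
    for group, artifact, version in deps:
        for adv in advisories:
            if (adv.group, adv.artifact) != (group, artifact):
                continue
            if adv.ident in suppressed or not affected(adv, version):
                continue
            findings.append((f"{group}:{artifact}:{version}", adv.ident, adv.severity))
    build_failed = any(sev in fail_on for _, _, sev in findings)
    return findings, build_failed


# Constructed inputs (made up for the example).
ADVISORIES = [
    Advisory("com.example", "webfw", "1.0", "1.4.2", "EX-2016-0001", "HIGH"),
    Advisory("com.example", "webfw", "2.0", "2.0.5", "EX-2016-0003", "LOW"),
    Advisory("com.example", "xmlparse", "2.0", None, "EX-2016-0002", "MEDIUM"),
]
DEPENDENCY_FILE = """
# constructed sample in the shape of Gradle coordinates
com.example:webfw:1.4.2-RC1     # pre-release before the fix: affected
com.example:xmlparse:2.3.1      # no fixed version yet: affected
com.example:webfw:2.0.5         # exactly the fixed version: clean
org.hamcrest:hamcrest-core:1.3  # no advisory: clean
"""

if __name__ == "__main__":
    found, failed = scan(parse_dependencies(DEPENDENCY_FILE), ADVISORIES)
    for coord, ident, sev in found:
        print(f"{sev:8} {ident}  {coord}")
    raise SystemExit(1 if failed else 0)
```

The two details worth keeping when wiring a real scanner into the build are the ones the example makes explicit: a pre-release of the fixed version is still vulnerable, and suppressions are tied to an identifier so they expire naturally when the advisory no longer matches.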
If updating our dependencies is desired, we will run canary builds regularly to tell us when we can update.

Upgrading Dependencies
[Diagram: the dependency graph again (Guava, MyBatis, JUnit, Hamcrest, Mockito, Objenesis), used to show which components could be upgraded.]

Upgrading Dependencies - The Tools
[Diagram: the continuous delivery pipeline from the Continuous Delivery slide, reused here for canary builds.]
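The planning half of a canary build, as an added example that is not the deck's code: take the versions the project pins today, look up what is available, and produce the dependency set the scheduled canary job builds and tests with, plus the report it sends back. The pins and the version index are constructed; a real job would read the index from the package repository (Maven Central, NuGet, RubyGems) and the verdict would come from the pipeline's own test stage.

```python
"""Added example: planning a canary build. The pins and index are
constructed for the example."""
import re
from typing import Dict, List, NamedTuple, Optional, Sequence, Tuple

# Pre-releases are excluded from the canary set: the point is to learn when
# a *release* can be adopted. Assumed tag list; extend per ecosystem.
PRERELEASE = re.compile(r"[-.]?(rc|alpha|beta|snapshot|m\d)", re.IGNORECASE)


class Upgrade(NamedTuple):
    name: str
    current: str
    candidate: str
    bump: str  # "major", "minor" or "patch"


def vtuple(v: str) -> Tuple[int, ...]:
    """Numeric compare so that 1.10 sorts above 1.9 (a string compare
    would not); padded to three components."""
    nums = [int(x) for x in re.findall(r"\d+", v.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def latest_release(versions: Sequence[str]) -> Optional[str]:
    candidates = [v for v in versions if not PRERELEASE.search(v)]
    return max(candidates, key=vtuple) if candidates else None


def bump_kind(current: str, candidate: str) -> str:
    cur, new = vtuple(current), vtuple(candidate)
    for name, i in (("major", 0), ("minor", 1)):
        if new[i] != cur[i]:
            return name
    return "patch"


def plan_canary(pins: Dict[str, str], index: Dict[str, List[str]]) -> List[Upgrade]:
    """Every pinned dependency with a newer release joins the canary set.
    Dependencies missing from the index stay pinned as they are."""
    plan = []
    for name, current in sorted(pins.items()):
        candidate = latest_release(index.get(name, []))
        if candidate is not None and vtuple(candidate) > vtuple(current):
            plan.append(Upgrade(name, current, candidate, bump_kind(current, candidate)))
    return plan


def canary_pins(pins: Dict[str, str], plan: Sequence[Upgrade]) -> Dict[str, str]:
    """The dependency set the canary job builds with: today's pins with
    every planned upgrade applied at once."""
    out = dict(pins)
    out.update({u.name: u.candidate for u in plan})
    return out


def report(plan: Sequence[Upgrade], build_passed: bool) -> str:
    """What the scheduled job tells the team. Green means the whole set
    builds and passes the tests together; red only means 'not yet', and the
    bump kinds say where to start looking."""
    if not plan:
        return "canary: nothing to upgrade"
    lines = [f"  {u.name}: {u.current} -> {u.candidate} ({u.bump})" for u in plan]
    verdict = ("canary GREEN: these upgrades can be merged" if build_passed
               else "canary RED: hold; start with the major bumps")
    return verdict + "\n" + "\n".join(lines)


# Constructed inputs in the shape of Gradle coordinates; the version lists
# are made up for the example, not a snapshot of Maven Central.
PINS = {
    "com.google.guava:guava": "18.0",
    "org.mybatis:mybatis": "3.2.8",
    "junit:junit": "4.12",
    "org.hamcrest:hamcrest-core": "1.3",
}
INDEX = {
    "com.google.guava:guava": ["18.0", "19.0", "20.0-rc1"],
    "org.mybatis:mybatis": ["3.2.8", "3.3.1", "3.4.1"],
    "junit:junit": ["4.12", "4.12-beta-3"],
    # hamcrest-core deliberately absent: unknown, so it stays pinned
}

if __name__ == "__main__":
    plan = plan_canary(PINS, INDEX)
    print(report(plan, build_passed=True))
```

Running this on a schedule, rather than on every commit, is what keeps the regular builds fast: the canary job is the one allowed to be red for a while.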
If not exposing secrets is important, we will ensure they are never committed to our version control system.

Exposing Secrets

Exposing Secrets - The Tools
Talisman
"A talisman is an object which is believed to contain certain magical or sacramental properties which would provide good luck for the possessor or possibly offer protection from evil or harm."
https://en.wikipedia.org/wiki/Talisman

Exposing Secrets - Tool Integration
Gradle output from the findSecrets task when Talisman rejects a file whose name matches a private-key pattern:

    19:54:42.329 :findSecrets FAILED
    19:54:42.336
    19:54:42.336 BUILD FAILED
    19:54:42.336
    19:54:42.336 Total time: 3.085 secs
    19:54:42.339
    19:54:42.339 FAILURE: Build failed with an exception.
    19:54:42.339
    19:54:42.339 * What went wrong:
    19:54:42.339 Execution failed for task ':findSecrets'.

    java/build.gradle
    java/gradle/wrapper/gradle-wrapper.jar
    java/gradle/wrapper/gradle-wrapper.properties
    java/gradlew
    java/gradlew.bat
    java/notReallyAn._rsa
    …
    java/src/vulnerableCheckSuppression.xml

    The following errors were detected in java/notReallyAn._rsa
    The file name "java/notReallyAn._rsa" failed checks against the pattern ^.+_rsa$
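What a check like the findSecrets task above does, as an added example that is not Talisman's code or the project's: inspect the files about to be committed (or, as here, the files in the build) and fail on private-key file names, credential-looking content and high-entropy tokens, with an explicit list of reviewed paths that may pass. The file-name and content patterns, the entropy threshold and the staged files are assumptions constructed for the example; the `^.+_rsa$` pattern and the wording of its failure are taken from the build output above.

```python
"""Added example: a Talisman-style secrets check over staged files.
Patterns, threshold and sample files are constructed for the example."""
import math
import re
from collections import Counter
from typing import Dict, List, Tuple

# File names that should never be committed. The first pattern is the one
# the deck's build output reports against.
FILENAME_PATTERNS = [re.compile(p) for p in (
    r"^.+_rsa$", r"^.+_dsa$", r"^.+\.pem$", r"^.+\.p12$", r"^.+\.keystore$",
    r"(^|/)\.env$", r"(^|/)id_rsa(\.pub)?$",
)]
# Content that reads like a credential.
CONTENT_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"-----BEGIN [A-Z ]*PRIVATE KEY-----",
    r"\b(password|passwd|secret|api[_-]?key)\s*[:=]\s*\S+",
    r"\bAKIA[0-9A-Z]{16}\b",
)]
# Long tokens get an entropy test; base64 padding is dropped, which is fine
# because a padded token is still 20+ characters without it.
TOKEN = re.compile(r"[A-Za-z0-9+/_-]{20,}")
ENTROPY_THRESHOLD = 4.5  # bits per character; assumed value, tune per repo


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def check_file(path: str, content: str, ignore: Tuple[str, ...] = ()) -> List[str]:
    """Return the failures for one staged file, [] if it is clean. `ignore`
    holds paths the team has reviewed and accepted (Talisman keeps such a
    list in its own ignore file)."""
    if path in ignore:
        return []
    failures = []
    for pat in FILENAME_PATTERNS:
        if pat.search(path):
            failures.append(f'{path}: file name failed checks against the pattern {pat.pattern}')
    for lineno, line in enumerate(content.splitlines(), 1):
        if any(p.search(line) for p in CONTENT_PATTERNS):
            failures.append(f"{path}:{lineno}: content matches a credential pattern")
            continue
        for tok in TOKEN.findall(line):
            if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                failures.append(f"{path}:{lineno}: high-entropy token {tok[:6]}...")
    return failures


def find_secrets(staged: Dict[str, str], ignore: Tuple[str, ...] = ()) -> List[str]:
    """Run the checks over every staged file; an empty result lets the
    commit (or the build task) proceed."""
    failures = []
    for path in sorted(staged):
        failures.extend(check_file(path, staged[path], ignore))
    return failures


# Constructed staged changes.
STAGED = {
    "java/notReallyAn._rsa": "not a key, but the name alone fails",
    "java/src/main/resources/app.properties":
        "db.url=jdbc:postgresql://db/app\ndb.password = hunter2\n",
    "deploy/token.txt": "TOKEN=b7F2kL9xQp3mZr8vTn4wHy6sJc1dGe5a\n",
    "java/src/main/java/App.java":
        "public class App {\n  public static void main(String[] args) {}\n}\n",
}

if __name__ == "__main__":
    problems = find_secrets(STAGED)
    for p in problems:
        print(p)
    raise SystemExit(1 if problems else 0)
```

The entropy test is what catches the token the name-based and keyword-based rules miss (the `TOKEN=` line above): a 32-character string of distinct characters carries 5 bits per character, while ordinary identifiers of the same length sit well under the threshold. It is also the rule that produces most of the false positives the deck lists under Potential Downsides, which is why the ignore list is part of the check rather than an afterthought.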
If searching for possible attack vectors for our web sites is good, we will automate this search.

Finding Vulnerabilities

Finding Vulnerabilities - The Tools
OWASP ZAP
• HTML
• Ajax
• Extensions
• Port Scanning
• Fuzzing
• LDAP Injection
• Session Fixation

OWASP ZAP
[Three screenshots of the OWASP ZAP user interface.]

Finding Vulnerabilities - Tool Integration
Plugins:
• Jenkins (https://wiki.jenkins-ci.org/display/JENKINS/ZAProxy+Plugin)
• Maven (https://github.com/pdsoftplan/zap-maven-plugin)
• Grails (https://grails.org/plugin/zap-security-tests)
Command Line Interface
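Whichever of the plugins above drives the scan, the pipeline still needs a verdict, and this added example (not part of ZAP, the ZAProxy Jenkins plugin or the deck's pipelines) shows that gate: parse the XML report ZAP writes after a scan, fail the build when an alert at or above the chosen risk is present with at least the chosen confidence, and let reviewed findings through by plugin id. The report below is constructed in the shape of ZAP's XML report; its alerts, plugin ids and URLs are made up for the example.

```python
"""Added example: turning a ZAP scan report into a pipeline verdict. The
report is constructed in the shape of ZAP's XML output."""
import xml.etree.ElementTree as ET
from typing import Dict, List, NamedTuple, Sequence

RISK = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}
CONFIDENCE = {"0": "False Positive", "1": "Low", "2": "Medium", "3": "High", "4": "Confirmed"}


class Alert(NamedTuple):
    pluginid: str
    name: str
    risk: int         # 0..3, as in <riskcode>
    confidence: int   # 0..4, as in <confidence>
    uris: List[str]


def parse_report(xml_text: str) -> List[Alert]:
    root = ET.fromstring(xml_text)
    alerts = []
    for item in root.iter("alertitem"):
        alerts.append(Alert(
            pluginid=item.findtext("pluginid", ""),
            name=item.findtext("name", "") or item.findtext("alert", ""),
            risk=int(item.findtext("riskcode", "0")),
            confidence=int(item.findtext("confidence", "0")),
            uris=[i.findtext("uri", "") for i in item.iter("instance")],
        ))
    return alerts


def gate(alerts: Sequence[Alert], fail_risk: int = 2, min_confidence: int = 1,
         accepted: Sequence[str] = ()) -> Dict[str, object]:
    """fail_risk=2 fails on Medium and High. Alerts ZAP itself marks as
    likely false positives (confidence 0) are reported but never block;
    accepted plugin ids are reviewed findings, listed explicitly so the
    exception is visible in the repo."""
    blocking, noted = [], []
    for a in alerts:
        if a.risk >= fail_risk and a.confidence >= min_confidence and a.pluginid not in accepted:
            blocking.append(a)
        else:
            noted.append(a)
    return {"failed": bool(blocking), "blocking": blocking, "noted": noted}


def summary(result: Dict[str, object]) -> str:
    lines = [f"ZAP gate: {'FAILED' if result['failed'] else 'passed'}"]
    for a in result["blocking"]:
        lines.append(f"  BLOCK {RISK[str(a.risk)]}/{CONFIDENCE[str(a.confidence)]} "
                     f"[{a.pluginid}] {a.name} ({len(a.uris)} instance(s))")
    for a in result["noted"]:
        lines.append(f"  note  {RISK[str(a.risk)]} [{a.pluginid}] {a.name}")
    return "\n".join(lines)


# Constructed report; alerts, ids and URLs are made up for the example.
REPORT = """<OWASPZAPReport version="2.5.0" generated="Mon, 1 Aug 2016 19:54:42">
  <site name="http://localhost:8080" host="localhost" port="8080" ssl="false">
    <alerts>
      <alertitem>
        <pluginid>40018</pluginid><alert>SQL Injection</alert><name>SQL Injection</name>
        <riskcode>3</riskcode><confidence>2</confidence>
        <instances>
          <instance><uri>http://localhost:8080/vendors?id=1</uri><method>GET</method><param>id</param></instance>
        </instances>
      </alertitem>
      <alertitem>
        <pluginid>10021</pluginid><alert>X-Content-Type-Options Header Missing</alert>
        <name>X-Content-Type-Options Header Missing</name>
        <riskcode>1</riskcode><confidence>2</confidence>
        <instances><instance><uri>http://localhost:8080/</uri><method>GET</method></instance></instances>
      </alertitem>
      <alertitem>
        <pluginid>10010</pluginid><alert>Cookie No HttpOnly Flag</alert><name>Cookie No HttpOnly Flag</name>
        <riskcode>2</riskcode><confidence>0</confidence>
        <instances><instance><uri>http://localhost:8080/login</uri><method>POST</method></instance></instances>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""

if __name__ == "__main__":
    result = gate(parse_report(REPORT))
    print(summary(result))
    raise SystemExit(1 if result["failed"] else 0)
```

Point the scan at the environment the pipeline itself deployed (Env1, Env2, Env3 in the Continuous Delivery slide), not at production: an active scan attacks the target, and, as the speaker notes say, it belongs only on applications you have permission to test.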
Wrap Up

Current Pipelines
[Diagram of the pipelines as built at the time: Source stages for Java, Ruby, C# and JS; a Secrets stage for Java; Build and Test stages for C#, Java and Ruby; Comps (vulnerable components) stages for Java, C# and Ruby.]

C-Sharp Pipeline

Ruby Pipeline

Java Pipeline

All Pipelines

Targeted Pipelines
[Diagram of the intended pipelines: Source, Secrets, Build, Test, Comps and Deploy stages for each of JS, Java, C# and Ruby, followed by OWASP ZAP.]
Potential Downsides
• False Positives
• Longer Running Builds
• Won't Catch Everything
• New Things Every Day

Attack Tie Backs - Target
• ZAP testing might have highlighted the vulnerability in the vendor portal
• An up to date credit card system could have eliminated in-memory credit card data

Attack Tie Backs - Home Depot
• An up to date POS OS may have eliminated vulnerabilities

Attack Tie Backs - Sally Beauty
• Secrets in scripts may not have been there to be discovered

Links
Application Code: https://github.com/wendyi/continuousSecurity*
* = Csharp | Java | Ruby | Web
Pipelines: https://github.com/wendyi/continuousSecurityCi
Slides: http://www.slideshare.net/WendyIstvanick

Next Steps
• Finish Wiring Up Existing Checks
• Contribute Talisman Changes
• Finish End to End Code
• Wire Up ZAP
• Set Up Canary Builds
• Find Other Tools to Include

Thank You
Questions?
Continuous Security - That Conference
Deck presented at That Conference 2016. Published in: Software
Speaker notes
  • Target slide: exposed data; phishing; out of date software; non-segmented network; secrets; in memory data. 2000 stores; 40 million credit cards; private data for 70 million customers.
  • (switch to hidden slide with images)
  • (switch to slide with images)
  • Sally Beauty slide: 260,000 credit cards; 2600 locations; breached again in Mar 2015. (switch to hidden slide with images)
  • Add Ruby/Rails Example
  • Canary Builds
  • Zed Attack Proxy

    ZAP passively scans all of the requests and responses that it discovers via the spiders or that are proxied through it from your browser. Passive scanning does not change the responses in any way and is therefore always safe to use. Scanning is performed in a background thread to ensure that it does not slow down the exploration of an application. Passive scanning is good for finding a limited number of potential vulnerabilities, such as missing security related HTTP headers. It can be an effective way to get a sense of the state of security in a given web application, and clues for where to focus more invasive manual testing.

    Active scanning attempts to find potential vulnerabilities by using known attacks against the selected targets. As active scanning is an attack on those targets it is completely under user control and should only be used against applications that you have permission to test. Active scanning can be started via the Active Scan tab or the right click 'Attack' menu.
  • Change to Symbols to Represent These