Building application security with 0 money down

Muhammad Mudassar Yamin in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.

The videos and other presentations can be found on https://def.camp/archive

Published in: Technology
Building application security with 0 money down

  1. Building application security with 0 money down
     Mushegh Hakhinian | VP, Security Architecture | November 9, 2018
     @intralinks | © 2018 Intralinks, Inc. All Rights Reserved
  2. Why this talk? Share experience:
     • "Everything-as-code" means "most-of-the-things" can be fixed in code
     • A good program can be started without major investment in tooling
     • A good program cannot be established without smart investment in tooling
  3. 01 – Introduction
  4. Microsoft SDL Steps
     1. Training: Core Security Training
     2. Requirements: Security and Privacy Requirements; Quality Gates; Security and Privacy Risk Assessments
     3. Design: Design Requirements; Attack Surface Reduction; Threat Modeling
     4. Implementation: Use Approved Tools; Deprecate Unsafe Functions; Static Analysis
  5. Microsoft SDL Steps (continued)
     5. Verification: Dynamic Analysis; Fuzz Testing; Attack Surface Review
     6. Release: Incident Response Plan; Final Security Review; Release Certification
     7. Response: Execute Incident Response Plan
  6. 02 – Application Security Stages: Coming of Age
  7. Beginning State: Sincere ignorance
  8. Next State: Vicious Cycle
     First assessment → Fix critical issues → Second assessment → Fix critical issues → Third assessment → Fix critical issues → … → N-th assessment → Fix critical issues
  9. 03 – Application Security Process Inception
  10. Attainable Goal 1 – Find Glaring Issues
     Step 1 – Test Production Instances
     Free Tools:
     • OWASP Zed Attack Proxy
     • Openssl.com for quick check of TLS profiles
     SDL step: 5. Verification (Dynamic Analysis; Fuzz Testing; Attack Surface Review)
  11. Attainable Goal 2 – Fix Issues Under Own Control
     Step 2 – Check Own Code
     Free Tools:
     • Dependency Checker for 3rd-party components (weekly)
     • SonarQube for code analysis (nightly)
     • Clair for Docker container analysis (weekly)
     SDL step: 4. Implementation (Use Approved Tools; Deprecate Unsafe Functions; Static Analysis)
  12. Attainable Goal 3 – Catch Issues Before Coding Starts
     Step 3 – Define Required Security Controls When Designing and Perform Architectural Risk Analysis
     Free Tools:
     • Microsoft Threat Modeling Tool
     SDL step: 3. Design (Design Requirements; Attack Surface Reduction; Threat Modeling)
  13. Process Inception Checklist
     • Use special tickets to track vulnerabilities – it takes some research to understand at which layer the fix needs to be applied
     • Get stakeholder commitment to fix Critical issues immediately
     • Get commitment to patch 3rd-party components
  14. 04 – Steps to Maturity and Scaling
  15. Maturity Goal 1 – Establish Continuous Assessment
     • Budget for Commercial Tooling
     • Evaluate and Implement 24/7 Dynamic Assessment Product
     • Scan Test Environments Before Promoting to Production
     SDL step: 5. Verification (Dynamic Analysis; Fuzz Testing; Attack Surface Review)
  16. Maturity Goal 2 – Integrate With Commercial Code Analysis Tools
     • Budget for Commercial Tooling
     • Scan for Viral Licenses
     • Scan for non-patched components
     • Perform Static code analysis for each build
     SDL step: 4. Implementation (Use Approved Tools; Deprecate Unsafe Functions; Static Analysis)
  17. Maturity Goal 3 – Enforce Security Gates
     • Define thresholds and fail builds for critical items
     SDL step: 2. Requirements (Security and Privacy Requirements; Quality Gates; Security and Privacy Risk Assessments)
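A build gate of the kind slide 17 calls for, combining the weekly Dependency Checker scan from slide 11 with the ticket-tracked exceptions from slide 13. This is an added example, not code from the talk or from Intralinks; it assumes the report mirrors the shape of OWASP Dependency-Check's JSON output (dependencies[] → vulnerabilities[] with name, severity and cvssv3.baseScore), and the sample report, CVE ids and ticket id are constructed placeholders.

```python
"""CI gate over a Dependency-Check style JSON report: block the build when any
finding reaches the configured severity unless it is an accepted risk tracked in a ticket."""
import json
import sys

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample. Assumption: same shape as Dependency-Check's JSON report
# (dependencies[] -> vulnerabilities[] with name, severity, cvssv3.baseScore).
# The CVE ids below are placeholders, not real identifiers.
SAMPLE_REPORT = json.dumps({"dependencies": [
    {"fileName": "libfoo-1.2.jar", "vulnerabilities": [
        {"name": "CVE-EXAMPLE-0001", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}},
        {"name": "CVE-EXAMPLE-0002", "severity": "MEDIUM", "cvssv3": {"baseScore": 5.3}}]},
    {"fileName": "libbar-3.0.jar", "vulnerabilities": [
        {"name": "CVE-EXAMPLE-0003", "severity": "HIGH", "cvssv3": {"baseScore": 7.5}}]},
    {"fileName": "clean-0.1.jar"},  # clean dependency: no "vulnerabilities" key at all
]})


def blocking_findings(report_json, fail_on="CRITICAL", accepted=None):
    """Return (fileName, cve, severity, score) for every finding whose severity is
    at or above fail_on, skipping CVEs in `accepted` (a dict of CVE -> ticket id)."""
    accepted = accepted or {}
    threshold = SEVERITY_RANK[fail_on.upper()]
    hits = []
    for dep in json.loads(report_json).get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            sev = vuln.get("severity", "LOW").upper()
            if SEVERITY_RANK.get(sev, 0) < threshold or vuln["name"] in accepted:
                continue
            score = vuln.get("cvssv3", {}).get("baseScore")
            hits.append((dep["fileName"], vuln["name"], sev, score))
    return hits


def gate(report_json, fail_on="CRITICAL", accepted=None):
    """Exit code for the CI job: 0 lets the build proceed, 1 blocks it."""
    hits = blocking_findings(report_json, fail_on, accepted)
    for file_name, cve, sev, score in hits:
        print(f"BLOCK {sev:8} {cve} (CVSS {score}) in {file_name}")
    return 1 if hits else 0


if __name__ == "__main__":
    # Usage: python gate.py report.json [CRITICAL|HIGH|MEDIUM|LOW]; no args runs the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    level = sys.argv[2] if len(sys.argv) > 2 else "CRITICAL"
    sys.exit(gate(data, level, accepted={"CVE-EXAMPLE-0002": "SEC-TICKET-PLACEHOLDER"}))
```

Lowering the threshold from CRITICAL to HIGH is how the gate tightens as the program matures; every accepted exception stays visible in the dict rather than disappearing from the report.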
  18. Maturity Goal 4 – Invest in Training
     • Establish Formal Security Training for Engineers With Yearly Re-certification
     • Train and Certify Security Champions to Scale The Security Program
     SDL step: 1. Training (Core Security Training)
  19. Process Maturity Checklist
     • Establish Cross-team committee to review security issues
     • Establish Timelines for fixing all security issues, Low to Critical
     • Automate 3rd-party component patching
     • Establish metrics for executive level reporting (Risk Management Committee)
  20. 05 – Conclusion
  21. Customized SDL Steps With Little Initial Investment
     1. Production Scanning
     2. Code Analysis
     3. Threat Modeling
     4. Continuous Assessment
     5. Automated Code Analysis
     6. Security Gates Enforcement
     7. Secure Coding Training
  22. Ultimately, People Make The Program Work
  23. Useful Links to Free Tools
     • https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
     • https://www.owasp.org/index.php/OWASP_Dependency_Check
     • https://www.sonarqube.org/
     • https://github.com/coreos/clair
     • https://www.microsoft.com/en-us/download/details.aspx?id=49168
  24. SonarQube Demo
     Bogdan Petru-Ungureanu | Security Architect | November 9, 2018
  25. Thank You!
     @intralinks | intralinks.com