
Chris Rutter: Avoiding The Security Brick

DevSecOps - London Gathering (March 2019)
This is a continuation of Chris Rutter's security talks (typically focused around Threat Modelling). In this talk Chris will explore real techniques, both technical and organisational, to introduce security into DevOps without hitting people with bricks [Not literally].

Published in: Technology

  1. Avoiding The Security Brick (Chris Rutter)
  2. Talk Aims: Practical Patterns And Techniques for Applying Security in Agile / DevOps SDLCs; Avoiding Throwing Security Bricks; Workshop Format - Discussions every 10-15 mins
  3. Chris Rutter: Java Developer > Security Champion > Security Architect > DevSecOps Consultant; Payments, Banking & Government Transformations; Currently Consulting with Equal Experts; https://www.linkedin.com/in/chris-rutter-1b74a8b0/
  4. My Path to DevSecOps
  5. Agile / DevOps / Value Stream / Product Delivery
  6. Brick #1: “Carry out a comprehensive security review / pen test 2 weeks before release date and allow 1 week for remediation”
  7. Common Issues (Release Management): ● Superficial review & pen test ● Little scope to influence design ● No time to deal with findings ● Pressurised risk acceptance ● Impossible to release quickly
  8. Triage Every User Story Every Week
  9. Agreed Review Criteria. Pen Test: new public-facing microservice; change to authentication mechanism; increase in level of data sensitivity; new management tool or cloud service. Review / Threat Model: new non-public microservice; change to application architecture; code behind feature switch; new APIs for existing data sensitivity. Peer Review / Self-Sign: cosmetic changes; business logic changes; bug fixes / refactoring.
  10. Labels and Comments to Track and Evidence
  11. JQL Reports or JIRA API to Enforce
  12. Result (Release Management): ● Security has excellent domain knowledge ● Scrum masters enforce reviews as Definition Of Done ● Faster release cycles (up to hourly if required) ● Ability to influence designs early ● Everything reportable, automatable and shareable
  13. Discussion
  14. Brick #2: “Before you go live you must ship your logs off to this SOC endpoint (which will take you weeks to onboard)”
  15. Common Issues (Security Operations): ● Large gap between domain experts and SOC ● Provides a false (and often untested) sense of security ● Ineffective communication and incident response ● Centralised and difficult to onboard or improve
  16. Strategy (Security Operations): ● Empower teams to implement and own alerting ● Constantly improve with each new threat model ● Focus on improving the alert response process ● Use a notification subscription model to allow flexibility
  17. Infra Alerts: CloudTrail for Threat Modelling; GuardDuty for IDS
  18. Templated Alerting Architecture
  19. Slack For Alerts: ● Dynamic, interactive workgroup receives notifications ● Link to cloud-hosted runbook with incident response instructions ● Each investigation results in a JIRA ticket ● Security just poke people if required
  20. Result (Embedded Operations): ● All alerts continually evolving through threat modelling ● Teams take ownership of alerts ● Security only verify pattern and investigation results ● Quick to set up and script using Terraform etc. ● Very cheap compared to commercial IDS / SIEM tools
  21. Discussion
  22. Brick #3: “Before you can release, scan your application code for vulnerable dependencies and either fix, suppress or acknowledge”
  23. Common Issues (Dependency Checking): ● Time-consuming CVE research duplicated (or skipped) ● Most findings are not used in a vulnerable way ● Difficult to manage vulnerabilities with most tools ● Sometimes difficult / impractical to upgrade
  24. Security Team Proactively Scan Common Libs (`mvn dependency:tree` output for vault-policy-generator):

```text
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ vault-policy-generator ---
[INFO] uk.gov.hmrc.security:vault-policy-generator:jar:1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter:jar:2.0.0.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot:jar:2.0.0.RELEASE:compile
[INFO] |  |  \- org.springframework:spring-context:jar:5.0.4.RELEASE:compile
[INFO] |  |     +- org.springframework:spring-aop:jar:5.0.4.RELEASE:compile
[INFO] |  |     \- org.springframework:spring-expression:jar:5.0.4.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-autoconfigure:jar:2.0.0.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.0.0.RELEASE:compile
[INFO] |  |  +- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] |  |  |  +- ch.qos.logback:logback-core:jar:1.2.3:compile
[INFO] |  |  |  \- org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO] |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.10.0:compile
[INFO] |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.10.0:compile
[INFO] |  |  \- org.slf4j:jul-to-slf4j:jar:1.7.25:compile
[INFO] |  +- javax.annotation:javax.annotation-api:jar:1.3.2:compile
[INFO] |  +- org.springframework:spring-core:jar:5.0.4.RELEASE:compile
[INFO] |  |  \- org.springframework:spring-jcl:jar:5.0.4.RELEASE:compile
[INFO] |  \- org.yaml:snakeyaml:jar:1.19:runtime
[INFO] +- org.springframework.boot:spring-boot-starter-json:jar:2.0.0.RELEASE:compile
[INFO] |  +- org.springframework:spring-web:jar:5.0.4.RELEASE:compile
[INFO] |  |  \- org.springframework:spring-beans:jar:5.0.4.RELEASE:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.4:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.0:compile
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.9.4:compile
[INFO] |  +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.9.4:compile
[INFO] |  +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.9.4:compile
[INFO] |  \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.9.4:compile
[INFO] +- org.springframework.boot:spring-boot-configuration-processor:jar:2.0.0.RELEASE:compile (optional)
[INFO] +- org.hibernate.validator:hibernate-validator:jar:6.0.13.Final:compile
[INFO] |  +- javax.validation:validation-api:jar:2.0.1.Final:compile
[INFO] |  +- org.jboss.logging:jboss-logging:jar:3.3.2.Final:compile
[INFO] |  \- com.fasterxml:classmate:jar:1.3.4:compile
[INFO] +- com.google.guava:guava:jar:24.0-jre:compile
[INFO] |  +- com.google.code.findbugs:jsr305:jar:1.3.9:compile
[INFO] |  +- org.checkerframework:checker-compat-qual:jar:2.0.0:compile
[INFO] |  +- com.google.errorprone:error_prone_annotations:jar:2.1.3:compile
[INFO] |  +- com.google.j2objc:j2objc-annotations:jar:1.1:compile
[INFO] |  \- org.codehaus.mojo:animal-sniffer-annotations:jar:1.14:compile
[INFO] +- org.springframework.boot:spring-boot-starter-test:jar:2.0.0.RELEASE:test
[INFO] |  +- org.springframework.boot:spring-boot-test:jar:2.0.0.RELEASE:test
[INFO] |  +- org.springframework.boot:spring-boot-test-autoconfigure:jar:2.0.0.RELEASE:test
[INFO] |  +- com.jayway.jsonpath:json-path:jar:2.4.0:test
[INFO] |  |  \- net.minidev:json-smart:jar:2.3:test
[INFO] |  |     \- net.minidev:accessors-smart:jar:1.2:test
[INFO] |  |        \- org.ow2.asm:asm:jar:5.0.4:test
[INFO] |  +- junit:junit:jar:4.12:test
[INFO] |  +- org.assertj:assertj-core:jar:3.9.1:test
[INFO] |  +- org.mockito:mockito-core:jar:2.15.0:test
[INFO] |  |  +- net.bytebuddy:byte-buddy:jar:1.7.10:test
[INFO] |  |  +- net.bytebuddy:byte-buddy-agent:jar:1.7.10:test
[INFO] |  |  \- org.objenesis:objenesis:jar:2.6:test
[INFO] |  +- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] |  +- org.hamcrest:hamcrest-library:jar:1.3:test
[INFO] |  +- org.skyscreamer:jsonassert:jar:1.5.0:test
[INFO] |  |  \- com.vaadin.external.google:android-json:jar:0.0.20131108.vaadin1:test
[INFO] |  +- org.springframework:spring-test:jar:5.0.4.RELEASE:test
[INFO] |  \- org.xmlunit:xmlunit-core:jar:2.5.1:test
[INFO] +- com.github.tomakehurst:wiremock-standalone:jar:2.6.0:test
[INFO] +- org.hamcrest:hamcrest-all:jar:1.3:test
[INFO] +- commons-io:commons-io:jar:2.6:compile
[INFO] \- org.glassfish:javax.el:jar:3.0.1-b09:compile
```
  25. Share Pre-Investigated Issues. Jackson Deserialization Vulnerability (CVE 2017-7525). Introduction: This vulnerability takes advantage of the ability of an attacker to force a server to deserialize a compromised class which is known to be on a large number of class paths and inject malicious input which can result in code execution. Am I Vulnerable?: You are vulnerable if you use the polymorphic typing feature anywhere in your code. This can be configured in a few ways: @JsonTypeInfo, @JsonSubTypes or mapper.enableDefaultTyping(). How can I remediate?: You must ensure that you globally configure ObjectMapper disableDefaultTyping() and have no instances of @JsonTypeInfo or @JsonSubTypes.
  26. Basic Code Scanning Engine. Vulnerability / Search Terms: XXE: XMLInputFactory, TransformerFactory, SchemaFactory, SAXTransformerFactory, XMLReader; Jackson Deserialization: @JsonTypeInfo, @JsonSubTypes, mapper.enableDefaultTyping(); Logback: ServerSocketReceiver
  27. Discussion
  28. Brick #4: “A hugely critical vulnerability from 6 weeks ago has landed in a VIP’s inbox. It even has a logo so RED ALERT!, stop everything.”
  29. Common Issues (Knee Jerking to Vulnerabilities): ● Vulnerabilities come from high up to add pressure ● Usually have lots of FUD and few facts ● Security have a point to prove ● Disrupts lots of teams and the value stream
  30. Active Security News Groups
  31. Create Work Tracker and Link to Team Tickets
  32. Create Work Group Which Self Manages
  33. Lightweight Documentation to Pass up Chain. Docker Escape Investigation (CVE 2019-5736). Introduction: Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Investigation Scope: Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore. Risk Assessment: Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et. Remediation Steps: Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Residual Risk: Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.
  34. Put The Brick Down: ● Security reviews and collaboration small but often ● Effective communication through modern tools ● Shift security ownership up the pipeline ● Focus on technical and process improvement rather than managing and firefighting
  35. W.W.A.T ?
  36. Questions?
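Slides 10 and 11 describe recording the weekly triage outcome on each story with labels and comments and then using JQL reports or the JIRA API to enforce it as part of the Definition of Done. The following is an added example, not code from the talk or from Chris Rutter's engagements. The label names (`sec-triaged`, `sec-pentest`, `sec-review`, `sec-self-signed`), the project key `PAY`, the `[security]` comment convention and the sample issues are all assumptions; the issue shape follows the JIRA REST search API (`fields.status.name`, `fields.labels`, `fields.comment.comments`).

```python
"""Added example: checking the weekly triage outcome recorded on JIRA stories.

Not the talk's code. Label names, the "PAY" project key, the "[security]" comment
convention and the sample issues are assumptions; the issue shape follows the
JIRA REST search API (fields.status.name, fields.labels, fields.comment.comments)."""
from typing import Dict, List

# Assumed labels: one records that triage happened, the others record the review
# outcome chosen from the agreed criteria (pen test / review / peer review & self-sign).
TRIAGE_LABEL = "sec-triaged"
OUTCOME_LABELS = {"sec-pentest", "sec-review", "sec-self-signed"}

# JQL a scrum master or security champion could run as a weekly report:
# stories that reached Done without any review-outcome label.
JQL_MISSING_OUTCOME = (
    'project = "PAY" AND issuetype = Story AND status = Done AND resolved >= -7d '
    'AND (labels is EMPTY OR labels not in (sec-pentest, sec-review, sec-self-signed))'
)


def _labels(issue: Dict) -> set:
    return set(issue["fields"].get("labels", []))


def _comments(issue: Dict) -> List[str]:
    return [c["body"] for c in issue["fields"].get("comment", {}).get("comments", [])]


def missing_outcome(issues: List[Dict]) -> List[str]:
    """Done stories with no review-outcome label: Definition of Done not met."""
    return [i["key"] for i in issues
            if i["fields"]["status"]["name"] == "Done" and not (_labels(i) & OUTCOME_LABELS)]


def missing_evidence(issues: List[Dict]) -> List[str]:
    """Stories labelled as reviewed / pen-tested but with no comment evidencing it.
    A label alone is a claim; the comment is the auditable record."""
    marker = "[security]"  # assumed convention: security comments start with this tag
    return [i["key"] for i in issues
            if (_labels(i) & OUTCOME_LABELS)
            and not any(c.lower().startswith(marker) for c in _comments(i))]


def untriaged(issues: List[Dict]) -> List[str]:
    """Stories of any status that were never looked at in the weekly triage."""
    return [i["key"] for i in issues if TRIAGE_LABEL not in _labels(i)]


# Constructed sample issues, shaped like JIRA REST search results.
SAMPLE_ISSUES = [
    {"key": "PAY-101", "fields": {"status": {"name": "Done"},
        "labels": ["sec-triaged", "sec-review"],
        "comment": {"comments": [{"body": "[security] Threat model updated: new internal API, no new data class."}]}}},
    {"key": "PAY-102", "fields": {"status": {"name": "Done"}, "labels": ["sec-triaged"],
        "comment": {"comments": []}}},
    {"key": "PAY-103", "fields": {"status": {"name": "In Progress"}, "labels": [],
        "comment": {"comments": []}}},
    {"key": "PAY-104", "fields": {"status": {"name": "Done"},
        "labels": ["sec-triaged", "sec-pentest"],
        "comment": {"comments": [{"body": "Deployed to prod."}]}}},
]

if __name__ == "__main__":
    print("Done without outcome:", missing_outcome(SAMPLE_ISSUES))      # ['PAY-102']
    print("Outcome without evidence:", missing_evidence(SAMPLE_ISSUES))  # ['PAY-104']
    print("Never triaged:", untriaged(SAMPLE_ISSUES))                    # ['PAY-103']
```

In a real setup the `SAMPLE_ISSUES` list would be the `issues` array returned by JIRA's search endpoint for `JQL_MISSING_OUTCOME`; the three checks separate "nobody looked" from "looked but did not record an outcome" from "recorded an outcome with nothing to back it up", which is the distinction that makes the report both enforceable and shareable.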
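Slides 16 to 20 describe team-owned alerting driven by threat models, with CloudTrail as the event source, Slack as the notification channel, a linked runbook, a JIRA ticket per investigation and a subscription model for who gets notified. The block below is an added example of that shape and is not the talk's templated architecture or any project's code. The rule names, channel names, runbook URLs (on the reserved `.invalid` domain) and the sample events are constructed; the event field names (`eventSource`, `eventName`, `userIdentity`, `requestParameters`) follow CloudTrail's record format.

```python
"""Added example: threat-model-driven CloudTrail alert rules with team subscriptions.

Not the talk's code or architecture. Rule names, channels, runbook URLs and the
sample events are assumptions; event field names follow CloudTrail's record format."""
import json
from typing import Any, Dict, List


def _root_console_login(e: Dict) -> bool:
    return (e.get("eventSource") == "signin.amazonaws.com"
            and e.get("eventName") == "ConsoleLogin"
            and e.get("userIdentity", {}).get("type") == "Root")


def _sg_opened_to_world(e: Dict) -> bool:
    if e.get("eventName") != "AuthorizeSecurityGroupIngress":
        return False
    perms = e.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    return any(r.get("cidrIp") == "0.0.0.0/0"
               for p in perms for r in p.get("ipRanges", {}).get("items", []))


def _iam_policy_change(e: Dict) -> bool:
    return (e.get("eventSource") == "iam.amazonaws.com"
            and e.get("eventName") in {"PutUserPolicy", "AttachUserPolicy", "CreatePolicyVersion"})


# Each rule came out of a threat model and points at a runbook (assumed URLs).
RULES: List[Dict[str, Any]] = [
    {"name": "root-console-login", "severity": "high", "match": _root_console_login,
     "runbook": "https://runbooks.example.invalid/root-login"},
    {"name": "sg-open-to-world", "severity": "medium", "match": _sg_opened_to_world,
     "runbook": "https://runbooks.example.invalid/sg-open"},
    {"name": "iam-policy-change", "severity": "medium", "match": _iam_policy_change,
     "runbook": "https://runbooks.example.invalid/iam-change"},
]

# Subscription model: teams opt in to the rules they own; security is a subscriber,
# not the single owner (assumed channel names).
SUBSCRIPTIONS: Dict[str, List[str]] = {
    "root-console-login": ["#platform-alerts", "#security"],
    "sg-open-to-world": ["#team-payments-alerts"],
    "iam-policy-change": ["#platform-alerts"],
}


def evaluate(events: List[Dict]) -> List[Dict]:
    """Run every rule over every event; one alert per (rule, event) match."""
    alerts = []
    for e in events:
        for rule in RULES:
            if rule["match"](e):
                alerts.append({
                    "rule": rule["name"], "severity": rule["severity"],
                    "runbook": rule["runbook"],
                    "actor": e.get("userIdentity", {}).get("arn", "unknown"),
                    "source_ip": e.get("sourceIPAddress"), "time": e.get("eventTime"),
                    "channels": SUBSCRIPTIONS.get(rule["name"], ["#security"]),
                })
    return alerts


def slack_payload(alert: Dict) -> Dict:
    """Slack incoming-webhook body: what fired, the runbook link, and the ticket reminder."""
    text = (f"[{alert['severity'].upper()}] {alert['rule']} by {alert['actor']} "
            f"from {alert['source_ip']} at {alert['time']}\n"
            f"Runbook: {alert['runbook']}\nRaise a JIRA ticket for the investigation.")
    return {"text": text}


# Constructed CloudTrail records, trimmed to the fields the rules read.
SAMPLE_EVENTS = [
    {"eventTime": "2019-03-01T09:12:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventTime": "2019-03-01T09:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/deploy"},
     "requestParameters": {"groupId": "sg-0123", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2019-03-01T09:31:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/app/i-1"}},
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(json.dumps(slack_payload(a)), "->", a["channels"])
```

The point of keeping rules as plain predicates in a list is that each new threat model adds or tightens one entry and the subscription table decides who is paged, which is the "constantly improve" and "teams own alerts" loop from slide 16; the same structure is what a Terraform-templated EventBridge or Lambda deployment would carry as configuration.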
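Slides 24 and 25 pair a proactive scan of common libraries (the `mvn dependency:tree` output) with a shared write-up per issue, so that the CVE research is done once and the finding is phrased in terms of how the library is actually used. The block below is an added example that parses Maven's tree output into an inventory and looks each dependency up in a pre-investigated notes index; it is not the talk's tooling. The parser follows Maven's tree line format (`group:artifact:packaging[:classifier]:version:scope`); the notes index is constructed here (the Jackson note paraphrases slide 25) and the sample output is a trimmed copy of slide 24.

```python
"""Added example: turn `mvn dependency:tree` output into an inventory and match it
against the security team's pre-investigated issues.

Not the talk's code. The parser follows Maven's tree line format
(group:artifact:packaging[:classifier]:version:scope); the notes index and the
sample output are constructed here (the sample is a trimmed copy of slide 24)."""
import re
from typing import Dict, List, Tuple

# A tree line: "[INFO] " + tree drawing characters + coordinates, optionally "(optional)".
TREE_LINE = re.compile(r"^\[INFO\]\s+[|+\\\- ]*([A-Za-z0-9_.\-]+:\S+)")

Dep = Tuple[str, str, str, str]  # (group, artifact, version, scope)


def parse_tree(text: str) -> List[Dep]:
    deps: List[Dep] = []
    for line in text.splitlines():
        m = TREE_LINE.match(line)
        if not m:
            continue
        parts = m.group(1).split(":")
        if len(parts) < 5:          # plugin header and the project's own root line
            continue
        group, artifact = parts[0], parts[1]
        version, scope = parts[-2], parts[-1]   # a classifier, if any, sits before version
        deps.append((group, artifact, version, scope))
    return deps


# Constructed index of issues the security team has already investigated,
# keyed by group:artifact. The jackson note paraphrases slide 25.
PRE_INVESTIGATED: Dict[str, str] = {
    "com.fasterxml.jackson.core:jackson-databind":
        "CVE-2017-7525: only reachable if polymorphic typing is enabled "
        "(@JsonTypeInfo, @JsonSubTypes, enableDefaultTyping()); configure "
        "disableDefaultTyping() globally and remove those annotations.",
    "ch.qos.logback:logback-classic":
        "Search the code for ServerSocketReceiver; remove it if present.",
}


def shared_issues(tree_text: str, runtime_only: bool = True) -> List[Tuple[str, str, str]]:
    """(coordinate, version, note) for every dependency with a pre-investigated note.
    Test-scoped jars never ship, so they are skipped unless runtime_only=False."""
    hits = []
    for group, artifact, version, scope in parse_tree(tree_text):
        if runtime_only and scope == "test":
            continue
        key = f"{group}:{artifact}"
        if key in PRE_INVESTIGATED:
            hits.append((key, version, PRE_INVESTIGATED[key]))
    return hits


# Constructed sample: a trimmed copy of the slide 24 output.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ vault-policy-generator ---
[INFO] uk.gov.hmrc.security:vault-policy-generator:jar:1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter:jar:2.0.0.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.0.0.RELEASE:compile
[INFO] |  |  +- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] |  |  |  \\- ch.qos.logback:logback-core:jar:1.2.3:compile
[INFO] |  \\- org.yaml:snakeyaml:jar:1.19:runtime
[INFO] +- org.springframework.boot:spring-boot-starter-json:jar:2.0.0.RELEASE:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.4:compile
[INFO] |  |  \\- com.fasterxml.jackson.core:jackson-core:jar:2.9.4:compile
[INFO] +- org.springframework.boot:spring-boot-configuration-processor:jar:2.0.0.RELEASE:compile (optional)
[INFO] \\- org.mockito:mockito-core:jar:2.15.0:test
"""

if __name__ == "__main__":
    for coordinate, version, note in shared_issues(SAMPLE_TREE):
        print(f"{coordinate} {version}: {note}")
```

Run it against `mvn dependency:tree` output piped to a file and the output is the list of libraries for which a team can reuse an existing write-up instead of researching the CVE again; the `runtime_only` filter is the first cut at the "most findings are not used in a vulnerable way" problem from slide 23, and the note text carries the "am I vulnerable?" question so the team checks usage rather than just version.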
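Slide 26 reduces the code scanning engine to a table of search terms per vulnerability class. The block below is an added example of that engine as a small regex scanner; it is not the talk's tool. The search terms are the ones on the slide; the directory walk, the finding format, the rule that skips `//` comment lines and the sample Java source are assumptions.

```python
"""Added example: the "basic code scanning engine" from slide 26 as a regex grep.

Not the talk's code. The search terms are the ones listed on the slide; the
directory walk, finding format and sample source are assumptions."""
import os
import re
from typing import Dict, Iterator, List, Tuple

# Vulnerability class -> identifiers whose presence warrants a look (from slide 26).
SEARCH_TERMS: Dict[str, List[str]] = {
    "XXE": ["XMLInputFactory", "TransformerFactory", "SchemaFactory",
            "SAXTransformerFactory", "XMLReader"],
    "Jackson Deserialization": ["@JsonTypeInfo", "@JsonSubTypes", "enableDefaultTyping("],
    "Logback": ["ServerSocketReceiver"],
}

# Compile once; add a word boundary only when the term ends in an identifier character,
# so "enableDefaultTyping(" still matches and "XMLInputFactoryImpl" does not.
PATTERNS = [(vuln, term, re.compile(re.escape(term) + (r"\b" if term[-1].isalnum() else "")))
            for vuln, terms in SEARCH_TERMS.items() for term in terms]

Finding = Tuple[str, int, str, str]  # (file, line number, vulnerability class, term)


def scan_source(path: str, text: str) -> List[Finding]:
    """Scan one file's contents. Lines that are only a // comment are skipped so a
    commented-out call is not reported; block comments are not parsed."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("//"):
            continue
        for vuln, term, pat in PATTERNS:
            if pat.search(line):
                findings.append((path, lineno, vuln, term))
    return findings


def java_files(root: str) -> Iterator[str]:
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".java"):
                yield os.path.join(dirpath, name)


def scan_tree(root: str) -> List[Finding]:
    out: List[Finding] = []
    for path in java_files(root):
        with open(path, encoding="utf-8", errors="replace") as fh:
            out.extend(scan_source(path, fh.read()))
    return out


# Constructed Java source to scan offline.
SAMPLE_JAVA = """\
package example;
import javax.xml.stream.XMLInputFactory;
import com.fasterxml.jackson.annotation.JsonTypeInfo;

@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
public class Payload {
    // mapper.enableDefaultTyping();  -- commented out, should not be reported
    XMLInputFactory factory = XMLInputFactory.newInstance();
}
"""

if __name__ == "__main__":
    import sys
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_source("Payload.java", SAMPLE_JAVA)
    for path, lineno, vuln, term in hits:
        print(f"{path}:{lineno}: {vuln} ({term})")
```

Pass a source root as the first argument to scan a real tree; with no argument it scans the embedded sample. A hit is a prompt for the shared write-up from slide 25 (for Jackson: is polymorphic typing actually enabled, and is `disableDefaultTyping()` set globally?), not a verdict, which is what keeps the engine useful without turning it into another source of unreviewed findings.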
