
Continuous Security - TCCC

Slides from my session at TCCC on 4/16/2016.


  1. Continuous Security: Embracing Security Automation
  2. What I Will Cover: Attack Volumes; Recent Attacks; Taking an Agile Approach; Project Overview; Tool Survey; Wrap Up
  3. Attack Volumes
  4. http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
  5. High Profile Attacks
  6. Target: Unnecessarily Exposed Data; Phishing Attack; Non-Segmented Network; Out of Date Software; Exposed Secrets; In-Memory Data
  7. Home Depot: Stolen Vendor Credentials; Improper Configurations; Important Anti-Virus Feature Turned Off; POS Systems Running on Windows XP; Unencrypted Data In Transit; Non-Segmented Network; Inadequate Monitoring
  8. Sally Beauty: Credentials Taped to Laptop; Network Admin Credentials in VB Scripts; Installed Malware on Cash Registers
  9. An Agile Approach
  10. Testing: Unit Tests; Service Tests; UI Tests
  11. Continuous Delivery (pipeline diagram): Code and Config -> Build -> Test -> Package -> Integration -> Staging -> Production; testing environments Env1, Env2, Env3; Build, Test & Release
  12. How Can We Apply This to Security?
  13. Project Overview
  14. (image slide, no text)
  15. (data model diagram) Entities: Recipe, Ingredient, Ingredient Type, Diet, Diet Type
  16. (image slide, no text)
  17. Tool Survey
  18. If checking for vulnerable components is good, we will do so every time we commit code.
  19. Vulnerable Components (dependency graph): Guava, MyBatis, JUnit, Hamcrest, Mockito, Objenesis
  20. Vulnerable Components. http://www.aspectsecurity.com/research-presentations/the-unfortunate-reality-of-insecure-libraries "We studied the 31 most popular Java frameworks and security libraries downloaded from the [maven central] and discovered that 26% of these have known vulnerabilities. More than half of the Global 500 use software built using components with vulnerable code."
  21. Vulnerable Components - Examples. https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities Apache CXF Authentication Bypass; Spring Remote Code Execution; Checkmarx CxSAST
  22. Vulnerable Components - The Tools. C#: SafeNuGet (MSBuild Task), OWASP Dependency Check; Java: OWASP Dependency Check; Ruby: Bundler Audit, Dawnscanner
  23. Vulnerable Components - Tool Integration
  24. If updating our dependencies is desired, we will run canary builds regularly to tell us when we can update.
  25. Upgrading Dependencies (dependency graph, with newer versions of Mockito, Hamcrest and Objenesis): Guava, MyBatis, JUnit, Hamcrest, Mockito, Objenesis
  26. Upgrading Dependencies - The Tools (pipeline diagram): Code and Config -> Build -> Test -> Package -> Integration -> Staging -> Production; testing environments Env1, Env2, Env3
  27. If not exposing secrets is important, we will ensure they are never committed to our version control system.
  28. Exposing Secrets
  29. Exposing Secrets - The Tools. "A talisman is an object which is believed to contain certain magical or sacramental properties which would provide good luck for the possessor or possibly offer protection from evil or harm." https://en.wikipedia.org/wiki/Talisman
  30. Exposing Secrets - Tool Integration
  31. Exposing Secrets - Tool Integration (Gradle build output):
      19:54:42.329 :findSecrets FAILED
      19:54:42.336
      19:54:42.336 BUILD FAILED
      19:54:42.336
      19:54:42.336 Total time: 3.085 secs
      19:54:42.339
      19:54:42.339 FAILURE: Build failed with an exception.
      19:54:42.339
      19:54:42.339 * What went wrong:
      19:54:42.339 Execution failed for task ':findSecrets'.
      java/build.gradle java/gradle/wrapper/gradle-wrapper.jar java/gradle/wrapper/gradle-wrapper.properties java/gradlew java/gradlew.bat java/notReallyAn._rsa … java/src/vulnerableCheckSuppression.xml
      The following errors were detected in java/notReallyAn._rsa
      The file name "java/notReallyAn._rsa" failed checks against the pattern ^.+_rsa$
  32. If searching for possible attack vectors for our web sites is good, we will automate this search.
  33. Finding Vulnerabilities
  34. Finding Vulnerabilities - The Tools: HTML; Ajax Extensions; Port Scanning; Fuzzing; LDAP Injection; Session Fixation
  35. Finding Vulnerabilities - Tool Integration. Plugins: Jenkins (https://wiki.jenkins-ci.org/display/JENKINS/ZAProxy+Plugin); Maven (https://github.com/pdsoftplan/zap-maven-plugin); Grails (https://grails.org/plugin/zap-security-tests); Command Line Interface
  36. Wrap Up
  37. Potential Downsides: False Positives; Longer Running Builds; Won't Catch Everything; New Things Every Day
  38. Attack Tie Backs - Target: Secrets may not have been discovered; Up to date vendor system may have eliminated vulnerabilities; ZAP testing might have highlighted network navigability
  39. Attack Tie Backs - Home Depot: Up to date POS OS may have eliminated vulnerabilities; ZAP testing might have highlighted network navigability
  40. Attack Tie Backs - Sally Beauty: Secrets may not have been discovered
  41. Links. Application Code: https://github.com/wendyi/continuousSecurity Pipelines: https://github.com/wendyi/continuousSecurityCi Slides: http://www.slideshare.net/WendyIstvanick Trello: https://trello.com/b/SVoLynan/continuous-security
  42. Next Steps: Finish Wiring Up Existing Checks; Contribute Talisman Changes; Finish End to End Code; Wire Up ZAP; Set Up Canary Builds; Find Other Tools to Include
  43. Thank You. Questions?
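The secrets check behind slides 27 to 31 (fail the build when a committed file looks like a key), as an added Python example that is not code from the talk's repository or from Talisman itself. The `^.+_rsa$` pattern comes from the build output on slide 31; the other file-name and content patterns and the sample commit are assumptions constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# File-name patterns, matched against the base name of each committed file.
# The first is the one reported in the slide 31 build output; the rest are
# assumptions added for illustration, not Talisman's own list.
FILENAME_PATTERNS = [
    re.compile(r"^.+_rsa$"),
    re.compile(r"^.+\.pem$"),
    re.compile(r"^.+\.p12$"),
    re.compile(r"^\.env$"),
]

# Content patterns (assumptions): PEM private-key headers and obvious
# credential assignments such as "db.password=...".
CONTENT_PATTERNS = [
    re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    re.compile(r"(?i)\b(?:password|secret|api[_-]?key)\s*[=:]\s*\S+"),
]


def find_secrets(files: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (path, reason) for every file that fails a check.
    `files` maps a repo-relative path to that file's text content."""
    findings: List[Tuple[str, str]] = []
    for path, content in files.items():
        name = path.rsplit("/", 1)[-1]
        for pat in FILENAME_PATTERNS:
            if pat.match(name):
                findings.append((path, f'The file name "{path}" failed checks '
                                       f'against the pattern {pat.pattern}'))
                break
        for pat in CONTENT_PATTERNS:
            if pat.search(content):
                findings.append((path, f'The content of "{path}" matched the '
                                       f'pattern {pat.pattern}'))
                break
    return findings


def build_should_fail(files: Dict[str, str]) -> bool:
    """The build gate: any finding fails the :findSecrets task."""
    return bool(find_secrets(files))


# Constructed sample commit: one key-like file name, one property file with a
# password assignment, and two clean files.
SAMPLE_COMMIT = {
    "java/build.gradle": "apply plugin: 'java'\n",
    "java/notReallyAn._rsa": "not really a key\n",
    "java/src/main/resources/app.properties": "db.password=hunter2\n",
    "README.md": "# Continuous Security\n",
}

if __name__ == "__main__":
    for _path, reason in find_secrets(SAMPLE_COMMIT):
        print(f":findSecrets FAILED  {reason}")
```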
