Security teams provide concise summaries of dependency scans to development teams. The summaries include the vulnerability found, whether the team is affected, and how to remediate. This avoids lengthy CVE research and allows teams to focus on actual vulnerabilities. Any common libraries and frameworks are pre-scanned by security to share findings.

1. Avoiding The
Security Brick
Chris Rutter

2. Practical Patterns And Techniques for Applying Security in
Agile / Devops SDLCs
Avoiding Throwing Security Bricks
Workshop Format - Discussions every 10-15 mins
Talk Aims

3. Java Developer > Security Champion >
Security Architect > DevSecOps Consultant
Payments, Banking & Government Transformations
Currently Consulting with Equal Experts
https://www.linkedin.com/in/chris-rutter-1b74a8b0/
Chris Rutter

5. My Path to DevSecOps

7. Agile / Devops / Value Stream / Product Delivery

8. “ Carry out a comprehensive security review / pen test 2 weeks
before release date and allow 1 week for remediation”
Brick #1

10. Common Issues
● Superficial review & pen test
● Little scope to influence design
● No time to deal with findings
● Pressurised risk acceptance
● Impossible to release quickly
Release Management

11. Triage Every User Story Every Week

12. Pen Test
New public-facing microservice
Change to authentication mechanism
Increase in level of data sensitivity
New management tool or cloud service
Review / Threat Model
New non-public microservice
Change to application architecture
Code behind feature switch
New APIs for existing data sensitivity
Peer Review / Self-Sign
Cosmetic changes
Business logic changes
Bug Fixes / Refactoring
Agreed Review Criteria

13. Labels and Comments to Track and Evidence

14. JQL Reports or JIRA API to Enforce

15. Result
● Security has excellent domain knowledge
● Scrum masters enforce reviews as Definition Of Done
● Faster Release Cycles (up to hourly if required)
● Ability to influence designs early
● Everything reportable, automatable and shareable
Release Management

16. Discussion

17. “ Before you go live you must ship your logs off to this SOC
endpoint (which will take you weeks to onboard)”
Brick #2

19. Common Issues
● Large gap between domain experts and SOC
● Provides a false (and often untested) sense of security
● Ineffective communication and incident response
● Centralised and difficult to onboard or improve
Security Operations

20. Strategy
● Empower teams to implement and own alerting
● Constantly improve with each new threat model
● Focus on improving alert response process
● Use notification subscription model to allow flexibility
Security Operations

21. Infra Alerts
Cloudtrail for Threat Modelling GuardDuty for IDS

22. Templated Alerting Architecture

23. Slack For Alerts
● Dynamic, interactive workgroup receive notifications
● Link to cloud hosted runbook with incident response instructions
● Each investigation results in a JIRA ticket
● Security just poke people if required

24. Result
● All alerts continually evolving through threat modelling
● Teams take ownership of alerts
● Security only verify pattern and investigation results
● Quick to set up and script using terraform etc.
● Very cheap compared to commercial IDS / SIEM tools
Embedded Operations

25. Discussion

26. “Before you can release, scan your application code for
vulnerable dependencies and either fix, suppress or
acknowledge”
Brick #3

28. Common Issues
● Time-consuming CVE research duplicated (or skipped)
● Most findings are not used in a vulnerable way
● Difficult to manage vulnerabilities with most tools
● Sometimes difficult / impractical to upgrade
Dependency Checking

29. Security Team Proactively Scan Common Libs
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ vault-policy-generator ---
[INFO] security:vault-policy-generator:jar:1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter:jar:2.0.0.RELEASE:compile
[INFO] | +- org.springframework.boot:spring-boot:jar:2.0.0.RELEASE:compile
[INFO] | | - org.springframework:spring-context:jar:5.0.4.RELEASE:compile
[INFO] | | +- org.springframework:spring-aop:jar:5.0.4.RELEASE:compile
[INFO] | | - org.springframework:spring-expression:jar:5.0.4.RELEASE:compile
[INFO] | +- org.springframework.boot:spring-boot-autoconfigure:jar:2.0.0.RELEASE:compile
[INFO] | +- org.springframework.boot:spring-boot-starter-logging:jar:2.0.0.RELEASE:compile
[INFO] | | +- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] | | | - ch.qos.logback:logback-core:jar:1.2.3:compile
[INFO] | | +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.10.0:compile
[INFO] | | | - org.apache.logging.log4j:log4j-api:jar:2.10.0:compile
[INFO] | | - org.slf4j:jul-to-slf4j:jar:1.7.25:compile
[INFO] | +- javax.annotation:javax.annotation-api:jar:1.3.2:compile
[INFO] | +- org.springframework:spring-core:jar:5.0.4.RELEASE:compile
[INFO] | | - org.springframework:spring-jcl:jar:5.0.4.RELEASE:compile
[INFO] | - org.yaml:snakeyaml:jar:1.19:runtime
[INFO] +- org.springframework.boot:spring-boot-starter-json:jar:2.0.0.RELEASE:compile
[INFO] | +- org.springframework:spring-web:jar:5.0.4.RELEASE:compile
[INFO] | | - org.springframework:spring-beans:jar:5.0.4.RELEASE:compile
[INFO] | +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.4:compile
[INFO] | | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.0:compile
[INFO] | | - com.fasterxml.jackson.core:jackson-core:jar:2.9.4:compile
[INFO] | +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.9.4:compile
[INFO] | +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.9.4:compile
[INFO] | - com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.9.4:compile
[INFO] +- org.springframework.boot:spring-boot-configuration-processor:jar:2.0.0.RELEASE:compile (optional)
[INFO] +- org.hibernate.validator:hibernate-validator:jar:6.0.13.Final:compile
[INFO] | +- javax.validation:validation-api:jar:2.0.1.Final:compile
[INFO] | +- org.jboss.logging:jboss-logging:jar:3.3.2.Final:compile
[INFO] | - com.fasterxml:classmate:jar:1.3.4:compile
[INFO] +- com.google.guava:guava:jar:24.0-jre:compile
[INFO] | +- com.google.code.findbugs:jsr305:jar:1.3.9:compile
[INFO] | +- org.checkerframework:checker-compat-qual:jar:2.0.0:compile
[INFO] | +- com.google.errorprone:error_prone_annotations:jar:2.1.3:compile
[INFO] | +- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] | +- org.hamcrest:hamcrest-library:jar:1.3:test
[INFO] | +- org.skyscreamer:jsonassert:jar:1.5.0:test
[INFO] | | - com.vaadin.external.google:android-json:jar:0.0.20131108.vaadin1:test
[INFO] | +- org.springframework:spring-test:jar:5.0.4.RELEASE:test
[INFO] | - org.xmlunit:xmlunit-core:jar:2.5.1:test
[INFO] +- com.github.tomakehurst:wiremock-standalone:jar:2.6.0:test
[INFO] +- org.hamcrest:hamcrest-all:jar:1.3:test
[INFO] +- commons-io:commons-io:jar:2.6:compile
[INFO] - org.glassfish:javax.el:jar:3.0.1-b09:compile
[INFO] | +- junit:junit:jar:4.12:test
[INFO] | +- org.assertj:assertj-core:jar:3.9.1:test
[INFO] | +- org.mockito:mockito-core:jar:2.15.0:test
[INFO] uk.gov.hmrc.security:vault-policy-generator:jar:1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter:jar:2.0.0.RELEASE:compile
[INFO] | +- org.springframework.boot:spring-boot:jar:2.0.0.RELEASE:compile
[INFO] | | - org.springframework:spring-context:jar:5.0.4.RELEASE:compile
[INFO] | | +- org.springframework:spring-aop:jar:5.0.4.RELEASE:compile
[INFO] | | - org.springframework:spring-expression:jar:5.0.4.RELEASE:compile
[INFO] | +- org.springframework.boot:spring-boot-autoconfigure:jar:2.0.0.RELEASE:compile
[INFO] | +- org.springframework.boot:spring-boot-starter-logging:jar:2.0.0.RELEASE:compile
[INFO] | | +- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] | | | - ch.qos.logback:logback-core:jar:1.2.3:compile
[INFO] | | +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.10.0:compile
[INFO] | | | - org.apache.logging.log4j:log4j-api:jar:2.10.0:compile
[INFO] | | - org.slf4j:jul-to-slf4j:jar:1.7.25:compile
[INFO] | +- javax.annotation:javax.annotation-api:jar:1.3.2:compile
[INFO] | +- org.springframework:spring-core:jar:5.0.4.RELEASE:compile
[INFO] | | - org.springframework:spring-jcl:jar:5.0.4.RELEASE:compile
[INFO] | - org.yaml:snakeyaml:jar:1.19:runtime
[INFO] +- org.springframework.boot:spring-boot-starter-json:jar:2.0.0.RELEASE:compile
[INFO] | +- org.springframework:spring-web:jar:5.0.4.RELEASE:compile
[INFO] | | - org.springframework:spring-beans:jar:5.0.4.RELEASE:compile
[INFO] | +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.4:compile
[INFO] | | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.0:compile
[INFO] | | - com.fasterxml.jackson.core:jackson-core:jar:2.9.4:compile
[INFO] | +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.9.4:compile
[INFO] | +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.9.4:compile
[INFO] | - com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.9.4:compile
[INFO] +- org.springframework.boot:spring-boot-configuration-processor:jar:2.0.0.RELEASE:compile (optional)
[INFO] +- org.hibernate.validator:hibernate-validator:jar:6.0.13.Final:compile
[INFO] | +- javax.validation:validation-api:jar:2.0.1.Final:compile
[INFO] | +- org.jboss.logging:jboss-logging:jar:3.3.2.Final:compile
[INFO] | - com.fasterxml:classmate:jar:1.3.4:compile
[INFO] +- com.google.guava:guava:jar:24.0-jre:compile
[INFO] | +- com.google.code.findbugs:jsr305:jar:1.3.9:compile
[INFO] | +- org.checkerframework:checker-compat-qual:jar:2.0.0:compile
[INFO] | +- com.google.errorprone:error_prone_annotations:jar:2.1.3:compile
[INFO] | +- com.google.j2objc:j2objc-annotations:jar:1.1:compile
[INFO] | - org.codehaus.mojo:animal-sniffer-annotations:jar:1.14:compile
[INFO] +- org.springframework.boot:spring-boot-starter-test:jar:2.0.0.RELEASE:test
[INFO] | +- org.springframework.boot:spring-boot-test:jar:2.0.0.RELEASE:test
[INFO] | +- org.springframework.boot:spring-boot-test-autoconfigure:jar:2.0.0.RELEASE:test
[INFO] | +- com.jayway.jsonpath:json-path:jar:2.4.0:test
[INFO] | | +- net.minidev:json-smart:jar:2.3:test
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ vault-policy-generator ---
[INFO] | | | - net.minidev:accessors-smart:jar:1.2:test
[INFO] | | | - org.ow2.asm:asm:jar:5.0.4:test
[INFO] | | - org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO] | | +- net.bytebuddy:byte-buddy:jar:1.7.10:test
[INFO] | | +- net.bytebuddy:byte-buddy-agent:jar:1.7.10:test
[INFO] | | - org.objenesis:objenesis:jar:2.6:test

30. Jackson Deserialization Vulnerability (CVE 2017-7525):
Introduction: This vulnerability takes advantage of the ability of an attacker to force a server
to deserialize a compromised class which is known to be on a large number of class paths
and inject malicious input which can result in code execution.
Am I Vulnerable?: You are vulnerable if you use polymorphic typing feature anywhere in
your code. This can be configured in a few ways: @JsonTypeInfo, @JsonSubTypes or
mapper.enableDefaultTyping()
How can I remediate?: You must ensure that you globally configure ObjectMapper
disableDefaultTyping() and have no instances of @JsonTypeInfo, @JsonSubTypes
Share Pre-Investigated Issues

31. Basic Code Scanning Engine
Vulnerability Search Terms
XXE
XMLInputFactory, TransformerFactory,
SchemaFactory, SAXTransformerFactory,
XMLReader
Jackson Deserialization @JsonTypeInfo, @JsonSubTypes,
mapper.enableDefaultTyping()
Logback ServerSocketReceiver

32. Discussion

33. “A hugely critical vulnerability from 6 weeks ago has landed in
a VIP’s inbox. It even has a logo so RED ALERT!, stop
everything.”
Brick #4

35. Common Issues
● Vulnerabilities come from high up to add pressure
● Usually have lots of FUD and little Facts
● Security have a point to prove
● Disrupts lots of teams and value stream
Knee Jerking to Vulnerabilities

36. Active Security News Groups

37. Create Work Tracker and Link to Team Tickets

38. Create Work Group Which Self Manages

39. Lightweight Documentation to Pass up Chain
Docker Escape Investigation (CVE 2019-5736):
Introduction: Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore
magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.
Investigation Scope: Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore.
Risk Assessment:Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et
Remediation Steps: Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et
dolore magna aliqua.
Residual Risk: Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore
magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

40. Put The Brick Down
● Security reviews and collaboration small but often
● Effective communication through modern tools
● Shift security ownership up the pipeline
● Focus on technical and process improvement rather
than managing and firefighting

41. W.W.A.T ?

42. Questions?