Security teams provide concise summaries of dependency scans to development teams. The summaries include the vulnerability found, whether the team is affected, and how to remediate. This avoids lengthy CVE research and allows teams to focus on actual vulnerabilities. Any common libraries and frameworks are pre-scanned by security to share findings.
2. Practical Patterns And Techniques for Applying Security in
Agile / Devops SDLCs
Avoiding Throwing Security Bricks
Workshop Format - Discussions every 10-15 mins
Talk Aims
3. Java Developer > Security Champion >
Security Architect > DevSecOps Consultant
Payments, Banking & Government Transformations
Currently Consulting with Equal Experts
https://www.linkedin.com/in/chris-rutter-1b74a8b0/
Chris Rutter
8. “ Carry out a comprehensive security review / pen test 2 weeks
before release date and allow 1 week for remediation”
Brick #1
9.
10. Common Issues
● Superficial review & pen test
● Little scope to influence design
● No time to deal with findings
● Pressurised risk acceptance
● Impossible to release quickly
Release Management
12. Pen Test
New public-facing microservice
Change to authentication mechanism
Increase in level of data sensitivity
New management tool or cloud service
Review / Threat Model
New non-public microservice
Change to application architecture
Code behind feature switch
New APIs for existing data sensitivity
Peer Review / Self-Sign
Cosmetic changes
Business logic changes
Bug Fixes / Refactoring
Agreed Review Criteria
15. Result
● Security has excellent domain knowledge
● Scrum masters enforce reviews as Definition Of Done
● Faster Release Cycles (up to hourly if required)
● Ability to influence designs early
● Everything reportable, automatable and shareable
Release Management
17. “ Before you go live you must ship your logs off to this SOC
endpoint (which will take you weeks to onboard)”
Brick #2
18.
19. Common Issues
● Large gap between domain experts and SOC
● Provides a false (and often untested) sense of security
● Ineffective communication and incident response
● Centralised and difficult to onboard or improve
Security Operations
20. Strategy
● Empower teams to implement and own alerting
● Constantly improve with each new threat model
● Focus on improving alert response process
● Use notification subscription model to allow flexibility
Security Operations
23. Slack For Alerts
● Dynamic, interactive workgroup receive notifications
● Link to cloud hosted runbook with incident response instructions
● Each investigation results in a JIRA ticket
● Security just poke people if required
24. Result
● All alerts continually evolving through threat modelling
● Teams take ownership of alerts
● Security only verify pattern and investigation results
● Quick to set up and script using terraform etc.
● Very cheap compared to commercial IDS / SIEM tools
Embedded Operations
26. “Before you can release, scan your application code for
vulnerable dependencies and either fix, suppress or
acknowledge”
Brick #3
27.
28. Common Issues
● Time-consuming CVE research duplicated (or skipped)
● Most findings are not used in a vulnerable way
● Difficult to manage vulnerabilities with most tools
● Sometimes difficult / impractical to upgrade
Dependency Checking
30. Jackson Deserialization Vulnerability (CVE 2017-7525):
Introduction: This vulnerability takes advantage of the ability of an attacker to force a server
to deserialize a compromised class which is known to be on a large number of class paths
and inject malicious input which can result in code execution.
Am I Vulnerable?: You are vulnerable if you use polymorphic typing feature anywhere in
your code. This can be configured in a few ways: @JsonTypeInfo, @JsonSubTypes or
mapper.enableDefaultTyping()
How can I remediate?: You must ensure that you globally configure ObjectMapper
disableDefaultTyping() and have no instances of @JsonTypeInfo, @JsonSubTypes
Share Pre-Investigated Issues
33. “A hugely critical vulnerability from 6 weeks ago has landed in
a VIP’s inbox. It even has a logo so RED ALERT!, stop
everything.”
Brick #4
34.
35. Common Issues
● Vulnerabilities come from high up to add pressure
● Usually have lots of FUD and little Facts
● Security have a point to prove
● Disrupts lots of teams and value stream
Knee Jerking to Vulnerabilities
39. Lightweight Documentation to Pass up Chain
Docker Escape Investigation (CVE 2019-5736):
Introduction: Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore
magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.
Investigation Scope: Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore.
Risk Assessment:Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et
Remediation Steps: Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et
dolore magna aliqua.
Residual Risk: Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore
magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.
40. Put The Brick Down
● Security reviews and collaboration small but often
● Effective communication through modern tools
● Shift security ownership up the pipeline
● Focus on technical and process improvement rather
than managing and firefighting