This document discusses taking an agile approach to continuous security. It covers recent high profile attacks, surveying tools that can check for vulnerable components and exposed secrets. The goal is to automate security checks by integrating tools into the development pipeline to test for vulnerabilities during regular builds and prevent secrets from being committed to version control. This would help catch issues early and increase security through continuous and automated testing.

1. Continuous Security
Embracing Security Automation
1

2. What I Will Cover
Attack Volumes
Recent Attacks
Taking an Agile Approach
Project Overview
Tool Survey
Wrap Up
2

3. Attack Volumes
3

4. 4
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

5. High Profile Attacks
5

6. Target
Unnecessarily Exposed Data
Phishing Attack
Non-Segmented Network
Out of Date Software
Exposed Secrets
In Memory Data
7

7. Stolen Vendors Credentials
Improper Configurations
Important Anti-Virus Feature Turned Off
POS Systems Running on Windows XP
Unencrypted Data In Transit
Non-Segmented Network
Inadequate Monitoring
Home Depot
8

8. Sally Beauty
10
Credentials Taped to Laptop
Network Admin Credentials in VB
Scripts
Installed Malware on Cash
Registers

9. An Agile Approach
11

10. Testing
12
Unit Tests
Service Tests
UI Tests

11. Continuous Delivery
13
Code
Code
Code
Config
Build Test
Package
Integration
Staging
Production
Env1
Env2
Env3
Testing Environments
Build Test & Release

12. How Can We Apply This to Security?
14

13. Project Overview
15

14. 16

15. 17
Recipe
Ingredient
Ingredient
Type
Diet
Diet
Type
Ingredient
Ingredient
Type
Ingredient
Ingredient
Type
Diet
Diet
Type

16. 18

17. Tool Survey
19

18. If checking
for vulnerable components
is good,
we will do so every time
we commit code.
20

19. Objenesis
Vulnerable Components
21
GuavaMyBatis JUnit Hamcrest
Hamcrest Hamcrest
Mockito

20. Vulnerable Components
22
http://www.aspectsecurity.com/research-presentations/the-unfortunate-reality-of-insecure-libraries
We studied the 31 most popular
Java frameworks and security libraries
downloaded from the [maven central]
and discovered that 26% of these
have known vulnerabilities.
More than half of the Global 500
use software built using components
with vulnerable code.

21. Vulnerable Components - Examples
23
https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities
Apache CXF Authentication Bypass
Spring Remote Code Execution
Checkmarx CxSAST

22. CSharp
SafeNuGet - MSBuild Task
OWASP Dependency Check
Java
OWASP Dependency Check
Ruby
Bundler Audit
Dawnscanner
Vulnerable Components - The Tools
24

23. Vulnerable Components - Tool Integration
25

24. If updating
our dependencies
is desired,
we will
run canary builds regularly
to tell us when we can update.
26

25. Objenesis
Upgrading Dependencies
27
GuavaMyBatis JUnit Hamcrest
Hamcrest Hamcrest
MockitoMockito
Hamcrest
Objenesis

26. Upgrading Dependencies - The Tools
28
Code
Code
Code
Config
Build Test
Package
Integration
Staging
Production
Env1
Env2
Env3
Testing Environments

27. If not exposing secrets
is important,
we will ensure
they are never committed
to our version control system.
29

28. Exposing Secrets
30

29. A talisman is an object which is
believed to contain certain
magical or sacramental
properties which would provide
good luck for the possessor or
possibly offer protection from
evil or harm.
Exposing Secrets - The Tools
31
https://en.wikipedia.org/wiki/Talisman

30. Exposing Secrets - Tool Integration
32

31. Exposing Secrets - Tool Integration
33
19:54:42.329 :findSecrets FAILED
19:54:42.336
19:54:42.336 BUILD FAILED
19:54:42.336
19:54:42.336 Total time: 3.085 secs
19:54:42.339
19:54:42.339 FAILURE: Build failed with an exception.
19:54:42.339
19:54:42.339 * What went wrong:
19:54:42.339 Execution failed for task ':findSecrets'.
java/build.gradle
java/gradle/wrapper/gradle-wrapper.jar
java/gradle/wrapper/gradle-wrapper.properties
java/gradlew
java/gradlew.bat
java/notReallyAn._rsa
…
java/src/vulnerableCheckSuppression.xml
The following errors were detected in
java/notReallyAn._rsa
The file name "java/notReallyAn._rsa" failed checks
against the pattern ^.+_rsa$

32. If searching for
possible attack vectors
for our web sites
is good,
we will
automate this search.
to our version control system.
34

33. Finding Vulnerabilities
35

34. Finding Vulnerabilities - The Tools
36
HTML
Ajax
Extensions
Port Scanning
Fuzzing
LDAP Injection
Session Fixation

35. Finding Vulnerabilities - Tool Integration
Plugins
Jenkins (https://wiki.jenkins-ci.org/display/JENKINS/ZAProxy+Plugin)
Maven (https://github.com/pdsoftplan/zap-maven-plugin)
Grails (https://grails.org/plugin/zap-security-tests)
Command Line Interface
37

36. Wrap Up
38

37. Potential Downsides
False Positives
Longer Running Builds
Won’t Catch Everything
New Things Everyday
39

38. Attack Tie Backs - Target
Secrets may not have been
discovered
Up to date vendor system may
have eliminated vulnerabilities
ZAP testing might have
highlighted network navigability
40

39. Attack Tie Backs - Home Depot
41
Up to date POS OS may have
eliminated vulnerabilities
ZAP testing might have
highlighted network navigability

40. Attack Tie Backs - Sally Beauty
Secrets may not have been
discovered
42

41. Application Code:
https://github.com/wendyi/continuousSecurity
Pipelines:
https://github.com/wendyi/continuousSecurityCi
Slides:
http://www.slideshare.net/WendyIstvanick
Trello:
https://trello.com/b/SVoLynan/continuous-security
Links
43

42. Next Steps
Finish Wiring Up Existing Checks
Contribute Talisman Changes
Finish End to End Code
Wire Up ZAP
Set Up Canary Builds
Find Other Tools to Include
44

43. Thank You
Questions?
45