DevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world cases

•

0 likes•458 views

This document summarizes two real world cases where companies implemented security automation to help address challenges of securing applications in agile development environments. The first case involved an insurance company transitioning to DevOps and agility, where integrated automated testing helped provide security visibility and training. The second case involved a retailer with an established agile shop where a process-driven security workflow was created to integrate testing into their DevOps pipeline on a weekly basis. Both cases aimed to balance rapid development needs with continuous security.

Presentations & Public Speaking

Join the conversation #devseccon
AppSec DevOps Automation
Real World Cases
Ofer Maor
Director of Security Strategy
@OferMaor
linkedin.com/in/ofermaor
ofer.maor @ gmail.com

Speaker
• Security Strategy at Synopsys
• Over 20 Years in Cybersecurity
• Hacker at Heart
• Longtime OWASPer
• Pioneer of IAST
• Avid Photographer
Sunset over Hamnøy, Lofoten Islands, Norway

Too Much
Data Security by
Developers
Short Cycles Rapid Delivery
Prioritizing
Risk
Understanding
the Pain
The Agile Security Challenge

Automation
Automated, Continuous, Practical Testing

People Getting People Involved (DevOps, Sec, R&D)
Process
Technology
Adapting to Existing Process (CI, Issue, etc.)
The Right Technology (IAST)

Case I
Insurance Company Starting Out DevOps

Case I
The Challenge
Insurance Company
Agile Maturity: In Transition
DevOps Maturity: Starting
AppSec Maturity: Medium
• Insurance Company. Home grown apps
• ~15 different systems (Customer/Agent/Internal)
• Varying level of DevOps maturity & Agile transformation
• Focus on “Agile Transformation” – new systems
• Limited security background for developers
• Limited security resources
• Insufficient test automation (coverage)

Case I
The Solution
Insurance Company
Agile Maturity: In Transition
DevOps Maturity: Starting
AppSec Maturity: Medium
• R&D/DevOps/Sec cooperation & committee
• Security visibility into R&D bugs
• R&D Training (Basic!)
• Fully integrated into CI (Jenkins)
• Fully integrated with manual/automated testing
• Risk Policy (adapting risks, only “High” blocks)
• Multiple output channels (tickets, reports, etc.)

Case II
Retailer, Established Agile Shop

Case II
The Challenge
Retailer
Agile Maturity: High
DevOps Maturity: High
AppSec Maturity: Low
• eCommerce Platform (with “flavors”)
• Response to an incident (minimal existing security)
• Very small security team
• No security background for developers
• No existing process between security and R&D
• “Run of the mill” Agile/DevOps shop (with very strict enforcement)
• Dynamic environments orchestration

Case II
The Solution
Retailer
Agile Maturity: High
DevOps Maturity: High
AppSec Maturity: Low
• Process driven by R&D & DevOps, with security supervision
• Automatic orchestration of dedicated security testing environment
• Integration with Jenkins, Selenium & JIRA
• Security “workflow” created, testing once a week over 3 weeks sprint
• Tests on weeks 1 & 2 for fixing, week 3 for verification
• Breaking (medium or higher) on verification - Feature Removed
• HTML & PDF reports for auditing and integration

Join the conversation #devseccon
Thank You!
Questions?
@OferMaor
linkedin.com/in/ofermaor
ofer.maor @ gmail.com

Security pros have written countless jokes and comics maligning developers' exultant disregard for security and lauding their own long-suffering devotion to repairing reckless dev teams' vulnerable code. Yet, this narrative -- which does nothing to improve application security -- has gone on long enough. This session will help you change the conversation and the trend. You'll learn how to speak developers' language, learn about the real pressures they face in a continuous delivery environment, and discover how to get Dev, Ops, and Security teams aligned and focused on a singular goal.

DevSecCon London 2017: How far left do you want to go with security? by Javie...

DevSecCon

DevSecCon Asia 2017 Fabian Lim: DevSecOps in the government

DevSecCon

[DevSecOps Live] DevSecOps: Challenges and Opportunities

Mohammed A. Imran

In this Practical DevSecOps's DevSecOps Live online meetup, you’ll learn DevSecOps Challenges and Opportunities. Join Mohan Yelnadu, head of application security at Prudential Insurance on his DevSecOps Journey. He will cover DevSecOps challenges he has faced and how he converted them into opportunities. He will cover the following as part of the session. DevSecOps Challenges. DevSecOps Opportunities. Converting Challenges into Opportunities. Quick wins and lessons learned. … and more useful takeaways!

DevSecOps - The big picture

DevSecOpsSg

DevSecCon London 2017: Shift happens ... by Colin Domoney

DevSecCon

Dev seccon london 2016 intelliment security

DevSecCon

Ast in CI/CD by Ofer Maor

DevSecCon

Practical DevSecOps Course - Part 1

Mohammed A. Imran

Integrating DevOps and Security

Stijn Muylle

Lessons learned from Detroit to Deming by Derek Weeks

DevSecCon

The Rise of DevSecOps - Fabian Lim - DevSecOpsSg

DevSecOpsSg

DevOps is a cultural shift for more and more organisations, bringing speed and innovation benefits that surpass other SDLC methods. But some of the principles of DevOps aren’t quite aligned with how companies of all sizes will need to incorporate and embed security into this shift. DevSecOps provides a path forward for the transformation and helps companies to shift security to the left so that everyone can take responsibility for it. While automating security testing is an obvious answer to secure applications in the code pipeline, that does not provide 100% coverage until security risks are fully mitigated. Fabian will talk about his journey in making DevSecOps a reality in an organisation. This talk will focus some of the lessons learnt - which includes implementing open source tools to help security team do their jobs better, hacking the culture, whitelisting services, reporting security defects. and also doing Red Team activities.

DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012

Nick Galbreath

The Journey to DevSecOps

SeniorStoryteller

Elizabeth Lawler - Devops, security, and compliance working in unison

DevSecCon

DevSecOps: Minimizing Risk, Improving Security

Franklin Mosley

Thanks to the cloud and open source tools, DevOps teams have access to unprecedented infrastructure and scale. But that also means they can be approached by some of the most nefarious actors on the Internet, as they risk the security of their business with every application deployment. Perimeter-class security is no longer viable in such a distributed environment, so now companies need to adapt to more micro-level security. This merging of DevOps and security operations – a concept called DevSecOps – is one of the most important new developments in security and IT deployment. In this session, our expert will discuss how teams are now collaborating as peers to achieve optimal security.

Proactive Security AppSec Case Study

Andy Hoernecke

Stephen Sadowski - Securely automating infrastructure in the cloud

DevSecCon

Matt carroll - "Security patching system packages is fun" said no-one ever

DevSecCon

DevSecCon Asia 2017 Joel Divekar: Using Open Source Automation tools for DevS...

DevSecCon

DevSecCon Asia 2017: Guillaume Dedrie: A trip through the securitiy of devops...

DevSecCon

What's hot

DevSecCon London 2017: when good containers go bad by Tim Mackey

DevSecCon

The Security Pro's Guide to DevSecOps: How to Get Developers To Write Secure ...

Franklin Mosley

DevSecCon London 2017: How far left do you want to go with security? by Javie...

DevSecCon

DevSecCon Asia 2017 Fabian Lim: DevSecOps in the government

DevSecCon

[DevSecOps Live] DevSecOps: Challenges and Opportunities

Mohammed A. Imran

DevSecOps - The big picture

DevSecOpsSg

DevSecCon London 2017: Shift happens ... by Colin Domoney

DevSecCon

Dev seccon london 2016 intelliment security

DevSecCon

Ast in CI/CD by Ofer Maor

DevSecCon

Practical DevSecOps Course - Part 1

Mohammed A. Imran

Integrating DevOps and Security

Stijn Muylle

Lessons learned from Detroit to Deming by Derek Weeks

DevSecCon

The Rise of DevSecOps - Fabian Lim - DevSecOpsSg

DevSecOpsSg

DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012

Nick Galbreath

The Journey to DevSecOps

SeniorStoryteller

Elizabeth Lawler - Devops, security, and compliance working in unison

DevSecCon

DevSecOps: Minimizing Risk, Improving Security

Franklin Mosley

Proactive Security AppSec Case Study

Andy Hoernecke

Stephen Sadowski - Securely automating infrastructure in the cloud

DevSecCon

Matt carroll - "Security patching system packages is fun" said no-one ever

DevSecCon

What's hot (20)

DevSecCon London 2017: when good containers go bad by Tim Mackey

The Security Pro's Guide to DevSecOps: How to Get Developers To Write Secure ...

DevSecCon London 2017: How far left do you want to go with security? by Javie...

DevSecCon Asia 2017 Fabian Lim: DevSecOps in the government

[DevSecOps Live] DevSecOps: Challenges and Opportunities

DevSecOps - The big picture

DevSecCon London 2017: Shift happens ... by Colin Domoney

Dev seccon london 2016 intelliment security

Ast in CI/CD by Ofer Maor

Practical DevSecOps Course - Part 1

Integrating DevOps and Security

Lessons learned from Detroit to Deming by Derek Weeks

The Rise of DevSecOps - Fabian Lim - DevSecOpsSg

DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012

The Journey to DevSecOps

Elizabeth Lawler - Devops, security, and compliance working in unison

DevSecOps: Minimizing Risk, Improving Security

Proactive Security AppSec Case Study

Stephen Sadowski - Securely automating infrastructure in the cloud

Matt carroll - "Security patching system packages is fun" said no-one ever

Viewers also liked

DevSecCon Asia 2017 Joel Divekar: Using Open Source Automation tools for DevS...

DevSecCon

DevSecCon Asia 2017: Guillaume Dedrie: A trip through the securitiy of devops...

DevSecCon

DevSecCon Asia 2017 Arun N: Securing chatops

DevSecCon

DevSecCon Asia 2017 Sergiu Bodiu: From resilient to antifragile

DevSecCon

Segregation of Duties and Continuous Delivery

Sriram Narayanan

DevSecCon KeyNote London 2015

Shannon Lietz

Devops security-An Insight into Secure-SDLC

Suman Sourav

DEVSECOPS: Coding DevSecOps journey

Jason Suttie

Colin Domoney -

DevSecCon

DevSecOps - Building Rugged Software

SeniorStoryteller

Implementing an Application Security Pipeline in Jenkins

Suman Sourav

Performing continuous security testing in a DevOps environment with short release cycles and a continuous delivery pipeline is a big challenge and the traditional secure SDLC model fails to deliver the desired results. DevOps understand the process of built, test and deploy. They have largely automated this process in a delivery pipeline, they deploy to production multiple times per day but the big challenge is how can they do this securely? This session will focus on a strategy to build an application security pipeline in Jenkins, challenges and possible solutions, also how existing application security solutions (SAST, DAST, IAST, OpenSource Libraries Analysis) are playing a key role in growing the relationship between security and DevOps.

Nick Drage & Fraser Scott - Epic battle devops vs security

DevSecCon

DevOps and Continuous Delivery Reference Architectures - Volume 2

Sonatype

CONTINUOUS DELIVERY REFERENCE ARCHITECTURES Including Sonatype Nexus and other popular DevOps tools Derek E. Weeks (@weekstweets) VP and DevOps Advocate Sonatype. Continuous Delivery and DevOps Reference Architectures include many common tool choices. The most common tool choices we find in these reference architectures are: Eclipse, git, Cloudbees Jenkins / Atlassian Bamboo, Sonatype Nexus, Atlassian JIRA, SonarQube, Puppet, Chef, Rundeck, Maven / Ant / Gradle, Subversion (svn), Junit, LiveRebel, ServiceNow

How to adapt the SDLC to the era of DevSecOps

Zane Lackey

Leveraging Your Company's DevOps Transformation (AppSec USA 2014)

dev2ops

Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest

Matt Tesauro

Lisa Conference 2014: DevOps and AppSec - Who is Responsible

SeniorStoryteller

Case Study - DevOps QA Helps Leading Event Management Company Reduce Post-pro...

Cigniti Technologies Ltd

Node JS reverse shell

Madhu Akula

Viewers also liked (19)

DevSecCon Asia 2017 Joel Divekar: Using Open Source Automation tools for DevS...

DevSecCon Asia 2017: Guillaume Dedrie: A trip through the securitiy of devops...

DevSecCon Asia 2017 Arun N: Securing chatops

DevSecCon Asia 2017 Sergiu Bodiu: From resilient to antifragile

Segregation of Duties and Continuous Delivery

DevSecCon KeyNote London 2015

Devops security-An Insight into Secure-SDLC

DEVSECOPS: Coding DevSecOps journey

Colin Domoney -

DevSecOps - Building Rugged Software

Implementing an Application Security Pipeline in Jenkins

Nick Drage & Fraser Scott - Epic battle devops vs security

DevOps and Continuous Delivery Reference Architectures - Volume 2

How to adapt the SDLC to the era of DevSecOps

Leveraging Your Company's DevOps Transformation (AppSec USA 2014)

Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest

Lisa Conference 2014: DevOps and AppSec - Who is Responsible

Case Study - DevOps QA Helps Leading Event Management Company Reduce Post-pro...

Node JS reverse shell

Similar to DevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world cases

Ofer Maor - Security Automation in the SDLC - Real World Cases

centralohioissa

How can we really automate secure coding? Agile, DevOps, Continuous Integration, Orchestration, Static, Dynamic - There's an endless feed of Buzzwords, but how can we turn this into a practice that really works? In this session we will review real world examples of building a successful automation process for delivery of secure software in fast paced development environments. The talk will focus on three different organizations at different maturity levels and how security automation processes were applied and adapted to fit their development lifecycle.

ISACA Ireland Keynote 2015

Shannon Lietz

Succeeding-Marriage-Cybersecurity-DevOps finalrkadayam

DevSecCon Keynote

Shannon Lietz

Digital Product Security

SoftServe

Whether you're a huge enterprise or a small start-up, you can't escape global digitalization. As digital technologies like machine-2-machine communication, device-2-device telematics, connected cars, and the Internet of Things become more integral in today’s world, more threats will appear as hackers use new ways to exploit weaknesses in your organization and products. During SoftServe’s free security webinar, Nazar Tymoshyk will explore the reasons why recent victims of digital attacks couldn’t withstand a threat to their security and share how you can build secure and compliant software with the help of security experts. A real-life case study will demonstrate how SoftServe assessed and mitigated security threats for a top organization.

AppSec in an Agile World

David Lindner

In the ever-evolving, fast-paced Agile development world, application security has not scaled well. Incorporating application security and testing into the current development process is difficult, leading to incomplete tooling or unorthodox stoppages due to the required manual security assessments. Development teams are working with a backlog of stories—stories that are typically focused on features and functionality instead of security. Traditionally, security was viewed as a prevention of progress, but there are ways to incorporate security activities without hindering development. There are many types of security activities you can bake into your current development lifecycles—tooling, assessments, stories, scrums, iterative reviews, repo and bug tracking integrations—every organization has a unique solution and there are positives and negatives to each of them. In this slide deck, we go through the various solutions to help build security into the development process.

A journey into Application Security

Christian Martorella

The What, Why, and How of DevSecOps

Cprime

DevSecOps is a recent offshoot of the DevOps movement, which doubles down on the importance of security. As security continues to be downplayed or ignored even as the threat landscape explodes, DevSecOps promotes a set of well-developed design principles and engineering patterns which involve security owners and product designers much earlier. DevSecOps lays out a robust and practical blueprint for building security features into the design process, leveraging new engineering tools and patterns and creating a secure, defensible software right from the start. Join Chris Knotts, Innovation Product Director at Cprime, to: - Learn how the concept of "shifting left" applies to application security and how to prioritize security requirements earlier in the design process - Get an introduction to a few of the most effective engineering tools for implementing DevSecOps, including popular code scanners, dependency checkers, and free open-source products - Understand how progress with DevSecOps depends on roles and stakeholders outside of just security staff

BSides Vienna 2015Daniel Liber

Protecting Agile Transformation through Secure DevOps (DevSecOps)

Eryk Budi Pratama

Respresenting Cyber Defense Community (cdef.id) to present and share my view on Secure DevOps / DevSecOps. Through this presentation, I shared several insights about: 1. How to balance the risk and controls in the "great shift left" paradigm (agile) 2. DevOps activities 3. How to seamlessly integrate security into DevOps 4. How to "shift left" the security" 5. Get started with Secure DevOps / DevSecOps 6. Case Study about DevSecOps implementation For further discussion, especially how to secure digital and agile transformation in your organization, don't hesitate to contact me :)

Security at Greenhouse

Michael O'Neil

Bringing Security Testing to Development: How to Enable Developers to Act as ...

Achim D. Brucker

Security testing is an important part of any security development life-cycle (SDLC) and, thus, should be a part of any software development life-cycle. We will present SAP's Security Testing Strategy that enables developers to find security vulnerabilities early by applying a variety of different security testing methods and tools. We explain the motivation behind it, how we enable global development teams to implement the strategy, across different SDLCs and report on our experiences.

HouSecCon 2019: Offensive Security - Starting from Scratch

Spencer Koch

HouSecCon 2019 Offensive Security - Starting from Scratch. Learn from Spencer Koch and Altaz Valani about how to build an offensive security program from scratch, incorporating application security, infrastructure vulnerability management, hardening, devsecops, security champions, and red teaming. Be able to organize these capabilities to tell a story and build maturity to help your organization be more secure. Includes gotchas and lessons learned from industry experience.

Security and DevOps Overview

Adrian Sanabria

What Every Developer And Tester Should Know About Software Security

Anne Oikarinen

Software security is best built in. This presentation introduces three essential things to help you design more secure software. In order to have a secure foundation, you can create and select security requirements for your applications using evil user stories and utilizing existing material for example from OWASP. Another useful skill is threat modeling which helps you to assess security already in the design phase. Threat modeling helps you deliver better software, prioritize your preventive security measures, and focus penetration testing to the most risky parts of the system. The presentation covers various methods, such as the STRIDE model, for finding security and privacy threats. You will also learn what kind of security related testing you can do without having any infosec background.

DevSecOps - It can change your life (cycle)

Qualitest

Automating Security in Cloud Workloads with DevSecOps

Amazon Web Services

This session is designed to teach security engineers, developers, solutions architects, and other technical security practitioners how to use a DevSecOps approach to design and build robust security controls at cloud-scale. This session walks through the design considerations of operating high-assurance workloads on top of the AWS platform and provides examples of how to automate configuration management and generate audit evidence for your own workloads. We’ll discuss practical examples using real code for automating security tasks, then dive deeper to map the configurations against various industry frameworks. This advanced session showcases how continuous integration and deployment pipelines can accelerate the speed of security teams and improve collaboration with software development teams.

How to Get Started with DevSecOps

CYBRIC

"How to Get Started with DevSecOps," presented by CYBRIC VP of Engineering Andrei Bezdedeanu at IT/Dev Connections 2018. Collaboration between development and security teams is key to DevSecOps transformation and involves both cultural and technological shifts. The challenges associated with adoption can be addressed by empowering developers with the appropriate security tools and processes, automation and orchestration. This presentation outlines enabling this transformation and the resulting benefits, including the delivery of more secure applications, lower cost of managing your security posture and full visibility into application and enterprise risks. www.cybric.io

Shift Left Security – Guidance on embedding security for a Digital Transforma...

Yazad Khandhadia

AWS live hack: Atlassian + Snyk OSS on AWS

Eric Smalling

Similar to DevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world cases (20)

Ofer Maor - Security Automation in the SDLC - Real World Cases

ISACA Ireland Keynote 2015

Succeeding-Marriage-Cybersecurity-DevOps final

DevSecCon Keynote

Digital Product Security

AppSec in an Agile World

A journey into Application Security

The What, Why, and How of DevSecOps

BSides Vienna 2015

Protecting Agile Transformation through Secure DevOps (DevSecOps)

Security at Greenhouse

Bringing Security Testing to Development: How to Enable Developers to Act as ...

HouSecCon 2019: Offensive Security - Starting from Scratch

Security and DevOps Overview

What Every Developer And Tester Should Know About Software Security

DevSecOps - It can change your life (cycle)

Automating Security in Cloud Workloads with DevSecOps

How to Get Started with DevSecOps

Shift Left Security – Guidance on embedding security for a Digital Transforma...

AWS live hack: Atlassian + Snyk OSS on AWS

More from DevSecCon

DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...

DevSecCon

Xavier Garceau-Aranda Senior Security Consultant at NCC Group With the steady rise of cloud adoption, a number of organizations find themselves splitting their resources between multiple cloud providers. While the readiness to deal with security in cloud native environments has been improving, the multi-cloud paradigm poses new challenges. The workshop will aim to familiarize attendees with Scout Suite (https://github.com/nccgroup/ScoutSuite), a key component of NCC Group’s cloud agnostic approach to security assurance. Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments. Using the APIs exposed by cloud providers, Scout Suite gathers configuration data for manual inspection and highlights risk areas. Rather than pouring through dozens of pages on the web consoles, Scout Suite provides a clear view of the attack surface automatically. The following cloud providers are currently supported: - Amazon Web Services - Microsoft Azure - Google Cloud Platform - Oracle Cloud Infrastructure - Alibaba Cloud During the workshop, attendees will leverage Scout Suite to assess a number of cloud environments designed to simulate typical flaws. We will display how the tool can be leveraged to quickly identify and help with remediation of security misconfigurations.

DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?

DevSecCon

Mitun Zavery Senior Engineer at Sonatype Bad actors have recognized the power of open source and are now beginning to create their own attack opportunities. This new form of assault, where OSS project credentials are compromised and malicious code is intentionally injected into open source libraries, allows hackers to poison the well. In this session, Mitun will explain how both security and developers must work together to stop this trend. Or, risk losing the entire open source ecosystem. Analyze, and detail, the events leading to today’s “all-out” attack on the OSS industry Define what the future of open source looks like in today’s new normal Outline how developers can step into the role of security, to protect themselves, and the millions of people depending on them

DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...

DevSecCon

Jan Harrie Security Analyst at ERNW GmbH OpenShift by Red Hat is one of the major Platform as a Service (PaaS) solutions on the market. It is used to automatically deploy Kubernetes clusters and provides useful extensions for cluster management mixed with some magic under the hood. Instantiating a Kubernetes cluster is often a crucial step in setting up a modern application stack. But be aware – a lot of configuration parameters are awaiting you. And here several misconfigurations may occur that can lead up to a compromise of the cluster. Privileged containers, tainting of masters and executing workloads on them, missing role-based access controls, and misconfigured Service Accounts are part of the problem. In this talk, I will explain which configuration parameters of an OpenShift environment are critical to ensure the overall security of the deployed Kubernetes clusters. Implications of misconfigurations will be demonstrated during live demos. Finally, recommendations for a secure configuration are provided.

DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...

DevSecCon

Matt Carroll Infrastructure Security Engineer at Yelp "Attestation is hard" is something you might hear from security researchers tracking nation states and APTs, but it's actually pretty true for most network-connected systems! Modern deployment methodologies mean that disparate teams create workloads for shared worker-hosts (ranging from Jenkins to Kubernetes and all the other orchestrators and CI tools in-between), meaning that at any given moment your hosts could be running any one of a number of services, connecting to who-knows-what on the internet. So when your network-based intrusion detection system (IDS) opaquely declares that one of these machines has made an "anomalous" network connection, how do you even determine if it's business as usual? Sure you can log on to the host to try and figure it out, but (in case you hadn't noticed) computers are pretty fast these days, and once the connection is closed it might as well not have happened... Assuming it wasn't actually a reverse shell... At Yelp we turned to the Linux kernel to tell us whodunit! Utilizing the Linux kernel's eBPF subsystem - an in-kernel VM with syscall hooking capabilities - we're able to aggregate metadata about the calling process tree for any internet-bound TCP connection by filtering IPs and ports in-kernel and enriching with process tree information in userland. The result is "pidtree-bcc": a supplementary IDS. Now whenever there's an alert for a suspicious connection, we just search for it in our SIEM (spoiler alert: it's nearly always an engineer doing something "innovative")! And the cherry on top? It's stupid fast with negligible overhead, creating a much higher signal-to-noise ratio than the kernels firehose-like audit subsystems. This talk will look at how you can tune the signal-to-noise ratio of your IDS by making it reflect your business logic and common usage patterns, get more work done by reducing MTTR for false positives, use eBPF and the kernel to do all the hard work for you, accidentally load test your new IDS by not filtering all RFC-1918 addresses, and abuse Docker to get to production ASAP! As well as looking at some of the technologies that the kernel puts at your disposal, this talk will also tell pidtree-bcc's road from hackathon project to production system and how focus on demonstrating business value early on allowed the organization to give us buy-in to build and deploy a brand new project from scratch.

DevSecCon Seattle 2019: Containerizing IT Security Knowledge

DevSecCon

Kristóf Tóth Software Engineer at Avatao The world is getting eaten alive by software. At this point, almost nothing can be done without interacting with some sort of software system. Not even buying your groceries. As we keep dumping out huge piles of code like there is no tomorrow, our far from perfect systems keep getting worse and worse from a security standpoint. What could possibly go wrong? We believe that education is the missing link. As appsec is still a curiosity topic on top universities, freshly graduated engineers simply have no clue. And how could they? The number of programmers keeps on doubling every few years and generations of software professionals are stuck without a proper background in ITSec. As this trend continues, our responsibility to do something about this is on the rise. In hopes of fighting this trend, we, at Avatao, have decided to share some of our dreams with the community. Our Tutorial Framework allows you to easily create interactive learning environments running inside Docker containers. These environments are capable of automatically guiding users through a set of topics by allowing them to interact with real software through a simple web browser. Users can attack webservices, write code to fix them or use a terminal to deploy websites by creating and pushing git tags. Nothing here is a mock-up: Every software component is real. In this talk, I am going to demonstrate the capabilities of the framework, talk about the technology behind it and explore some use cases for it. During the session we will open source the framework with the hope of creating a better, secure future together.

DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...

DevSecCon

Sitaraman Lakshminarayanan Sr Security Architect at Pure Storage Authorization has two components – Policy Definition and Policy Enforcement. Traditionally both used to be centralized and we spent all the time Integrating products- Built or Bought with Centralized Access Management. This typically led to increased cycle time to change any access policy or change software/deployment to fit into one particular authorization model. When that doesn’t fit, we would end up with multiple authorization enforcements written in different languages with or without any adherence to any standards such as XACML or others. Imagine building few different or hundreds of products or services or micro services and you have to centrally manage all possible access policies. It’s definitely not a scalable solution in fast moving CI/CD world. Now imagine a way where every developers or products can externalize its authorization and we can modify authorization enforcement in a consistent manner? Imagine where developers can write their own implementation of how authorization should be enforced for their environment? Remember there is no one size fits all authorization policy. A policy that works for your environment does not work for my environment – for any number of reasons from Risk management to type of business applications. Open Policy Agent provides a consistent way to write authorization logic and expose it as REST API. Applications can easily integrate with OPA and can also write their own authroziation logics. Whether you are shipping products to customers or integrating a Product or Service into your environment, how awesome it would be to enforce your own authorization rules instead of changing your business process of who can gain access to what features. In this talk we will explore the benefits of Decentralized Authorization and how to use Open Policy Agent to achieve decentralized authorization. A closer look at few applications /integrations whether it is REST API /Micro Services, or Kubernetes to control various authorization policies as to who can deploy/what can you deploy. We will also look at how to build Integration tests to check our authorization policies.

DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...

DevSecCon

DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...

DevSecCon

Matt Lavin Software Architect at LifeOmic It's possible to have rapid feature delivery and happy developers without sacrificing high security and compliance. At LifeOmic, we've built an automated change management system that allows production deployments without slow human approval. We maintain HIPAA and HITRUST compliance while still allowing continuous delivery. I'll show how to collect data from BitBucket, Jenkins, and security scan tools to ensure that the approved processes have been followed. You'll hear how fast production approval incentivizes developers to follow good practices, and become advocates for following the process instead of pushing against it. Automating process checks as a gate to deployments is a great framework for promoting the behavior you want in your organization. Don't give up on rapid feature delivery just because you work in a regulated industry.

DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...

DevSecCon

Julian Berton Preventing a company from becoming the newest data breach statistic can be a daunting prospect. Especially working within a company that employs hundreds of engineers pushing code to production daily, it often feels like everything is on fire and the holy grail of producing a security inspired product is but a dim light growing further and further away. The same feeling is true for security aware engineers being pushed to develop products quickly but also expected to consider quality assurance, operations, security and the reliability of their application or service. To help reduce the bleeding and build more security aware applications at scale, a balance of firefighting, preventative initiatives, automation and "JIT" education is required. So strap yourself in while we take you on a journey through 4 years of security successes and epic failures: * Automation - Implementing a secure-by-default build system (Buildkite) that makes detecting vulnerable dependencies (Snyk), storing secrets (AWS Secrets Manager) and scanning Docker containers, an effortless process. * Prevention - Eradicate several classes of bugs by selecting secure architectural patterns and using automated scripts to detect operational misconfigurations like dangling DNS entries, open S3 buckets, secrets checked into source code and repositories that have been made accidentally public. * "JIT” Education - Changing a companies security culture with RFC's for security standards, security integrated PIR via bug bounty program reports, visibility through security maturity frameworks (BSIMM).

DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...

DevSecCon

Rahul Kumar & Rupali Dash In the current era of blockchain technology, mining crypto currency is one of the biggest hit. The talk covers how the attackers use the insecure containers to mine crypto currency and earn million dollar profits. Cryptojacking activity surged to its peak in December 2017, when more than 8 million cryptojacking events were blocked by many intrusion detection companies. While there have seen a slight fall in activity in 2018, it is still at an elevated level, with total cryptojacking events blocked in July 2018 totalling just less than 5 million. The talk will cover how the mining activities has been done using browsers as well as cloud containers. We will also discuss how the cloud provides like amazon, azure and go are detecting such kind of activities and how minor misconfigurations leads to million dollar currency mining. The talk will also cover how 3rd party security providers like symantec and z-scalar and other intrusion detection system has configured signatures to block such kind of attacks. As well as from a sec-ops prospective what configuration checks should be done to prevent against such kind of attacks as well as detection of attacks. It will also cover some case studies and attack scenarios of mining Monero and the huge financial losses because of this attacks.

DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...

DevSecCon

Trinh Tran & Dennis Stötzel Are you trying to stay secure while developing and running a bunch of services and applications every day? So are we and it’s a huge pain in the… pipeline. We have been juggling these aspects while working with one of the biggest insurance companies in the world. In this talk, we will share our experiences of the last three years: Trinh, as a software engineer in Vietnam and Dennis, as a security engineer in Germany. We will present our experiences of making "dev", "sec" and "ops" coexist – without sparing any dirty details. Our goal has always been fast delivery and secure applications using pipelines, containers, orchestration, and the cloud. Let us explain which of these goals we have met and which remain goals, where we messed up and where we found glory. We will cover the following topics in our talk: * Evolution of our project, from beginning with four engineers running in one office, to expanding to fifty engineers coming from three continents and different backgrounds, * Development, delivery and security as a requirement in an agile project, * The good, the bad and the ugly in technology, architecture and infrastructure.

DevSecCon Singapore 2019: Workshop - Burp extension writing workshop

DevSecCon

Sanoop Thomas & Samandeep Singh Burp suite is the de-facto proxy application for web security testers. This hands-on workshop will explore the different capabilities of burp proxy application, also dive into the extensions and tooling options to perform improved application security test cases. The workshop will start with a quick overview of burp usage, different settings, features, some commonly useful extensions and then explore deep into its extension APIs to build your own custom extensions. We will provide a suitable development environment in Java and Python platforms. This will be a hands-on workshop and participants will learn how to automate different application security test scenarios and build burp extensions with the help of templates.

DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape

DevSecCon

Cameron Townshend Today’s pace of innovation and need to out “innovate” competitors can often cause developers to bypass key portions of Gene Kim’s Three Ways of DevOps - specifically to never pass a known defect downstream and emphasize performance of the entire system. As we embrace movements like CI, CD and Devops to cut down on release cycles - and innovate faster, we as developers must also embrace the reality that the risk landscape is too complex to leave “security” to just those with security in their title. Traditional methods do not cut it anymore – it’s time for DevSecOps. Instinctively, we understand how critical this is. In Sonatype’s recent 2018 DevSecOps Community report, where 2,076 IT professionals were surveyed, 48% of respondents admitted that developers know application security is important, but they don’t have the time to spend on it. Done properly, DevSecOps practices shouldn’t interrupt the DevOps pipeline - but instead aid it - preventing costly rebuilds and build breaks, down the road. By creating automated governance and compliance guardrails that are embedded early and throughout the software development lifecycle, developers have transparent access to digital guardrails integrated within our native tools — an approach that ensures security is being built in without slowing us down. These instant feedback loops detailing good or bad components have been shown to increase developer productivity by as much as 48%. Over time, this approach ensures developers procure the best components from the best suppliers, while continuously tracking components across the entire lifecycle. Attendees of this session will walk away with: Real-world examples of how large and small companies are implementing DevSecOps practices in their own delivery pipelines, and increasing developer awareness to risks Key insights from 2,076 of their peers who participated in the 2018 DevSecOps community report - including where most mature DevOps practices are focusing their security efforts A walkthrough of how security principles have been embedded in a CICD pipeline and what standards for implementation are beginning to follow suite

DevSecCon Singapore 2019: Web Services aren’t as secure as we think

DevSecCon

Tilak T Web-Services are taking over the world. Rest-framework is accelerating this development, because of its ease and flexibility. Developers often use and develop REST-based applications because it's exciting to work with. But they forget about security which leads to compromised and exploited applications. For instance, in more recent security tests against Web Services that my team executed, we found that vulnerabilities like Insecure Deserialization, XML External Entities, Server-Side Template Injection and Authorization Flaws are quite prevalent. I have found some simple steps that engineering teams can take towards finding and fixing such vulnerabilities with Web Services. This talk is offering a holistic perspective on finding and fixing some uncommon flaws that will be replete with anecdotes and examples of secure and insecure code. I will also delve into automating SAST and DAST tools using Robot-Framework to identify such flaws in Web-Services.

DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...

DevSecCon

Sharath Kumar Ramadas Serverless Technology (Functions as a Service) is fast becoming the next "big thing" in the world of distributed applications. Organizations are investing a great deal of resources in this technology as a force-multiplier, cost-saver and ops-simplification cure-all. Especially with widespread support from cloud vendors, this technology is going to only become more influential. However, like everything else, Serverless apps are subject to a wide variety of attack possibilities, ranging from attacks against access control tech like JWTs, to NoSQL Injection, to exploits against the apps themselves (deserialization, etc) escalating privileges to other cloud components. On the other hand GraphQL (API Query Language) is the natural companion to serverless apps, where traditional REST APIs are replaced with GraphQL to provide greater flexibility, greater query parameterization and speed. GraphQL is slowly negating the need for REST APIs from being developed. Combined with Serverless tech/Reactive Front-end frameworks, GraphQL is very powerful for distributed apps. However, GraphQL can be abused with a variety of attacks including but not limited to Injection Attacks, Nested Resource Exhaustion attacks, Authorization Flaws among others. This talk presents a red-team perspective of the various ways in which testers can discover and exploit serverless and/or GraphQL driven applications to compromise sensitive information, and gain a deeper foothold into database services, IAM services and other other cloud components. The talk will have some demos that will demonstrate practical attacks and attack possibilities against Serverless and GraphQL applications. The author will release an intentionally vulnerable Serverless and GraphQL app at the end of the talk for the benefit of the audience and the security community at large.

DevSecCon Singapore 2019: The journey of digital transformation through DevSe...

DevSecCon

Nadira Bajrei IT Continuous Improvement and Knowledge Management at Bank Mandiri Tbk We all know that the Banking industry is highly regulated. But due to recent changing factors, we had to trigger something we call transformation. Two of the most important reasons why we need transformation are firstly digital disruption, a wave our industry is hard pushed to follow, and secondly the evolving customer expectation and competitive environment, which are impacting the way organisations are delivering value. We need a new way of working to help us stay relevant in the market. This session will focus on our journey as one of the biggest banks in Indonesia to do digital transformation into DevOps while maintaining security compliance requirements. I will elaborate on the main reason why we need transformation, our journey roadmap, the step by step adoption of CALMS Values in our organisation and how we faced challenges from internal and external site.

DevSecCon Singapore 2019: Preventative Security for Kubernetes

DevSecCon

Liz Rice The latest Kubernetes version provides many security-related enhancements and controls, but it is far from being secure by default. Kubernetes is a complex orchestration platform with many different implementations, across multi-cloud/hybrid environments. Configuring it to comply with security best practices and specific security requires time and expertise that most organizations don’t possess. Aqua’s open source tools arm Kubernetes administrators and developers with an easy way to identify weaknesses in their deployments so that they can address those issues before they are exploited by attackers. During this presentation, we’ll review how these open source tools offer preventive security for Kubernetes: Kube-Bench: checks a Kubernetes cluster against 100+ checks documented in the CIS Kubernetes Benchmark. Kube-Hunter: conducts penetration tests against Kubernetes clusters that hunt for exploitable vulnerabilities and misconfiguration - both from outside the cluster as well as inside it (running as a pod)

DevSecCon London 2018: Is your supply chain your achille's heel

DevSecCon

COLIN DOMONEY The advent of DevOps and large scale automation of software construction and delivery has elevated the software supply chain – and its underpinning delivery pipeline – to mission critical status in any modern enterprise. The increased velocity of modern pipelines and the removal of manual checks and balances has meant that modern pipelines are potential single points of failure in the delivery of secure software. Automotive and consumer electronics industries have long understood the need for both provenance (understanding the origin of materials) and veracity (ensuring the integrity of their manufacturing processes) in their supply chains; this presentation will address threats to software supply chains and practical approaches to reducing the fragility of your supply chain. Several examples of software supply chain failures will be presented and deconstructed to understand the typical failure modes. At the most elementary level many pipelines are poorly constructed with low levels of repeatability and poor test coverage, in other organisations there is a lack of governance over the supply chain allowing careless or willingly negligent actors to subvert or bypass controls or testing within the pipeline. There is also no standard mechanism to ensure a ‘chain of custody’ within a pipeline due to a lack common interchange format between tools, or a standard manner to represent the steps within a pipeline build process. This presentation will cover approaches (using ‘people and process’) in enforcing governance within a supply chain by describing best practices used in large-scale AppSec programmes. Several emerging technology initiatives will be presented: Google’s Grafeas is a means to ensure vulnerability information is represented in a uniform manner across all steps of a pipeline process, while In-Toto is a project to formally enforce the integrity of a pipeline process. A reference secure pipeline will be presented demonstrating both tools working in symphony, along with standard open source and commercial AppSec tools. Finally the pipeline itself may become the Achille’s Heel in an organisation – many pipelines are not sufficiently hardened and are themselves open to attack by use of vulnerable components and their extensible nature, often along with very wide open permissions. Guidance will be given on hardening of typical pipelines, and a fully secured ephemeral Jenkins pipeline will be demonstrated. Benefits of this Session: The attendee will gain an increased awareness of the pivotal importance of the software supply chain, and gain an understanding of some common failure modes and weaknesses. Most importantly the attendee will come away with practical guidance on enforcing higher levels of governance on their supply chain without reducing delivery velocity, as well as how to harden the pipeline infrastructure itself.

DevSecCon London 2018: Get rid of these TLS certificates

DevSecCon

Paweł Krawczyk Most network services and daemons now offer TLS transport protection and their managing certificates and TLS configuration for server farms may use more resources than actual configuration of these services. What if you could get rid of all this complexity and replace it by single transport protection protocol, securing all of the traffic between your servers trasparently and with single centralized key and configuration management? This will be a story of a successful implementation of IPSec protocols, largely and undeservedly forgotten in that purpose, for securing a farm of production cloud servers, with configuration centrally managed with Ansible.

DevSecCon London 2018: Open DevSecOps

DevSecCon

PETKO D. PETKOV Thanks to the DevSecOps philosophy a growing number of organisations around the world are ensuring their businesses are set up with the security in mind from the get-go. DevSecOps is taking the world by storm. This talk is about how to introduce DevSecOps in your organisation with ready-made, zero-cost, open source templates accessible to everyone. The talk will introduce the OpenDevSecOps project and show many practical examples of how to easily deploy security testing infrastructure on top of existing and well-established development tools.

More from DevSecCon (20)