OG
Uploaded byOleg Gryb
PPTX, PDF1,464 views

Making Security Agile

The document discusses integrating security into development processes, emphasizing the need for agility in security practices due to rapid competition. It highlights the importance of automation and collaboration between security, development, and QA teams, while also outlining challenges with traditional security testing methods. The conclusion stresses that security must evolve with development methodologies to remain effective.

Embed presentation

Downloaded 26 times
Getting security up to speed (with CI/CD) Oleg Gryb, Sanjay Tambe – Samsung SSIC
Retrospective – Waterfall 2 http://brentmailphotography.com Making Security Agile
3 DREAD • Damage potential: How great is the damage if the vulnerability is exploited? • Reproducibility: How easy it is to reproduce the attack? • Exploitability: How easy it is to successfully exploit this condition? • Affected users: As a rough percentage, how many users are affected? • Discoverability: How easy it is to find the vulnerability? Making Security Agile
4 STRIDE • Spoofing • Tampering • Repudiation • Information disclosure • Denial of service • Elevation of privileges Making Security Agile
Old AppSec Summary  We’ve generated huge *doc and *xls with Threat Models and pen test results.  We wrote nice exec summaries and we presented details to Dev/OPS/DB teams  We had a cool heat map to visualize the risk allocation for execs.  Then we worked on remediation with developers – informal name “nagging”  We supported a security dashboard and reported/escalated to CTO weekly 5Making Security Agile
DevOps + Agile = Big Bang for Security 6Making Security Agile
What is SAMI  Our core product is an API based service running in a cloud that supports IoT devices in real time  They also include web applications built on top of that.  All of that runs in an agile mode, because competition is too high and losing is not an option  More details: www.samsungsami.io 7Making Security Agile
We had no choice 8 http://www.octopus.euhttp://brentmailphotography.com Making Security Agile
New Agile Reality aka Reqs  No 2-4 weeks for security purposes  Nobody cares about (or understand) formalities such as STRIDE, DREAD or heat maps  Forget about 2 full days of interviews, not possible  Nobody gives Environment for 2-3 weeks solely for pen testing. Need to share.  Need to do security as Dev process goes and in parallel  Need to be integrated better with the DevOps and QA teams 9Making Security Agile
Other Challenges for API products  You *can* pass an API URL to a scanner and tell “do automatic scanning” , but it’s not going to crawl. No Spidering is available.  You can manually call each and every API while on a scan proxy and then do scanning, but if you have too many ever changing API’s, you’ll die doing that  Sanjay will talk about our approach in details 10Making Security Agile
Aggravating factor – security testing is not exactly QA  QA test are deterministic, AppSec tests are anything but  You can’t dump all app scanner’s “findings” to a bug tracking system  You usually need to triage each finding and verify a severity before submitting it to a bug tracking system  In many cases you still need to explain your finding and remediation to developers 11Making Security Agile
Coming to a Solution  Since Security does require a manual review, our hypothesis was that we need a dashboard with a broad import/export capabilities  Import from scanners, export to bug tracking systems  All scanners should be automated to run regression  Should also allow manual testing and import for new features and products 12Making Security Agile
Making Security Agile 13 Scheduled Job Scheduled Job Manual testing Custom Tools Security Artists DevOps Team Notifications
Step-by-step instructions to configure security automation  Demo of Security Automation  Install open source software  Configure scans for Web applications  Configure security testing using QA regression 14Making Security Agile
15Making Security Agile
A. Install ThreadFix (in AWS or VM)  Download ThreadFix from http://www.threadfix.org/download/  Follow instructions to start ThreadFix https://github.com/denimgroup/threadfix/wi ki/Getting-Started  Enable port 8080 for external access.  Once ThreadFix is up and running, go to http://xxx.xxx.xxx.xxx:8080/threadfix in a web browser and accept warning from browser.  Username: user  Password: password 16Making Security Agile
B. Add users in Security team into ThreadFix 17Making Security Agile
C: Add Team in ThreadFix 18Making Security Agile
D. Add application Payments under Accounts team in Threadfix 19Making Security Agile
E. Application Payments under team Accounts 20Making Security Agile
F. Configure Defect tracker in Threadfix 21Making Security Agile
G. Visit application in ThreadFix and note application # Note: Application Id is shown as 31 for Payments app in URL in snapshot below. We will use this later when we upload findings in XML format from command line. 22Making Security Agile
H. Set Defect tracker for application in ThreadFix 23Making Security Agile
I. Enter login for Defect tracker 24Making Security Agile
J. Install ZAP  Download and Install open source ZAP (Zed Attack Proxy) on AWS/VM using following https://github.com/zaproxy/zaproxy/wiki/ Downloads?tm=2  We will be using ZAP on the AWS or VM in an headless mode (without UI).  Install ZAP on your laptop or Mac using above link. We will be using the UI to create sessions for web applications. 25Making Security Agile
K. ZAP UI 26Making Security Agile
L. Install web based job scheduler e.g. Juicebox  Install any Open source Cron job scheduler on AWS/VM. Configure scan Start scan 27Making Security Agile
BScan – burp automation and more Making Security Agile 28 • Automates burp using Ruby extensions • Allows adding custom tests to the same scan • Can be run as simple as: jruby –S bscan –c config • Will generate report automatically when completed • Can work in auto proxy mode • Configurable – can overwrite any Burp and custom settings • Version 3.0 is coming, stay tuned !
29Making Security Agile
Configure ThreadFix jar Use following commands in terminal mode on AWS/VM where ThreadFix is installed (obtain your API key from Threadfix) java -jar /home/user/tfcli.jar --set key 5fPO07kc8xyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxy java -jar /home/user/tfcli.jar --set url https://127.0.0.1/threadfix/rest 30Making Security Agile
Create Shell scripts to scan each application Note: Following is Payment.sh script to scan Payment web app. We use app id # 31 found earlier. 31Making Security Agile
Configure JuiceBox to schedule daily scan for Payment web app 32Making Security Agile
33Making Security Agile
Why use QA regression  Over the years, QA team has built hundreds or even thousands of functional test scripts. They continue to add new scripts everyday.  Security team can reuse the work done by QA team to do security testing.  They can use a proxy such as BURP or ZAP to analyze requests & responses to find any security vulnerabilities. 34Making Security Agile
Create separate application for QA regression 35Making Security Agile
Start ZAP Proxy  Use command such as following to start ZAP in headless mode on port 8085: java -Xmx2048m -jar /home/user/zap/ZAP_2.4.2/zap-2.4.2.jar -cmd -daemon -installdir /home/user/zap/ZAP_2.4.2 -config api.key=12345 -port 8085 Making Security Agile 36
Configure and start QA regression  Configure QA regression properties to use proxy running on port 8085.  Use command such as following to start QA regression (will vary depending on scripts used for your QA regression) mvn clean test -Dcategory=api - Dtarget.environment=qa -DexcludedGroups=in- progress,sdr,email,logs,cleanup - DuseProxy=true -DlocalProxy=true 37Making Security Agile
Save security findings from regression in XML form  At the end of regression, save findings in XML form: curl "http://localhost:8085/OTHER/core/other/xmlre port/?apikey=12345" > /home/user/temp/newpaymentregression.xml  Upload the findings to Threadfix using (app id for regression # 32 found earlier) java -jar /home/user/tfcli.jar --upload 32 /home/user/temp/newpaymentregression.xml Note: Above commands are part of automated script. 38Making Security Agile
39Making Security Agile
Review results in ThreadFix 40Making Security Agile
Review Findings 41Making Security Agile
Create defect 42Making Security Agile
Create defect in Issue Repository 43Making Security Agile
ThreadFix supports these scanners Making Security Agile 44
Security Transformation Cheat Sheet 45 From TO Two full days TM meetings with many people involved Participating in arch/design discussions through Confluence or other collab tools Very formal, “scientific” TM with DREAD, STRIDE residual risks, etc. Recommendations in JIRA coming from arch/design discussions DREAD, residual risks, etc. HML (High, Medium, Low) STRIDE CVE (usually automatically assigned by a tool) Manual pen testing for everything Selective pen testing for new features and products Expensive commercial scanners To OWASP ZAP, Burp, custom tools Docs and PDF reports, manual export to Dev bug tracking systems Exporting tickets directly to JIRA from Threadfix Running/uploading scans manually Automated batch jobs w auto-upload to Threadfix Making Security Agile
Conclusion  You cannot do security as you did it 5-10 years ago. Security must work in parallel w Dev.  Automate security testing by using scheduled jobs, auto-uploading “findings” to a dashboard  Use Security professionals to review findings  Make sure that findings are triaged before they are submitted to a bug tracking system  Don’t feed false positives to Dev or you’ll completely lose your credibility 46Making Security Agile
All of that can be formulated even shorter:  STOP wiring buttons that nobody will ever push © Lean Startup Conference - 2013  STOP creating new buzz words: security as code, security as service, DevSecOps, etc.  START DOING REAL JOB CALLED SECURITY AUTOMATION  Don’t forget about Security Artists, because security is just as politics – an art of possibilities and tools are very much useless without us 47Making Security Agile
THANKS FOR COMING! Sanjay Tambe – Security Architect @ SSIC Oleg Gryb – Sr. Manager, Security Engineering @ SSIC Twitter: @oleggryb 48Making Security Agile

More Related Content

PPTX
AppSec California 2016 - Making Security Agile
byOleg Gryb
 
PPTX
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
byKevin Fealey
 
PPTX
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
byKevin Fealey
 
PDF
Manual Code Review
byn|u - The Open Security Community
 
PDF
Shift Left Security
bygjdevos
 
PPTX
Integrating security into Continuous Delivery
byTom Stiehm
 
PDF
Threat-Modeling-as-Code: ThreatPlaybook AppSecUSA 2018 Presentation
byAbhay Bhargav
 
PPTX
Implementing an Application Security Pipeline in Jenkins
bySuman Sourav
 
AppSec California 2016 - Making Security Agile
byOleg Gryb
 
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
byKevin Fealey
 
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
byKevin Fealey
 
Manual Code Review
byn|u - The Open Security Community
 
Shift Left Security
bygjdevos
 
Integrating security into Continuous Delivery
byTom Stiehm
 
Threat-Modeling-as-Code: ThreatPlaybook AppSecUSA 2018 Presentation
byAbhay Bhargav
 
Implementing an Application Security Pipeline in Jenkins
bySuman Sourav
 

What's hot

PDF
Threat modeling with architectural risk patterns
byStephen de Vries
 
PDF
Bringing Security Testing to Development: How to Enable Developers to Act as ...
byAchim D. Brucker
 
PDF
Making DevSecOps a Reality in your Spring Applications
byHdiv Security
 
PPTX
Simplify Dev with Complicated Security Tools
byKevin Fealey
 
PDF
Dev seccon london 2016 intelliment security
byDevSecCon
 
PPTX
SecDevOps 2.0 - Managing Your Robot Army
byconjur_inc
 
PDF
Security champions v1.0
byDinis Cruz
 
PDF
Protection and Verification of Security Design Flaws
byHdiv Security
 
PDF
Legacy-SecDevOps (AppSec Management Debrief)
byDinis Cruz
 
PDF
Why should developers care about container security?
byEric Smalling
 
PDF
Using threat models to control project brief
byDinis Cruz
 
PPTX
Unit testing : what are you missing for security
bySuman Sourav
 
PPTX
Agile and Secure Development
byNazar Tymoshyk, CEH, Ph.D.
 
PPTX
Security as a new metric for Business, Product and Development Lifecycle
byNazar Tymoshyk, CEH, Ph.D.
 
PDF
Renato Rodrigues - Security in the wild
byDevSecCon
 
PDF
A Successful SAST Tool Implementation
byCheckmarx
 
PDF
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
byDenim Group
 
PDF
Secure Coding for Java - An Introduction
bySebastien Gioria
 
PPTX
Application Security at DevOps Speed and Portfolio Scale
byJeff Williams
 
PPTX
The path of secure software by Katy Anton
byDevSecCon
 
Threat modeling with architectural risk patterns
byStephen de Vries
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
byAchim D. Brucker
 
Making DevSecOps a Reality in your Spring Applications
byHdiv Security
 
Simplify Dev with Complicated Security Tools
byKevin Fealey
 
Dev seccon london 2016 intelliment security
byDevSecCon
 
SecDevOps 2.0 - Managing Your Robot Army
byconjur_inc
 
Security champions v1.0
byDinis Cruz
 
Protection and Verification of Security Design Flaws
byHdiv Security
 
Legacy-SecDevOps (AppSec Management Debrief)
byDinis Cruz
 
Why should developers care about container security?
byEric Smalling
 
Using threat models to control project brief
byDinis Cruz
 
Unit testing : what are you missing for security
bySuman Sourav
 
Agile and Secure Development
byNazar Tymoshyk, CEH, Ph.D.
 
Security as a new metric for Business, Product and Development Lifecycle
byNazar Tymoshyk, CEH, Ph.D.
 
Renato Rodrigues - Security in the wild
byDevSecCon
 
A Successful SAST Tool Implementation
byCheckmarx
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
byDenim Group
 
Secure Coding for Java - An Introduction
bySebastien Gioria
 
Application Security at DevOps Speed and Portfolio Scale
byJeff Williams
 
The path of secure software by Katy Anton
byDevSecCon
 

Viewers also liked

PDF
Informe scsi 2012 sobre ciberseguridad
byPablo Heraklio
 
PPTX
Software
bymacarenariann
 
PPTX
Viii congreso isaca 2015 grc
bybalejandre
 
PDF
Cyberseguridad en entornos empresariales
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PDF
Implementing NIST Cybersecurity Framework Using COBIT 5
byFrancisco Javier Peris Montesinos
 
PDF
Industrial cyber security_tgs_barcelona_jun_2015_v1.pptx
byItconic
 
PDF
ICION 2016 - Cyber Security Governance
byCharles Lim
 
PDF
Ciber... nacion: afrontando los retos del siglo XXI
byCorporacion Colombia Digital
 
PDF
¡¡Ya hemos llegado!! @socialbrainsES, @BETA_permanente y @dygytalyaCOM han na...
byPaco Barranco
 
PDF
End-user computing - The Mobile Workforce Report
byDimension Data Asia Pacific
 
PPTX
Digital transformation: introduction to cyber risk
byMosoco Ltd
 
PDF
Threat Intelligence in Cyber Risk Programs
byRahul Neel Mani
 
PDF
Cybersecurity for the digital age
byDimension Data Asia Pacific
 
PDF
The future of banking
byBarbara Biro
 
PDF
Application Security in an Agile World - Agile Singapore 2016
byStefan Streichsbier
 
PPTX
Cyber resilience (building the cyber security governance) isaca id tech ses ...
bySarwono Sutikno, Dr.Eng.,CISA,CISSP,CISM,CSX-F
 
PPTX
Ancaman cyber terhadap keamanan nasional cybersecurityy risk and control - ...
bySarwono Sutikno, Dr.Eng.,CISA,CISSP,CISM,CSX-F
 
PDF
DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...
byDevSecCon
 
PDF
Affects of Media on the Mind
byJanvi Pattni
 
PDF
Cybersecurity
byBen Liu
 
Informe scsi 2012 sobre ciberseguridad
byPablo Heraklio
 
Software
bymacarenariann
 
Viii congreso isaca 2015 grc
bybalejandre
 
Cyberseguridad en entornos empresariales
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
Implementing NIST Cybersecurity Framework Using COBIT 5
byFrancisco Javier Peris Montesinos
 
Industrial cyber security_tgs_barcelona_jun_2015_v1.pptx
byItconic
 
ICION 2016 - Cyber Security Governance
byCharles Lim
 
Ciber... nacion: afrontando los retos del siglo XXI
byCorporacion Colombia Digital
 
¡¡Ya hemos llegado!! @socialbrainsES, @BETA_permanente y @dygytalyaCOM han na...
byPaco Barranco
 
End-user computing - The Mobile Workforce Report
byDimension Data Asia Pacific
 
Digital transformation: introduction to cyber risk
byMosoco Ltd
 
Threat Intelligence in Cyber Risk Programs
byRahul Neel Mani
 
Cybersecurity for the digital age
byDimension Data Asia Pacific
 
The future of banking
byBarbara Biro
 
Application Security in an Agile World - Agile Singapore 2016
byStefan Streichsbier
 
Cyber resilience (building the cyber security governance) isaca id tech ses ...
bySarwono Sutikno, Dr.Eng.,CISA,CISSP,CISM,CSX-F
 
Ancaman cyber terhadap keamanan nasional cybersecurityy risk and control - ...
bySarwono Sutikno, Dr.Eng.,CISA,CISSP,CISM,CSX-F
 
DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...
byDevSecCon
 
Affects of Media on the Mind
byJanvi Pattni
 
Cybersecurity
byBen Liu
 

Similar to Making Security Agile

PPTX
Making Security Agile - Oleg Gryb
bySeniorStoryteller
 
ODP
Making security-agile matt-tesauro
byMatt Tesauro
 
PPTX
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
byAbhay Bhargav
 
PDF
OWASP San Antonio Meeting 10/2/20
byDenim Group
 
PDF
BSides Vienna 2015
byDaniel Liber
 
ODP
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
byMatt Tesauro
 
PDF
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
byDenim Group
 
PDF
Shifting Security Left - The Innovation of DevSecOps - AgileDC
byTom Stiehm
 
PDF
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
byDicodingEvent
 
PDF
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
byMatt Tesauro
 
PDF
Taking AppSec to 11 - BSides Austin 2016
byMatt Tesauro
 
PDF
DevSecOps: essential tooling to enable continuous security 2019-09-16
byRich Mills
 
PDF
Including security in devops
byJérémy Matos
 
PDF
AppSec in an Agile World
byDavid Lindner
 
PPTX
Application security testing in the age of Agile development - by Julio Cesar...
byBlaze Information Security
 
ODP
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
byMatt Tesauro
 
PPTX
Agile security
byArthur Donkers
 
PDF
The What, Why, and How of DevSecOps
byCprime
 
PDF
DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)
byRich Mills
 
PPTX
Agile Gurugram Conference 2020 | Keeping software secure in agile | Gurpreet ...
byAgileNetwork
 
Making Security Agile - Oleg Gryb
bySeniorStoryteller
 
Making security-agile matt-tesauro
byMatt Tesauro
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
byAbhay Bhargav
 
OWASP San Antonio Meeting 10/2/20
byDenim Group
 
BSides Vienna 2015
byDaniel Liber
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
byMatt Tesauro
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
byDenim Group
 
Shifting Security Left - The Innovation of DevSecOps - AgileDC
byTom Stiehm
 
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
byDicodingEvent
 
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
byMatt Tesauro
 
Taking AppSec to 11 - BSides Austin 2016
byMatt Tesauro
 
DevSecOps: essential tooling to enable continuous security 2019-09-16
byRich Mills
 
Including security in devops
byJérémy Matos
 
AppSec in an Agile World
byDavid Lindner
 
Application security testing in the age of Agile development - by Julio Cesar...
byBlaze Information Security
 
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
byMatt Tesauro
 
Agile security
byArthur Donkers
 
The What, Why, and How of DevSecOps
byCprime
 
DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)
byRich Mills
 
Agile Gurugram Conference 2020 | Keeping software secure in agile | Gurpreet ...
byAgileNetwork
 

Recently uploaded

PDF
Introduction to Modern Artificial Intelligence.pdf
byAI n Dot Net
 
PPTX
How CFD Simulations Support Sustainable Data Center Design Optimization
byWeb Synergies
 
PDF
eresource Xcel ERP for Maunfacturing - Best Manufacturing ERP for SME
byeresource Infotech Pvt.Ltd
 
PDF
Langchain4J – An Introduction for Impatient Developers
byJuarez Junior
 
PPTX
Pitch Deck for MEVIA OS - No Apps, Infinite, Decentralized Operating System
byDr. Edwin Hernandez
 
PDF
ACE Aarhus February 2026: Atlassian news
byDanielEriksen5
 
PDF
Lost Android Phone Recovery_ Steps That Work Fast.pdf
byIsabella Reed
 
PDF
The Ultimate Guide to Real Estate Tokenization Platforms
byDaniel Smith
 
PDF
Building Smarter AI: 16 RAG Approaches for Accuracy, Memory, and Reasoning Vi...
byVineet Sharma
 
PDF
Build Modern Applications with Amazon Aurora DSQL- AWS User Group Bonn 2026
byVadym Kazulkin
 
PDF
Taxi App UIUX Design for Seamless Ride Booking
byV3CUBE TECHNOLABS
 
PPTX
Data Skills for Business Analysts: What You Need to Succeed
byScott W. Ambler
 
PPTX
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
PDF
Ontwikkel sneller en veiliger met GitHub Copilot
byDelta-N
 
PDF
Ecommerce Website Development Services - Web Panel Solutions.pdf
byWEB PANEL SOLUTIONS
 
PDF
Clean Architecture with Vertical Slice Architecture in .NET 8
byVineet Sharma
 
PDF
SAP ERP to SAP S_4HANA Cloud Private Edition Delta Scope
bychuck78
 
PDF
Ready, Set, REST! Introducing MySQL's Built-In REST Service
byMiguel Araújo
 
PPTX
Best Digital Marketing Company in Lucknow
bydigitallearning9277
 
PDF
On Demand Massage Therapist Booking App Development
byV3CUBE TECHNOLABS
 
Introduction to Modern Artificial Intelligence.pdf
byAI n Dot Net
 
How CFD Simulations Support Sustainable Data Center Design Optimization
byWeb Synergies
 
eresource Xcel ERP for Maunfacturing - Best Manufacturing ERP for SME
byeresource Infotech Pvt.Ltd
 
Langchain4J – An Introduction for Impatient Developers
byJuarez Junior
 
Pitch Deck for MEVIA OS - No Apps, Infinite, Decentralized Operating System
byDr. Edwin Hernandez
 
ACE Aarhus February 2026: Atlassian news
byDanielEriksen5
 
Lost Android Phone Recovery_ Steps That Work Fast.pdf
byIsabella Reed
 
The Ultimate Guide to Real Estate Tokenization Platforms
byDaniel Smith
 
Building Smarter AI: 16 RAG Approaches for Accuracy, Memory, and Reasoning Vi...
byVineet Sharma
 
Build Modern Applications with Amazon Aurora DSQL- AWS User Group Bonn 2026
byVadym Kazulkin
 
Taxi App UIUX Design for Seamless Ride Booking
byV3CUBE TECHNOLABS
 
Data Skills for Business Analysts: What You Need to Succeed
byScott W. Ambler
 
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
Ontwikkel sneller en veiliger met GitHub Copilot
byDelta-N
 
Ecommerce Website Development Services - Web Panel Solutions.pdf
byWEB PANEL SOLUTIONS
 
Clean Architecture with Vertical Slice Architecture in .NET 8
byVineet Sharma
 
SAP ERP to SAP S_4HANA Cloud Private Edition Delta Scope
bychuck78
 
Ready, Set, REST! Introducing MySQL's Built-In REST Service
byMiguel Araújo
 
Best Digital Marketing Company in Lucknow
bydigitallearning9277
 
On Demand Massage Therapist Booking App Development
byV3CUBE TECHNOLABS
 

Making Security Agile

  • 1.
    Getting security upto speed (with CI/CD) Oleg Gryb, Sanjay Tambe – Samsung SSIC
  • 2.
  • 3.
    3 DREAD • Damage potential:How great is the damage if the vulnerability is exploited? • Reproducibility: How easy it is to reproduce the attack? • Exploitability: How easy it is to successfully exploit this condition? • Affected users: As a rough percentage, how many users are affected? • Discoverability: How easy it is to find the vulnerability? Making Security Agile
  • 4.
    4 STRIDE • Spoofing • Tampering •Repudiation • Information disclosure • Denial of service • Elevation of privileges Making Security Agile
  • 5.
    Old AppSec Summary We’ve generated huge *doc and *xls with Threat Models and pen test results.  We wrote nice exec summaries and we presented details to Dev/OPS/DB teams  We had a cool heat map to visualize the risk allocation for execs.  Then we worked on remediation with developers – informal name “nagging”  We supported a security dashboard and reported/escalated to CTO weekly 5Making Security Agile
  • 6.
    DevOps + Agile= Big Bang for Security 6Making Security Agile
  • 7.
    What is SAMI Our core product is an API based service running in a cloud that supports IoT devices in real time  They also include web applications built on top of that.  All of that runs in an agile mode, because competition is too high and losing is not an option  More details: www.samsungsami.io 7Making Security Agile
  • 8.
    We had nochoice 8 http://www.octopus.euhttp://brentmailphotography.com Making Security Agile
  • 9.
    New Agile Realityaka Reqs  No 2-4 weeks for security purposes  Nobody cares about (or understand) formalities such as STRIDE, DREAD or heat maps  Forget about 2 full days of interviews, not possible  Nobody gives Environment for 2-3 weeks solely for pen testing. Need to share.  Need to do security as Dev process goes and in parallel  Need to be integrated better with the DevOps and QA teams 9Making Security Agile
  • 10.
    Other Challenges forAPI products  You *can* pass an API URL to a scanner and tell “do automatic scanning” , but it’s not going to crawl. No Spidering is available.  You can manually call each and every API while on a scan proxy and then do scanning, but if you have too many ever changing API’s, you’ll die doing that  Sanjay will talk about our approach in details 10Making Security Agile
  • 11.
    Aggravating factor –security testing is not exactly QA  QA test are deterministic, AppSec tests are anything but  You can’t dump all app scanner’s “findings” to a bug tracking system  You usually need to triage each finding and verify a severity before submitting it to a bug tracking system  In many cases you still need to explain your finding and remediation to developers 11Making Security Agile
  • 12.
    Coming to aSolution  Since Security does require a manual review, our hypothesis was that we need a dashboard with a broad import/export capabilities  Import from scanners, export to bug tracking systems  All scanners should be automated to run regression  Should also allow manual testing and import for new features and products 12Making Security Agile
  • 13.
    Making Security Agile13 Scheduled Job Scheduled Job Manual testing Custom Tools Security Artists DevOps Team Notifications
  • 14.
    Step-by-step instructions to configuresecurity automation  Demo of Security Automation  Install open source software  Configure scans for Web applications  Configure security testing using QA regression 14Making Security Agile
  • 15.
  • 16.
    A. Install ThreadFix(in AWS or VM)  Download ThreadFix from http://www.threadfix.org/download/  Follow instructions to start ThreadFix https://github.com/denimgroup/threadfix/wi ki/Getting-Started  Enable port 8080 for external access.  Once ThreadFix is up and running, go to http://xxx.xxx.xxx.xxx:8080/threadfix in a web browser and accept warning from browser.  Username: user  Password: password 16Making Security Agile
  • 17.
    B. Add usersin Security team into ThreadFix 17Making Security Agile
  • 18.
    C: Add Teamin ThreadFix 18Making Security Agile
  • 19.
    D. Add applicationPayments under Accounts team in Threadfix 19Making Security Agile
  • 20.
    E. Application Paymentsunder team Accounts 20Making Security Agile
  • 21.
    F. Configure Defecttracker in Threadfix 21Making Security Agile
  • 22.
    G. Visit applicationin ThreadFix and note application # Note: Application Id is shown as 31 for Payments app in URL in snapshot below. We will use this later when we upload findings in XML format from command line. 22Making Security Agile
  • 23.
    H. Set Defecttracker for application in ThreadFix 23Making Security Agile
  • 24.
    I. Enter loginfor Defect tracker 24Making Security Agile
  • 25.
    J. Install ZAP Download and Install open source ZAP (Zed Attack Proxy) on AWS/VM using following https://github.com/zaproxy/zaproxy/wiki/ Downloads?tm=2  We will be using ZAP on the AWS or VM in an headless mode (without UI).  Install ZAP on your laptop or Mac using above link. We will be using the UI to create sessions for web applications. 25Making Security Agile
  • 26.
    K. ZAP UI 26MakingSecurity Agile
  • 27.
    L. Install webbased job scheduler e.g. Juicebox  Install any Open source Cron job scheduler on AWS/VM. Configure scan Start scan 27Making Security Agile
  • 28.
    BScan – burpautomation and more Making Security Agile 28 • Automates burp using Ruby extensions • Allows adding custom tests to the same scan • Can be run as simple as: jruby –S bscan –c config • Will generate report automatically when completed • Can work in auto proxy mode • Configurable – can overwrite any Burp and custom settings • Version 3.0 is coming, stay tuned !
  • 29.
  • 30.
    Configure ThreadFix jar Usefollowing commands in terminal mode on AWS/VM where ThreadFix is installed (obtain your API key from Threadfix) java -jar /home/user/tfcli.jar --set key 5fPO07kc8xyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxy java -jar /home/user/tfcli.jar --set url https://127.0.0.1/threadfix/rest 30Making Security Agile
  • 31.
    Create Shell scriptsto scan each application Note: Following is Payment.sh script to scan Payment web app. We use app id # 31 found earlier. 31Making Security Agile
  • 32.
    Configure JuiceBox toschedule daily scan for Payment web app 32Making Security Agile
  • 33.
  • 34.
    Why use QAregression  Over the years, QA team has built hundreds or even thousands of functional test scripts. They continue to add new scripts everyday.  Security team can reuse the work done by QA team to do security testing.  They can use a proxy such as BURP or ZAP to analyze requests & responses to find any security vulnerabilities. 34Making Security Agile
  • 35.
    Create separate applicationfor QA regression 35Making Security Agile
  • 36.
    Start ZAP Proxy Use command such as following to start ZAP in headless mode on port 8085: java -Xmx2048m -jar /home/user/zap/ZAP_2.4.2/zap-2.4.2.jar -cmd -daemon -installdir /home/user/zap/ZAP_2.4.2 -config api.key=12345 -port 8085 Making Security Agile 36
  • 37.
    Configure and startQA regression  Configure QA regression properties to use proxy running on port 8085.  Use command such as following to start QA regression (will vary depending on scripts used for your QA regression) mvn clean test -Dcategory=api - Dtarget.environment=qa -DexcludedGroups=in- progress,sdr,email,logs,cleanup - DuseProxy=true -DlocalProxy=true 37Making Security Agile
  • 38.
    Save security findingsfrom regression in XML form  At the end of regression, save findings in XML form: curl "http://localhost:8085/OTHER/core/other/xmlre port/?apikey=12345" > /home/user/temp/newpaymentregression.xml  Upload the findings to Threadfix using (app id for regression # 32 found earlier) java -jar /home/user/tfcli.jar --upload 32 /home/user/temp/newpaymentregression.xml Note: Above commands are part of automated script. 38Making Security Agile
  • 39.
  • 40.
    Review results inThreadFix 40Making Security Agile
  • 41.
  • 42.
  • 43.
    Create defect inIssue Repository 43Making Security Agile
  • 44.
  • 45.
    Security Transformation CheatSheet 45 From TO Two full days TM meetings with many people involved Participating in arch/design discussions through Confluence or other collab tools Very formal, “scientific” TM with DREAD, STRIDE residual risks, etc. Recommendations in JIRA coming from arch/design discussions DREAD, residual risks, etc. HML (High, Medium, Low) STRIDE CVE (usually automatically assigned by a tool) Manual pen testing for everything Selective pen testing for new features and products Expensive commercial scanners To OWASP ZAP, Burp, custom tools Docs and PDF reports, manual export to Dev bug tracking systems Exporting tickets directly to JIRA from Threadfix Running/uploading scans manually Automated batch jobs w auto-upload to Threadfix Making Security Agile
  • 46.
    Conclusion  You cannotdo security as you did it 5-10 years ago. Security must work in parallel w Dev.  Automate security testing by using scheduled jobs, auto-uploading “findings” to a dashboard  Use Security professionals to review findings  Make sure that findings are triaged before they are submitted to a bug tracking system  Don’t feed false positives to Dev or you’ll completely lose your credibility 46Making Security Agile
  • 47.
    All of thatcan be formulated even shorter:  STOP wiring buttons that nobody will ever push © Lean Startup Conference - 2013  STOP creating new buzz words: security as code, security as service, DevSecOps, etc.  START DOING REAL JOB CALLED SECURITY AUTOMATION  Don’t forget about Security Artists, because security is just as politics – an art of possibilities and tools are very much useless without us 47Making Security Agile
  • 48.
    THANKS FOR COMING! SanjayTambe – Security Architect @ SSIC Oleg Gryb – Sr. Manager, Security Engineering @ SSIC Twitter: @oleggryb 48Making Security Agile

Editor's Notes

  • #3 We’ve just returned from an AppSecUSA conference where quite a few folks were talking about security automation tools, which is cool of course. We love tools, but it’s not about tools only, it’s about how well your security process is integrated to SDLC. Going back 5 to 7 years our SDLC model was still very much Waterfall and our security process was adjusted well to it: We had 2 full days for onsite interviews Business owners, s/w and DB architects, Dev, OPS, QA were available to sit with us for those two days and talk about security and threats We were buttoned up and very formal We’ve created our own scoring system based on DREAD We created Threat Models based on interviews, We categorized findings based on STRIDE, After TM was completed we would start our pen testing. We had 2-4 weeks to complete it! We used heavy commercial tools to do static and dynamic analysis
  • #4 I won’t talk much about DREAD, it’s very much dead and it’s dead because of a good reason. You were required to score each dread category, and it was a pure guestimate anyway. It looks scientific because it has categories, but is essence it’s worth than just assigning a score in simple HML terms, because HML is very intuitive and can be easily understood by everyone.
  • #5 STRIDE – again, looks scientific and cool, but that categorization is very abstract and it’s difficult to practically apply it, because some vulnerabilities will fall into several categories, while for others will be difficult to find a match for. When you use CVE, it’s actually something that has a match in real world, easy to understand and most importantly it will be automatically created by many scanners and understood by dashboard such as Threadfix.
  • #6 It was very much like a waterfall model, where we had a “security gateway” clearly defined. There was no way to by-pass It was clearly “us” and “them” model, meaning that our involvement to Dev matters or Dev involvement to our matters was limited. It required a significant time and money to support all that There was an essential lag between a sec assessment and a release date, which could result in big differences between production and what we’ve tested and reviewed. Fixing was not easy, “nagging” didn’t always work
  • #7 And then Big Bang has happened. It happened because everybody has moved to Agile SDLC and new projects started flying over our head with a huge velocity. We’ve realized at this point that we could not do all those cool things that we did in the waterfall model.
  • #8 It’s not only about agility and speed. There were other issues that were coming form the products that we need to support. It’s all about API’s today. Web applications become just a thin wrapper built on the top of API’s. Let us take a quick look at the product that we support.
  • #9 We had no choice. We needed to move from a waterfall to agile quickly. We’ve looked around at what is available. We’ve realized quickly that some new buzz words such as “security as code” or “security as service”, do not mean much and do not allow creating a comprehensive E2E security process alone. It usually goes like this: We write code and build services and they will solve ALL our security problems. No we won’t and I don’t even want to go to this discussion until I see a comprehensive security scanner that doesn’t produce “false positives” and gets all severities right. Or after someone figures out how to design apps with all necessary sec controls in place from day one.
  • #10 “Us” and “them” model didn’t work anymore. We need to move with the team at their pace.
  • #13 This is how we’d come to our solution. This is our reasoning.
  • #14 Explain diagram. Our security team is not big, it’s two permanent people. Security artists as we modestly call ourselves, 1-2 consultants and people in other teams who support our projects. Our QA team is probably 4 times bigger and Sanjay will talk today about automating the process and utilizing QA unit tests, thousand of them to implement security.
  • #46 What remained unchanged here is a necessity to review the results and start working with developers on remediation. What we try to avoid are tools that generate a lot of false positives, because it creates road block for automation
  • #48 I took it from a Lean Startup conference and I think it’s very appropriate for our sec transformation process. Sec as code is overstatement. You can’t solve all your security problems just by writing code. You need to do more than that. That sec automation job does include writing code, creating sec services and an agile security process, but don’t forget about “security artists” who can make sense of tons of data generated by scanners and other tools, because security is still very much like politics, which is an art of possibilities I’m still missing the old process a bit and ask myself often: did we through out any babies with bath waters during this transformation? The answer is probably “yes”, but this is the nature of any agile approach, it usually bears bigger risks, not only in security domain and we’ll have to live with it. Security artists are people who can make sense of ravings generated by security tools.