SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOps by Thomas Konrad

Klassifikation: Öffentlich
Welcome
to the SBA Live Academy
#bleibdaheim #remotelearning
Today: Software Security – Towards a Mature Lifecycle and DevSecOps
by Thomas Konrad
This talk will be recorded as soon as the presentation starts!
Recording will end BEFORE the Q&A Session starts.
Please be sure to turn off your video in your control panel.

Classification: Customer 2SBA Research gGmbH, 2020
$ whoami
Thomas Konrad
$ id
uid=123(tom)
gid=0(SBA Research)
gid=1(Vienna, Austria)
gid=2(Software Security)
gid=3(Penetration Testing)
gid=4(Software Development)
gid=5(Security Training)
gid=6(sec4dev Conference & Bootcamp)

Classification: Public 3Photo by Quino Al on UnsplashSBA Research gGmbH, 2020

Classification: Public 4Photo by NASA on UnsplashSBA Research gGmbH, 2020

Classification: Public 5Photo by Braden Collum on UnsplashSBA Research gGmbH, 2020

Classification: Public 6
Security Costs Money, Right?
Perspectives on (software) security.
SBA Research gGmbH, 2020

Time Is Money

Risk vs. Security Controls
SQLi
XSS
CSRF
UserAccountSecurity
AccessControl
XXE
Deserial.
ComponentswithVulns
TLS
Logging
Crypto

So You Want More Money?
No. I want to use the
limited resources
more efficiently.
SBA Research gGmbH, 2020 Photo by Fabian Blank on Unsplash

Gartner Application Security Hype Cycle

Solution Approaches
Steps towards the future of software security.

Classification: Public 12SBA Research gGmbH, 2020
We need to shift security
left in the software
development lifecycle.
Photo by Suzanne D. Williams on Unsplash

Backwards Security Integration
How can I
recover?
How do I
react?
How do I
identify
problems?
How do I
protect?
What do I
have to
protect and
why?
Ad-hocSecurity integration
Security test
before go-live
Incident / CISO
intervention

14
Shifting Left
Image source: https://www.cigital.com/blog/what-is-the-secure-software-development-lifecycle/
SBA Research gGmbH, 2020 Classification: Public

15
Threat Model Example: Account Security
Threat modeling as part of the design process
Threat Severity1 C/I/A Countermeasures
Password guessing High C/I/- (Temporary) user lockout, password
policy, MFA, transparency (device lists
and notifications, with Device Tokens)
Account lockout Medium -/-/A Selective lockout (with Device Tokens)
Misuse of known
passwords (public
lists, other apps, ...)
Medium C/I/- MFA
Someone dumps the
DB on the Internet
Medium C/I/- Proper hashes (Argon2)
Enumerating valid
user names
Low C/-/- (Generic error messages, constant timing
on all requests containing the user name)
1 The severity really depends on the classification of your data. Don’t see them as absolute and unchangeable values.
SBA Research gGmbH, 2020 Classification: Public

We need to bridge the
gap between security
and agility.
Photo by Sonja Guina on Unsplash

What is DevSecOps?
DevSecOps is thinking about security
from the start.
https://www.redhat.com/en/topics/devops/what-is-devsecops, 2018 State of DevOps Report

What is DevSecOps?
DevSecOps is security
automation and measurement.

What is DevSecOps?
DevSecOps is sharing
between teams.

What is DevSecOps?
DevSecOps is evolving from
immediate pain to strategic focus.

“Are security
teams involved in
technology design
and deployment?”
Yes
39%No
61%
Team Respondents
Yes
64%
No
36%
C-Suite Respondents
2018 State of DevOps Report,
Puppet + Splunk

How To Make DevSecOps Work
#1: Start with simplification.
• Tool re-use is easier in a common tech stack.
• More flexibility for dev staff to work on different
projects.
• Fewer moving parts to maintain, upgrade, learn.
Partially taken from the 2018 State of DevOps Report by Puppet + Splunk

#2: Push existing pockets of success.
• Give a well-working team resources to build
security automation.
• Advertise to others how this buys them time to
do more fun stuff.
• Make source code available to other teams.

#3: Offer self-service security tools.
• A dedicated, cross-project, well-integrated team
for security automation.
• Pick people with good social skills.
• Get external help where necessary.

#4: Work with both empowerment and
accountability.
• Mutually enforcing DevSecOps pillars of
automation and measurement.
• Build dashboards with performance indicators.
• Play it open.

#5: Create and promote a culture of continuous
learning.
• Understanding security means understanding
technology in detail.
• Make teams work together in new ways.
• Stop the blaming culture.
• Offer security training.

Let’s face it: You are not going to
fix your company’s culture
overnight.
Take your time but be dedicated.
Photo by Les Anderson on Unsplash

Skill Levels of a Developer
1. Write messy, insecure code
2. Write clean code
3. Write testable code
1. High cohesion
2. loose coupling
4. Write actual tests
5. Hack the own code
6. Write secure code

Which Types Of Test?
• Write a simple integration test!
• For functional and unit tests, test the right parts

What Shall I Automate First?
1. Upon every push
1. Test for known vulnerabilities in external
libraries and frameworks.
2. Scan your containers for known vulnerabilities.
2. On a regular basis
1. Scan your infrastructure.
2. Do SAST / IAST / DAST.

Dynamic Tests: Known-Good Requests
GET /profile/profile-picture?thumbnail-width=200
Input Validation
Original or scaled?
Read from filesystem Ask scaling microservice
×
×SBA Research gGmbH, 2020

Results Are Just Symptoms
• Repeatedly fixing the same vulnerabilities?
o Consider changing the architecture and technology!
o Update common requirements!
o Update architecture recommendations!
o Add it to the threat model!
o Update secure coding guidelines!
o Implement a test in the common test suite!
o Talk about it!
• Selective fixes are just security painkillers!

What Performance Indicators Shall I Collect?
• Number of vulnerabilities/LoC over time
• Time to fix
• Number of security-related tickets/LoC
• ...
Make sure the numbers are contextually specific!

Classification: Public 35SBA Research gGmbH, 2020 Photo by Austin Distel on Unsplash
There will be vulnerabilities and
there will be attacks.
The question is how we deal with them.

Key Takeaways
Steps you can do to push yourself forward.

Key Takeaways, 1/2
• DevSecOps is a culture thing, and culture things
take time.
• It’s all about integrating security earlier.
• Security is hard. Consider that when assigning
roles.
• The difference between a good team and a bad
team is how they deal with difficult situations.

Key Takeaways, 2/2
• Steps towards DevSecOps
o #1: Start with simplification.
o #2: Push existing pockets of success.
o #3: Offer self-service security tools.
o #4: Work with both empowerment and accountability.
o #5: Create and promote a culture of continuous learning.

Thomas Konrad
SBA Research gGmbH
Floragasse 7, 1040 Wien
+43 664 889 272 17
tkonrad@sba-research.org
Twitter: @_thomaskonrad

Klassifikation: Öffentlich 41
#stayhome #remotelearning
Coming up @ SBA Live Academy
April 14, 5 pm CET, live:
„Passwords: Policy and Storage
with NIST SP800-63b“
by Jim Manico!
Join our MeetUp Group!
https://www.meetup.com/Security-Meetup-by-SBA-
Research/

SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOps by Thomas Konrad

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOps by Thomas Konrad

Similar to SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOps by Thomas Konrad (20)

More from SBA Research

More from SBA Research (20)

Recently uploaded

Recently uploaded (20)

SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOps by Thomas Konrad