Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Shifting Security Left Varrun Ramani Staff Software Engineer - Security Okta, Inc. Engineer
Patch in a fast and fabulous fashion while mitigating risk of regression Vuln Patching Software Development that is inhere...
SaaS Security 1
Requirements Design Implementation QA SDLC 1 - 3 months Release Bug Fix Threat Modeling Static Code Analysis Dynamic Scans...
Pull Request CI Master Staging Pre-Prod Prod 1 week sprint 1 week 1 week SDLC (agile)
0 22.5 45 67.5 90 Before PR Before Merge Before Code Freeze After Staging After Pre-Prod After Prod Re-Architect Diminishi...
Use Big Images To Show Ideas Do Security teams scale?
Security : Developer 120:1 60:1 25:1 VMware Google Okta Org Size Security Budget
What to Automate? How to Automate? Automate
Baking security into CI/CD
Runtime security Checks 1. External Reports 2. Pentests 3. Bug Bounty 4. Threat Modeling Identify patterns in vulnerabilit...
1 2 3 4 AUTOMATION PROCESS Identify gaps Risk Prioritization Build Test Suites Triaging Failures
Higher false positive rate Slow test suite Automated issue filing for manual triage Nightly Runs Low to Zero false positiv...
Bad Code Patterns Avoid use of deprecated or insecure algorithms in the code-base like MD5 and SHA1 Problem
Bad Code Patterns Static analysis of code using PMD XPATH = XML (DOM) representation of an AST Supports JAVA rules Solution
Bad Code Patterns
Bad Code Patterns Can extend this to other bad usages like SHA1 Insecure TLS algorithms like SSLv3, TLSv1 Insecure cipher ...
Dependency Checking 1. Detect dependencies with vulnerabilities before merge Check in old library version with CVEs 2. Det...
Dependency Checking Automate dependency scanning in CI OWASP dependency check New Dependencies Test Suite in CI Add existi...
Dependency Checking Demo
Secure by default 2
Why secure by default? Crypto is Hard
StackOverflow is a security engineer’s worst nightmare Why secure by default?
Why secure by default?
Libraries need tuning for secure configuration Why secure by default?
Secure Design Principles 1 2 3 Transparent Easy to Use Secure by default
Tools of the Trade • JAVA/Spring • Annotations • Aspects • Interceptors/Filters
What to wrap? • Encryption • Random Number Generators • HTTPS/TLS • Authorization • Serialization (XML / JSON) • …..
Fostering a Security culture 3
Security Training….. One time wonders No engagement Full day training Theory oriented NOT FUN!
Attack and Defense CTFsJeopardy Style CTFs
CTFs Fun Engaging Gamified Always on-line
Community Send Developers (or ask to go) to security conferences BSides DEFCON AppSecUSA Host events at work Brown Bags In...
Security Champions De-centralize security Find and report vulnerabilities Champion/Advocate security in their product area...
Patching Vulnerabilities 4
Route a % of traffic to patched infrastructure. e.g. library upgrades Canaries Log the result of enforcement for new behav...
Summary Share your passion for security Automate Security Write secure code Go fast but stay safe
Thank you
Questions? @varrunr varrunr-ecorp/security-automation varrunr-ecorp/common-crypto
Upcoming SlideShare
Loading in …5
×

Shifting security left

39 views

Published on

https://www.meetup.com/OWASP-Toronto/events/269168248/

Software as a Service(SaaS) delivery is agile, undergoes fast iterations and needs to ship early to provide value to customers. Security can be more often than not an after-thought and vulnerabilities found after release can be expensive to fix or re-architect. Security teams don't scale with the size of the development organization and there is an increasing need to include security as early in the development lifecycle as possible. This talk will cover:

1. Strategies and tools to embed security early within the CI/CD pipeline with examples.
2. The need to build secure-by-default libraries and software design to abstract security away from the developer with focus on a JAVA stack
3. Fostering a culture of security within a development organization
4. Data driven approaches to reduce time to patch vulnerabilities while mitigating risk of regression

Published in: Technology
no profile picture user

  • Be the first to comment

  • Be the first to like this

Shifting security left

  1. 1. Shifting Security Left Varrun Ramani Staff Software Engineer - Security Okta, Inc. Engineer
  2. 2. Patch in a fast and fabulous fashion while mitigating risk of regression Vuln Patching Software Development that is inherently secure by default. Secure-by-default Problems with security today and the trend towards “shifting left” Introduction How to foster a culture of security Security Culture How to bake security into your CI/CD pipelines CI/CD OVERVIEW
  3. 3. SaaS Security 1
  4. 4. Requirements Design Implementation QA SDLC 1 - 3 months Release Bug Fix Threat Modeling Static Code Analysis Dynamic Scans Penetration Testing Secure Code Reviews Bug Bounty
  5. 5. Pull Request CI Master Staging Pre-Prod Prod 1 week sprint 1 week 1 week SDLC (agile)
  6. 6. 0 22.5 45 67.5 90 Before PR Before Merge Before Code Freeze After Staging After Pre-Prod After Prod Re-Architect Diminishing Returns Time to patch SDLC
  7. 7. Use Big Images To Show Ideas Do Security teams scale?
  8. 8. Security : Developer 120:1 60:1 25:1 VMware Google Okta Org Size Security Budget
  9. 9. What to Automate? How to Automate? Automate
  10. 10. Baking security into CI/CD
  11. 11. Runtime security Checks 1. External Reports 2. Pentests 3. Bug Bounty 4. Threat Modeling Identify patterns in vulnerabilities What to Automate? Static code Analysis 1. Bad code patterns 2. Insecure defaults 1. Lack of authorization 2. Dynamic Scans 3. Input Sanitization / Injection
  12. 12. 1 2 3 4 AUTOMATION PROCESS Identify gaps Risk Prioritization Build Test Suites Triaging Failures
  13. 13. Higher false positive rate Slow test suite Automated issue filing for manual triage Nightly Runs Low to Zero false positive rate Requires approval from security engineer Blocking Merges Informational for developer Alert security team Building Test Suites Alerting Only
  14. 14. Bad Code Patterns Avoid use of deprecated or insecure algorithms in the code-base like MD5 and SHA1 Problem
  15. 15. Bad Code Patterns Static analysis of code using PMD XPATH = XML (DOM) representation of an AST Supports JAVA rules Solution
  16. 16. Bad Code Patterns
  17. 17. Bad Code Patterns Can extend this to other bad usages like SHA1 Insecure TLS algorithms like SSLv3, TLSv1 Insecure cipher suites for the client/server Random vs SecureRandom XML parser configuration for potential XXE For legitimate use-cases Contract with third party API Backwards compatibility
  18. 18. Dependency Checking 1. Detect dependencies with vulnerabilities before merge Check in old library version with CVEs 2. Detect vulnerabilities in existing dependencies in real-time 3. Library upgrades are time intensive Cheaper to detect pre-merge Problem
  19. 19. Dependency Checking Automate dependency scanning in CI OWASP dependency check New Dependencies Test Suite in CI Add existing vulnerable dependencies to the “suppression list” Action: Prevent Merge or Informational Failure Existing Dependencies Run nightly job Action: Create Issue OR Manual Triage Add false positives or known issues to “suppression list” Solution
  20. 20. Dependency Checking Demo
  21. 21. Secure by default 2
  22. 22. Why secure by default? Crypto is Hard
  23. 23. StackOverflow is a security engineer’s worst nightmare Why secure by default?
  24. 24. Why secure by default?
  25. 25. Libraries need tuning for secure configuration Why secure by default?
  26. 26. Secure Design Principles 1 2 3 Transparent Easy to Use Secure by default
  27. 27. Tools of the Trade • JAVA/Spring • Annotations • Aspects • Interceptors/Filters
  28. 28. What to wrap? • Encryption • Random Number Generators • HTTPS/TLS • Authorization • Serialization (XML / JSON) • …..
  29. 29. Fostering a Security culture 3
  30. 30. Security Training….. One time wonders No engagement Full day training Theory oriented NOT FUN!
  31. 31. Attack and Defense CTFsJeopardy Style CTFs
  32. 32. CTFs Fun Engaging Gamified Always on-line
  33. 33. Community Send Developers (or ask to go) to security conferences BSides DEFCON AppSecUSA Host events at work Brown Bags Interest Groups Content Recorded Conference Talks Research Papers Internal Speakers External Speakers
  34. 34. Security Champions De-centralize security Find and report vulnerabilities Champion/Advocate security in their product area / team Reward/Recognition creates secure habits
  35. 35. Patching Vulnerabilities 4
  36. 36. Route a % of traffic to patched infrastructure. e.g. library upgrades Canaries Log the result of enforcement for new behavior with metadata to debug. Soft-Checks Persistent (DB) flags that can be enabled per tenant at run-time. Reversible Feature Flags DATA DRIVEN MODELS
  37. 37. Summary Share your passion for security Automate Security Write secure code Go fast but stay safe
  38. 38. Thank you
  39. 39. Questions? @varrunr varrunr-ecorp/security-automation varrunr-ecorp/common-crypto

×