Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

New Farming Methods in the Epistemological Wasteland of Application Security

14,861 views

Published on

Over the years, application security (appsec) has made progress, but it has also made some considerable mis-steps. Appsec focuses almost solely on developer awareness and secure development training as remediation. This isn't sustainable and arguably does little good. There is a better way, but we have to separate ourselves from the core assumptions we have made that got us here. Lets journey together to find old truths and better approaches.

We will explore ways to make a change for the better across all levels of the development lifecycle, but we will focus on security testing early on in the development process. From this session, you will learn pragmatic approaches and tooling that will affect your development processes and delivery pipelines. You will walk away with code examples and tools that you can put into practice right away for security and rugged testing.

http://lascon.org

http://lascon2015.sched.org/event/175e3c828095386b2fa0fc660b2502a3

Published in: Software
  • Sex in your area is here: www.bit.ly/sexinarea
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Unlock Her Legs is your passage way to a life full of loving and sex... read more ... ♥♥♥ http://t.cn/AijLRbnO
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Dating for everyone is here: www.bit.ly/2AJerkH
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Imagine if you could tap into the power of the Universe, literally turn yourself into a money magnet. That would be incredible right? ●●● https://bit.ly/2mganVe
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • My special guest's 3-Step "No Product Funnel" can be duplicated to start earning a significant income online. ★★★ http://ishbv.com/j1r2c/pdf
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

New Farming Methods in the Epistemological Wasteland of Application Security

  1. New Farming Methods in the Epistemological Wasteland of Application Security - @wickett
  2. @wickett #ruggeddevops bit.ly/rdo-farming Slides
  3. @wickett #ruggeddevops James Wickett SR. ENGINEER, SIGNAL SCIENCES AUSTIN, TX HANDS-ON GAUNTLT BOOK DEVOPS DAYS GLOBAL ORGANIZER LASCON ORGANIZER
  4. Application Security Telemetry and Monitoring Plus Defense! Application Security for the rest of us An approach that integrates with devops organizations doesn't inhibit going fast
  5. 5
  6. @wickett #ruggeddevops
  7. @wickett #ruggeddevops Software development is a constant experiment in knowing Application Security abdicated runtime responsibility and development responsibility through incoherent philosophical approaches and fostering silo-thinking Security now is where Ops was 7 years ago. Ops found a path to change through devops, security can too There are three ways we can add value: at development, at deploy, at runtime Summary
  8. @wickett #ruggeddevops Bad-Behavior Driven Development Weaponizing your CD Pipeline Application Security Telemetry and Monitoring Continuous Hardening and Audit Have a S-BOM! (Software Bill of Materials) Practices
  9. @wickett #ruggeddevops Where do we come from
  10. @wickett #ruggeddevops A study in how we know anything in Application Security
  11. @wickett #ruggeddevops Spoiler Alert: We don’t !
  12. @wickett #ruggeddevops once upon a time…
  13. @wickett #ruggeddevops What does it all mean? A Journey to the Epistemological Problem of Software Development
  14. @wickett #ruggeddevops In our Innate Humanness We optimize for the probable
  15. @wickett #ruggeddevops Unit Testing
  16. @wickett #ruggeddevops Integration Testing
  17. @wickett #ruggeddevops Happy Path Engineering
  18. @wickett #ruggeddevops We also optimize for the possible
  19. @wickett #ruggeddevops Over Engineering
  20. @wickett #ruggeddevops The scaling algo that never got used…
  21. @wickett #ruggeddevops There is too much to choose from in the realm of possible
  22. @wickett #ruggeddevops Actually, we optimize for the perceived probable
  23. @wickett #ruggeddevops How do we know what to create?
  24. @wickett #ruggeddevops This is the problem
  25. @wickett #ruggeddevops Epistemological Problem of Software Development
  26. @wickett #ruggeddevops We gather data and rhetoric to support our theories
  27. @wickett #ruggeddevops There are 3 major arcs currently in Software Development
  28. @wickett #ruggeddevops We started as Civil Engineers
  29. @wickett #ruggeddevops First Arc: Agile
  30. @wickett #ruggeddevops Agile avoids the problem
  31. @wickett #ruggeddevops Agile reminds that we dont know what we are building
  32. @wickett #ruggeddevops
  33. @wickett #ruggeddevops Behavior Driven Development
  34. @wickett #ruggeddevops BDD = Agile + feedback
  35. @wickett #ruggeddevops Behavior Driven Development is a second-generation, outside–in, pull- based, multiple-stakeholder, multiple- scale, high-automation, agile methodology. It describes a cycle of interactions with well-defined outputs, resulting in the delivery of working, tested software that matters. Dan North , 2009
  36. @wickett #ruggeddevops Amplify Feedback Loop
  37. @wickett #ruggeddevops Agile emphasizes feedback to developers from their overlords and sometimes even customers
  38. @wickett #ruggeddevops TLDR; Rapid Iterations Win
  39. @wickett #ruggeddevops Agile is our guiding Light
  40. @wickett #ruggeddevops The world has changed since Agile
  41. @wickett #ruggeddevops We don’t sell CD’s anymore
  42. @wickett #ruggeddevops Software as a Service
  43. @wickett #ruggeddevops The last fifteen years have brought a complete change in our delivery cadence, distribution mechanisms and revenue models
  44. @wickett #ruggeddevops Second Arc: DevOps
  45. @wickett #ruggeddevops DEVOPS IS THE APPLICATION OF AGILE METHODOLOGY TO SYSTEM ADMINISTRATION - THE PRACTICE OF CLOUD SYSTEM ADMINISTRATION BOOK
  46. @wickett #ruggeddevops DEVOPS
  47. @wickett #ruggeddevops Agile Infrastructure
  48. @wickett #ruggeddevops http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr
  49. @wickett #ruggeddevops Less WIP Less technical debt
  50. @wickett #ruggeddevops Customers actually using the feature while the developer is working on it
  51. @wickett #ruggeddevops Great side effect: Produces Happy Developers
  52. @wickett #ruggeddevops
  53. @wickett #ruggeddevops
  54. @wickett #ruggeddevops Devops realized that ops doesn’t know what devs know and vice versa
  55. @wickett #ruggeddevops Dev : Ops 10 : 1
  56. @wickett #ruggeddevops DevOps is an Epistemological breakthrough joining people around a common problem
  57. @wickett #ruggeddevops Culture is the most important aspect to devops succeeding in the enterprise - Patrick DeBois
  58. @wickett #ruggeddevops Culture is shaped in part by values
  59. @wickett #ruggeddevops
  60. @wickett #ruggeddevops Mutual Understanding Shared Language Shared Views Collaborative Tooling
  61. @wickett #ruggeddevops DEVOPS IS THE INEVITABLE RESULT OF NEEDING TO DO EFFICIENT OPERATIONS IN A [DISTRIBUTED COMPUTING AND CLOUD] ENVIRONMENT. - TOM LIMONCELLI
  62. @wickett #ruggeddevops https://puppetlabs.com/sites/default/files/2015-state-of-devops-report.pdf
  63. @wickett #ruggeddevops TLDR; High-performing IT organizations experience 60X fewer failures and recover from failure 168X faster than their lower-performing peers. They also deploy 30X more frequently with 200X shorter lead times.
  64. @wickett #ruggeddevops Culture Automation Measurement Sharing - @damonedwards, @botchagalupe
  65. @wickett #ruggeddevops Devops gone wrong
  66. @wickett #ruggeddevops “THAT THE WORD #DEVOPS GETS REDUCED TO TECHNOLOGY IS A MANIFESTATION OF HOW BADLY WE NEED A CULTURAL SHIFT” - @PATRICKDEBOIS http://www.slideshare.net/cm6051/london-devops-31-5-years-of-devops
  67. @wickett #ruggeddevops Third Arc: Continuous Delivery
  68. @wickett #ruggeddevops Continuous Delivery is not merely how often you deliver but how little you can deliver at a time
  69. @wickett #ruggeddevops Delivery Pipelines are rad!
  70. @wickett #ruggeddevops Batch Size of 1
  71. @wickett #ruggeddevops Separation of Duties Considered Harmful
  72. @wickett #ruggeddevops Give power to the Developers to deploy
  73. @wickett #ruggeddevops Reduce Code Latency Increase Code Velocity
  74. @wickett #ruggeddevops 3 Arcs: Agile DevOps Continuous Delivery
  75. @wickett #ruggeddevops The next Arc: Security Rugged
  76. @wickett #ruggeddevops “…Those stupid developers” - Security person
  77. @wickett #ruggeddevops “Security prefers a system powered off and unplugged” - Developer
  78. @wickett #ruggeddevops Cultural Unrest with security in most organizations
  79. @wickett #ruggeddevops Compliance Driven Culture
  80. @wickett #ruggeddevops “[RISK ASSESSMENT] INTRODUCES A DANGEROUS FALLACY: THAT STRUCTURED INADEQUACY IS ALMOST AS GOOD AS ADEQUACY AND THAT UNDERFUNDED SECURITY EFFORTS PLUS RISK MANAGEMENT ARE ABOUT AS GOOD AS PROPERLY FUNDED SECURITY WORK”
  81. @wickett #ruggeddevops Security is where ops was 7 years ago…
  82. @wickett #ruggeddevops Dev : Ops : Sec 100 : 10 : 1
  83. @wickett #ruggeddevops Understaffing means no one thinks security helps the business win
  84. @wickett #ruggeddevops DevOps changed that for Ops, security can change too
  85. @wickett #ruggeddevops Netflix demonstrated that people care about resiliency
  86. @wickett #ruggeddevops Innately, we all care
  87. @wickett #ruggeddevops Rugged Software Movement
  88. @wickett #ruggeddevops #ruggeddevops
  89. @wickett #ruggeddevops https://vimeo.com/54250716
  90. @wickett #ruggeddevops http://www.youtube.com/watch?v=jQblKuMuS0Y
  91. @wickett #ruggeddevops Security’s way forward is to help developers and help operations
  92. @wickett #ruggeddevops Start there
  93. @wickett #ruggeddevops Let’s review Security’s approach thus far
  94. @wickett #ruggeddevops BadIdea #1 Applications can’t be defended—Web App Firewalls Suck! lets do developer training
  95. @wickett #ruggeddevops
  96. @wickett #ruggeddevops
  97. @wickett #ruggeddevops Awareness campaign OWASP Top Ten
  98. @wickett #ruggeddevops We abandoned knowing anything useful about the Runtime
  99. @wickett #ruggeddevops Instead Add Defense based on behaviors
  100. @wickett #ruggeddevops BadIdea #2 Developers can’t figure it out. lets scan for vulnerabilities instead
  101. @wickett #ruggeddevops “here is a 400 page PDF of our findings to prove your developers don't get it!” - The Pen tester
  102. @wickett #ruggeddevops Even with the emphasis on appsec training, in practice we made it a dark art
  103. @wickett #ruggeddevops Integrated rugged testing should sit inside the pipeline
  104. @wickett #ruggeddevops BadIdea #3 With the new alignment to vulnerability scanning, there is a tendency to Fix the Low-Hanging Fruit
  105. @wickett #ruggeddevops
  106. @wickett #ruggeddevops we still don't know who is attacking us
  107. @wickett #ruggeddevops We still don't actually know what they are attacking
  108. @wickett #ruggeddevops Real Threats go Unknown so Developers fix what the automated tooling detected at a certain point in time
  109. @wickett #ruggeddevops Add Application Security Telemetry
  110. @wickett #ruggeddevops badidea #4 Put in tooling that no one outside of security can understand
  111. @wickett #ruggeddevops usually in the name of compliance
  112. @wickett #ruggeddevops “Get a Web App Firewall dude!” - PCI-DSS Req 6.6
  113. @wickett #ruggeddevops
  114. @wickett #ruggeddevops Choose your own adventure…
  115. @wickett #ruggeddevops smallest possible solution you can consider a WAF…
  116. @wickett #ruggeddevops Our CDN added ModSecurity Ruleset Huzzah!
  117. @wickett #ruggeddevops An appliance that blocks all the things
  118. @wickett #ruggeddevops And now you wonder why no one eats lunch with you anymore
  119. @wickett #ruggeddevops “every aspect of managing WAFs is an ongoing process. This is the antithesis of set it and forget it technology. That is the real point of this research. To maximize value from your WAF you need to go in with everyone’s eyes open to the effort required to get and keep the WAF running productively.” - a whitepaper from a WAF vendor
  120. @wickett #ruggeddevops
  121. @wickett #ruggeddevops Ok, Security has to change… How do we add value already?
  122. @wickett #ruggeddevops Two ways!
  123. @wickett #ruggeddevops Add value to Devs Add value to ops
  124. @wickett #ruggeddevops Pray that someone notices
  125. @wickett #ruggeddevops
  126. @wickett #ruggeddevops Pro-Tip #1 Bad-Behavior Driven Development (automate those security tools!)
  127. @wickett #ruggeddevops Start with Adding just one test for XSS on a few pages in your app
  128. @wickett #ruggeddevops
  129. @wickett #ruggeddevops gauntlt is Bad-Behavior Driven Development
  130. @wickett #ruggeddevops GAUNTLT Open source, MIT License Gauntlt comes with pre-canned steps that hook security testing tools Gauntlt does not install tools Gauntlt wants to be part of the CI/CD pipeline Be a good citizen of exit status and stdout/stderr
  131. @wickett #ruggeddevops
  132. @wickett #ruggeddevops
  133. @wickett #ruggeddevops
  134. @wickett #ruggeddevops Be Mean to Your Code
  135. @wickett #ruggeddevops Gauntlt Uses Cucumber and its awesome
  136. @wickett #ruggeddevops
  137. @wickett #ruggeddevops
  138. @wickett #ruggeddevops here’s an XSS attack Example
  139. @wickett #ruggeddevops @slow @final Feature: Look for cross site scripting (xss) using arachni against a URL Scenario: Using arachni, look for cross site scripting and verify no issues are found Given "arachni" is installed And the following profile: | name | value | | url | http://localhost:8008 | When I launch an "arachni" attack with: """ arachni --modules=xss --depth=1 --link-count=10 --auto- redundant=2 <url> """ Then the output should contain "0 issues were detected."
  140. @wickett #ruggeddevops http://theagileadmin.com/2015/06/09/pragmatic-security-and- rugged-devops/
  141. @wickett #ruggeddevops github.com/gauntlt/gauntlt-demo
  142. @wickett #ruggeddevops github.com/gauntlt/gauntlt-starter-kit
  143. @wickett #ruggeddevops leanpub.com/hands-on-gauntlt Hands-on Gauntlt Book
  144. @wickett #ruggeddevops Pro-tip #2 Put security testing in your continuous integration system
  145. @wickett #ruggeddevops
  146. @wickett #ruggeddevops
  147. @wickett #ruggeddevops https://speakerdeck.com/garethr/battle-tested-code-without-the-battle
  148. @wickett #ruggeddevops Pro-Tip #3 Add Application Security telemetry to devs and ops
  149. @wickett #ruggeddevops Convert App Security Logs into metrics in the systems dev and ops use StatsD
  150. @wickett #ruggeddevops RunTime Correlation between biz, ops, dev, sec
  151. @wickett #ruggeddevops SQLi Attempts + HTTP 500’s or login spikes + transaction decrease
  152. @wickett #ruggeddevops Runtime Instrumentation for Application Security
  153. @wickett #ruggeddevops Pro-Tip #4 Get hugs from the auditors and add Hardening and Audit using config management
  154. @wickett #ruggeddevops Open Source Hardening Framework chef/puppet/ansible http://hardening.io/
  155. @wickett #ruggeddevops Run Nightly Audits of your Hardening using Config Management (Chef audit mode) https://www.chef.io/blog/2015/04/09/chef-audit-mode-cis-benchmarks/
  156. @wickett #ruggeddevops OS and Config Management
  157. @wickett #ruggeddevops reverse the trend Add Value to Devs Add Value to Ops
  158. @wickett #ruggeddevops Software development is a constant experiment in knowing Application Security abdicated runtime responsibility and development responsibility through incoherent philosophical approaches and fostering silo-thinking Security now is where Ops was 7 years ago. Ops found a path to change through devops, security can too There are three ways we can add value: at development, at deploy, at runtime Summary
  159. @wickett #ruggeddevops Bad-Behavior Driven Development Weaponizing your CD Pipeline Application Security Telemetry and Monitoring Continuous Hardening and Audit Have a S-BOM! (Software Bill of Materials) Practices

×