New Farming Methods in the Epistemological Wasteland of Application Security



Slide 0

New Farming Methods in the Epistemological Wasteland of Application Security - @wickett


Slide 1

Slides: bit.ly/rdo-farming @wickett #ruggeddevops


Slide 2

James Wickett, Sr. Engineer, Signal Sciences, Austin, TX. Hands-on Gauntlt book. DevOps Days global organizer. LASCON organizer.


Slide 3

Application Security Telemetry and Monitoring, plus Defense! Application Security for the rest of us: an approach that integrates with devops organizations and doesn't inhibit going fast.


Slide 4



Slide 5



Slide 6

Summary
Software development is a constant experiment in knowing.
Application Security abdicated runtime responsibility and development responsibility through incoherent philosophical approaches and fostering silo-thinking.
Security now is where Ops was 7 years ago. Ops found a path to change through devops; security can too.
There are three ways we can add value: at development, at deploy, at runtime.


Slide 7

Practices
Bad-Behavior Driven Development
Weaponizing your CD Pipeline
Application Security Telemetry and Monitoring
Continuous Hardening and Audit
Have a S-BOM! (Software Bill of Materials)


Slide 8

Where do we come from


Slide 9

A study in how we know anything in Application Security


Slide 10

Spoiler Alert: We don't!


Slide 11

once upon a time…


Slide 12

What does it all mean? A Journey to the Epistemological Problem of Software Development


Slide 13

In our Innate Humanness we optimize for the probable


Slide 14

Unit Testing


Slide 15

Integration Testing


Slide 16

Happy Path Engineering


Slide 17

We also optimize for the possible


Slide 18

Over Engineering


Slide 19

The scaling algo that never got used…


Slide 20

There is too much to choose from in the realm of possible


Slide 21

Actually, we optimize for the perceived probable


Slide 22

How do we know what to create?


Slide 23

This is the problem


Slide 24

Epistemological Problem of Software Development


Slide 25

We gather data and rhetoric to support our theories


Slide 26

There are 3 major arcs currently in Software Development


Slide 27

We started as Civil Engineers


Slide 28

First Arc: Agile


Slide 29

Agile avoids the problem


Slide 30

Agile reminds us that we do not know what we are building


Slide 31



Slide 32

Behavior Driven Development


Slide 33

Agile + BDD = feedback


Slide 34

"Behavior Driven Development is a second-generation, outside-in, pull-based, multiple-stakeholder, multiple-scale, high-automation, agile methodology. It describes a cycle of interactions with well-defined outputs, resulting in the delivery of working, tested software that matters." - Dan North, 2009


Slide 35

Amplify Feedback Loop


Slide 36

Agile emphasizes feedback to developers from their overlords and sometimes even customers


Slide 37

TLDR; Rapid Iterations Win


Slide 38

Agile is our guiding Light


Slide 39

The world has changed since Agile


Slide 40

We don't sell CDs anymore


Slide 41

Software as a Service


Slide 42

The last fifteen years have brought a complete change in our delivery cadence, distribution mechanisms and revenue models


Slide 43

Second Arc: DevOps


Slide 44

"DevOps is the application of Agile methodology to system administration" - The Practice of Cloud System Administration (book)


Slide 45

DEVOPS


Slide 46

Agile Infrastructure


Slide 47

http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr


Slide 48

Less WIP, less technical debt


Slide 49

Customers actually using the feature while the developer is working on it


Slide 50

Great side effect: Produces Happy Developers


Slide 51



Slide 52



Slide 53

Devops realized that ops doesn't know what devs know, and vice versa


Slide 54

Dev : Ops = 10 : 1


Slide 55

DevOps is an Epistemological breakthrough joining people around a common problem


Slide 56

"Culture is the most important aspect to devops succeeding in the enterprise" - Patrick DeBois


Slide 57

Culture is shaped in part by values


Slide 58



Slide 59

Mutual Understanding
Shared Language
Shared Views
Collaborative Tooling


Slide 60

"DevOps is the inevitable result of needing to do efficient operations in a [distributed computing and cloud] environment." - Tom Limoncelli


Slide 61

https://puppetlabs.com/sites/default/files/2015-state-of-devops-report.pdf


Slide 62

TLDR; High-performing IT organizations experience 60X fewer failures and recover from failure 168X faster than their lower-performing peers. They also deploy 30X more frequently with 200X shorter lead times.


Slide 63

Culture, Automation, Measurement, Sharing - @damonedwards, @botchagalupe


Slide 64

Devops gone wrong


Slide 65

"That the word #devops gets reduced to technology is a manifestation of how badly we need a cultural shift" - @patrickdebois
http://www.slideshare.net/cm6051/london-devops-31-5-years-of-devops


Slide 66

Third Arc: Continuous Delivery


Slide 67

Continuous Delivery is not merely how often you deliver but how little you can deliver at a time


Slide 68

Delivery Pipelines are rad!


Slide 69

Batch Size of 1


Slide 70

Separation of Duties Considered Harmful


Slide 71

Give power to the Developers to deploy


Slide 72

Reduce Code Latency, Increase Code Velocity


Slide 73

3 Arcs: Agile, DevOps, Continuous Delivery


Slide 74

The next Arc: Rugged Security


Slide 75

"…Those stupid developers" - Security person


Slide 76

"Security prefers a system powered off and unplugged" - Developer


Slide 77

Cultural Unrest with security in most organizations


Slide 78

Compliance Driven Culture


Slide 79

"[Risk assessment] introduces a dangerous fallacy: that structured inadequacy is almost as good as adequacy and that underfunded security efforts plus risk management are about as good as properly funded security work"


Slide 80

Security is where ops was 7 years ago…


Slide 81

Dev : Ops : Sec = 100 : 10 : 1


Slide 82

Understaffing means no one thinks security helps the business win


Slide 83

DevOps changed that for Ops; security can change too


Slide 84

Netflix demonstrated that people care about resiliency


Slide 85

Innately, we all care


Slide 86

Rugged Software Movement


Slide 87

#ruggeddevops


Slide 88

https://vimeo.com/54250716


Slide 89

http://www.youtube.com/watch?v=jQblKuMuS0Y


Slide 90

Security's way forward is to help developers and help operations


Slide 91

Start there


Slide 92

Let's review Security's approach thus far


Slide 93

Bad Idea #1: Web Applications can't be defended, Firewalls Suck! Let's do developer training


Slide 94



Slide 95



Slide 96

Awareness campaign: OWASP Top Ten


Slide 97

We abandoned knowing anything useful about the Runtime


Slide 98

Instead, Add Defense based on behaviors


Slide 99

Bad Idea #2: Developers can't figure it out. Let's scan for vulnerabilities instead


Slide 100

"Here is a 400 page PDF of our findings to prove your developers don't get it!" - The Pen tester


Slide 101

Even with the emphasis on appsec training, in practice we made it a dark art


Slide 102

Integrated rugged testing should sit inside the pipeline


Slide 103

Bad Idea #3: With the new alignment to vulnerability scanning, there is a tendency to Fix the Low-Hanging Fruit


Slide 104



Slide 105

We still don't know who is attacking us


Slide 106

We still don't actually know what they are attacking


Slide 107

Real Threats go Unknown, so Developers fix what the automated tooling detected at a certain point in time


Slide 108

Add Application Security Telemetry


Slide 109

Bad Idea #4: Put in security tooling that no one outside of security can understand


Slide 110

usually in the name of compliance


Slide 111

"Get a Web App Firewall, dude!" - PCI-DSS Req 6.6


Slide 112



Slide 113

Choose your own adventure…


Slide 114

Consider a WAF… the smallest possible solution you can


Slide 115

Our CDN added ModSecurity Ruleset. Huzzah!


Slide 116

An appliance that blocks all the things


Slide 117

And now you wonder why no one eats lunch with you anymore


Slide 118

"Every aspect of managing WAFs is an ongoing process. This is the antithesis of set it and forget it technology. That is the real point of this research. To maximize value from your WAF you need to go in with everyone's eyes open to the effort required to get and keep the WAF running productively." - a whitepaper from a WAF vendor


Slide 119



Slide 120

OK, Security has to change… How do we add value already?


Slide 121

Two ways!


Slide 122

Add value to Devs
Add value to Ops


Slide 123

Pray that someone notices


Slide 124



Slide 125

Pro-Tip #1: Bad-Behavior Driven Development (automate those security tools!)


Slide 126

Start with adding just one test for XSS on a few pages in your app


Slide 127



Slide 128

gauntlt is Bad-Behavior Driven Development


Slide 129

GAUNTLT
Open source, MIT License
Gauntlt comes with pre-canned steps that hook security testing tools
Gauntlt does not install tools
Gauntlt wants to be part of the CI/CD pipeline
Be a good citizen of exit status and stdout/stderr


Slide 130



Slide 131



Slide 132



Slide 133

Be Mean to Your Code


Slide 134

Gauntlt uses Cucumber, and it's awesome


Slide 135



Slide 136



Slide 137

Example: here's an XSS attack


Slide 138

@slow @final
Feature: Look for cross site scripting (xss) using arachni against a URL

  Scenario: Using arachni, look for cross site scripting and verify no issues are found
    Given "arachni" is installed
    And the following profile:
      | name | value                 |
      | url  | http://localhost:8008 |
    When I launch an "arachni" attack with:
      """
      arachni --modules=xss --depth=1 --link-count=10 --autoredundant=2 <url>
      """
    Then the output should contain "0 issues were detected."


Slide 139

http://theagileadmin.com/2015/06/09/pragmatic-security-andrugged-devops/


Slide 140

github.com/gauntlt/gauntlt-demo


Slide 141

github.com/gauntlt/gauntlt-starter-kit


Slide 142

Hands-on Gauntlt Book: leanpub.com/hands-on-gauntlt


Slide 143

Pro-Tip #2: Put security testing in your continuous integration system


Slide 144



Slide 145



Slide 146

https://speakerdeck.com/garethr/battle-tested-code-without-the-battle


Slide 147

Pro-Tip #3: Add Application Security telemetry to devs and ops


Slide 148

Convert App Security Logs into metrics in the systems dev and ops use: StatsD


Slide 149

Run Time Correlation between biz, ops, dev, sec


Slide 150

SQLi Attempts + HTTP 500's, or transaction spikes + login decrease
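As an added illustration of slides 147 to 150 (not code from the talk or from Gauntlt), the following script turns constructed application log lines into per-minute counters, renders them in StatsD wire format, and flags minutes where injection probes and HTTP 500s rise together. The log format, metric names and thresholds are assumptions chosen for the example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Constructed sample log lines (assumed format: timestamp method path status).
SAMPLE_LOG = """\
2015-06-09T10:01:02Z GET /search?q=shoes 200
2015-06-09T10:01:05Z POST /login 200
2015-06-09T10:01:09Z GET /search?q=%27+OR+%271%27%3D%271 500
2015-06-09T10:01:11Z GET /item?id=1+UNION+SELECT+1,2,3 500
2015-06-09T10:01:14Z POST /login 401
2015-06-09T10:02:01Z GET /item?id=42 200
2015-06-09T10:02:03Z POST /login 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")
# Textbook SQL-injection probe shapes, matched against the URL-decoded query string.
SQLI_RE = re.compile(r"union\s+select|'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.IGNORECASE)

def parse_line(line):
    """Return a dict with the minute bucket, method, path and status, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, method, path, status = m.groups()
    return {"minute": ts[:16], "method": method, "path": path, "status": int(status)}

def is_sqli(path):
    return bool(SQLI_RE.search(unquote_plus(path.partition("?")[2])))

def metrics_per_minute(log_text):
    """Count per minute the sec, ops and biz signals the slides correlate."""
    buckets = defaultdict(Counter)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        c = buckets[rec["minute"]]
        c["http_5xx"] += int(rec["status"] // 100 == 5)
        c["sqli_attempts"] += int(is_sqli(rec["path"]))
        if rec["method"] == "POST" and rec["path"] == "/login":
            c["login_success" if rec["status"] == 200 else "login_failure"] += 1
    return buckets

def statsd_lines(counter, prefix="app.security"):
    """One flush interval rendered in StatsD wire format: metric:value|c."""
    return [f"{prefix}.{k}:{v}|c" for k, v in sorted(counter.items())]

def correlated_alerts(buckets, sqli_min=2, err_min=2):
    """Minutes where SQLi attempts and HTTP 5xx both cross their thresholds."""
    return [m for m, c in sorted(buckets.items())
            if c["sqli_attempts"] >= sqli_min and c["http_5xx"] >= err_min]
```

In a real deployment each `statsd_lines` entry would be sent over UDP to the StatsD daemon the ops team already runs, so the security counters land on the same dashboards as error rates and login volume.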


Slide 151

Runtime Instrumentation for Application Security


Slide 152

Pro-Tip #4: Get hugs from the auditors and add Hardening and Audit using config management


Slide 153

Open Source Hardening Framework (chef/puppet/ansible): http://hardening.io/


Slide 154

Run Nightly Audits of your Hardening using Config Management (Chef audit mode)
https://www.chef.io/blog/2015/04/09/chef-audit-mode-cis-benchmarks/


Slide 155

OS and Config Management


Slide 156

Reverse the trend: Add Value to Devs, Add Value to Ops


Slide 157

Summary
Software development is a constant experiment in knowing.
Application Security abdicated runtime responsibility and development responsibility through incoherent philosophical approaches and fostering silo-thinking.
Security now is where Ops was 7 years ago. Ops found a path to change through devops; security can too.
There are three ways we can add value: at development, at deploy, at runtime.


Slide 158

Practices
Bad-Behavior Driven Development
Weaponizing your CD Pipeline
Application Security Telemetry and Monitoring
Continuous Hardening and Audit
Have a S-BOM! (Software Bill of Materials)


Slide 159
