¡ ¡ W14 ¡ Security ¡Testing ¡ Wednesday, ¡October ¡23rd, ¡2019 ¡3:00 ¡PM ¡ ¡ ¡ ¡ ¡ Continuous ¡Application ¡Security ¡Testing ¡ ¡ Presented ¡by: ¡ ¡ ¡ ¡ Josh ¡Gibbs ¡ ¡ Contrast ¡Security ¡ ¡ Brought ¡to ¡you ¡by: ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ 888 -‑-‑-‑ 268 -‑-‑-‑ 8770 ¡ ·√·√ ¡904 -‑-‑-‑ 278 -‑-‑-‑ 0524 ¡-‑ ¡info@techwell.com ¡-‑ ¡http://www.starcanada.techwell.com/ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡
Josh ¡Gibbs ¡ ¡ Josh ¡Gibbs ¡is ¡a ¡senior ¡customer ¡success ¡manager ¡at ¡Contrast ¡Security, ¡where ¡he ¡ helps ¡companies ¡build ¡security ¡into ¡their ¡applications. ¡Prior ¡to ¡his ¡current ¡role, ¡Josh ¡ led ¡the ¡security ¡testing ¡team ¡at ¡a ¡major ¡cloud ¡hosting ¡provider. ¡He ¡has ¡previously ¡ worked ¡in ¡development ¡and ¡security ¡roles ¡within ¡the ¡marketing ¡technology ¡and ¡ finance ¡industries. ¡In ¡his ¡spare ¡time, ¡Josh ¡enjoys ¡gardening, ¡barbecuing, ¡and ¡ spending ¡time ¡with ¡his ¡family. ¡ ¡
Continuous Application Security Testing Presented by Josh Gibbs @appsecjosh Security Impacts of CI/CD Automated tests and reliable deployments simplify fixing vulnerabilities. • Shifting left can move decisions from managers to engineers. • More data is not always better data. Beware of analysis paralysis. • Vulnerability scans and penetration tests may appear less effective when vulnerabilities are fixed earlier. • Business Logic Vulnerabilities Typically found by matching patterns, analyzing data flows, and injecting values • Remediation via code changes • Mitigate with application layer controls (WAF/RASP) • Platform Vulnerabilities Typically found by reviewing configuration, checking lists of vulnerable versions, and replaying common attacks • Remediation via patching • Mitigate with network layer and operating system controls (firewall, user permissions, etc.) • Tools at a Glance Static Analysis Dynamic Analysis Interactive Analysis Approach White Box Black Box Gray Box Artifact Assessed Code Running App Code & Running App Notable Limitations Language support, Lack of Application state, API’s, Language support, attack visibility to entire system Client-rendered pages types detected Time to Run Minutes to Days Hours to Weeks Seconds to Days Precision Specific line of code File or Page/Route Specific line of code Favors Coverage, Speed Exploitable flaws Exploitable flaws, Speed At the expense of False positives Speed, Coverage False negatives Note: This table is a broad generalization of tools to help plan where to use tools in pipelines. Continuous Security Activities Design Code Review Package Validate Deploy Development Compile + Story Programming Health Checks Activities Code Review Integration System Tests Definition + Unit Tests + Smoke Test Tests Security Secure Threat Library Interactive Security Activities Coding + Unit Static Analysis Modeling Checks Analysis Smoke Test Tests
Suggestions for Improving Security Testing 1. Start with threat modeling to focus effort on risks relevant to your system. Store the threat model with your engineering documentation. ◦ Review the threat model periodically, and update it as the attack surface changes. ◦ If a security incident occurs, highlight the attacker’s actions in the threat model. ◦ 2. Choose feedback methods that emphasize the action you want. Archival: PDF reports & e-mails ◦ Manager’s attention: Dashboards, e-mailed spreadsheet ◦ Fix before deploying: build failure, chat notification, pull request status/comment ◦ 3. Create an internal “how-to” guide for what to do when fixing a security bug. OWASP is a great reference. ◦ 4. Plan to triage existing, but previously unknown, vulnerabilities when introducing new tools. Consider first results to be “security backlog.” ◦ Establish policy of “No new security issues.” ◦ 5. Define success measures that relate to business objectives. Cost (time and fees) of unplanned security events ◦ Time to perform security assessment ◦ Time to fix vulnerabilities (total age by severity) ◦ Number of vulnerabilities detected and released knowingly. ◦ 6. Create post-deployment security health checks. TLS configuration (ciphers, certificate validity) ◦ HTTP security headers ◦ 7. Tag security tests in unit, integration, system test suites. Authentication, authorization, session management ◦ User registration, password recovery ◦ Financial transactions - checkout, coupon redemption ◦ 8. Include abuse cases in user stories. “As an administrator, I should not be able to view a user’s payment card data.” ◦ 9. Automatically collect and archive evidence of compliance. Git logs ◦ Test results ◦ Pull request discussions ◦ Deployment history ◦ 10. Be specific with penetration testers. “This is everything we know to be running. Verify that we have no other exposures.” ◦ “We just started running our apps in containers. Can you try to compromise the host OS from a container?” ◦ Additional Resources OWASP Application Security Verification Standard (ASVS) • https://github.com/OWASP/ASVS DevOps Audit Defense Toolkit • http://images.itrevolution.com/documents/DevOps_Audit_Defense_Toolkit_v1.0.pdf Verizon Data Breach Investigations Report • https://enterprise.verizon.com/resources/reports/dbir/ OWASP Cheat Sheet Series • https://cheatsheetseries.owasp.org/
Recommend
More recommend