What is Rugged all about? Matt Konda - PowerPoint PPT Presentation

  1. What is ‘Rugged’ all about? Matt Konda

  2. He would want me to tell you
  • Software is eating the world.
  • DevOps and Security is a rare opportunity.
  • Makes security positive, cultural+
  • Show the Rugged Manifesto
  • Honey Badger = Security + DevOps …
  • Empathy, Empathy, Empathy
  • Bridge communities!

  3. He would want me to emphasize
  • Instrumentation
  • Be Mean To Your Code
  • Complexity is the Enemy
  • Change Management (Automation through tooling)
  • Empathy (Did I say that yet?)

  4. He would want me to mention
  • By updating our software (and its dependencies) we can address a huge amount of attack surface.
  • DevOps should be good at this.
  • Empathy (Did I say that yet?)

  5. OWASP?

  6. Introduction
  Technologies: Clojure, Perl, J2EE, Agile, Ruby, Graph Database, J2EE, Java Applet, Spring, Rails, DevOps, C++, Analytics. MS in CS.
  Timeline (1997, 2006, 2014): Software Engineer, Consultant, Architect, Director of Engineering, Consultant, Founder, Growing. Products: Certificate Authority, Vulnerability Scanner, Penetration Test Manager, Pricing.
  Trying to hack a business model that succeeds while helping developers.
  Domains: Retail, Banking, Manufacturing, Pharma, Healthcare, Research.
  Rabble Rouser: Chicago BSides 2011, 2012; Defcon Skytalk; OWASP Chicago, MSP 2013; AppSec USA 2012, 2013; ChicagoRuby 2013; Secure 360; Lone Star Ruby 2013; WindyCityRails 2013; Chicago JUG 2014; RailsConf 2014; Converge 2014; Chicago Coder Conference 2015.
  Projects: DevOps / Automation, Training, Coaching, Code Review, Plugged in to SDLC, Consulting, Assessments.
  @mkonda mkonda@jemurai.com

  7. This was a setup. Chicago style.

  8. But in Chicago, we make the best of every situation.

  9. Positive Software Security Matt Konda

  10. Let’s learn what we can from Rugged (applied to DevOps)

  11. I recognize that software has become a foundation of our modern world. I recognize the awesome responsibility that comes with this foundational role. I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended. I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic and national security. I recognize these things – and I choose to be rugged.

  14. Reminiscent of the Agile Manifesto Perhaps?

  15. Let’s talk about adversaries…

  16. This year, organized crime became the most frequently seen threat actor for Web App Attacks. Source: Verizon 2015 Data Breach Investigations Report

  17. Threat model

  18. Security Examples

  19. SELECT "orders".* FROM "orders" WHERE (rewards_code = ' a') union select id, 'product', 1, 1, 'cc', 'cvv', 'expiration', email as first_name, encrypted_password as last_name, created_at, updated_at, id, 'reward' from users; -- ')

  20. Getting Rugged? Train. Search for string concatenation (+, append); prefer parameterized queries! Do code review. Use static analysis. Use web app scanning.

  21. Output Encoding: < becomes &lt; and > becomes &gt;

  22. Getting Rugged? Train. Search for {{{, innerHTML, .raw, utext, etc. Do code review. Use static analysis. Use web app scanning.
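Slides 20 and 22 both say "search for" the risky patterns. The following is an added example, not code from the talk: a small code-review grep in Ruby that flags SQL assembled by concatenation or interpolation and raw/unescaped output helpers. The rule names, the regular expressions and the sample source are all constructed for this example.

```ruby
# Added example, not code from the talk: a lightweight code-review grep in the
# spirit of slides 20 and 22. It flags what the slides say to search for: SQL
# assembled by concatenation/interpolation, and raw/unescaped output helpers.
# Rule names, patterns and the sample source are constructed for this example.
RULES = {
  sql_concat: [
    /\bwhere\(\s*["'].*["']\s*\+/,        # where("... '" + param + "'")
    /\bwhere\(\s*["'].*#\{/,               # where("... #{param}")
    /\bfind_by_sql\(\s*["'].*(\+|#\{)/     # raw SQL built with + or #{}
  ],
  raw_output: [
    /\{\{\{/, /\binnerHTML\b/, /\.raw\b/, /<%=\s*raw\b/, /\butext\b/, /\bhtml_safe\b/
  ]
}.freeze

# Returns [{line:, rule:, text:}] for every line matching a rule (first rule wins).
def review_source(source)
  findings = []
  source.each_line.with_index(1) do |text, lineno|
    RULES.each do |rule, patterns|
      next unless patterns.any? { |re| text =~ re }
      findings << { line: lineno, rule: rule, text: text.strip }
      break
    end
  end
  findings
end

# Constructed sample: lines 1, 3, 4 and 6 are risky; lines 2 and 5 use safe forms.
SAMPLE = <<~'SRC'
  orders = Order.where("rewards_code = '" + params[:code] + "'")
  orders = Order.where("rewards_code = ?", params[:code])
  users  = User.find_by_sql("select * from users where email = '#{params[:email]}'")
  <%= raw @comment.body %>
  <%= @comment.body %>
  document.getElementById("out").innerHTML = data;
SRC

if __FILE__ == $PROGRAM_NAME
  review_source(SAMPLE).each { |f| puts "line #{f[:line]} [#{f[:rule]}] #{f[:text]}" }
end
```

A grep like this is a triage aid for the code review the slides call for, not a substitute for it: the parameterized form on line 2 passes only because it matches none of the rules.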

  23. Insecure Direct Object Reference (diagram: Hani asks for Joanne's Salary Record rather than Hani's own; Authorization fail!)
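The salary-record lookup from slide 23, as an added example in plain Ruby that is not code from the talk. User, SalaryRecord, the records and both lookup functions are constructed for the example; no Rails is involved.

```ruby
# Added example, not code from the talk: the salary-record lookup from slide 23
# in plain Ruby (no Rails). User, SalaryRecord, the records and the two lookup
# functions are all constructed for this example.
User = Struct.new(:id, :name)
SalaryRecord = Struct.new(:id, :owner_id, :amount)

RECORDS = [
  SalaryRecord.new(1, 10, 90_000),   # Hani's record
  SalaryRecord.new(2, 11, 95_000)    # Joanne's record
].freeze

class AuthorizationError < StandardError; end

# Insecure direct object reference: the id from the request is the only key,
# so any authenticated user who changes the id reads another user's record.
def salary_record_idor(_requester, id)
  RECORDS.find { |r| r.id == id }
end

# Rugged version: scope the lookup to the requester. A record that is not
# theirs and a record that does not exist look the same to the caller, so the
# check also does not reveal which ids are valid.
def salary_record(requester, id)
  record = RECORDS.find { |r| r.id == id && r.owner_id == requester.id }
  raise AuthorizationError, "#{requester.name} may not read record #{id}" if record.nil?
  record
end

if __FILE__ == $PROGRAM_NAME
  hani = User.new(10, "Hani")
  puts salary_record_idor(hani, 2).amount      # leaks Joanne's salary
  puts salary_record(hani, 1).amount           # Hani's own record: ok
  begin
    salary_record(hani, 2)                     # Authorization fail!
  rescue AuthorizationError => e
    puts e.message
  end
end
```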

  24. Some Specifics Around Process

  25. Security in the SDLC
  • Building software is a process.
  • The best way to make software secure is to make security part of the process.
  • There are many ways to do this - none is perfect.
  • Find a way to make the security fit your process.

  26. Classic Waterfall Delivery: Requirements → Design → Code → Test → Maintenance

  27. Classic Waterfall Delivery: Requirements → Design → Code → Security → Test → Maintenance

  28. Continuous Delivery: The Unit of Work is a Story (the Story sits at the centre of the Requirements, Design, Code, Test cycle)

  29. Continuous Delivery: The Unit of Work is a Story. The same Requirements, Design, Code, Test cycle around the Story, with security practices attached: Security Requirements; Threat model / attack surface; Security Unit Tests; Static Analysis on Commit; Exploratory Testing; Code Review; Checklists; Understand Dependencies.

  30. continuous delivery

  31. Classic security sees this and wants to …

  32. continuous delivery

  33. Baseline Security Requirements

  34. ARE STAKEHOLDERS ASKING FOR SECURITY?

  35. Story Points

  36. Estimates to Include Security Considerations

  37. Here’s why.

  38. Agile metrics Credit: rallydev.com

  39. Story Review

  40. Incremental Code Review

  41. Continuous Integration

  42. Static Analysis

  43. Checklists

  44. Bug Tracking

  45. Testing

  46. Operationalize

  47. Understand lifecycle

  48. Think incremental

  49. continuous delivery: Security Requirements, Security Unit Tests, Code Review

  50. Automate security tools

  51. continuous delivery: Security Tool Automation (code analysis, security unit tests, dynamic scanning, etc.)

  52. continuous delivery: Security Tests Run; Exploratory Testing Includes Security

  53. A detailed example:
  • Let’s say a feature is being developed
  • Then devs and testers are checking a new feature
  • Let them browse through an attack proxy (like Burp or ZAP) in passive mode
  • At night or when the system is quiet, use the browsing pattern as seeds for overnight attacks

  54. Continuous feedback

  55. continuous delivery: Feedback!

  56. False Positives Are a Necessary EVIL

  57. Optimize for relevance

  58. Provisioning tools

  59. continuous delivery: Since it’s easy to provision, we can do security testing safely in a new env.

  60. Audit tools

  61. continuous delivery: Deployment checks include security audit checks.

  62. Self documenting for regulatory and compliance!

  63. Chaos tools

  64. Change is good

  65. continuous delivery: Change is happening. It can be an opportunity instead of a hassle.

  66. Complexity is an enemy

  67. continuous delivery: Decomposition to micro-services reduces dependencies and complexity. Small releases reduce complexity. Right now, security hurts.

  68. Shared responsibility

  69. continuous delivery: Another principle of software delivery: build security in! Done means secure! Empowered to do security right!

  70. Measure results
