SlideShare ist ein Scribd-Unternehmen logo

Zane lackey. security at scale. web application security in a continuous deployment environment

Yury Chemerkin
Yury Chemerkin
Technologie
1 von 86
Downloaden Sie, um offline zu lesen
Security at Scale: Effective approaches to web application security zane@etsy.com @zanelackey
Who am I? • Engineering Manager @ Etsy – Lead appsec/netsec/seceng teams • Formerly @ iSEC Partners • Books/presentations primarily focused on application and mobile security
What is Etsy? Online marketplace for creative independent businesses
Scale at Etsy 1.5B pageviews/mo 40M uniques/mo #51 by US traffic * * April 2012, Alexa site ranking
About this talk Real world approaches to web application security challenges
About this talk Specifically, techniques that are simple and effective
Continuous deployment?
Continuous deployment <- What it (hopefully) isn’t
Continuous deployment Three words: iterate, iterate, iterate
Continuous deployment
Continuous deployment Etsy pushes to production 30 times a day on average
Continuous deployment (dogs push too)
But… Doesn’t the rapid rate of change mean things are less secure?
Actually, the opposite Being able to deploy quick is our #1 security feature
Compared to We’ll rush that security fix. It will go out in the next release in about 6 weeks. - Former vender at Etsy
What it boils down to (spoiler alert) • Make things safe by default • Detect risky functionality / Focus your efforts • Automate the easy stuff • Know when the house is burning down
Safe by default
Safe by default • Traditional defenses for XSS – Input validation – Output encoding • How have they worked out?
Safe by default
Safe by default • Problems? – Often done on a per-input basis • Easy to miss an input or output – May use defenses in wrong context • Input validation pattern may blocks full HTML injection, but not injecting inside JS – May put defenses on the client side in JS – Etc … These problems miss the point
Safe by default • The real problem is that it’s hard to find where protections have been missed • How can we change our approach to make it simpler?
Safe by default Input validation Output encoding
Safe by default Input validation Output encoding
Safe by default Encode dangerous HTML characters to HTML entities at the very start of your framework To repeat… Before input reaches main application code
Safe by default On the surface this doesn’t seem like much of a change
Safe by default Except, we’ve just made lots of XSS problems grep-able
Safe by default
Safe by default Now we look for a small number of patterns: • HTML entity decoding functions or explicit string replacements • Data in formats that won’t be sanitized – Ex: Base64 encoded, double URL encoded, etc • Code that opts out of platform protections
Safe by default Fundamentally shifts us: From: “Where is my app missing protections?” (hard) To: “Where is it made deliberately unsafe?” (easy)
Safe by default Obviously not a panacea – DOM based XSS – Javascript: URLs – Can be a pain during internationalization efforts
Focus your efforts
Focus your efforts • Continuous deployment means code ships fast • Things will go out the door before security team knows about them • How can we detect high risk functionality?
Detect risky functionality • Know when sensitive portions of the codebase have been modified • Build automatic change alerting on the codebase – Identify sensitive portions of the codebase – Create automatic alerting on modifications
Detect risky functionality • Doesn’t have to be complex to be effective • Approach: – sha1sum sensitive platform level files – Unit tests alert if hash of the file changes – Notifies security team on changes, drives code review
Detect risky functionality • At the platform level, watching for changes to site-wide sensitive functionality – CSRF defenses – Session management – Encryption wrappers – Login/Authentication – Etc
Detect risky functionality • At the feature level, watching for changes to specific sensitive methods • Identifying these methods is part of initial code review/pen test of new features
Detect risky functionality • Watch for dangerous functions • Usual candidates: – File system operations – Process execution/control – HTML decoding (if you’re input encoding) – Etc
Detect risky functionality • Unit tests watch codebase for dangerous functions – Split into separate high risk/low risk lists • Alerts are emailed to the appsec team, drive code reviews
Detect risky functionality • Monitor application traffic • Purpose is twofold: – Detecting risky functionality that was missed by earlier processes – Groundwork for attack detection and verification
Detect risky functionality • Regex incoming requests at the framework – Sounds like performance nightmare, shockingly isn’t • Look for HTML/JS in request – This creates a huge number of false positives • That’s by design, we refine the search later
Detect risky functionality • We deliberately want to cast a wide net to see HTML entering the application • From there, build a baseline of HTML – Entering the application in aggregate – Received by specific endpoints
Detect risky functionality What to watch for: – Did a new endpoint suddenly show up? • A new risky feature might’ve just shipped – Did the amount of traffic containing HTML just significantly go up? • Worth investigating
Detect risky functionality Aggregate increased, time to investigate
Automate the easy stuff
Automate the easy stuff • Automate finding simple issues to free up resources for more complex tasks • Use attacker traffic to automatically drive testing • We call it Attack Driven Testing
Automate the easy stuff • Some cases where this is useful: – Application faults – Reflected XSS – SQLi
Automate the easy stuff • Application faults (HTTP 5xx errors) • As an attacker, these are one of the first signs of weakness in an app – As a defender, pay attention to them!
Automate the easy stuff • Just watching for 5xx errors results in a lot of ephemeral issues that don’t reproduce • Instead: – Grab last X hours worth of 5xx errors from access logs – Replay the original request – Alert on any requests which still return a 5xx
Automate the easy stuff • Cron this script to run every few hours • If a request still triggers an application fault hours later, it’s worth investigating
Automate the easy stuff • Similar methodology for verifying reflected XSS • For reflected XSS we: – Identify requests containing basic XSS payloads – Replay the request – Alert if the XSS payload executed
Automate the easy stuff • Basic payloads commonly used in testing for XSS: – alert() – document.write() – unescape() – String.fromCharCode() – etc
Safe by default We created a tool to use NodeJS as a headless browser for verification
Automate the easy stuff 1. Fetch URL containing potential XSS Test webserver
Automate the easy stuff 2. Page contents returned to a temp buffer, not interpreted yet Test webserver
Automate the easy stuff 3. Inject our instrumented JS into page contents + Our JS Page contents Test webserver
Automate the easy stuff 4. Combination of instrumented JS + page contents interpreted + Test webserver Our JS Page contents
Automate the easy stuff 5. If instrumented JS is executed, alert appsec team for review Test webserver
Automate the easy stuff • Sample instrumented JS: (function() { var proxiedAlert = window.alert; window.alert = function() { location="XSSDETECTED"; }; })();
Automate the easy stuff • Open sourced NodeJS tool – https://github.com/zanelackey/projects • Combine this approach with driving a browser via Watir/Selenium – Make sure to use all major browsers
Know when the house is burning down
Know when the house is burning down Graph early, graph often
Know when the house is burning down Which of these is a quicker way to spot a problem?
Know when the house is burning down
Know when the house is burning down
Know when the house is burning down • Methodology: – Instrument application to collect data points – Fire them off to an aggregation backend – Build individual graphs – Combine groups of graphs into dashboards • We’ve open sourced our instrumentation library – https://github.com/etsy/statsd
Know when the house is burning down
Know when the house is burning down
Know when the house is burning down Now we can visually spot attacks
Know when the house is burning down But who’s watching at 4AM?
Know when the house is burning down • In addition to data visualizations, we need automatic alerting • Look at the raw data to see if it exceeds certain thresholds • Works well for graphs like this…
Know when the house is burning down
Know when the house is burning down But not like this…
Know when the house is burning down
Know when the house is burning down • We need to smooth out graphs that follow usage patterns • Use exponential smoothing formulas like Holt- Winters • Math is hard, let’s look at screenshots!
Know when the house is burning down
Know when the house is burning down • Now that we’ve smoothed out the graphs… • Use the same approach as before: – Grab the raw data – Look for values above/below a set threshold – Alert
Know when the house is burning down What about exposure of internal info?
Know when the house is burning down • Paste sites are extremely useful – gist, pastebin, etc • If you don’t have one internally, external ones will be used – Or if you have a bad one internally
Know when the house is burning down • Use Google Alerts to monitor paste sites for internal info exposures – Ex: Hostnames, class names
Know when the house is burning down • Monitor cloud storage for ACLs that publicly expose data – S3 buckets – Google Docs • Open sourced S3 monitoring tool: – https://github.com/zanelackey/projects – Google Docs tool soon
Conclusions
Conclusions
Conclusions Have the ability to deploy/respond quickly
Conclusions • Make things safe by default • Focus your efforts / Detect risky functionality • Automate the easy stuff • Know when the house is burning down
Thanks! zane@etsy.com @zanelackey
References / Thanks • DevOpsSec: http://www.slideshare.net/nickgsuperstar/dev opssec-apply-devops-principles-to-security • Special Thanks: – Nick Galbreath, Dan Kaminsky, Marcus Barczak

Empfohlen

Effective approaches to web application security
Effective approaches to web application security Effective approaches to web application security
Effective approaches to web application security Zane Lackey
 
Shmoocon 2015 - httpscreenshot
Shmoocon 2015 - httpscreenshotShmoocon 2015 - httpscreenshot
Shmoocon 2015 - httpscreenshotjstnkndy
 
Top Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayTop Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayChris Gates
 
How to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOpsHow to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOpsZane Lackey
 
Attack-driven defense
Attack-driven defenseAttack-driven defense
Attack-driven defenseZane Lackey
 
Owasp tds
Owasp tdsOwasp tds
Owasp tdssnyff
 
Entomology 101
Entomology 101Entomology 101
Entomology 101snyff
 
Security Code Review 101
Security Code Review 101Security Code Review 101
Security Code Review 101Paul Ionescu
 

Empfohlen

Effective approaches to web application security
Effective approaches to web application security Effective approaches to web application security
Effective approaches to web application security Zane Lackey
 
Shmoocon 2015 - httpscreenshot
Shmoocon 2015 - httpscreenshotShmoocon 2015 - httpscreenshot
Shmoocon 2015 - httpscreenshotjstnkndy
 
Top Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayTop Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayChris Gates
 
How to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOpsHow to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOpsZane Lackey
 
Attack-driven defense
Attack-driven defenseAttack-driven defense
Attack-driven defenseZane Lackey
 
Owasp tds
Owasp tdsOwasp tds
Owasp tdssnyff
 
Entomology 101
Entomology 101Entomology 101
Entomology 101snyff
 
Security Code Review 101
Security Code Review 101Security Code Review 101
Security Code Review 101Paul Ionescu
 
Web2.0 : an introduction
Web2.0 : an introductionWeb2.0 : an introduction
Web2.0 : an introductionAnant Shrivastava
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNEDChris Gates
 
Is code review the solution?
Is code review the solution?Is code review the solution?
Is code review the solution?Tiago Mendo
 
Tw noche geek quito webappsec
Tw noche geek quito webappsecTw noche geek quito webappsec
Tw noche geek quito webappsecThoughtworks
 
Echidna, sistema de respuesta a incidentes open source [GuadalajaraCON 2013]
Echidna, sistema de respuesta a incidentes open source [GuadalajaraCON 2013]Echidna, sistema de respuesta a incidentes open source [GuadalajaraCON 2013]
Echidna, sistema de respuesta a incidentes open source [GuadalajaraCON 2013]Websec México, S.C.
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2Chris Gates
 
Introduction to Penetration Testing
Introduction to Penetration TestingIntroduction to Penetration Testing
Introduction to Penetration TestingAndrew McNicol
 
How to secure your web applications with NGINX
How to secure your web applications with NGINXHow to secure your web applications with NGINX
How to secure your web applications with NGINXWallarm
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyAditya Gupta
 
BSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementBSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementAndrew McNicol
 
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015CODE BLUE
 
Automated Security Testing
Automated Security TestingAutomated Security Testing
Automated Security Testingseleniumconf
 
How To Start Your InfoSec Career
How To Start Your InfoSec CareerHow To Start Your InfoSec Career
How To Start Your InfoSec CareerAndrew McNicol
 
Pentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingPentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingAndrew McNicol
 
BSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathersBSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathersAndrew McNicol
 
Cm9 secure code_training_1day_input sanitization
Cm9 secure code_training_1day_input sanitizationCm9 secure code_training_1day_input sanitization
Cm9 secure code_training_1day_input sanitizationdcervigni
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface DevicePositive Hack Days
 
BSidesDC 2016 Beyond Automated Testing
BSidesDC 2016 Beyond Automated TestingBSidesDC 2016 Beyond Automated Testing
BSidesDC 2016 Beyond Automated TestingAndrew McNicol
 
Owasp joy of proactive security
Owasp joy of proactive securityOwasp joy of proactive security
Owasp joy of proactive securityScott Behrens
 
Case study
Case studyCase study
Case studykaran saini
 
My tryst with sourcecode review
My tryst with sourcecode reviewMy tryst with sourcecode review
My tryst with sourcecode reviewAnant Shrivastava
 
The Joy of Proactive Security
The Joy of Proactive SecurityThe Joy of Proactive Security
The Joy of Proactive SecurityAndy Hoernecke
 

Weitere ähnliche Inhalte

Was ist angesagt?

Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNEDChris Gates
 
Is code review the solution?
Is code review the solution?Is code review the solution?
Is code review the solution?Tiago Mendo
 
Tw noche geek quito webappsec
Tw noche geek quito webappsecTw noche geek quito webappsec
Tw noche geek quito webappsecThoughtworks
 
Echidna, sistema de respuesta a incidentes open source [GuadalajaraCON 2013]
Echidna, sistema de respuesta a incidentes open source [GuadalajaraCON 2013]Echidna, sistema de respuesta a incidentes open source [GuadalajaraCON 2013]
Echidna, sistema de respuesta a incidentes open source [GuadalajaraCON 2013]Websec México, S.C.
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2Chris Gates
 
Introduction to Penetration Testing
Introduction to Penetration TestingIntroduction to Penetration Testing
Introduction to Penetration TestingAndrew McNicol
 
How to secure your web applications with NGINX
How to secure your web applications with NGINXHow to secure your web applications with NGINX
How to secure your web applications with NGINXWallarm
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyAditya Gupta
 
BSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementBSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementAndrew McNicol
 
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015CODE BLUE
 
Automated Security Testing
Automated Security TestingAutomated Security Testing
Automated Security Testingseleniumconf
 
How To Start Your InfoSec Career
How To Start Your InfoSec CareerHow To Start Your InfoSec Career
How To Start Your InfoSec CareerAndrew McNicol
 
Pentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingPentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingAndrew McNicol
 
BSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathersBSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathersAndrew McNicol
 
Cm9 secure code_training_1day_input sanitization
Cm9 secure code_training_1day_input sanitizationCm9 secure code_training_1day_input sanitization
Cm9 secure code_training_1day_input sanitizationdcervigni
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface DevicePositive Hack Days
 
BSidesDC 2016 Beyond Automated Testing
BSidesDC 2016 Beyond Automated TestingBSidesDC 2016 Beyond Automated Testing
BSidesDC 2016 Beyond Automated TestingAndrew McNicol
 
Owasp joy of proactive security
Owasp joy of proactive securityOwasp joy of proactive security
Owasp joy of proactive securityScott Behrens
 

Was ist angesagt? (20)

Web2.0 : an introduction
Web2.0 : an introductionWeb2.0 : an introduction
Web2.0 : an introduction
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNED
 
Is code review the solution?
Is code review the solution?Is code review the solution?
Is code review the solution?
 
Tw noche geek quito webappsec
Tw noche geek quito webappsecTw noche geek quito webappsec
Tw noche geek quito webappsec
 
Echidna, sistema de respuesta a incidentes open source [GuadalajaraCON 2013]
Echidna, sistema de respuesta a incidentes open source [GuadalajaraCON 2013]Echidna, sistema de respuesta a incidentes open source [GuadalajaraCON 2013]
Echidna, sistema de respuesta a incidentes open source [GuadalajaraCON 2013]
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
 
Introduction to Penetration Testing
Introduction to Penetration TestingIntroduction to Penetration Testing
Introduction to Penetration Testing
 
How to secure your web applications with NGINX
How to secure your web applications with NGINXHow to secure your web applications with NGINX
How to secure your web applications with NGINX
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack Proxy
 
BSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementBSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability Management
 
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
 
Automated Security Testing
Automated Security TestingAutomated Security Testing
Automated Security Testing
 
How To Start Your InfoSec Career
How To Start Your InfoSec CareerHow To Start Your InfoSec Career
How To Start Your InfoSec Career
 
Pentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingPentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated Testing
 
BSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathersBSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathers
 
Cm9 secure code_training_1day_input sanitization
Cm9 secure code_training_1day_input sanitizationCm9 secure code_training_1day_input sanitization
Cm9 secure code_training_1day_input sanitization
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface Device
 
BSidesDC 2016 Beyond Automated Testing
BSidesDC 2016 Beyond Automated TestingBSidesDC 2016 Beyond Automated Testing
BSidesDC 2016 Beyond Automated Testing
 
Owasp joy of proactive security
Owasp joy of proactive securityOwasp joy of proactive security
Owasp joy of proactive security
 
Case study
Case studyCase study
Case study
 

Ähnlich wie Zane lackey. security at scale. web application security in a continuous deployment environment

My tryst with sourcecode review
My tryst with sourcecode reviewMy tryst with sourcecode review
My tryst with sourcecode reviewAnant Shrivastava
 
The Joy of Proactive Security
The Joy of Proactive SecurityThe Joy of Proactive Security
The Joy of Proactive SecurityAndy Hoernecke
 
Jason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional ToolsJason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional Toolscentralohioissa
 
Proactive Security AppSec Case Study
Proactive Security AppSec Case StudyProactive Security AppSec Case Study
Proactive Security AppSec Case StudyAndy Hoernecke
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016Chris Gates
 
Manual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A BugManual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A BugLewis Ardern
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
 
we45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Pythonwe45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with PythonAbhay Bhargav
 
Security at Greenhouse
Security at GreenhouseSecurity at Greenhouse
Security at GreenhouseMichael O'Neil
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22MichaelM85042
 
Dev opsandsecurity owasp
Dev opsandsecurity owaspDev opsandsecurity owasp
Dev opsandsecurity owaspHelen Bravo
 
DevOps & Security: Here & Now
DevOps & Security: Here & NowDevOps & Security: Here & Now
DevOps & Security: Here & NowCheckmarx
 
Getting your mobile test automation process in place - using Cucumber and Cal...
Getting your mobile test automation process in place - using Cucumber and Cal...Getting your mobile test automation process in place - using Cucumber and Cal...
Getting your mobile test automation process in place - using Cucumber and Cal...Niels Frydenholm
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinMatt Tesauro
 
Abusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec gloryAbusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec gloryPriyanka Aash
 
Profiling and Tuning a Web Application - The Dirty Details
Profiling and Tuning a Web Application - The Dirty DetailsProfiling and Tuning a Web Application - The Dirty Details
Profiling and Tuning a Web Application - The Dirty DetailsAchievers Tech
 
Threat_Modelling.pdf
Threat_Modelling.pdfThreat_Modelling.pdf
Threat_Modelling.pdfMarlboroAbyad
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavOWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavAbhay Bhargav
 

Ähnlich wie Zane lackey. security at scale. web application security in a continuous deployment environment (20)

My tryst with sourcecode review
My tryst with sourcecode reviewMy tryst with sourcecode review
My tryst with sourcecode review
 
The Joy of Proactive Security
The Joy of Proactive SecurityThe Joy of Proactive Security
The Joy of Proactive Security
 
Jason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional ToolsJason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional Tools
 
Proactive Security AppSec Case Study
Proactive Security AppSec Case StudyProactive Security AppSec Case Study
Proactive Security AppSec Case Study
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
 
Manual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A BugManual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A Bug
 
Confidence web
Confidence webConfidence web
Confidence web
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
 
we45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Pythonwe45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Python
 
Security at Greenhouse
Security at GreenhouseSecurity at Greenhouse
Security at Greenhouse
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
 
CloudStack Secured
CloudStack SecuredCloudStack Secured
CloudStack Secured
 
Dev opsandsecurity owasp
Dev opsandsecurity owaspDev opsandsecurity owasp
Dev opsandsecurity owasp
 
DevOps & Security: Here & Now
DevOps & Security: Here & NowDevOps & Security: Here & Now
DevOps & Security: Here & Now
 
Getting your mobile test automation process in place - using Cucumber and Cal...
Getting your mobile test automation process in place - using Cucumber and Cal...Getting your mobile test automation process in place - using Cucumber and Cal...
Getting your mobile test automation process in place - using Cucumber and Cal...
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
 
Abusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec gloryAbusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec glory
 
Profiling and Tuning a Web Application - The Dirty Details
Profiling and Tuning a Web Application - The Dirty DetailsProfiling and Tuning a Web Application - The Dirty Details
Profiling and Tuning a Web Application - The Dirty Details
 
Threat_Modelling.pdf
Threat_Modelling.pdfThreat_Modelling.pdf
Threat_Modelling.pdf
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavOWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
 

Mehr von Yury Chemerkin

Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...Yury Chemerkin
 
Red october. detailed malware description
Red october. detailed malware descriptionRed october. detailed malware description
Red october. detailed malware descriptionYury Chemerkin
 
Comment crew indicators of compromise
Comment crew indicators of compromiseComment crew indicators of compromise
Comment crew indicators of compromiseYury Chemerkin
 
Appendix g iocs readme
Appendix g iocs readmeAppendix g iocs readme
Appendix g iocs readmeYury Chemerkin
 
Appendix f (digital) ssl certificates
Appendix f (digital) ssl certificatesAppendix f (digital) ssl certificates
Appendix f (digital) ssl certificatesYury Chemerkin
 
Appendix e (digital) md5s
Appendix e (digital) md5sAppendix e (digital) md5s
Appendix e (digital) md5sYury Chemerkin
 
Appendix d (digital) fqd ns
Appendix d (digital) fqd nsAppendix d (digital) fqd ns
Appendix d (digital) fqd nsYury Chemerkin
 
6071f3f4 40e6-4c7b-8868-3b0b21a9f601
6071f3f4 40e6-4c7b-8868-3b0b21a9f6016071f3f4 40e6-4c7b-8868-3b0b21a9f601
6071f3f4 40e6-4c7b-8868-3b0b21a9f601Yury Chemerkin
 
Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...Yury Chemerkin
 
The stuxnet computer worm. harbinger of an emerging warfare capability
The stuxnet computer worm. harbinger of an emerging warfare capabilityThe stuxnet computer worm. harbinger of an emerging warfare capability
The stuxnet computer worm. harbinger of an emerging warfare capabilityYury Chemerkin
 
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realitiesStuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realitiesYury Chemerkin
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedYury Chemerkin
 
Sophos ransom ware fake antivirus
Sophos ransom ware fake antivirusSophos ransom ware fake antivirus
Sophos ransom ware fake antivirusYury Chemerkin
 
Six months later – a report card on google’s demotion of pirate sites
Six months later – a report card on google’s demotion of pirate sitesSix months later – a report card on google’s demotion of pirate sites
Six months later – a report card on google’s demotion of pirate sitesYury Chemerkin
 
Security in the cloud planning guide
Security in the cloud planning guideSecurity in the cloud planning guide
Security in the cloud planning guideYury Chemerkin
 
Security configuration recommendations for apple i os 5 devices
Security configuration recommendations for apple i os 5 devicesSecurity configuration recommendations for apple i os 5 devices
Security configuration recommendations for apple i os 5 devicesYury Chemerkin
 
Render man. hacker + airplanes = no good can come of this
Render man. hacker + airplanes = no good can come of thisRender man. hacker + airplanes = no good can come of this
Render man. hacker + airplanes = no good can come of thisYury Chemerkin
 
Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...Yury Chemerkin
 

Mehr von Yury Chemerkin (20)

Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
 
Red october. detailed malware description
Red october. detailed malware descriptionRed october. detailed malware description
Red october. detailed malware description
 
Comment crew indicators of compromise
Comment crew indicators of compromiseComment crew indicators of compromise
Comment crew indicators of compromise
 
Appendix g iocs readme
Appendix g iocs readmeAppendix g iocs readme
Appendix g iocs readme
 
Appendix f (digital) ssl certificates
Appendix f (digital) ssl certificatesAppendix f (digital) ssl certificates
Appendix f (digital) ssl certificates
 
Appendix e (digital) md5s
Appendix e (digital) md5sAppendix e (digital) md5s
Appendix e (digital) md5s
 
Appendix d (digital) fqd ns
Appendix d (digital) fqd nsAppendix d (digital) fqd ns
Appendix d (digital) fqd ns
 
6071f3f4 40e6-4c7b-8868-3b0b21a9f601
6071f3f4 40e6-4c7b-8868-3b0b21a9f6016071f3f4 40e6-4c7b-8868-3b0b21a9f601
6071f3f4 40e6-4c7b-8868-3b0b21a9f601
 
Jp3 13
Jp3 13Jp3 13
Jp3 13
 
Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...
 
The stuxnet computer worm. harbinger of an emerging warfare capability
The stuxnet computer worm. harbinger of an emerging warfare capabilityThe stuxnet computer worm. harbinger of an emerging warfare capability
The stuxnet computer worm. harbinger of an emerging warfare capability
 
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realitiesStuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learned
 
Sophos ransom ware fake antivirus
Sophos ransom ware fake antivirusSophos ransom ware fake antivirus
Sophos ransom ware fake antivirus
 
Six months later – a report card on google’s demotion of pirate sites
Six months later – a report card on google’s demotion of pirate sitesSix months later – a report card on google’s demotion of pirate sites
Six months later – a report card on google’s demotion of pirate sites
 
Security in the cloud planning guide
Security in the cloud planning guideSecurity in the cloud planning guide
Security in the cloud planning guide
 
Security configuration recommendations for apple i os 5 devices
Security configuration recommendations for apple i os 5 devicesSecurity configuration recommendations for apple i os 5 devices
Security configuration recommendations for apple i os 5 devices
 
Render man. hacker + airplanes = no good can come of this
Render man. hacker + airplanes = no good can come of thisRender man. hacker + airplanes = no good can come of this
Render man. hacker + airplanes = no good can come of this
 
Msft oracle brief
Msft oracle briefMsft oracle brief
Msft oracle brief
 
Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...
 

Kürzlich hochgeladen

"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 

Kürzlich hochgeladen (20)

"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 

Zane lackey. security at scale. web application security in a continuous deployment environment

  • 1. Security at Scale: Effective approaches to web application security zane@etsy.com @zanelackey
  • 2. Who am I? • Engineering Manager @ Etsy – Lead appsec/netsec/seceng teams • Formerly @ iSEC Partners • Books/presentations primarily focused on application and mobile security
  • 3. What is Etsy? Online marketplace for creative independent businesses
  • 4. Scale at Etsy 1.5B pageviews/mo 40M uniques/mo #51 by US traffic * * April 2012, Alexa site ranking
  • 5. About this talk Real world approaches to web application security challenges
  • 6. About this talk Specifically, techniques that are simple and effective
  • 8. Continuous deployment <- What it (hopefully) isn’t
  • 9. Continuous deployment Three words: iterate, iterate, iterate
  • 11. Continuous deployment Etsy pushes to production 30 times a day on average
  • 12. Continuous deployment (dogs push too)
  • 13. But… Doesn’t the rapid rate of change mean things are less secure?
  • 14. Actually, the opposite Being able to deploy quick is our #1 security feature
  • 15. Compared to We’ll rush that security fix. It will go out in the next release in about 6 weeks. - Former vender at Etsy
  • 16. What it boils down to (spoiler alert) • Make things safe by default • Detect risky functionality / Focus your efforts • Automate the easy stuff • Know when the house is burning down
  • 18. Safe by default • Traditional defenses for XSS – Input validation – Output encoding • How have they worked out?
  • 20. Safe by default • Problems? – Often done on a per-input basis • Easy to miss an input or output – May use defenses in wrong context • Input validation pattern may blocks full HTML injection, but not injecting inside JS – May put defenses on the client side in JS – Etc … These problems miss the point
  • 21. Safe by default • The real problem is that it’s hard to find where protections have been missed • How can we change our approach to make it simpler?
  • 22. Safe by default Input validation Output encoding
  • 23. Safe by default Input validation Output encoding
  • 24. Safe by default Encode dangerous HTML characters to HTML entities at the very start of your framework To repeat… Before input reaches main application code
  • 25. Safe by default On the surface this doesn’t seem like much of a change
  • 26. Safe by default Except, we’ve just made lots of XSS problems grep-able
  • 28. Safe by default Now we look for a small number of patterns: • HTML entity decoding functions or explicit string replacements • Data in formats that won’t be sanitized – Ex: Base64 encoded, double URL encoded, etc • Code that opts out of platform protections
  • 29. Safe by default Fundamentally shifts us: From: “Where is my app missing protections?” (hard) To: “Where is it made deliberately unsafe?” (easy)
  • 30. Safe by default Obviously not a panacea – DOM based XSS – Javascript: URLs – Can be a pain during internationalization efforts
  • 32. Focus your efforts • Continuous deployment means code ships fast • Things will go out the door before security team knows about them • How can we detect high risk functionality?
  • 33. Detect risky functionality • Know when sensitive portions of the codebase have been modified • Build automatic change alerting on the codebase – Identify sensitive portions of the codebase – Create automatic alerting on modifications
  • 34. Detect risky functionality • Doesn’t have to be complex to be effective • Approach: – sha1sum sensitive platform level files – Unit tests alert if hash of the file changes – Notifies security team on changes, drives code review
  • 35. Detect risky functionality • At the platform level, watching for changes to site-wide sensitive functionality – CSRF defenses – Session management – Encryption wrappers – Login/Authentication – Etc
  • 36. Detect risky functionality • At the feature level, watching for changes to specific sensitive methods • Identifying these methods is part of initial code review/pen test of new features
  • 37. Detect risky functionality • Watch for dangerous functions • Usual candidates: – File system operations – Process execution/control – HTML decoding (if you’re input encoding) – Etc
  • 38. Detect risky functionality • Unit tests watch codebase for dangerous functions – Split into separate high risk/low risk lists • Alerts are emailed to the appsec team, drive code reviews
  • 39. Detect risky functionality • Monitor application traffic • Purpose is twofold: – Detecting risky functionality that was missed by earlier processes – Groundwork for attack detection and verification
  • 40. Detect risky functionality • Regex incoming requests at the framework – Sounds like performance nightmare, shockingly isn’t • Look for HTML/JS in request – This creates a huge number of false positives • That’s by design, we refine the search later
  • 41. Detect risky functionality • We deliberately want to cast a wide net to see HTML entering the application • From there, build a baseline of HTML – Entering the application in aggregate – Received by specific endpoints
  • 42. Detect risky functionality What to watch for: – Did a new endpoint suddenly show up? • A new risky feature might’ve just shipped – Did the amount of traffic containing HTML just significantly go up? • Worth investigating
  • 43. Detect risky functionality Aggregate increased, time to investigate
  • 45. Automate the easy stuff • Automate finding simple issues to free up resources for more complex tasks • Use attacker traffic to automatically drive testing • We call it Attack Driven Testing
  • 46. Automate the easy stuff • Some cases where this is useful: – Application faults – Reflected XSS – SQLi
  • 47. Automate the easy stuff • Application faults (HTTP 5xx errors) • As an attacker, these are one of the first signs of weakness in an app – As a defender, pay attention to them!
  • 48. Automate the easy stuff • Just watching for 5xx errors results in a lot of ephemeral issues that don’t reproduce • Instead: – Grab last X hours worth of 5xx errors from access logs – Replay the original request – Alert on any requests which still return a 5xx
  • 49. Automate the easy stuff • Cron this script to run every few hours • If a request still triggers an application fault hours later, it’s worth investigating
  • 50. Automate the easy stuff • Similar methodology for verifying reflected XSS • For reflected XSS we: – Identify requests containing basic XSS payloads – Replay the request – Alert if the XSS payload executed
  • 51. Automate the easy stuff • Basic payloads commonly used in testing for XSS: – alert() – document.write() – unescape() – String.fromCharCode() – etc
  • 52. Safe by default We created a tool to use NodeJS as a headless browser for verification
  • 53. Automate the easy stuff 1. Fetch URL containing potential XSS Test webserver
  • 54. Automate the easy stuff 2. Page contents returned to a temp buffer, not interpreted yet Test webserver
  • 55. Automate the easy stuff 3. Inject our instrumented JS into page contents + Our JS Page contents Test webserver
  • 56. Automate the easy stuff 4. Combination of instrumented JS + page contents interpreted + Test webserver Our JS Page contents
  • 57. Automate the easy stuff 5. If instrumented JS is executed, alert appsec team for review Test webserver
  • 58. Automate the easy stuff • Sample instrumented JS: (function() { var proxiedAlert = window.alert; window.alert = function() { location="XSSDETECTED"; }; })();
  • 59. Automate the easy stuff • Open sourced NodeJS tool – https://github.com/zanelackey/projects • Combine this approach with driving a browser via Watir/Selenium – Make sure to use all major browsers
  • 60. Know when the house is burning down
  • 61. Know when the house is burning down Graph early, graph often
  • 62. Know when the house is burning down Which of these is a quicker way to spot a problem?
  • 63. Know when the house is burning down
  • 64. Know when the house is burning down
  • 65. Know when the house is burning down • Methodology: – Instrument application to collect data points – Fire them off to an aggregation backend – Build individual graphs – Combine groups of graphs into dashboards • We’ve open sourced our instrumentation library – https://github.com/etsy/statsd
  • 66. Know when the house is burning down
  • 67. Know when the house is burning down
  • 68. Know when the house is burning down Now we can visually spot attacks
  • 69. Know when the house is burning down But who’s watching at 4AM?
  • 70. Know when the house is burning down • In addition to data visualizations, we need automatic alerting • Look at the raw data to see if it exceeds certain thresholds • Works well for graphs like this…
  • 71. Know when the house is burning down
  • 72. Know when the house is burning down But not like this…
  • 73. Know when the house is burning down
  • 74. Know when the house is burning down • We need to smooth out graphs that follow usage patterns • Use exponential smoothing formulas like Holt- Winters • Math is hard, let’s look at screenshots!
  • 75. Know when the house is burning down
  • 76. Know when the house is burning down • Now that we’ve smoothed out the graphs… • Use the same approach as before: – Grab the raw data – Look for values above/below a set threshold – Alert
  • 77. Know when the house is burning down What about exposure of internal info?
  • 78. Know when the house is burning down • Paste sites are extremely useful – gist, pastebin, etc • If you don’t have one internally, external ones will be used – Or if you have a bad one internally
  • 79. Know when the house is burning down • Use Google Alerts to monitor paste sites for internal info exposures – Ex: Hostnames, class names
  • 80. Know when the house is burning down • Monitor cloud storage for ACLs that publicly expose data – S3 buckets – Google Docs • Open sourced S3 monitoring tool: – https://github.com/zanelackey/projects – Google Docs tool soon
  • 83. Conclusions Have the ability to deploy/respond quickly
  • 84. Conclusions • Make things safe by default • Focus your efforts / Detect risky functionality • Automate the easy stuff • Know when the house is burning down
  • 85. Thanks! zane@etsy.com @zanelackey
  • 86. References / Thanks • DevOpsSec: http://www.slideshare.net/nickgsuperstar/dev opssec-apply-devops-principles-to-security • Special Thanks: – Nick Galbreath, Dan Kaminsky, Marcus Barczak