(as presented at Codemotion Rome 2016)
This presentation starts with an overview of the current state of Application Insecurity (with practical examples), which should make the attendees think twice about what is about to happen to their applications. The solution is to leverage a new generation of application security thinking such as: TDD, Docker, Test Automation, Static Analysis, clever Fuzzing, JIRA Risk workflows, Kanban, micro web services visualisation, and ELK. These practices will not only make applications/software more secure/resilient, but also allow them to be developed in a much more efficient, cheaper and productive
New Era of Software with modern Application Security v1.0
1. New Era of Software with Modern Application Security
Version 1.0 (19/Mar/2016)
Codemotion Rome
@DinisCruz
2. Couple Disclaimers
• This presentation has 233 slides and is designed to guide the delivery of this presentation and provide background information for offline reading
• I speak really fast (for an English audience)
• I have too much content - even when I deliver three-day courses :)
• I abuse the term ‘Unit Testing’:
  • for me the ‘Unit’ can be anything, from just a method to a full browser automation workflow
  • if it can be executed with a Unit Test Framework (NUnit, Mocha, Karma) then it is a Unit Test (even if it is called an e2e or Integration test)
3. Me
• Developer for 25 years
• AppSec for 13 years
• Day jobs:
  • Leader of the OWASP O2 Platform project
  • Head of Application Security at The Hut Group
  • Application Security Training for JBI Training
  • AppSec Consultant and Mentor
4. Performed Hundreds of Security Reviews
• Found critical vulnerabilities in high profile applications (impacting millions of users)
  • desktop apps, websites, mobile apps, web services, security tools, frameworks, telephony, networks, etc…
• Reported zero days to software vendors (before bug bounties)
• 0wned data centres, networks, apps, databases
5. Delivered Training to 1000s of Developers
• BBC
• BAE Applied Intelligence
• O2
• Alaska Airlines
• Ocado
• Capita (Orbit)
• BSkyB
• Harrods
• Microsoft
• Verifone
• OWASP Conferences
• BlackHat
• TotalJobs
• Cashflows
• RuneScape
• The Hut Group
6. I’m a Developer
• Have shipped code
• Have managed dev teams
• Have written tests (with 100% code coverage)
• Have created CI and CD environments (DevOps)
• Worked on Secure Software Architecture and workflows (SecDevOps)
7. Graphs
• I love Graphs
• Recently I have realised that I have spent most of my life thinking about graphs and coding graphs
• Graphs are great for data analysis and modelling
• … but this is a topic for another presentation
10. Books
• Published at Leanpub (http://leanpub.com/u/DinisCruz)
• Minimum price: 0 €
11. OWASP O2 Platform
• My brain in a tool
• Very powerful but not easy to start using
12. New Era of Software with Modern Application Security
13. My thesis is that
Application Security can be used to
define and measure Software Quality
14. Modern Application Security
• TDD with Code Coverage
• Threat Models
• Docker and Containers
• Test Automation
• SAST/DAST/IAST/WAF
• Clever Fuzzing
• JIRA Risk workflows
• Kanban for Quality fixes
• Web Services visualisation
• ELK
39. TJX (part of TK Maxx)
• 94 million customers’ data compromised
• $256 Million USD settlement with Visa, MasterCard, Customers
• Estimated cost to deal with the incident (and improve security): 1 Billion USD
66. Russian Hackers Moved Ruble Rate with Malware
http://www.bloomberg.com/news/articles/2016-02-08/russian-hackers-moved-currency-rate-with-malware-group-ib-says
69. A Guy Challenged Hackers at DEF CON to Hack Him…
https://www.youtube.com/watch?v=bjYhmX_OUQQ
71. 1. Mass supermarket failure (no food, milk, water available)
2. Bank or Financial Company collapse
3. Fabricated News
4. Mass loss, sale and exploitation of individuals’ private information
72. 5. Mass Identity Theft!
• Can you prove that YOU are YOU?
• What if the ‘Computer says differently’?
• What if your picture ‘in the computer’ is modified?
• What if your date-of-birth and family name are modified?
• What if you are shown as DEAD in the system?
• How many databases would it take to kill you digitally?
• What if there is NO record at ALL that you ever existed?
• in ID database
• in Financial database
• in Hospital databases
• etc...?
73. 6. Medical systems exploitation:
• Wrong medicaments delivered, sold
• Manipulating hospital systems
• Corruption of medical records
• Sale of medical records
7. Car/Plane/Train crashes:
• all lights are made green at the same time
• maintenance records are fiddled or manipulated (Fake parts scam)
• Remote control and manipulation
• Manipulation of traffic guidance systems
74. 8. ID cards/Passport exploits
• Government loses ability to issue new ID cards
• Massive ID Card fraud
9. Companies are selling fake ID cards with no ability to stop them
10. No Cashpoints
11. New laws introduced in parliament (without formal discussion/approval)
12. Fighter jet fires missile into crowd / building / city
75. 13. Mass hysteria at stadium, where a big message on screen says:
• "...RUN!!!!!! The stadium is going to blow in 2 minutes..."
• "...There is a terrorist in the stadium, here is his picture! Find him and kill him!!..."
14. Water poisoning
15. Manipulation of controls that introduce or remove chemicals in water
16. Attacks on electric grid
17. Mass compromise of online email systems
18. Corruption of Inland Revenue database (if they did not know who owed what and were not able to collect money from taxes)
19. Websites massively attack users and users are afraid to go online
20. Localised or global Internet shutdowns
76. I think you get the idea
for more examples read:
91. “After police & PWC
investigation TalkTalk
CEO admits firm
'underestimated'
cybersecurity and touts
change in culture”
“Investigation by PwC showed TalkTalk has been acting like a startup rather than a major company (new services, innovate, move fast), and they saw security as a technology issue, not a business one, and underestimated the challenge.”
115. Let’s Hack (a little bit)
http://news.bbc.co.uk
http://manifesto.softwarecraftsmanship.org/
Demo
128. 1) TDD with Code Coverage
• All code changes must have tests
• Code Coverage is key to understand the impact of those changes
• Devs, QA and Security teams should be communicating using tests
130. 2) Threat Models
• Are ‘technical briefs’ (i.e. better briefs)
• Should be the ‘source of truth’ in an organisation about their apps and code
• Should be done for:
• Applications
• Components
• Features
132. 3) Docker and Containers
• Provide repeatable and destroyable QA environments
• Enable DevOps
• Next paradigm of Secure Applications
• Dramatically improve the quality and resilience of Tests
133. 4) SAST/DAST/IAST/WAF
• SAST - Static Application Security Testing
• DAST - Dynamic Application Security Testing
• IAST - Interactive Application Security Testing
• WAF - Web Application Firewall
134. 5) Test Automation
• Tests must run automatically on all commits of all branches
• AppSec tests must be used to ‘identify changes to attack surface’
• Empower two CI pipelines
• Super fast - push to production
• Pause - needs review
137. 7) Kanban for Quality Fixes
• SCRUM tends to be more of a Religion than Agile
• Kanban WIP (Work in Progress) is key for Application Security Fixes
138. 8) Web Services Visualisation
139. 9) ELK
• Elasticsearch + Logstash + Kibana
• Use it everywhere and everybody customises it
• Also for developers (not just Ops)
140. Just to say it again ….
These tools/techniques are designed to
A) Improve code Quality
B) Make AppSec possible
145. “I like my code to be elegant and efficient”
Bjarne Stroustrup, inventor of C++
“Clean code is simple and direct. Clean code reads like well-designed prose”
Grady Booch, author
“Clean code can be read, and enhanced by a developer other than its original author”
“Big” Dave Thomas, founder of OTI
“Clean code always looks like it was written by someone who cares”
Michael Feathers, author
“You know you are working on clean code when each routine you read turns out to be pretty much what you expected”
Ward Cunningham, inventor of Wiki
146. a big problem with the previous comments and the
Software Craftsmanship concept is
‘How to define Quality?’
148. My thesis is that
Application Security can be used to
define and measure Software Quality
149. Not all Software Quality issues are
Application Security issues
But all Application Security issues are
Software Quality issues
Sherif Mansour, Expedia
150. Application Security is all about the non-functional requirements of software*
* software = apps, websites, web services, APIs, tools, build scripts = code
151. Application Security is all about understanding HOW the software works*
* vs how software behaves
155. Technical Debt is a Bad Analogy
• The developers are the ones who pay the debt
• Pollution is a much better analogy
• The key is to make the business accept the risk (i.e. the debt)
• Which is done using the JIRA RISK Workflows
165. Full Workflow (from Dev point of view)
1. Vulnerability/issue is found (RISK ticket opened)
2. Dev understands the issue, writes a test that replicates the issue, opens a ticket in his project’s JIRA and tries to figure out the best way to fix it
3. Dev asks the AppSec team for guidance
4. AppSec team points to WIKI page (existing or newly created)
5. Dev uses guidance to fix it (and updates the test so that it is now a regression test)
6. Commit(s) are made, RISK ticket is updated with link to commit(s)
7. Dev asks AppSec to review fix
8. AppSec reviews fix, and if all looks ok, closes the RISK ticket
166. Mapping to InfoSec Risks
Labels for reporting and filters
167. Mapping JIRA Tickets to Tests
169. Weekly Emails with Risk Status
170. Key Concepts of this Workflow
• All tests should pass all the time
• Tests that check/confirm vulnerabilities should also pass
• The key to make this work is to: make business owners understand the risks of their decisions (and click on the ‘accept risk’ button)
171. You have to make sure that it is your
boss that gets fired
172. … he/she should make sure that it is his/her boss that gets fired …
173. … all the way to the CTO
(i.e. Board level responsibility)
178. As a developer you need to have pressure from
management to deliver code that is:
Solid
Secure
Testable
Provable
Readable
Maintainable
Basically, deliver Quality Code
179. 99% Code Coverage
…is not the destination
…it is ‘base camp’
181. Without 99% code coverage you have not solved really hard problems in the testability of your code
182. Important note:
If 99% code coverage is just a ‘management requirement’
… and is being gamed by devs
… and you have LOTS of stupid ‘Unit tests’
i.e. 99 x 1% code coverage or 999 x 0.1% code coverage
210. How insecure is your code?
How many risks/vulnerabilities are
you aware of?
And have Accepted?
211. How long does it take you to
Fix Security/Quality
issues?
212. External Signs of Lack of Focus & Lack of AppSec Power
• Not 100% SSL (with HSTS and Secure Cookies)
• No consolidation of JavaScript files, which implies no CI (Continuous Integration)
• Cookie Salad (caused by lack of State Service in back end)
• Easy DoS by normal business activities
• “We’re hiring for AppSec” job posts
• Easy-to-find vulnerabilities (low-hanging fruit)
• No public bug bounty
213. Does Your Company/Team Have:
• AppSec team/person
• Security Champion
• Secure coding standards
• Threat Models
• OWASP contributors
• Secure code reviews
214. If your answer was not YES to all of them...
then
Your Application WILL have a high
number of Security Vulnerabilities
215. And you need to invest in Application
Security
Which if done correctly will improve the
Quality of your code
216. Managers and Business Owners
217. Senior Management Oversight
• ‘Security Memo’ (from God)
• Incident response plans
• Emergency response exercises (can you detect them?)
• Cyber Insurance
• Enterprise Cyber Risk management
• Which C-level executive will get fired?
218. 6 Month AppSec Investment
What                      | Description                               | Cost
Head of AppSec            | 1 x person                                | £100K
Senior Developers         | 2 x persons                               | £120K
AppSec Ops                | 2 x persons                               | £80K
External Security Company | 100 x days                                | £100K
Security Tools            | Static, Dynamic, Interactive Scanners     | £100K
Dev AppSec Tools          | CI, Collaboration, Cloud, IDE plugins     | £50K
Education                 | Training, Conferences, Bug Bounties       | £50K
Total                     |                                           | £600K
221. Great Presentation on SecDevOps
https://www.youtube.com/watch?v=jQblKuMuS0Y
222. OpenSAMM (Software Assurance Maturity Model)
https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model
223. BSIMM (Building Security In Maturity Model)
224. Security Development Lifecycle
https://www.microsoft.com/en-us/sdl/process/design.aspx
225. Tips for Building a Modern Security Engineering Organisation
https://georgianpartners.com/tips-for-building-a-modern-security-engineering-organization
226. How to Build Secure Web Application
http://blog.knoldus.com/2016/02/03/how-to-build-secure-web-application/
228. Deploy, Deploy, Deploy
• Push to production and refactor without fear
• Be like GitHub and use CI/CD to deploy 175 times in one day and 12,602 times in one year
https://github.com/blog/1241-deploying-at-github