Threat Modelling in DevSecOps Cultures
Die SlideShare-Präsentation wird heruntergeladen.
×
Hier ansehen
Empfohlen
Weitere Verwandte Inhalte
Diashows für Sie (20)
Ähnlich wie DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web Applications (20)
Weitere von DevSecCon (20)
Aktuellste (20)
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web Applications
- 1. Singapore | 28 Feb - 01 Mar 2019 Four years of reflection: How (not) to secure Web Applications @JulianBerton
- 2. @JulianBerton julianberton.com
- 3. DevSecQAFinOps
- 4. In the last 6 months who has felt like this?
- 5. ~150 tools, languages, platforms and frameworks
- 6. Developer in 2014
- 7. Developer in 2019
- 8. Dear Developers, 2019 called and said security is everyone's job… Soooooo here is a report with 2000 unvalidated issues for you to fix. Kthxbye
- 9. 58% Believe security is an inhibitor to DevOps agility.
- 10. No. of security controls No. of data breaches Source: My brain
- 11. Make security controls easy to adopt…
- 12. Developer Happiness™ ● Easy to adopt controls ● Clear actionable information ● Works with dev flow ● Low disruption ● Real prioritised risks
- 13. A journey back in time to the year 2014…
- 14. 2002
- 15. 2014
- 16. 2014 20195 years... ● < 70 developers ● 1 office building ● Simple software stack ● 1 physical data centre ● ~4 monolith applications ● < 100 git repositories ● ~10 deploy per day ● > 400 developers ● 18 countries ● Complex software stack ● 150+ AWS Cloud accounts ● 100’s of microservices ● > 2000 git repositories ● > 100 deploys per day
- 17. Shift Left Right?
- 18. Less than a day later...
- 19. 6 months later...
- 20. Qualys SSL Report - www.seek.com.au (Feb 2019)
- 21. Little bit too far right... What about from random internet people instead!?
- 22. www.openbugbounty.org
- 23. seek.com.au/jobs/searchFrom=Australia'-alert(document.cookie);
- 24. Attackers exploit SEEK via XSS vulnerability. SEEK
- 25. Hi Dimtry, If you find vulnerabilities in the future, please disclosure them to us via security@seek.com.au Unfortunately as you publicly disclosed the issues we cannot offer you any reward as per our policy. SEEK Security Team
- 26. Vulnerability Reported XSS March 2016 HTML Injection March 2016 XSS April 2016 XSS April 2016 XSS May 2016 XSS July 2016
- 27. Hi Dimtry, Thank you for reporting these issues. As a result we would like to offer you $550 USD. Could you please send us your Paypal details? SEEK Security Team
- 28. Hello, Email of my PayPal account is dmitry.ivasf128@gmail.com Thanks d1n0ck 10 minutes later...
- 29. SEEK’s Vulnerability Disclosure Policy... https://www.seek.com.au/reporting-security-vulnerabilities/
- 30. https://bugcrowd.com/seek
- 31. Total $115,000 (USD) Average $845 Highest $10,000 Bug Bounty Program Metrics (2016 to 2019)
- 32. https://medium.com/@berton.julian
- 33. Just-In-Time Security Education...
- 34. Of technology teams see security pros in the role of “nag” 54%
- 35. https://medium.com/@berton.julian
- 36. JIT Security Education ● Clear guidance around the “why” ● Relevant information only ● Getting help?
- 37. Ad Hoc Training Full Day Course Security Champion Program Tech Induction
- 38. https://medium.com/@berton.julian
- 39. #bug-bounty-alerts (69 people)
- 40. ● Description of the issue ● Impact to SEEK ● Likelihood of attack ● Proof of concept ● Metrics and ownership tags
- 41. #production-issues (414 people) Defense in Depth!! Not for shaming teams
- 42. Post Incident Review (PIR)
- 43. Scalable, alignment of technical patterns and standards… Via Request For Comments (RFC)
- 44. 2014 20195 years... ● < 70 developers ● 1 office building ● Simple software stack ● 1 physical data centre ● ~4 monolith applications ● < 100 git repositories ● ~10 deploy per day ● > 300 developers ● 18 countries ● Complex software stack ● 150+ AWS Cloud accounts ● 100’s of microservices ● > 2000 git repositories ● > 100 deploy per day
- 45. engineering.riotgames.com/news/evolution-security-riot
- 46. ● RFC process is used for internet standards (OAuth, TLS). ● Not an approval process.
- 47. 18 approvers
- 48. #github-alerts
- 49. Open the gate for Secure-by-Default
- 50. High performing teams spend less time fixing security issues. 50%
- 51. Buildkite @ SEEK
- 52. Our current build system….
- 53. Secure-by-Default ● Comes out of the box ● Will not inhibit “innovation” ● Support when things don’t work
- 54. ● Secure Secret Storage ● Key Rotation ● Local Build Agents ● SSO SAML Support ● Audit Logging ● Zero Vendor Trust ● Build Reporting ● Event Notifications ● Codified Build Pipelines ● Native Docker Builds ● Low Latency Build Start RFC014 - CICD Tool Requirements
- 55. github.com/seek-oss/snyk-buildkite-plugin github.com/seek-oss/aws-sm-buildkite-plugin Pipeline.yml
- 56. Scan PR’s for issues
- 57. Fixable Ignore
- 58. A macro view of your software maturity
- 59. 116 Activities 4 Domains 12 Practices
- 60. Example Activities ● Educate executives on security. ● Use centralized reporting. ● Track bugs through the fix process. ● Operate a bug bounty program. ● Include security awareness.
- 61. Activity Firms (120) Black-box security tools into QA processes. 25% Use automated & manual code review tools. 63% Identify gate locations and gather artifacts. 84% Provide awareness training. 88%
- 62. Activities Completed Firms
- 63. Activity Change (%) 2% Overall Positive Change
- 64. https://medium.com/@berton.julian
- 65. Singapore | 28 Feb - 01 Mar 2019 Questions? Twitter: @JulianBerton
