How trends in IT force Security to behave as an Immune System
RED TEAM, BLUE TEAM OR WHITE CELLS?
This work is licensed under a Creative Commons
Attribution-ShareAlike 4.0 International License.
Image: Yersinia pestis (bubonic plague) a CC NC ND image by Philip Moyer -
https://www.flickr.com/photos/59039691@N00/2539168777/
Frank Breedijk
• Security Officer at Schuberg Philis
• (Official) Security dude since 2000
• Author of Seccubus
Coordinates:
• https://www.linkedin.com/in/seccubus
• @Seccubus on Twitter
• fbreedijk@schubergphilis.com
WHO AM I?
Barriers – First line of defense
• Skin
• Stomach acid
• Acidic oil on skin
Sort of our firewalls, IPS, Anti-virus
IMMUNE SYSTEM 101 – NONSPECIFIC
Image: boom barrier a CC NC SA image by miez!
https://www.flickr.com/photos/41449558@N06/6941463985/
Hard shell, soft center…
OLD STYLE SECURITY APPROACH
Image: Egg with glowing eyes a CC NC SA image by Keith Marshall
https://www.flickr.com/photos/69877992@N00/304559359/
THE EGG HAS HATCHED…
SaaS
PaaS
The ugly truth has been revealed
We still suck at making good eggshells…
THE EGG HAS HATCHED
Image: P1010649 a CC SA image by Rick Kimpel
https://www.flickr.com/photos/18606128@N00/201198827/ Image: @akaasjager’s top by Frank Breedijk
No matter how well you secure an infrastructure, there is always somebody who can break into it.
JOIN THE RED TEAM, WE HAVE COOKIES…
Image:
http://devopsreactions.tumblr.com/post/4916808
Humans are not wrapped in bubble wrap
(mostly)
Humans ingest parts of their environment
Humans interact in funny ways
While we do get sick, we don’t die often…
THE IMMUNE SYSTEM IS AWESOME!
Image: Bubble mummy a CC NC SA image by Katie Laird
https://www.flickr.com/photos/48889057845@N01/8583055777/
Not just barriers
Inflammation
• Getting materials where they need to be
• Making life a bit harder for the attacker
Phagocytes
• Know what a bacterium/virus looks like
• Eat it
Comparable to incident response…
IMMUNE SYSTEM 101 – NONSPECIFIC
Video source: https://www.youtube.com/watch?v=aWItglvTiLc
Mist, schon Vormittags Brand! a CC NC SA image by André
https://www.flickr.com/photos/30982194@N05/3700447633/
When a white cell eats an antigen it presents the antigen’s receptor on its outside
The immune system (the T and B lymphocytes) creates antibodies and effector T-cells
Antibodies fit the antigen receptors and kill antigens
Effector T-cells kill infected body cells
Antibodies make you immune
IMMUNE SYSTEM 102 – SPECIFIC / ADAPTIVE
Preferably before they can do harm
ANTIBODIES KILL ANTIGENS
A CC NC SA image by Alex
https://www.flickr.com/photos/95222260@N00/5190067591/
The body has several feedback loops like this
Fast
• Pain, bad taste
• ‘Must not continue’
• ‘Must not do that again’
Moderate
• Generation of antibodies
Slow
• Evolutionary
• ‘Survival isn’t mandatory’
FEEDBACK LOOPS
Image: Lightning Loop a CC image by Dakota Ray
https://www.flickr.com/photos/54782241@N05/5855339649/
Sometimes the body cannot create enough anti-bodies
Sometimes it cannot do it fast enough
A treatment with anti-biotics will help
Anti-biotics just kill any bacteria
Good bacteria suffer as well
ANTI-BIOTICS
Image: Radioactive Injection a CC NC SA image by Taran Rampersad
https://www.flickr.com/photos/35468158048@N01/2102121338/
Firewalls
• What is not exposed cannot be attacked
Web Application Firewall
• OWASP Common Rule Set
Intrusion Prevention Systems
Minimize your exposure
Keep out people that are clearly up to no good
INFOSEC IMMUNITY
NONSPECIFIC IMMUNITY - BARRIERS
Source: http://devopsreactions.tumblr.com/post/46061575774/surviving-a-ddos-attack
Current feedback loops are too slow
• Developer writes/tests code on own laptop
• Developer checks in code
• Code gets picked up by build system
• Is (maybe) unit tested
• Is manually tested for functionality
• Many changes are accumulated in a release
• Release is deployed in acceptance
• Pentest is conducted on acceptance
• Issues are discovered
The shorter the feedback loop, the greater the learning effect
INFOSEC IMMUNITY
FAST FEEDBACK LOOP
Source: http://www.gifbay.com/gif/description-141598
Integrate security tools into your build street
Plenty of code quality tools out there:
• Commercial: HP, IBM, Veracode, WhiteHat Security, Qualys, Checkmarx, Trustwave, Appthority, Contrast Security, Pradco, Acunetix, N-Stalker, Virtual Forge, Trend Micro, Burp Suite
• Open Source: Skipfish, Nikto, ZAP, Seccubus, Gauntlt
Include checking for vulnerable sub-components
INFOSEC IMMUNITY
FASTER FEEDBACK LOOPS
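The slide asks for vulnerable sub-component checks to run inside the build street. The script below is an added example (not from the deck or from Seccubus) of such a gate: it parses a pinned lockfile, compares each pin against an advisory list of vulnerable version ranges, and returns a non-zero exit status so the build system fails the build. The lockfile, the advisory entries and their ids are constructed placeholders; a real gate would load advisories from a feed.

```python
"""Build-street dependency gate: fail the build when a pinned dependency
falls inside a known-vulnerable version range.  Added example, not from the
slides; the lockfile and the advisory list are constructed for illustration."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Constructed sample: a requirements.txt-style lockfile as the build system
# sees it after checkout.
LOCKFILE = """\
requests==2.5.1
flask==0.10.1
# comments and blank lines are ignored
pyyaml==3.13
"""

# Constructed advisory list: (package, first vulnerable, first fixed, id).
# The ids are placeholders; a real gate would load these from an advisory feed.
ADVISORIES = [
    ("requests", (2, 3, 0), (2, 6, 0), "ADVISORY-PLACEHOLDER-1"),
    ("pyyaml", (0, 0, 0), (4, 1, 0), "ADVISORY-PLACEHOLDER-2"),
    ("flask", (0, 12, 0), (0, 12, 3), "ADVISORY-PLACEHOLDER-3"),
]


def parse_version(text: str) -> Version:
    """'2.5.1' -> (2, 5, 1); anything non-numeric is dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def fmt(v: Version) -> str:
    return ".".join(map(str, v))


def parse_lockfile(text: str) -> Dict[str, Version]:
    """Read 'name==version' pins; comments and blank lines are skipped and an
    unpinned line fails loudly, because an unpinned build cannot be checked."""
    pins: Dict[str, Version] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, ver = line.partition("==")
        if not sep:
            raise ValueError(f"unpinned dependency: {line!r}")
        pins[name.strip().lower()] = parse_version(ver)
    return pins


def find_vulnerable(pins: Dict[str, Version]) -> List[str]:
    """One finding per pinned package whose version lies in
    [first_vulnerable, first_fixed)."""
    findings = []
    for pkg, first_vuln, first_fixed, advisory in ADVISORIES:
        if pkg in pins and first_vuln <= pins[pkg] < first_fixed:
            findings.append(
                f"{pkg}=={fmt(pins[pkg])}: {advisory} (fixed in {fmt(first_fixed)})"
            )
    return findings


def build_gate(lockfile_text: str) -> int:
    """Exit status for the build step: 0 passes, 1 fails the build."""
    findings = find_vulnerable(parse_lockfile(lockfile_text))
    for finding in findings:
        print("VULNERABLE:", finding)
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(build_gate(LOCKFILE))
```

Wire it in as one build step right after checkout, before the unit tests run; the point of the slide is that the developer sees the failure minutes after the commit rather than at the pentest on acceptance.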
Train developers
• Good patterns prevent injuries
• Teaches developers to spot potential security issues early
Do (peer) code review
• Don’t commit directly, use pull requests
Include security in your scrum
• Standups
• Sprint planning
• Backlog grooming
• Acceptance by product owner
INFOSEC IMMUNITY
LEARN FROM OTHERS
Source: http://devopsreactions.tumblr.com/post/48511362536/i-dont-need-to-test-that-what-can-possibly-go-wrong
Having Security review all changes simply doesn’t scale
PEER REVIEW IS KEY
Source: http://securityreactions.tumblr.com/post/67562914945/java-source-code-review
Learn from the failures of others
• Including ‘Darwin Award winners’
Learn from good examples
• Share your successes
INFOSEC IMMUNITY
FAST FEEDBACK LOOP
Source: http://testerreactions.tumblr.com/post/50489315537/new-implementation-first-verification
Heartbleed affected 2/3 of all SSL servers
A small mistake implementing a ping
“We can’t even add Ping, how the heck are we going to fix everything else?” – Dan Kaminsky
Vulnerability introduced in code in December 2011
Vulnerability in production code since March 2012
Publicly known in August 2014
INFOSEC IMMUNITY
NONSPECIFIC IMMUNITY – INFLAMMATION
Finding and fixing incidents
But also presenting these incidents to the feedback loops
INFOSEC IMMUNITY
NONSPECIFIC IMMUNITY - PHAGOCYTES
Source: http://securityreactions.tumblr.com/post/59198452899/crypto-implementation-in-whistle-im
Feed back security findings
Feed back as WAF signatures
• Anti-bodies / Band-aid
Feed back as Unit Tests
• Anti-bodies
• Shortens feedback loop to developers
Feed back all lessons learned
• Learn from those that have had (major) incidents
INFOSEC IMMUNITY
FASTER FEEDBACK LOOPS
Image: TV Vortex a CC image by Alexis O’Connor
https://www.flickr.com/photos/10088577@N00/707845930/
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Volex – Possible CVE-2014-6271 bash Vulnerability Requested (header) "; flow:established,to_server; content:"() {"; http_header; threshold:type limit, track by_src, count 1, seconds 120; sid:2014092401;)
Of course it is not a permanent solution
But it makes life a little bit harder for the attacker
It buys you some time to come up with a fix
WAF SIGNATURES FOR VULNERABILITIES
Bleeding Kitty a CC image by Daniel Lobo
https://www.flickr.com/photos/62518311@N00/13900006125/
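To show what the rule on the slide actually does, here is an added example (not from the deck) that applies the same two ideas in plain Python: the literal content match `() {` against HTTP headers, and the per-source `threshold:type limit, count 1, seconds 120` that caps alerting at one alert per source per 120-second window. The sample requests are constructed; the signature is as literal as the rule, so a variant with different spacing is not matched, which is exactly why the slide calls this a band-aid rather than a fix.

```python
"""Host-side equivalent of the WAF/IDS rule on the slide: flag HTTP requests
whose headers carry the '() {' token and, like the rule's
'threshold:type limit, track by_src, count 1, seconds 120', emit at most one
alert per source address per 120-second window.  Added example, not from the
slides; the sample requests are constructed."""
from typing import Dict, List, Optional, Tuple

PATTERN = "() {"      # the content match from the rule, applied to headers only
LIMIT_COUNT = 1       # threshold: count
LIMIT_SECONDS = 120   # threshold: seconds


class HeaderSignature:
    def __init__(self, pattern: str = PATTERN, count: int = LIMIT_COUNT,
                 seconds: int = LIMIT_SECONDS) -> None:
        self.pattern = pattern
        self.count = count
        self.seconds = seconds
        # track by_src: per source, (window start, alerts already emitted)
        self._windows: Dict[str, Tuple[float, int]] = {}

    def matches(self, headers: Dict[str, str]) -> bool:
        """True when any header name or value contains the literal token.
        Like the rule, this is a literal match: '()  {' with two spaces is missed."""
        return any(self.pattern in k or self.pattern in v for k, v in headers.items())

    def check(self, src: str, ts: float, headers: Dict[str, str]) -> Optional[str]:
        """Return an alert line, or None when there is no match or the
        per-source limit for the current window has been reached."""
        if not self.matches(headers):
            return None
        start, emitted = self._windows.get(src, (ts, 0))
        if ts - start >= self.seconds:      # window expired: start a new one
            start, emitted = ts, 0
        if emitted >= self.count:           # type limit: suppress further alerts
            self._windows[src] = (start, emitted)
            return None
        self._windows[src] = (start, emitted + 1)
        return f"{ts:.0f} {src} possible CVE-2014-6271 probe in HTTP header"


# Constructed sample traffic: (source address, timestamp in seconds, headers).
SAMPLE_REQUESTS = [
    ("198.51.100.7", 0.0, {"User-Agent": "() { :; }; echo test", "Host": "www.example"}),
    ("198.51.100.7", 30.0, {"User-Agent": "() { :; }; echo test"}),   # same source, same window
    ("203.0.113.9", 45.0, {"User-Agent": "Mozilla/5.0"}),             # benign
    ("198.51.100.7", 200.0, {"Referer": "() { :; }; echo test"}),      # new window
]


def run(requests=SAMPLE_REQUESTS) -> List[str]:
    """Replay the sample traffic through one signature instance."""
    sig = HeaderSignature()
    alerts = []
    for src, ts, headers in requests:
        alert = sig.check(src, ts, headers)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in run():
        print(line)
```

Replaying the four constructed requests yields two alerts: the first probe from 198.51.100.7 and the one at 200 seconds, after the window has expired; the probe at 30 seconds is suppressed by the limit and the benign request never matches.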
If a security issue has been discovered
Or, if you are building a sensitive function
Make sure you write a security unit test
EXAMPLE 1
FEED BACK SECURITY UNIT TESTS
If a security issue has been discovered
Or, if you are building a sensitive function
Make sure you write a security unit test
EXAMPLE 2
FEED BACK SECURITY UNIT TESTS
# Excerpt from the slide: a Django/tastypie API RBAC test.
# ResourceTestCaseWithHelpers, models.Candidate and TeamGroupPermission are
# project-specific and not shown on the slide; settings is Django's settings
# object (from django.conf import settings). The excerpt ends at the
# read-write case; the rest of the test is not on the slide.
from django.conf import settings

class ApiRbacTest(ResourceTestCaseWithHelpers):
    fixtures = (
        'auth_user',
        'team',
    )

    def test_candidate_resource(self):
        bundle = self.create_bundle_for_resource_test(models.Candidate)

        def test_list_endpoints(url):
            # As an anonymous user: every method must be refused.
            TeamGroupPermission.objects.all().delete()
            self.logout()

            self.assertHttpUnauthorized(self.api_client.get(url))
            self.assertHttpUnauthorized(self.api_client.put(url))
            self.assertHttpUnauthorized(self.api_client.post(url))
            self.assertHttpUnauthorized(self.api_client.patch(url, data=bundle.data_list))
            self.assertHttpUnauthorized(self.api_client.delete(url))

            # As a user with read-only permissions: GET works, every write is refused.
            self.add_permission_for_user('admin', 'comp_sbp', settings.PERMISSIONS.SHOW_ATS)
            self.logout()
            self.login('admin', 'admin')

            self.assertHttpOK(self.api_client.get(url))
            self.assertHttpUnauthorized(self.api_client.put(url, data=bundle.data_list))
            self.assertHttpUnauthorized(self.api_client.post(url, data=bundle.data_detail))
            self.assertHttpUnauthorized(self.api_client.patch(url, data=bundle.data_list))
            self.assertHttpUnauthorized(self.api_client.delete(url))

            # As a user with read-write permissions.
            self.add_permission_for_user('admin', 'comp_sbp', settings.PERMISSIONS.EDIT_ATS)
            # (slide excerpt ends here)
If a security issue has been discovered
Or, if you are building a sensitive function
Make sure you write a security unit test
EXAMPLE 3
FEED BACK SECURITY UNIT TESTS
The negative space is just as interesting
DON’T JUST TEST THE HAPPY FLOW
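The RBAC test on the previous slide is the pattern the deck recommends, but it depends on the project's own base classes. The following is an added example (not from the deck) of the same "negative space" idea written against a minimal in-memory authorization check so it runs stand-alone: every role is exercised against every method, and the rows that must be refused are asserted as carefully as the ones that must succeed. The permission model, roles and status codes (401 for anonymous, 403 for an authenticated user without the right, 405 for a method the API does not know) are constructed for the example.

```python
"""Table-driven security unit test of the kind shown on the previous slide,
written against a minimal in-memory RBAC check so it runs stand-alone.  Added
example, not from the slides; roles, permissions and status codes are
constructed, not the project's."""
import io
import unittest
from typing import Dict, FrozenSet, Optional

# Constructed permission model: which permissions satisfy each HTTP method.
SHOW = "show"
EDIT = "edit"
METHOD_NEEDS = {
    "GET": {SHOW, EDIT},
    "PUT": {EDIT}, "POST": {EDIT}, "PATCH": {EDIT}, "DELETE": {EDIT},
}


def authorize(user: Optional[str], grants: Dict[str, FrozenSet[str]], method: str) -> int:
    """HTTP status the API would answer: 200 allowed, 401 anonymous,
    403 authenticated but not permitted, 405 unknown method (never 200)."""
    if method not in METHOD_NEEDS:
        return 405
    if user is None:
        return 401
    if grants.get(user, frozenset()) & METHOD_NEEDS[method]:
        return 200
    return 403


class NegativeSpaceRbacTest(unittest.TestCase):
    """Every (role, method) cell gets a row, including the cells that must fail."""
    METHODS = ("GET", "PUT", "POST", "PATCH", "DELETE")

    def test_anonymous_is_rejected_everywhere(self):
        for m in self.METHODS:
            with self.subTest(method=m):
                self.assertEqual(authorize(None, {}, m), 401)

    def test_read_only_can_only_read(self):
        grants = {"alice": frozenset({SHOW})}
        self.assertEqual(authorize("alice", grants, "GET"), 200)
        for m in self.METHODS[1:]:          # the negative space: all writes refused
            with self.subTest(method=m):
                self.assertEqual(authorize("alice", grants, m), 403)

    def test_read_write_can_do_all(self):
        grants = {"bob": frozenset({EDIT})}
        for m in self.METHODS:
            with self.subTest(method=m):
                self.assertEqual(authorize("bob", grants, m), 200)

    def test_revoked_user_loses_access(self):
        # Removing a permission must actually close the door again.
        self.assertEqual(authorize("alice", {}, "GET"), 403)

    def test_unknown_method_is_not_silently_allowed(self):
        self.assertEqual(authorize("bob", {"bob": frozenset({EDIT})}, "TRACE"), 405)


def run_suite() -> bool:
    """Run the test case quietly and report whether every row passed."""
    suite = unittest.defaultTestLoader.loadTestsFromTestCase(NegativeSpaceRbacTest)
    return unittest.TextTestRunner(stream=io.StringIO()).run(suite).wasSuccessful()


if __name__ == "__main__":
    unittest.main()
```

When a security issue is found, the fix lands together with one more row in a table like this, so the next regression fails the build instead of waiting for the next pentest.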
Sometimes you just have to say NO.
INFOSEC IMMUNITY
ANTI-BIOTICS
So parts of your code really need to be protected
CROWN JEWELS
Crown of King Christian IV a CC NC ND image by Ville Misaki
https://www.flickr.com/photos/75595126@N00/7432041286/
INFOSEC IMMUNITY
SIGNATURES ON CRITICAL CODE
• New/changed code is checked in
• Critical code does NOT match signature
• Build fails
• Security team reviews critical code and signs it
• Build ok!
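The flow on the slide, as an added example (not from the deck): the security team signs a manifest of SHA-256 digests of the files it has declared critical; the build recomputes those digests from the checked-in tree and fails when any critical file differs from what was signed, while changes to non-critical files pass untouched. HMAC-SHA256 under a key held by the security team is used here as a stand-in for whatever signing scheme a team actually adopts, and the file paths, contents and key are constructed placeholders.

```python
"""Build gate for the 'signatures on critical code' flow on the slide: the
security team signs a manifest of SHA-256 digests of the critical files; the
build recomputes the digests of the checked-in tree and fails when a critical
file no longer matches the signed manifest.  Added example, not from the
slides; HMAC-SHA256 under a key held by the security team stands in for
whatever signing scheme a team actually uses, and the source tree is
constructed in memory."""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Placeholder key; in practice this lives with the security team, not in CI.
SECURITY_TEAM_KEY = b"placeholder-security-team-key"

# The paths the security team has declared critical (constructed).
CRITICAL_FILES = ["auth/login.py", "auth/password_reset.py"]


def manifest_for(tree: Dict[str, bytes]) -> Dict[str, str]:
    """SHA-256 hex digest per critical file; a missing file is recorded as
    such, so deleting a critical file also fails the gate."""
    return {p: hashlib.sha256(tree[p]).hexdigest() if p in tree else "MISSING"
            for p in CRITICAL_FILES}


def sign_manifest(manifest: Dict[str, str], key: bytes = SECURITY_TEAM_KEY) -> str:
    """Sign the canonical JSON form so key order cannot alter the signature."""
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_critical_code(tree: Dict[str, bytes], manifest: Dict[str, str],
                         signature: str, key: bytes = SECURITY_TEAM_KEY) -> Tuple[bool, List[str]]:
    """Return (build_ok, reasons).  The signature is checked first, so a
    manifest edited to match tampered code is rejected outright."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False, ["manifest signature invalid: critical code not signed by security"]
    current = manifest_for(tree)
    reasons = [f"{path} changed since it was last signed"
               for path in CRITICAL_FILES if current[path] != manifest.get(path)]
    return not reasons, reasons


# Constructed tree at the moment the security team reviewed and signed it.
SIGNED_TREE = {
    "auth/login.py": b"def login(user, password):\n    ...\n",
    "auth/password_reset.py": b"def reset(token):\n    ...\n",
    "ui/banner.py": b"BANNER = 'hello'\n",          # not critical
}
SIGNED_MANIFEST = manifest_for(SIGNED_TREE)
SIGNATURE = sign_manifest(SIGNED_MANIFEST)


def demo() -> Dict[str, bool]:
    """Outcome of the gate for four kinds of check-in."""
    ui_change = {**SIGNED_TREE, "ui/banner.py": b"BANNER = 'bye'\n"}
    critical_change = {**SIGNED_TREE,
                       "auth/login.py": b"def login(user, password):\n    return True\n"}
    resigned = manifest_for(critical_change)
    return {
        # non-critical edit: passes against the old signed manifest
        "noncritical_change": verify_critical_code(ui_change, SIGNED_MANIFEST, SIGNATURE)[0],
        # critical edit, old manifest: build fails
        "critical_change": verify_critical_code(critical_change, SIGNED_MANIFEST, SIGNATURE)[0],
        # critical edit with a manifest updated by the developer but the old signature: fails
        "forged_manifest": verify_critical_code(critical_change, resigned, SIGNATURE)[0],
        # same edit after security reviewed and re-signed: build ok
        "resigned_by_security": verify_critical_code(critical_change, resigned, sign_manifest(resigned))[0],
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'build ok' if ok else 'build fails'}")
```

The manifest and its signature are committed alongside the code; only the security team holds the key, so the only way to turn a red build green after touching a critical file is the review-and-sign step the slide describes.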
Life (in Infosec) is full of little surprises
Attacks only get better, they never get worse
DON’T EXPECT TO BE PERFECT
Source: http://imgur.com/c9pCa18
The days of the InfoSec island/castle have ended
If you didn’t realize this, don’t worry:
“Survival isn’t mandatory”
Security needs to align with the tools used by developers
Acting as an immune system means
• Help stop blatantly offensive elements
• Provide early feedback
• Clean up infections
• Help build resistance against new vulnerabilities
• Provide a shot of anti-biotics if needed
SUMMARY
Image: Fortress Lérins a CC SA image by Mark Fischer
https://www.flickr.com/photos/80854685@N08/8730781472/
SECURITY IS PART OF
ALL THE WAYS OF DEVOPS
System thinking
• Code not in production isn’t code
• Code that isn’t secure isn’t code
Stop treating security as a silo…
Image: 2010 a CC NC ND image by Annais Ferreira,
http://www.flickr.com/photos/79083322@N00/4453826217/
ALLOW SECURITY TO PROVIDE
A STRONG FEEDBACK SIGNAL
The shorter the feedback loops are, the better the learning effect
• Automated security testing
• Unit tests for security
• Signed code
• Allow security to pull the Andon cord
• Have Nagios tests for security?
ALLOW FOR EXPERIMENTATION???
DevOps is THE chance for security to finally get it right
Image: Rainbolt a CC NC ND image by Brian Auer,
http://www.flickr.com/photos/29814800@N00/1480408255/
Doctor Jack
• Registered EDP auditor
• Licensed MD
• Good friend
• ‘Dirty mind is a joy forever…’
THANK YOU…
Frank Breedijk
• Security Officer at Schuberg Philis
• (Official) Security dude since 2000
• Author of Seccubus
Coordinates:
• https://www.linkedin.com/in/seccubus
• @Seccubus on Twitter
• fbreedijk@schubergphilis.com
WHO AM I?

How IT Security Can Behave Like an Immune System

  • 1. How trends in IT force Security to behave as an Immune System RED TEAM, BLUE TEAM OR WHITE CELLS? This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. Image: Yersinia pestis (bubonic plague) a CC NC ND image by Philip Moyer - https://www.flickr.com/photos/59039691@N00/2539168777/
  • 2. Frank Breedijk • Security Officer at Schuberg Philis • (Official) Security dude since 2000 • Author of Seccubus Coordinates: • https://www.linkedin.com/in/seccubus • @Seccubus on Twitter • fbreedijk@schubergphilis.com WHO AM I?
  • 3. Barriers – First line of defense • Skin • Stomach acid • Acidic oil on skin Sort of our firewalls, IPS, Anti-virus IMMUNE SYSTEM 101 – NONSPECIFIC Image: boom barrier a CC NC SA image by miez! https://www.flickr.com/photos/41449558@N06/6941463985/
  • 4. Hard shell, soft center… OLD STYLE SECURITY APPROACH Image: Egg with glowing eyes a CC NC SA image by Keith Marshall https://www.flickr.com/photos/69877992@N00/304559359/
  • 5. THE EGG HAS HATCHED… SaaS PaaS
  • 6. The ugly truth has been revealed We still suck at making good eggshells… THE EGG HAS HATCHED Image: P1010649 a CC SA image by Rick Kimpel https://www.flickr.com/photos/18606128@N00/201198827/ Image: @akaasjager’s top by Frank Breedijk
  • 7. No matter how well you secure an infrastructure, there is always somebody who can break into it. JOIN THE RED TEAM, WE HAVE COOKIES… Image: http://devopsreactions.tumblr.com/post/4916808
  • 8. Humans are not wrapped in bubble wrap (mostly) Humans ingest parts of their environment Humans interact in funny ways While we do get sick, we don’t die often… THE IMMUNE SYSTEM IS AWESOME! Image: Bubble mummy a CC NC SA image by Katie Laird https://www.flickr.com/photos/48889057845@N01/8583055777/
  • 9. Not just barriers Inflammation • Getting materials where they need to be • Making life a bit harder for the attacker Phagocytes • Know what a bacterium/virus looks like • Eat it Comparable to incident response… IMMUNE SYSTEM 101 – NONSPECIFIC Video source: https://www.youtube.com/watch?v=aWItglvTiLc Image: Mist, schon Vormittags Brand! a CC NC SA image by André https://www.flickr.com/photos/30982194@N05/3700447633/
  • 10. When a white cell eats an antigen it presents the antigen's receptor on its outside The immune system (the T and B lymphocytes) creates antibodies and effector T-cells Antibodies fit the antigen receptors and kill antigens Effector T-cells kill infected body cells Antibodies make you immune IMMUNE SYSTEM 102 – SPECIFIC / ADAPTIVE
  • 11. Preferably before they can do harm ANTIBODIES KILL ANTIGENS A CC NC SA image by Alex https://www.flickr.com/photos/95222260@N00/5190067591/
  • 12. The body has several feedback loops like this Fast • Pain, bad taste • ‘Must not continue’ • ‘Must not do that again’ Moderate • Generation of antibodies Slow • Evolutionary • ‘Survival isn’t mandatory’ FEEDBACK LOOPS Image: Lightning Loop a CC image by Dakota Ray https://www.flickr.com/photos/54782241@N05/5855339649/
  • 13. Sometimes the body cannot create enough antibodies Sometimes it cannot do it fast enough A treatment with antibiotics will help Antibiotics just kill any bacteria Good bacteria suffer as well ANTI-BIOTICS Image: Radioactive Injection a CC NC SA image by Taran Rampersad https://www.flickr.com/photos/35468158048@N01/2102121338/
  • 14. Firewalls • What is not exposed cannot be attacked Web Application Firewall • OWASP Common Rule Set Intrusion Prevention Systems Minimize your exposure Keep out people that are clearly up to no good INFOSEC IMMUNITY NONSPECIFIC IMMUNITY - BARRIERS Source: http://devopsreactions.tumblr.com/post/46061575774/surviving-a-ddos-attack
  • 15. Current feedback loops are too slow • Developer writes/tests code on own laptop • Developer checks in code • Code gets picked up by build system • Is (maybe) unit tested • Is manually tested for functionality • Many changes are accumulated in a release • Release is deployed in acceptance • Pentest is conducted on acceptance • Issues are discovered The shorter the feedback loop the greater the learning effect INFOSEC IMMUNITY FAST FEEDBACK LOOP Source: http://www.gifbay.com/gif/description-141598
  • 16. Integrate security tools into your build pipeline (build street) Plenty of code quality tools out there: • Commercial: HP, IBM, Veracode, WhiteHat Security, Qualys, Checkmarx, Trustwave, Apptherity, Contrast Security, Pradco, Acunetix, N-Stalker, Virtual Forge, Trend Micro, Burp Suite • Open Source: Skipfish, Nikto, ZAP, Seccubus, Gauntlt Include checking for vulnerable sub-components INFOSEC IMMUNITY FASTER FEEDBACK LOOPS
  • 17. Train developers • Good patterns prevent injuries • Teaches developers to spot potential security issues early Do (peer) code review • Don't commit directly, use pull requests Include security in your scrum • Standups • Sprint planning • Backlog grooming • Acceptance by product owner INFOSEC IMMUNITY LEARN FROM OTHERS Source: http://devopsreactions.tumblr.com/post/48511362536/i-dont-need-to-test-that-what-can-possibly-go-wrong
  • 18. Having Security review all changes simply doesn't scale PEER REVIEW IS KEY Source: http://securityreactions.tumblr.com/post/67562914945/java-source-code-review
  • 19. Learn from the failures of others • Including ‘Darwin Award winners’ Learn from good examples • Share your successes INFOSEC IMMUNITY FAST FEEDBACK LOOP Source: http://testerreactions.tumblr.com/post/50489315537/new-implementation-first-verification
  • 20. Heartbleed affected 2/3 of all SSL servers A small mistake implementing a ping “We can't even add Ping, how the heck are we going to fix everything else?” – Dan Kaminsky Vulnerability introduced in code in December 2011 Vulnerability in production code since March 2012 Publicly known in August 2014 INFOSEC IMMUNITY NONSPECIFIC IMMUNITY – INFLAMMATION
  • 21. Finding and fixing incidents But, also representing these incidents to the feedback loops INFOSEC IMMUNITY NONSPECIFIC IMMUNITY - PHAGOCYTES Source: http://securityreactions.tumblr.com/post/59198452899/crypto-implementation-in-whistle-im
  • 22. Feed back security findings Feed back as WAF signatures • Antibodies / Band-aid Feed back as Unit Tests • Antibodies • Shortens feedback loop to developers Feed back all lessons learned • Learn from those that have had (major) incidents INFOSEC IMMUNITY FASTER FEEDBACK LOOPS Image: TV Vortex a CC image by Alexis O'Connor https://www.flickr.com/photos/10088577@N00/707845930/
  • 23. Snort-style rule shown on the slide:

```
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Volex - Possible CVE-2014-6271 bash Vulnerability Requested (header) "; flow:established,to_server; content:"() {"; http_header; threshold:type limit, track by_src, count 1, seconds 120; sid:2014092401;)
```

  • 24. Of course it is not a permanent solution But, it makes life a little bit harder for the attacker It buys you some time to come up with a fix WAF SIGNATURES FOR VULNERABILITIES Bleeding Kitty a CC image by Daniel Lobo https://www.flickr.com/photos/62518311@N00/13900006125/
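As an added example (not from the talk), the logic of the rule on slide 23 re-implemented in Python and run over constructed sample requests: match `() {` in any HTTP header and apply the rule's `threshold:type limit, track by_src, count 1, seconds 120`, so each source alerts at most once per two minutes. The function names, the sample traffic and the documentation-range addresses are all constructed here.

```python
# Added example, not from the talk: a minimal re-implementation of the slide 23
# Snort-style rule, run over constructed sample requests.
PATTERN = "() {"       # content:"() {"; http_header;  (the CVE-2014-6271 trigger)
LIMIT_SECONDS = 120    # threshold:type limit, track by_src, count 1, seconds 120
SID = 2014092401       # sid from the slide's rule


def header_matches(headers):
    """True if the pattern occurs in any header name or value; the http_header
    modifier means the URI and body are not inspected by this rule."""
    return any(PATTERN in k or PATTERN in v for k, v in headers.items())


def run_rule(requests):
    """requests: iterable of (timestamp_seconds, src_ip, headers_dict) in time order.
    Returns the alerts the rule would raise as (timestamp, src_ip, sid) tuples."""
    last_alert = {}     # src_ip -> timestamp of its last alert (track by_src)
    alerts = []
    for ts, src, headers in requests:
        if not header_matches(headers):
            continue
        prev = last_alert.get(src)
        if prev is not None and ts - prev < LIMIT_SECONDS:
            continue    # still inside the 120 s window: suppressed by the limit threshold
        last_alert[src] = ts
        alerts.append((ts, src, SID))
    return alerts


# Constructed sample traffic (RFC 5737 documentation addresses, harmless probe strings).
SAMPLE_REQUESTS = [
    (0,   "198.51.100.7", {"Host": "www.example", "User-Agent": "() { :;}; echo probe"}),
    (5,   "203.0.113.9",  {"Host": "www.example", "User-Agent": "Mozilla/5.0"}),
    (6,   "203.0.113.9",  {"Host": "www.example", "Cookie": "() { :;}; echo probe"}),
    (30,  "198.51.100.7", {"Host": "www.example", "User-Agent": "() { :;}; echo probe"}),
    (200, "198.51.100.7", {"Host": "www.example", "Referer": "() { :;}; echo probe"}),
]

if __name__ == "__main__":
    for ts, src, sid in run_rule(SAMPLE_REQUESTS):
        print("alert sid=%d src=%s t=%d" % (sid, src, ts))
```

The request at t=30 from the first source is suppressed by the threshold; the one at t=200 fires again because the 120 s window has passed.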
  • 25. If a security issue has been discovered Or, if you are building a sensitive function Make sure you write a security unit test EXAMPLE 1 FEED BACK SECURITY UNIT TESTS
  • 26.
  • 27. If a security issue has been discovered Or, if you are building a sensitive function Make sure you write a security unit test EXAMPLE 2 FEED BACK SECURITY UNIT TESTS
  • 28. Test code shown on the slide (a Django/tastypie RBAC test; the slide shows an excerpt, so the imports, the `ResourceTestCaseWithHelpers` base class and the rest of the test are not on it):

```python
class ApiRbacTest(ResourceTestCaseWithHelpers):
    fixtures = (
        'auth_user',
        'team',
    )

    def test_candidate_resource(self):
        bundle = self.create_bundle_for_resource_test(models.Candidate)

        def test_list_endpoints(url):
            # As an anonymous user.
            TeamGroupPermission.objects.all().delete()
            self.logout()

            self.assertHttpUnauthorized(self.api_client.get(url))
            self.assertHttpUnauthorized(self.api_client.put(url))
            self.assertHttpUnauthorized(self.api_client.post(url))
            self.assertHttpUnauthorized(self.api_client.patch(url, data=bundle.data_list))
            self.assertHttpUnauthorized(self.api_client.delete(url))

            # As a user with read-only permissions.
            self.add_permission_for_user('admin', 'comp_sbp', settings.PERMISSIONS.SHOW_ATS)
            self.logout()
            self.login('admin', 'admin')

            self.assertHttpOK(self.api_client.get(url))
            self.assertHttpUnauthorized(self.api_client.put(url, data=bundle.data_list))
            self.assertHttpUnauthorized(self.api_client.post(url, data=bundle.data_detail))
            self.assertHttpUnauthorized(self.api_client.patch(url, data=bundle.data_list))
            self.assertHttpUnauthorized(self.api_client.delete(url))

            # As a user with read-write permissions.
            self.add_permission_for_user('admin', 'comp_sbp', settings.PERMISSIONS.EDIT_ATS)
```
  • 29. If a security issue has been discovered Or, if you are building a sensitive function Make sure you write a security unit test EXAMPLE 3 FEED BACK SECURITY UNIT TESTS
  • 30.
  • 31.
  • 32. The negative space is just as interesting DON’T JUST TEST THE HAPPY FLOW
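Added example, not code from the talk: the slide 28 test walks through what anonymous, read-only and read-write users may do; the same idea as a pure-Python access matrix that checks every (role, method) combination, so the negative space is tested as thoroughly as the happy flow. The role names, the `authorize` function and its buggy variant are hypothetical.

```python
# Added example, not code from the talk: exhaustive role/method access-matrix
# check in the spirit of the slide 28 test, covering the negative space too.
from itertools import product

METHODS = ("GET", "PUT", "POST", "PATCH", "DELETE")
# Hypothetical role names mirroring the slide's SHOW_ATS / EDIT_ATS permissions.
ROLES = ("anonymous", "show_ats", "edit_ats")

# The policy under test: read-only may GET, read-write may do everything,
# anonymous may do nothing. Everything not listed here must be denied.
ALLOWED = {("show_ats", "GET")} | {("edit_ats", m) for m in METHODS}


def authorize(role, method):
    """Hypothetical RBAC check for the candidate resource: True if allowed."""
    if role == "edit_ats":
        return True
    return role == "show_ats" and method == "GET"


def buggy_authorize(role, method):
    """A happy-path-only implementation: it checks that the user has *a* role
    but forgets that read-only users must not write."""
    return role in ("show_ats", "edit_ats")


def access_matrix_failures(check=authorize):
    """Run check() over every (role, method) pair and return the pairs whose
    outcome differs from ALLOWED, as (role, method, got). Empty list == pass."""
    failures = []
    for role, method in product(ROLES, METHODS):
        got = check(role, method)
        if got != ((role, method) in ALLOWED):
            failures.append((role, method, got))
    return failures


if __name__ == "__main__":
    print("authorize:", access_matrix_failures() or "all 15 combinations correct")
    print("buggy_authorize:", access_matrix_failures(buggy_authorize))
```

A happy-flow test that only checks GET as the read-only user would pass `buggy_authorize`; the matrix catches its four write-method holes.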
  • 33. Sometimes you just have to say NO. INFOSEC IMMUNITY ANTI-BIOTICS
  • 34. Sometimes you just have to say NO. INFOSEC IMMUNITY ANTI-BIOTICS
  • 35. Some parts of your code really need to be protected CROWN JEWELS Crown of King Christian IV a CC NC ND image by Ville Misaki https://www.flickr.com/photos/75595126@N00/7432041286/
  • 36. INFOSEC IMMUNITY SIGNATURES ON CRITICAL CODE New/changed code is checked in → Critical code does NOT match signature → Build fails → Security team reviews critical code and signs it → Build ok!
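An added example of the slide 36 build step, not from the talk or Schuberg Philis: the security team signs a manifest of critical-file hashes after review, and the build recomputes the hashes and fails on any unsigned change. The file paths are hypothetical, and HMAC-SHA256 with a security-team key stands in for a real asymmetric signature (GPG, Sigstore or ed25519), which is what a build host that must verify but never sign should use.

```python
# Added example, not from the talk: the slide 36 flow as a build step.
# HMAC-SHA256 with a security-team key stands in for the signature; a real
# pipeline should use an asymmetric signature so the build host can verify
# the manifest without being able to produce one.
import hashlib
import hmac
import json

CRITICAL_FILES = ("auth/login.py", "auth/rbac.py")   # hypothetical paths


def file_digests(tree):
    """tree: dict path -> file bytes (in-memory stand-in for the checkout).
    A missing critical file hashes as empty, so its removal also shows up."""
    return {p: hashlib.sha256(tree.get(p, b"")).hexdigest() for p in CRITICAL_FILES}


def sign_manifest(tree, security_key):
    """Security-team step, done after reviewing the critical code."""
    body = json.dumps(file_digests(tree), sort_keys=True).encode()
    sig = hmac.new(security_key, body, hashlib.sha256).hexdigest()
    return {"manifest": body.decode(), "sig": sig}


def build_check(tree, signed, security_key):
    """Build step: returns (ok, reason); ok=False means the build must fail."""
    body = signed["manifest"].encode()
    expected = hmac.new(security_key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["sig"]):
        return False, "manifest signature invalid"
    signed_digests = json.loads(body)
    current = file_digests(tree)
    changed = sorted(p for p in CRITICAL_FILES if signed_digests.get(p) != current[p])
    if changed:
        return False, "unsigned change to critical code: " + ", ".join(changed)
    return True, "critical code matches signed manifest"


if __name__ == "__main__":
    key = b"security-team-key"          # constructed key for the demo
    tree = {"auth/login.py": b"def login(): ...\n", "auth/rbac.py": b"def can(): ...\n"}
    signed = sign_manifest(tree, key)
    print(build_check(tree, signed, key))
    tree["auth/rbac.py"] = b"def can(): return True\n"   # developer changed critical code
    print(build_check(tree, signed, key))                # build fails until re-signed
```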
  • 37. Life (in Infosec) is full of little surprises Attacks only get better, they never get worse DON’T EXPECT TO BE PERFECT Source: http://imgur.com/c9pCa18
  • 38. The days of InfoSec Island/Castle have ended If you didn't realize this, don't worry: “Survival isn't mandatory” Security needs to align to the tools used by developers Acting as immune system means • Helping stop blatantly offensive elements • Providing early feedback • Cleaning up infections and • Helping build resistance against new vulnerabilities • Providing a shot of antibiotics if needed SUMMARY Image: Fortress Lérins a CC SA image by Mark Fischer https://www.flickr.com/photos/80854685@N08/8730781472/
  • 39. SECURITY IS PART OF ALL THE WAYS OF DEVOPS System thinking • Code not in production isn't code • Code that isn't secure isn't code Stop treating security as a silo… Image: 2010 a CC NC ND image by Annais Ferreira, http://www.flickr.com/photos/79083322@N00/4453826217/
  • 40. ALLOW SECURITY TO PROVIDE A STRONG FEEDBACK SIGNAL The shorter the feedback loops are, the better the learning effect • Automated security testing • Unit tests for security • Signed code • Allow security to pull the Andon cord • Have Nagios tests for security?
  • 41. ALLOW FOR EXPERIMENTATION??? DevOps is THE chance for security to finally get it right Image: Rainbolt a CC NC ND image by Brian Auer, http://www.flickr.com/photos/29814800@N00/1480408255/
  • 42. Doctor Jack • Registered EDP auditor • Licensed MD • Good friend • ‘Dirty mind is a joy forever…’ THANK YOU…
  • 43. Frank Breedijk • Security Officer at Schuberg Philis • (Official) Security dude since 2000 • Author of Seccubus Coordinates: • https://www.linkedin.com/in/seccubus • @Seccubus on Twitter • fbreedijk@schubergphilis.com WHO AM I?

Editor's notes

  1. Apologies upfront to my friends who are in a red team