This was a talk given by me at Cashfree. Focussed towards development teams, it talks about what each one of us can do to build a secure product. Here we discuss how to make security everyone's responsibility.
2. NEELU TRIPATHY: ABOUT ME
Work
§ Security Practice Lead, Thoughtworks India
§ 13+ years of InfoSec experience
§ Establishing security practices for client-facing product development
Conferences
§ Speaker/Trainer: c0c0n, BlackHat, BSidesDelhi, NSRCEL IIMB; Villages at Nullcon, DefCon, rootconf
§ Organizer: SecConf, Thoughtworks
§ Review Board: NullCon, bSides SGP, CySEK Karnataka
Interests & Certifications
§ DevSecOps, Continuous Security, Vulnerability Assessments, Pentesting for Web & Networks, Red Teaming, Social Engineering, Threat Modelling & Design Reviews
§ OSCP, GraphQLParser for Burp
Contact
§ @neelutripathy
§ br3akp0int@Null/Git
§ neelutripathy
3. LAST FEW YEARS..
§ Affected: 23000 users/customers
§ Leaked credentials in Docker image
§ Bash uploader script modified
§ Created a backdoor from customer CIs
§ Stole Git creds, tokens, keys

§ Malware: APT29
§ Affected: FireEye, US Treasury
§ Target: NMS Orion; 300000 customers (US Fed, DoD, 425/Fortune 500)
§ Build server compromised
§ Wasn't present in code
§ March – June 2020
§ Handcrafted: sleep before execute, custom to environments, avoid private IPs

§ 57 million customer and driver records stolen
§ $100,000 for cover-up
§ $148 million total cost to Uber
§ AWS credentials in GitHub
§ GitHub repo was exposed
§ CSO Joe Sullivan forced to leave
11. PRODUCT SECURITY: KASEYA
• Ransomware attack
• Kaseya's VSA software
• Affected: 50 direct customers, and between 800 and 1,500 businesses down the chain
• Cause: authentication bypass vulnerability in the Kaseya VSA
• Authentication bypass >> SQL injection >> code execution >> management agent update with REvil ransomware
21. As the story goes
Diagram: security activities across one delivery cycle, steps 1 to 10, grouped into People, Process, and Technology & Automation.
Process stages: Educate Dev Teams; Define and design; Security backlog; Planning; Develop; Analyze; Test and review; Inspect and adapt
Backlog artifacts: Security Epic with User Story and Security ACs; Epic with User Story; Fix Story; Priority; Team card wall/board with TO DO / DOING / DONE
Activities and tools: Threat Modelling; Feedback/Security Unit Tests; SCA; SAST; DAST; Container Scanning; Infra Security Review; Network Vulnerability Assessment
People: Sec Champ/Dev/QA/TL/BA; Sec Champ/Expert (optional); DevOps; Product Tech Principle/Lead; Project Manager; Security Expert
22. Key Takeaways
1. Promote security as code
2. Secure by design
3. Automating security gates
4. Security is everyone's responsibility
5. Security in the definition of done
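The pipeline slide above puts SCA, SAST, DAST and container scanning into the delivery cycle, and the takeaways ask for security as code, automated gates and security in the definition of done. The following is an added example of what such a gate looks like as code; it is not from the talk or from any product it mentions. It assumes the scanners' output has already been normalised to a flat JSON list of findings (the shape, the rule ids, the ticket ids and the policy thresholds below are all constructed), and that accepted risks are tracked with an expiry date and a ticket, so a waiver cannot quietly become permanent.

```python
"""CI security gate: turn scanner output into a pass/fail decision.

Added example, not code from the talk or from any product it names. It
assumes the SCA/SAST/container scanners in the pipeline have already been
normalised to a flat JSON list of findings (the shape below is constructed),
and that accepted risks are tracked with an expiry date and a ticket id.
"""
import json
import sys
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Finding:
    tool: str       # which gate produced it: "sca", "sast", "container", ...
    rule_id: str    # scanner rule or advisory id (constructed values below)
    severity: str   # normalised to one of SEVERITY_RANK
    location: str   # file:line, manifest, or image layer


@dataclass
class Policy:
    block_at: str = "HIGH"   # any finding at or above this severity fails the gate
    max_medium: int = 5      # MEDIUM findings tolerated before the gate fails


# Accepted risks: rule id -> (acceptance expiry, tracking ticket). Every
# exception expires, so a "temporary" waiver cannot silently become permanent.
ACCEPTED_RISKS: Dict[str, Tuple[date, str]] = {
    "SCA-DEMO-0001": (date(2099, 1, 1), "SEC-123"),   # placeholder ids
    "SAST-DEMO-0002": (date(2020, 1, 1), "SEC-45"),   # already expired
}

# Constructed scanner output, as the pipeline would hand it to the gate.
SAMPLE_RESULTS = json.dumps([
    {"tool": "sca", "rule_id": "SCA-DEMO-0001", "severity": "critical",
     "location": "package-lock.json"},
    {"tool": "sast", "rule_id": "SAST-DEMO-0002", "severity": "high",
     "location": "src/auth.py:42"},
    {"tool": "sast", "rule_id": "SAST-DEMO-0003", "severity": "medium",
     "location": "src/db.py:10"},
    {"tool": "container", "rule_id": "IMG-DEMO-0004", "severity": "low",
     "location": "base image"},
])


def parse_findings(raw_json: str) -> List[Finding]:
    """Load findings; refuse any severity the policy cannot rank.

    Failing closed here matters: an unknown severity must not slip through
    as 'not blocking'."""
    findings = []
    for record in json.loads(raw_json):
        severity = str(record["severity"]).upper()
        if severity not in SEVERITY_RANK:
            raise ValueError(f"unrankable severity {severity!r} in {record}")
        findings.append(Finding(record["tool"], record["rule_id"], severity,
                                record.get("location", "unknown")))
    return findings


def evaluate_gate(findings: List[Finding], policy: Policy,
                  accepted: Dict[str, Tuple[date, str]],
                  today: date) -> Tuple[bool, List[str]]:
    """Return (passed, reasons). Reasons are empty when the gate passes."""
    reasons: List[str] = []
    medium_count = 0
    for f in findings:
        waiver = accepted.get(f.rule_id)
        if waiver is not None and waiver[0] >= today:
            continue  # accepted risk and the waiver is still valid: not counted
        if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[policy.block_at]:
            reasons.append(f"{f.tool}:{f.rule_id} {f.severity} at {f.location}")
        elif f.severity == "MEDIUM":
            medium_count += 1
    if medium_count > policy.max_medium:
        reasons.append(f"{medium_count} MEDIUM findings exceed limit of {policy.max_medium}")
    return (not reasons, reasons)


def run_gate(raw_json: str, today: date,
             policy: Policy = Policy()) -> Tuple[bool, List[str]]:
    """Entry point used by the CI step: parse, apply policy and waivers, decide."""
    return evaluate_gate(parse_findings(raw_json), policy, ACCEPTED_RISKS, today)


if __name__ == "__main__":
    passed, why = run_gate(SAMPLE_RESULTS, date.today())
    for line in why:
        print("BLOCKED:", line)
    print("security gate:", "PASS" if passed else "FAIL")
    sys.exit(0 if passed else 1)
```

Run as a pipeline step after the scanners, the non-zero exit status is what makes "security in the definition of done" enforceable rather than advisory: with the constructed input, the critical SCA finding is under a valid waiver and is skipped, while the high SAST finding's waiver has expired and blocks the build. The policy object is the piece to keep in version control next to the pipeline definition, which is what "security as code" means in practice.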