Presented at AppSec California 2017. The fact that software development is moving towards agile methodologies and DevOps is a given, the question is: How do you transform processes and tools to get the biggest advantage? Using application security testing as an example, this talk cuts through all the news, research, and standards to define a holistic process for integrating Agile testing and feedback into development teams. The talk describes specific processes, automation techniques, and the smart selection of tools to help organizations produce more secure, OWASP-compliant code and free up development time to focus on features.

1. 1© 2017 Rogue Wave Software, Inc. All Rights Reserved. 1
Continuous security:
Bringing agility to the
secure development
lifecycle
Rod Cope, CTO
Twitter: @RodCope
AppSec California 2017

2. 2© 2017 Rogue Wave Software, Inc. All Rights Reserved. 2
Rod Cope, CTO
Rogue Wave Software
Presenter

3. 3© 2017 Rogue Wave Software, Inc. All Rights Reserved. 3
Agenda
• A holistic approach to
cybersecurity
• Making security agile
• Implementing in Jenkins
• Vulnerability examples

4. 4© 2017 Rogue Wave Software, Inc. All Rights Reserved. 4
A holistic approach to
cybersecurity

5. 5© 2017 Rogue Wave Software, Inc. All Rights Reserved. 5
We’re inundated by security threats

6. 6© 2017 Rogue Wave Software, Inc. All Rights Reserved. 6
We’re inundated by data
News
Blogs, social media
conferences
Security standards
OWASP, CWE, CERT, etc.
NVD, White Hat, Black Hat OEMs, internal
Media
More and more software running inside
your car
Standards & legislation
Research
Developers don’t know security
(80% failed security knowledge survey)
Requirements
Source

7. 7© 2017 Rogue Wave Software, Inc. All Rights Reserved. 7
A holistic approach to cybersecurity
Threat
Model
Internal
Threat
Metric
External
Data
Action
Information overload Develop an adaptive
threat model

8. 8© 2017 Rogue Wave Software, Inc. All Rights Reserved. 8
 Scanning to discover open
Threat modelling identifies, quantifies, and addresses
security risks by:
1. Understanding the application & environment
2. Identifying & prioritizing threats
3. Determining mitigation actions
Identify
Assets
System
Overview
Decompose
Application
Identify
Threats
Prioritize
Threats
Threat model

9. 9© 2017 Rogue Wave Software, Inc. All Rights Reserved. 9
Developing a threat metric
Build Score
Automated and functional
testing Pass fail metrics
Penetration testing Number of exploitable paths
Static analysis Compiler warnings, defects
Open source audits Unknown OSS
.
.
.
.
.
.

10. 10© 2017 Rogue Wave Software, Inc. All Rights Reserved. 10
More on open source
• Growth in software complexity leads to more vulnerabilities
• Large OSS developer base doesn’t imply constant (or skilled) vigilance
• Using risky components in #9 on OWASP Top 10 list
On Apache Struts: “It is not noteworthy that an open source project could
have a severe vulnerability [it’s] that this flaw went undetected for at least
seven years.”
• “Over 680 TB of data exposed”1
• Ransomware groups have deleted over 30,000 databases2
• Example loss: 4.5 million patient records3
• 8 other flaws in core packages the first week of 2015
1. ComputerWorld
2. ComputerWorld
3. Reuters: U.S hospital breach biggest yet to exploit Heartbleed bug

11. 11© 2017 Rogue Wave Software, Inc. All Rights Reserved. 11
Open source protection
Identify
Assets
Identify
Threats
• Deploy a governance and provisioning
platform to white list/black list open
source packages
• Be informed when new vulnerabilities are
published through the National
Vulnerability Database
• Know what is in your source code by
scanning for source code snippets that
have been copied and pasted

12. 12© 2017 Rogue Wave Software, Inc. All Rights Reserved. 12
Other considerations
Isolate code to enforce strict boundaries between the
operating system and the processes.
Data in transit must be encrypted. Protect data at rest using
the underlying filesystem encryption features and employ
separate keys.
Every program and every user of the system should operate
using the least set of privileges necessary to complete the
job.
Use public key infrastructure (PKI) and sign actions with
private keys to prevent denial of authenticity.
If you employ cryptography, assume that algorithms will be
replaced over time. Keep your code modular for easy
replacement and don’t create custom algorithms.
Resource exhaustion makes software vulnerable to denial of
service (DoS) attacks.
Authenticate
Authentication should be strong and managed centrally to
ensure inputs are from trusted sources.

13. 13© 2017 Rogue Wave Software, Inc. All Rights Reserved. 13
Making security agile

14. 14© 2017 Rogue Wave Software, Inc. All Rights Reserved. 14
Release
to
Market
AcceptSprint 1
Sprint 2
Sprint n Release
Change
Adjust and Track
Feedback
Review
Next Iteration
No!
Yes!
Integrate
and Test
Integrate
and TestIntegrate
and Test
Characteristics
• Multiple testing points
• Rapid feedback
required
• “Outside” testing does
not meet agile needs
Agile development – integrate security

15. 15© 2017 Rogue Wave Software, Inc. All Rights Reserved. 15
Understand
Needs
Invent
Solution
Develop
Build
Commit
Performance
Security
Release Deploy
Load
UAT/
Exploratory
Testing
Functional
Testing
Accept
Idea
Continuous Integration
SDLC Step
DevOps SDLC

16. 16© 2017 Rogue Wave Software, Inc. All Rights Reserved. 16
Example of build score component
Static analysis Compiler warnings, defects
• Standards
• Rely on tool to maintain updates to the latest
security standards
• Research
• Rely on tool to develop custom rules based on
research shared by security analysts
• Customization
• Rely on tool to allow custom rules for your specific
needs

17. 17© 2017 Rogue Wave Software, Inc. All Rights Reserved. 17
Implementing in Jenkins

18. 18© 2017 Rogue Wave Software, Inc. All Rights Reserved. 18
Jenkins CI

19. 19© 2017 Rogue Wave Software, Inc. All Rights Reserved. 19
Example: Enterprise web deployment
UI
Business
logic
Connectors
Data
layer
App 1
App 2
Services
Admin
Workflows
MySQL
Existing bug > OK
New flaw > FAIL
Oracle

20. 20© 2017 Rogue Wave Software, Inc. All Rights Reserved. 20
Fast feedback; seeing trends helps identify
areas of bad code
Free up developer’s time, ensure consistency
+ repeatability (avoid human error)
Automate the discovery of security
weaknesses, compliance violations, OSS use
Best practices
Automate
the build
process
Automate
testing
Automate
reporting

21. 21© 2017 Rogue Wave Software, Inc. All Rights Reserved. 21
Vulnerability example

22. 22© 2017 Rogue Wave Software, Inc. All Rights Reserved. 22
Buffer overflow
Security

23. 23© 2017 Rogue Wave Software, Inc. All Rights Reserved. 23
Static analysis report

24. 24© 2017 Rogue Wave Software, Inc. All Rights Reserved. 24
Validate length, commit, build again

25. 25© 2017 Rogue Wave Software, Inc. All Rights Reserved. 25
Real vulnerability: GNU libc
CVE-2015-1472
https://sourceware.org/ml/libc-alpha/2015-02/msg00119.html
• Under certain conditions wscanf can allocate too little
memory for the to-be-scanned arguments and overflow
the allocated buffer.
• Theoretically, any Linux machine connected to the
internet, using this version, is at risk

26. 26© 2017 Rogue Wave Software, Inc. All Rights Reserved. 26
GNU libc example: fail

27. 27© 2017 Rogue Wave Software, Inc. All Rights Reserved. 27
GNU libc example: fix

28. 28© 2017 Rogue Wave Software, Inc. All Rights Reserved. 28
The application security world is fluid
Create concrete,
actionable strategies
(Threat metric, analysis tools)
Delivery cycles are short
Update regularly with
well-defined process
(Agile, CI)
Conclusions

29. 29© 2017 Rogue Wave Software, Inc. All Rights Reserved. 29
Q&A

30. 30© 2017 Rogue Wave Software, Inc. All Rights Reserved. 30
See us in action:
www.roguewave.com

31. 31© 2017 Rogue Wave Software, Inc. All Rights Reserved. 31