Effective DevSecOps
0 likes407 views
- Modern web application frameworks have powerful security features built-in like template escaping, database abstraction, session management, and authentication that help prevent vulnerabilities like XSS and SQL injection. These features are standard, well-tested, and usually more robust than custom code. - Libraries and dependencies make up a large portion of modern applications. It is important to keep dependencies up-to-date with security patches and be careful about dependencies from untrusted sources like some examples on StackOverflow. - Different security scanners like SAST, DAST, and IAST scan applications in different ways and at different stages, but an important factor is how well they understand the specific programming languages, frameworks, and technologies used in the application being
Effective DevSecOps
- 1. Effective Security Lifecycle in DevOps Pawel Krawczyk
- 2. Intro ● In application security since 90’s – Worked for Motorola, Aon, Goldman-Sachs, HSBC – OWASP, open-source https://github.com/kravietz – Created https://webcookies.org/ ● Contact me at [email protected]
- 3. Three Riders of the Apocalypse ● Custom code exploits ● Framework and library exploits ● Infrastructure that allows all that
- 4. Self-defending web applications 4 • Modern web application frameworks have powerful security features − Template escaping and sanitization by design − Database abstraction − Session management − Authentication − Web security features • Advantages − They come for free − They’re standard − They’re thoroughly tested for QA and security audited − Usually more robust than home-brewed ones
- 5. Self-defending web applications 5 • Modern web application frameworks have powerful security features − Template escaping and sanitization by design → prevent XSS − Database abstraction → prevent SQLi − Session management → prevent session fixation, CSRF − Authentication → prevent admin/admin1 − Web security features → protect client-side • Advantages − They come for free − They’re standard − They’re thoroughly tested for QA and security audited − Usually more robust than home-brewed ones
- 6. Primary „do not repeat at home” areas 6 • Input validation, sanitization and escaping • Cryptography • Authentication, authorization • A lot of libraries on GitHub − Most are of poor quality! − Many users != quality code − Be very careful when using samples from StackOverflow!
- 9. 9
- 10. SAP Java
- 14. Libraries and Dependencies 14 What really makes your application? 1. The code you wrote ● “our code”, “custom code” 2. Platform API and standard libraries ● Django, ASP.NET, DropWizard, JAX-WS, Node.js 3. 3rd party libraries ● Include a dozen, you’ll get hundreds – chain reaction
- 15. Libraries and Dependencies 15 What really makes your application? 1. The code you wrote ● “our code”, “custom code” 2. Platform API and standard libraries ● Django, ASP.NET, DropWizard, JAX-WS, Node.js 3. 3rd party libraries ● Include a dozen, you’ll get hundreds – chain reaction
- 16. Libraries and Dependencies 16 What really makes your application? 1. The code you wrote ● “our code”, “custom code” 2. Platform API and standard libraries ● Django, ASP.NET, DropWizard, JAX-WS, Node.js 3. 3rd party libraries ● Include a dozen, you’ll get hundreds – chain reaction
- 17. Libraries and Dependencies 17 What really makes your application? 1. The code you wrote ● “our code”, “custom code” 2. Platform API and standard libraries ● Django, ASP.NET, DropWizard, JAX-WS, Node.js 3. 3rd party libraries ● Include a dozen, you’ll get hundreds – chain reaction
- 18. Vulnerabilities in client-side libraries 18
- 20. OWASP Dependency Check (Java) 20
- 22. npm audit (previously: Node Security Platform) 22
- 26. Keeping up to date ● Abandon the “n-1” nonsense ● Always upgrade libraries with security patches – Even if they are not exploitable right now ● Prefer to install any bugfix updates – If you hold, you only accumulate tech debt – Twice the work when a security update comes
- 28. Security Scanners 28 • Huge market with very inconsistent quality and maturity − Good salesmen with nearly useless products − Mature products with too many bells-and-whistles − Ancient scanning engines poorly handling modern code − Expensive, but price unrelated to quality • Key segments − SAST („static application security testing”) − DAST („dynamic”) − IAST („interacive”) − RASP (“run-time application self-protection”) • Security scanner buyer’s guide − Always evaluate scanner for specific project
- 29. What various scanners see? 29 API #1 API #2 Nginx Load balancer SAML
- 30. DAST Different scopes of SAST/DAST/IAST 30 API #1 API #2 Nginx Load balancer SAML
- 31. DAST Different scopes of SAST/DAST/IAST 31 API #1 API #2 Nginx Load balancer SAML DAST – dynamic scanning “curl on steroids” HTTP crawler & scanner + sees whole app - requires working app - noisy - false positives
- 32. SAST DAST Different scopes of SAST/DAST/IAST 32 API #1 API #2 Java Nginx Load balancer SAML
- 33. SAST DAST Different scopes of SAST/DAST/IAST 33 API #1 API #2 Java Nginx Load balancer SAML SAST – source code “grep on steroids” + no binary required + all exec paths - very noisy - false positives - very expensive
- 34. SAST DAST IAST Different scopes of SAST/DAST/IAST 34 API #1 API #2 Nginx Load balancer SAML
- 35. SAST DAST IAST Different scopes of SAST/DAST/IAST 35 API #1 API #2 Nginx Load balancer SAMLIAST – run-time scan “strace on steroids” + low false positives + high precision - limited to one service - expensive
- 36. SAST DAST Different scopes of SAST/DAST/IAST 36 API #1 API #2 Nginx Load balancer SAML RASP IAST
- 37. SAST DAST Different scopes of SAST/DAST/IAST 37 API #1 API #2 Nginx Load balancer SAML RASP IAST RASP – run-time protection “AppArmor for Java” + high precision + better than WAF
- 38. Scanners parade
- 42. 42 Formerly FindBugs and FindSecBugs SpotBugs (SAST)
- 44. OWASP ZAP (DAST)
- 45. 45 Bandit (SAST)
- 46. Security scanner buyer’s guide 46 • Programming language support − Language version and syntax supported • Supports JavaScript, but what about ES6? − Framework support • Nobody writes web apps in pure Java or Python • Frameworks provide key HTTP, templating, SQL abstraction • Scanner must know framework entry and exit points • Scanner supports JavaScript, but does it know about Node.js? • Understands Java, but what about JAX, Jackson, DropWizard? • Play Framework is part Java, part Scala, compiles to Java bytecode
- 47. Rule updates ● How frequently updated? – Vulnerability detection rules are the heart of each scanner – Not much joy from ASP.NET 2.0 rules ● Compiled binaries required? – Advantage of SAST is source-code only scanning – Compiled improve precision but limits deployment to developer environment
- 48. 48 Integration with build pipeline ● Inline scan vs dedicated scan server ● Headless (command line only) run vs GUI ● How much resources taken by the scanner? ● Some scanners require resource-intensive servers ● Integration with continuous integration tools (Jenkins plugins, API) ● Effectiveness of web crawling (DAST only, AngularJS apps)
- 49. Result analysis ● Precision of results ● Thousands of false positives render scanner useless ● Does it find actual vulnerabilities? (false sense of security) ● Can you rate and comment findings? ● Can you whitelist false positives or accepted risk? ● Can you report false positives to vendor? ● Does it integrate into IDE? ● Plugins for IntelliJ, Eclipse, Visual Studio?
- 50. Systems unpatched for years − “for security reasons we don’t install any security patches” − “we’re not target” No OS-level hardening − “for security reasons we keep all SUID binaries” Flat huge LANs − “it’s been like this since 80’s” No host-level firewalls − “our perimeter has three expensive firewalls” No intrusion detection − “why would anyone run a SSH scan against us for weeks?” Infrastructure horror
- 51. Blacklisting
- 54. apt install unattended-upgrades InSpec https://www.inspec.io/ Lynis https://cisofy.com/lynis/ SSH and OS hardening roles − https://dev-sec.io/ − Ansible, Chef, Puppet Operating system hardening
- 55. Questions ● [email protected] ● Signal: +44 7879 180015 ● Telegram, XMPP, SSB etc