![Sample of “Secure by Design”
Simple Login Program
Prog 1. Prog 2. Prog 3.
Input [login name]
Fetch [saved password]
If no entry then
exit
Input [password]
Compare passwords.
If valid then
start session
else
exit
End if
Input [login name]
Input [password]
Fetch [saved password]
If no entry then
exit
Compare passwords.
If valid then
start session
else
exit
End if
Input [login name]
Input [password]
Fetch [saved password]
If no entry then
[saved password] <-
random
Compare passwords.
If valid then
start session
else
exit
End if](https://image.slidesharecdn.com/ygxejxouqckqwha0tx2j-signature-4a0827a2f36bcd6cf89928c9e5e7e1ee1616f33973abcec092a05292e8e81365-poli-190103071713/85/Introduction-to-DevOps-and-DevOpsSec-with-Secure-Design-by-Prof-Krerk-Chulalongkorn-University-Thailand-26-320.jpg)
![Prog 1.
Input [login name]
Fetch [saved password]
If no entry then
exit
Input [password]
Compare passwords.
If valid then
start session
else
exit
End if
login:
username
…..
login:](https://image.slidesharecdn.com/ygxejxouqckqwha0tx2j-signature-4a0827a2f36bcd6cf89928c9e5e7e1ee1616f33973abcec092a05292e8e81365-poli-190103071713/85/Introduction-to-DevOps-and-DevOpsSec-with-Secure-Design-by-Prof-Krerk-Chulalongkorn-University-Thailand-27-320.jpg)
![Prog 2.
Input [login name]
Input [password]
Fetch [saved password]
If no entry then
exit
Compare passwords.
If valid then
start session
else
exit
End if
login:
username
Password:
*********
…..
login:](https://image.slidesharecdn.com/ygxejxouqckqwha0tx2j-signature-4a0827a2f36bcd6cf89928c9e5e7e1ee1616f33973abcec092a05292e8e81365-poli-190103071713/85/Introduction-to-DevOps-and-DevOpsSec-with-Secure-Design-by-Prof-Krerk-Chulalongkorn-University-Thailand-28-320.jpg)
![Prog 3.
Input [login name]
Input [password]
Fetch [saved password]
If no entry then
[saved password] <- random
Compare passwords.
If valid then
start session
else
exit
End if
login:
username
Password:
*********
…..
login:](https://image.slidesharecdn.com/ygxejxouqckqwha0tx2j-signature-4a0827a2f36bcd6cf89928c9e5e7e1ee1616f33973abcec092a05292e8e81365-poli-190103071713/85/Introduction-to-DevOps-and-DevOpsSec-with-Secure-Design-by-Prof-Krerk-Chulalongkorn-University-Thailand-29-320.jpg)
Ad
More Related Content
What's hot (20)
Similar to Introduction to DevOps and DevOpsSec with Secure Design by Prof.Krerk (Chulalongkorn University, Thailand) (20)
Ad
Recently uploaded (20)
Ad
Introduction to DevOps and DevOpsSec with Secure Design by Prof.Krerk (Chulalongkorn University, Thailand)
- 1. Introduction to DevOps and DevOpsSec with Secure Design Krerk Piromsopa, Ph.D. Directory of Comp. Eng. Program Computer Engineering Chulalongkorn University
- 2. Overview What is DevOps? What is DevOpsSec? What is Security? (Brief) History of Cyber Security. What have we learned? Challenges
- 3. What is DevOps? Software development methodology Combination of software development (Dev) information technology operations (Ops)
- 4. How and Why? Shorten systems development life cycle (SDLC) Automation and event monitoring at all steps of the software build
- 5. BuzzWords Agile - SDLC release software faster and more frequent > Continuous Integration & Continuous Delivery ArchOps - DevOps, but starting from architecture DataOps - DevOps for Data Analytics WinOps - DevOps for Microsoft-centric system DevSecOps (or DevOpsSec) - DevOps with IT Security
- 6. Tools and Skills required Code Build Test Package Release Config Monitor i.redd.it
- 7. Why it does matter now? Microservices Automation (tools) Infrastructure as code — Ansible, Puppet, Chef CI/CD — Jenkins, Shippable, Bamboo Test automation — Selenium, Cucumber, Apache JMeter Containerization — Docker, Rocket, Unik Orchestration — Kubernetes, Swarm, Mesos Deployment — Elastic Beanstalk, Octopus, Vamp Measurement — NewRelic, Kibana, Datadog, Graphana ChatOps — Hubot, Lita, Cog Clouds, Containers etc….
- 8. Why it does matter now? https://marketplace.atlassian.com/categories/devops
- 9. GitLab CI/CD
- 10. What/Why DevOpsSec? (aka. DevSecOps) Developers and Administrators working together Secure Design Faster Update More Security Issues?
- 11. Security before DevOpsSec Developers (+ Tester) Administrators (Security) • Code (Functions) • Build • Test • Package • Release (Installation) • Performance Tuning • Security • Firewall • Harden • Monitoring
- 12. Security in DevOpsSec Developers (+ Tester) Administrators (Security) • Code (Functions) +Security • Build • Test + Security • Package • Release (Installation) • Performance Tuning • Security • Firewall • Harden • Monitoring +
- 14. What is Security? Security is the first cause of misfortune. German Proverb
- 16. History of Security As people formed early communities, the issue of physical security emerged. the oldest known lock is a 4,000 year old Egyptian lock
- 17. Security vs. Privacy a hacker is able to compromise a computer system and find out that a person is a homosexual or is infected with a bad decease. Security or Privacy ?
- 20. Security Components Authentication “Who are you? Are you really the person whom you claim to be?” Authorization “Do you have the authority to do what you are trying to do?” Accounting (Auditing) “What did you do?” the AAA of Security
- 21. Cerberus or Kerberos (Greek Κέρβερος, Kerberos, "demon of the pit") was the hound of Hades, a monstrous three-headed dog with a snake for a tail (sometimes said to have 50 or 100 heads) called a hellhound.
- 22. Supporting Concepts Integrity Integrity (n) “the quality or state of being complete or undivided” Validation of Input “All input is evil until proven otherwise” Software Engineering & Threat Modeling “Threat modeling is a method of addressing and documenting the security risks associated with an application.”
- 23. The forth A Integrity is sometime referred as Authenticity—hence it is sometime mentioned as the forth “A” of security components. How can we preserve the integrity of data?
- 24. What have we learned? Authentication Authorization Confidentiality Integrity Availability Auditing
- 25. What is secure by design? Plan more than just functionality (Plan for Security) Attack Surface Reduction Threats & Risk Modeling
- 26. Sample of “Secure by Design” Simple Login Program Prog 1. Prog 2. Prog 3. Input [login name] Fetch [saved password] If no entry then exit Input [password] Compare passwords. If valid then start session else exit End if Input [login name] Input [password] Fetch [saved password] If no entry then exit Compare passwords. If valid then start session else exit End if Input [login name] Input [password] Fetch [saved password] If no entry then [saved password] <- random Compare passwords. If valid then start session else exit End if
- 27. Prog 1. Input [login name] Fetch [saved password] If no entry then exit Input [password] Compare passwords. If valid then start session else exit End if login: username ….. login:
- 28. Prog 2. Input [login name] Input [password] Fetch [saved password] If no entry then exit Compare passwords. If valid then start session else exit End if login: username Password: ********* ….. login:
- 29. Prog 3. Input [login name] Input [password] Fetch [saved password] If no entry then [saved password] <- random Compare passwords. If valid then start session else exit End if login: username Password: ********* ….. login:
- 30. What is Attack Surface?
- 31. Attack Surface Reduction Defense in Depth Least Privilege Secure Defaults Less code running = less stuff to attack
- 32. Let’s see how Microsoft apply this. Some slides from Microsoft’s faculty summit 2004.
- 33. Copyright Microsoft Corp. 2004 33 Early Results of the SDL 55 17 455
- 34. Copyright Microsoft Corp. 2004 34 Secure Design Reduce Attack Surface Defense in Depth Least Privilege Secure Defaults
- 35. Copyright Microsoft Corp. 2004 35 Defense in Depth (MS03-007) Windows Server 2003 Unaffected The underlying DLL (NTDLL.DLL) not vulnerable Code fixed during the Windows Security Push Even if it was running IIS 6.0 doesn’t have WebDAV enabled by default Even if it did have WebDAV enabled Default maximum URL length (16kb) prevented exploitation (>64kb needed) Even if it was vulnerable IIS 6.0 not running by default on Windows Server 2003 Even if it there was an exploitable buffer overrun Would only ‘network service’ privileges – commensurate with a normal user Even if the buffer was large enough Process halts rather than executes malicious code, due to buffer-overrun detection code (-GS)
- 36. Copyright Microsoft Corp. 2004 36 Secure Defaults Less code running by default = less stuff to attack by default Slammer & CodeRed would not have happened if the features were not enabled by default Reduces the urgency to deploy security fixes A ‘critical’ may be rated ‘important’ Defense in depth removes single points of failure Reduces the need for customers to ‘harden’ the product Reduces your testing workload Reduce your attack surface early!
- 37. Copyright Microsoft Corp. 2004 37 Attack Surface Reduction (ASR) Ideas Service: Autostart SYSTEM TCP/UDP TCP/UDP TCP/UDP
- 38. Copyright Microsoft Corp. 2004 38 Turn off less-used ports Service: Autostart SYSTEM TCP/UDP TCP/UDP TCP/UDP
- 39. Copyright Microsoft Corp. 2004 39 Turn off UDP connections Service: Autostart SYSTEM TCP/UDP
- 40. Copyright Microsoft Corp. 2004 40 Restrict requests to a small IP range and subnet Service: Autostart SYSTEM TCP only
- 41. Copyright Microsoft Corp. 2004 41 Authenticate Connections Service: Autostart SYSTEM TCP only
- 42. Copyright Microsoft Corp. 2004 42 Reduce Privilege and Disable Service: Manual NetService TCP only
- 43. Copyright Microsoft Corp. 2004 43 Harden ACLs Service: Manual NetService TCP only Everyone (Full Control) Admin (Full Control) Everyone (Read) Service (RW)
- 44. Copyright Microsoft Corp. 2004 44 Increased Attack Surface means Increased Security Scrutiny… • On by default • Running as SYSTEM • Open, unauth TCP socket • Off by default • Running with least priv • Open, TCP socket limited to local subnet
- 45. Threat Modeling Think like a bad guy.. (but do not be a bad guy yourself) What will a bad guy do to your software/system? Some slides from Microsoft’s faculty summit 2004.
- 46. Threat Analysis Some slides from Microsoft’s faculty summit 2004.
- 47. Copyright Microsoft Corp. 2004 47 Threat Analysis Secure software starts with understanding the threats Threats are not vulnerabilities Threats live forever, they are the attacker’s goal(s) Threat AssetMitigation Vulnerability
- 48. Threats in Software/System Spoofing Tampering Repudiation Information Disclosure Denial of Services Elevation of Privilege Picture taken from http://www.threatgeek.com/2013/11/threattoons-trick-or-treat.html
- 49. Copyright Microsoft Corp. 2004 49 Determining Threat Types Each element in the DFD is susceptible to one or more threat types 1.0 5.0 2.0. 3.0 4.0 10.0 8.0 6.0 11.0 9.0 7.0 STRI DE STRI DE STRI DE TID TID TID TID TID TID SR SR
- 50. Copyright Microsoft Corp. 2004 50 Threat Tree Format Threat Condition Condition Condition Condition Condition Condition Condition ‘And’ clause ‘Or’ clause
- 51. Copyright Microsoft Corp. 2004 51 Threat Tree Pattern Examples Spoofing Obtain legitimate credentials Falsify Credentials Leverage insufficient authentication Weak storage Weak transit Guessed Equivalence Predictable Credentials Server Client Downgrade authentication Weak change management Secure Channel Non-secure channel No Authentication System Null Credentials Spoofing Interactor or Process Tampering Threats Against Auth Process Tampering/ Information Disclosure Threats against data flows
- 52. Copyright Microsoft Corp. 2004 52 Threat Tree Pattern Examples Thinking Like a Security Pro! Obtain legitimate credentials Falsify Credentials Leverage insufficient authentication Weak storage Weak transit Guessed Equivalence Predictable Credentials Server Client Downgrade authenticationWeak change management Null Credentials Secure Channel Non-secure channel No Authentication System Tampering / Information Disclosure Threats against data flows There is an authentication system, so this threat tree doesn’t apply Where are the password stored on the server? Are credentials stored on the client? If so, how? Mac clients often store passwords in aliases, etc. How are credentials transmitted to the server? How are credentials changed? Is there more than one authentication method, and if so, is it negotiable? Are there password quality features? Are there agency relationships? What if the client is acting as a server itself? Can a request to user1 (in its server role) cause it to automatically authenticate as a client? Are null credentials possible? Are the credentials a function of the username? Client address? Time? Spoofing User Tampering Threats Against Auth Process
- 53. Copyright Microsoft Corp. 2004 53 Calculating Risk with Numbers DREAD etc. Very subjective Often requires the analyst be a security expert On a scale of 0.0 to 1.0, just how likely is it that an attacker could access a private key? Where do you draw the line? Do you fix everything above 0.4 risk and leave everything below as “Won’t Fix”?
- 54. Copyright Microsoft Corp. 2004 54 Mitigation Techniques Threat Mitigation Feature Spoofing Authentication Tampering Integrity Repudiation Nonrepudiaton Information Disclosure Confidentiality Denial of Service Availability Elevation of Privilege Authorization Attend “Secure Design Principles”
- 55. Copyright Microsoft Corp. 2004 55 ☑ No design is complete without a threat model! ☑ Follow anonymous data paths☑ Every threat needs a security test plan ☑ Check all information disclosure threats – are they privacy issues?☑ Be wary of elevated processes ☑ Use the threat modeling tool Threat Model Checklist threat asset vuln
- 56. Summary Every design should be secure from the ground up. (SecureDesign) DevOpsSec = incorporate security into systems development life cycle.