O slideshow foi denunciado.
Utilizamos seu perfil e dados de atividades no LinkedIn para personalizar e exibir anúncios mais relevantes. Altere suas preferências de anúncios quando desejar.
Secure Application
Development in the Age
of Continuous Delivery
LinuxCon/ContainerCon Europe 2016 – Berlin Germany
#whoami – Tim Mackey
Current roles: Senior Technical Evangelist; Occasional coder
• Former XenServer Community Manager in ...
Standard Development Workflow
DEVELOP BUILD PACKAGE DEPLOY PRODUCTION
BUG TRACKING
TEST
AUTOMATION
Understanding the
Attacker Model
Vulnerability Management Implies Data Breach Management
 89% of data breaches had a
financial or espionage motive
 Legal...
Attackers Decide What’s Valuable …
But security investment is often not aligned with actual risks
Anatomy of a New Attack
Potential Attack
Iterate
Test against platforms
Document
Don’t forget PR department!
Deploy
Exploiting a
Vulnerability
CLOSED SOURCE COMMERCIAL CODE
• DEDICATED SECURITY RESEARCHERS
• ALERTING AND NOTIFICATION INFRASTRUCTURE
• REGULAR PATCH ...
Knowledge is Key. Can You Keep Up?
glibc
Bug
Reported
July 2015
Vuln: CVE-2015-7547: glibc getaddrinfo stack-based
buffer ...
Knowledge is Key. Can You Keep Up?
glibc
Vuln
Introduced
May 2008
glibc
Bug
Reported
July 2015
CVE-2015-
7547
CVE
Assigned...
Knowledge is Key. Can You Keep Up?
glibc
Vuln
Introduced
May 2008
CVE-2015-
7547
CVE
Assigned
Feb 16-2016
glibc
Bug
Report...
Knowledge is Key. Can You Keep Up?
glibc
Vuln
Introduced
National
Vulnerability
Database
Vuln
Published
You
Find It
May 20...
Understanding Vulnerability Impact
0
500
1000
1500
2000
2500
3000
3500
2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015
Open S...
0
500
1000
1500
2000
2500
3000
3500
2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015
Open S...
Vulnerabilities Enter Product and Become Deployed
DEVELOP BUILD PACKAGE DEPLOY PRODUCTION
BUG TRACKING
TEST
AUTOMATION
Workflow Integrations Matter
Understanding the
Deployment
Environment
Primary goals
• Protect against BIOS and firmware attacks
• Protect cryptographic host state
• Ensure valid hypervisor ker...
Intel EPT – Extended Page Tables
Page 0
…
Page
13553
Page
13554
…
…
Page 126
Page 127
…
Page
64589
Page
64590
Page
64591
P...
Hypervisor
Hypervisor Memory Introspection – Enabled by EPT
Implementation Overview
• Critical memory pages are
assigned p...
Guest Guest Guest Guest Guest
Critical
Memory
Access
Critical
Memory
Access
Critical
Memory
Access
Critical
Memory
Access
...
Virtual Switches as Local Edge Protection – Silent Block
Guest
VM
SSL access
Attack silently blocked
Virtual Switch Rules
...
Virtual Switches as Local Edge Protection – Traffic Monitor
Guest
VM
SSL access
Attack blocked with traffic log
Virtual Sw...
Guest
VM
Virtual Switches as Local Edge Protection – Quarantine
Guest
VM
SSL access
Attack quarantined with full log
Virtu...
Production
Container Usage
Are Containers Production Ready?
Container Use Cases
Application containers
• Hold a single application
• Can follow micro-services, cloud native design pa...
Securing the
Container
Contents and
Environment
Baseline to Limit the Scope of Compromise
• Enable Linux Security Modules
• SELinux
• --selinux-enabled on Docker engine, ...
Red Hat Enterprise Linux Atomic Host 7
• What is Atomic Host?
• Optimized RHEL7 variation designed for use with Docker
• U...
Container Source Trust
Red Hat Atomic Host
AtomicApp
AtomicApp
AtomicApp
Red Hat Registry
MySQL
Redis
Jenkins
Docker Hub
D...
OpenSCAP vs. Black Duck Hub
OpenSCAP
• Profile driven compliance policy engine
• Vendor vulnerability data is but one comp...
A DONATION HAPPILY GIVEN
TO THE DEMO GODS
Gating Builds for Vulnerabilities
DEVELOP BUILD PACKAGE
BUG TRACKING
VULNERABILITY
ASSESMENT
Control
Domain
NetworkingCompute Storage
Hypervisor
Container
VM
Minimal OS
Understanding Scope of Compromise – Protect Fr...
Understanding Scope of Compromise – Protect From the Inside
Container VM
Minimal OS
Container
Container
Unpatched
Containe...
Vulnerability Assessment Post Deployment
DEVELOP BUILD PACKAGE DEPLOY PRODUCTION
BUG TRACKING
TEST
AUTOMATION
VULNERABILIT...
Risk Mitigation Shrinks Scope of Compromise
Open source license compliance
• Ensure project dependencies are understood
Us...
Vulnerability Analysis Compliments SAST/DAST
Vulnerability Analysis
- Identifies vulnerable dependencies
- 3000+ disclosur...
7 of the top 10
Software Companies
(44 of the top 100)
6 of the top 8
Mobile Handset Vendors
6 of the top 10
Investment Ba...
8,500
WEBSITES
350
BILLION LINES OF CODE
2,400
LICENSE TYPES
1.5
MILLION PROJECTS
76,000
VULNERABILITIES
• Largest databas...
Black Duck Hub Security Architecture
Hub Scan1 File and Directory Signatures2 Open Source
Component Identified
3
Hub Web A...
We Need Your Help
Knowledge is power
• Know what’s running and why
• Define proactive vulnerability response process
• Don...
Free Tools to Help
Free Docker Container Security Scanner
• https://info.blackducksoftware.com/Security-Scan.html
14 Day F...
Secure Application Development in the Age of Continuous Delivery
Próximos SlideShares
Carregando em…5
×

Secure Application Development in the Age of Continuous Delivery

As delivered by Tim Mackey, Senior Technical Evangelist - Black Duck Software, at LinuxCon and ContainerCon in Berlin 2016.

Traditionally, when datacenter operators talk about application security, they've tended to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques.
The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment of micro-services, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily.

In this session we’ll present:
• How known vulnerabilities can make their way into production deployments
• How deployment of vulnerable code can be minimized
• How to determine the vulnerability status of a container
• How to determine the risk associated with a specific package

  • Seja o primeiro a comentar

  • Seja a primeira pessoa a gostar disto

Secure Application Development in the Age of Continuous Delivery

  1. 1. Secure Application Development in the Age of Continuous Delivery LinuxCon/ContainerCon Europe 2016 – Berlin Germany
  2. 2. #whoami – Tim Mackey Current roles: Senior Technical Evangelist; Occasional coder • Former XenServer Community Manager in Citrix Open Source Business Office Cool things I’ve done • Designed laser communication systems • Early designer of retail self-checkout machines • Embedded special relativity algorithms into industrial control system Find me • Twitter: @TimInTech ( https://twitter.com/TimInTech ) • SlideShare: slideshare.net/TimMackey • LinkedIn: www.linkedin.com/in/mackeytim
  3. 3. Standard Development Workflow DEVELOP BUILD PACKAGE DEPLOY PRODUCTION BUG TRACKING TEST AUTOMATION
  4. 4. Understanding the Attacker Model
  5. 5. Vulnerability Management Implies Data Breach Management  89% of data breaches had a financial or espionage motive  Legal costs and forensics dominate remediation expenses Source: Verizon 2016 Data Breach Report
  6. 6. Attackers Decide What’s Valuable …
  7. 7. But security investment is often not aligned with actual risks
  8. 8. Anatomy of a New Attack Potential Attack Iterate Test against platforms Document Don’t forget PR department! Deploy
  9. 9. Exploiting a Vulnerability
  10. 10. CLOSED SOURCE COMMERCIAL CODE • DEDICATED SECURITY RESEARCHERS • ALERTING AND NOTIFICATION INFRASTRUCTURE • REGULAR PATCH UPDATES • DEDICATED SUPPORT TEAM WITH SLA OPEN SOURCE CODE • “COMMUNITY”-BASED CODE ANALYSIS • MONITOR NEWSFEEDS YOURSELF • NO STANDARD PATCHING MECHANISM • ULTIMATELY, YOU ARE RESPONSIBLE Who is Responsible for Code and Security?
  11. 11. Knowledge is Key. Can You Keep Up? glibc Bug Reported July 2015 Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
  12. 12. Knowledge is Key. Can You Keep Up? glibc Vuln Introduced May 2008 glibc Bug Reported July 2015 CVE-2015- 7547 CVE Assigned Feb 16-2016 Low Security Risk Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
  13. 13. Knowledge is Key. Can You Keep Up? glibc Vuln Introduced May 2008 CVE-2015- 7547 CVE Assigned Feb 16-2016 glibc Bug Reported July 2015 National Vulnerability Database Vuln Published Feb 18-2016 Moderate Security Risk Low Security Risk Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
  14. 14. Knowledge is Key. Can You Keep Up? glibc Vuln Introduced National Vulnerability Database Vuln Published You Find It May 2008 CVE-2015- 7547 CVE Assigned Feb 16-2016 Feb 18-2016 glibc Bug Reported July 2015 Patches Available You Fix It Highest Security Risk Moderate Security Risk Low Security Risk Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
  15. 15. Understanding Vulnerability Impact
  16. 16. 0 500 1000 1500 2000 2500 3000 3500 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 Open Source Vulnerabilities Reported Per Year BDS-Enhanced Vulnerability Data nvd Reference: Black Duck Software KnowledgeBase, NVD Vulnerability Disclosures Trending Upward
  17. 17. 0 500 1000 1500 2000 2500 3000 3500 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 Open Source Vulnerabilities Reported Per Year nvd BDS-Enhanced Vulnerability Data Reference: Black Duck Software KnowledgeBase, NVD Vulnerability Disclosures Trending Upward
  18. 18. Vulnerabilities Enter Product and Become Deployed DEVELOP BUILD PACKAGE DEPLOY PRODUCTION BUG TRACKING TEST AUTOMATION
  19. 19. Workflow Integrations Matter
  20. 20. Understanding the Deployment Environment
  21. 21. Primary goals • Protect against BIOS and firmware attacks • Protect cryptographic host state • Ensure valid hypervisor kernel • Validate launch of critical VMs • Attest to hosts’ trust state Implemented by • Intel Haswell and newer • Cryptographic hashes stored in TPM Intel TXT – Trusted Execution Protection - Foundational
  22. 22. Intel EPT – Extended Page Tables Page 0 … Page 13553 Page 13554 … … Page 126 Page 127 … Page 64589 Page 64590 Page 64591 Page 0 … Page 217 … Page 31289 … … Page 78924 … Page 97586 … 0→64589 13553→127 13554→64591 App Memory OS Memory TLB CR3 Virtual Machine 126→31289 127→0 64589→97586 64590→217 64591→78924 Host Memory EPT
  23. 23. Hypervisor Hypervisor Memory Introspection – Enabled by EPT Implementation Overview • Critical memory pages are assigned permissions in EPT • Exception handler defined in hypervisor • Shadow EPT defined with elevated privs Protects Against Attack Techniques • Rootkit injection • Buffer overflow • API hooking VM Kernel Memory Layout … Kernel Code (R/X) Driver Code (R/X) … Driver Data (R/W) Kernel Code (R/X) Kernel Data (R/W) … 126→31289 (R/X) 127→0 (R/X) 64589→97586 (R/W) 64590→217 (R/X) 64591→78924 (R/W) EPT#1 126→31289 (+W) 127→0 (+W) 64589→97586 (+X) 64590→217 (+W) 64591→78924 (+X) EPT#2 (Shadow) Exception Handler
  24. 24. Guest Guest Guest Guest Guest Critical Memory Access Critical Memory Access Critical Memory Access Critical Memory Access Critical Memory Access Networking StorageCompute Simplified Hypervisor Introspection Architecture Diagram Xen Project Hypervisor Control Domain (dom0) Security Appliance (domU) Memory Introspection Engine Direct Inspect APIs
  25. 25. Virtual Switches as Local Edge Protection – Silent Block Guest VM SSL access Attack silently blocked Virtual Switch Rules Ingress: HTTPS public Egress: Dynamic port to origin MySQL internal Private CIDR internal Port 22 access
  26. 26. Virtual Switches as Local Edge Protection – Traffic Monitor Guest VM SSL access Attack blocked with traffic log Virtual Switch Rules Ingress: HTTPS public Egress: Dynamic port to origin MySQL internal Private CIDR internal Port 22 access ovs Controller Log SSH Port 22 access Create port mirror for attacker Traffic Monitor Virtual Switch Rules Ingress: HTTPS public Egress: Dynamic port to origin MySQL internal Private CIDR internal Mirror: Port 22 to Traffic Monitor All attacker traffic to monitor
  27. 27. Guest VM Virtual Switches as Local Edge Protection – Quarantine Guest VM SSL access Attack quarantined with full log Virtual Switch Rules Ingress: HTTPS public Egress: Dynamic port to origin MySQL internal Private CIDR internal Port 22 access ovs Controller Log SSH Port 22 access Create port mirror for attacker Quarantine VM for attacker use Trigger replacement VM for farm Traffic Monitor Virtual Switch Rules Ingress: HTTPS attacker Egress: Dynamic port to origin Mirror: Port 22 to Traffic Monitor All attacker traffic to monitor
  28. 28. Production Container Usage
  29. 29. Are Containers Production Ready?
  30. 30. Container Use Cases Application containers • Hold a single application • Can follow micro-services, cloud native design pattern • Starting point for most container usage • Short lifespan, many per host System containers • Proxy for a VM • Insulate against core operating system • Perfect for legacy apps • Long lifespan, few per host MySQL Tomcat nginx Kernel MySQL Tomcat nginx Kernel
  31. 31. Securing the Container Contents and Environment
  32. 32. Baseline to Limit the Scope of Compromise • Enable Linux Security Modules • SELinux • --selinux-enabled on Docker engine, --security-opt=“label:profile” • AppArmor • -- security-opt=“apparmor:profile” • Apply Linux kernel security profiles • grsecurity, PaX and seccomp protections for ALSR and RBAC • Adjust privileged kernel capabilities • Reduce capabilities with --cap-drop • Beware –cap-add and –privileged=false, and CAP_SYS_ADMIN • Use a minimal Linux host OS • Red Hat Enterprise Linux Atomic Host 7, CoreOS, RancherOS, Intel Clear Linux, Alpine, etc • Reduce impact of noisy neighbors • Use cgroups to set CPU shares and memory
  33. 33. Red Hat Enterprise Linux Atomic Host 7 • What is Atomic Host? • Optimized RHEL7 variation designed for use with Docker • Uses SELinux for safeguards • Provides atomic upgrade and rollback capabilities via rpm-ostree • Pre-installed with Docker and Kubernetes • Atomic App and Atomic Nulecule • Provides a model for multi-container application definition • Supports Docker, Kubernetes, OpenShift and Mesos • OpenShift artifacts run natively or via atomic provider • Provides security compliance scan capabilities
  34. 34. Container Source Trust Red Hat Atomic Host AtomicApp AtomicApp AtomicApp Red Hat Registry MySQL Redis Jenkins Docker Hub DockerContainer DockerContainer DockerContainer DockerContainer DockerContainer Third Party and Custom Problem: Who to trust, and why? • Trusted source? • Unexpected image contents • Locked application layer versions (e.g. no yum update) • Layer dependencies (monolithic vs micro-services) • Validated when?
  35. 35. OpenSCAP vs. Black Duck Hub OpenSCAP • Profile driven compliance policy engine • Vendor vulnerability data is but one component of policy • Integrated directly with Red Hat Atomic • Usage: atomic scan --scanner openscap {container id} Black Duck Hub integration with Red Hat Atomic • Broad vulnerability data for most open source components • Covers vulnerability, license compliance and operational risk • Integrated with Red Hat Atomic • Rich tooling integration for development teams • Installed via: atomic install blackducksoftware/atomic • Usage: atomic scan --scanner blackduck {container id}
  36. 36. A DONATION HAPPILY GIVEN TO THE DEMO GODS
  37. 37. Gating Builds for Vulnerabilities DEVELOP BUILD PACKAGE BUG TRACKING VULNERABILITY ASSESMENT
  38. 38. Control Domain NetworkingCompute Storage Hypervisor Container VM Minimal OS Understanding Scope of Compromise – Protect From the Inside Container Container Container Container VM Minimal OS Container Container Container SecurityService Container
  39. 39. Understanding Scope of Compromise – Protect From the Inside Container VM Minimal OS Container Container Unpatched Container Compromised Container Compromised Container
  40. 40. Vulnerability Assessment Post Deployment DEVELOP BUILD PACKAGE DEPLOY PRODUCTION BUG TRACKING TEST AUTOMATION VULNERABILITY ASSESMENT
  41. 41. Risk Mitigation Shrinks Scope of Compromise Open source license compliance • Ensure project dependencies are understood Use of vulnerable open source components • Is component a fork or dependency? • How is component linked? Operational risk • Can you differentiate between “stable” and “dead”? • Is there a significant change set in your future? • API versioning • Security response process for project
  42. 42. Vulnerability Analysis Compliments SAST/DAST Vulnerability Analysis - Identifies vulnerable dependencies - 3000+ disclosures in 2015 - Most vulnerabilities found by researchers All possible security vulnerabilities Static and Dynamic Analysis - Discover common security patterns - Challenged by nuanced bugs - Focuses on your code; not upstream
  43. 43. 7 of the top 10 Software Companies (44 of the top 100) 6 of the top 8 Mobile Handset Vendors 6 of the top 10 Investment Banks 24 Countries 250+ Employees 1,800Customers Who is Black Duck Software? 27Founded 2002
  44. 44. 8,500 WEBSITES 350 BILLION LINES OF CODE 2,400 LICENSE TYPES 1.5 MILLION PROJECTS 76,000 VULNERABILITIES • Largest database of open source project information in the world. • Vulnerabilities coverage extended through partnership with Risk Based Security. • The KnowledgeBase is essential for identifying and solving open source issues. Comprehensive KnowledgeBase
  45. 45. Black Duck Hub Security Architecture Hub Scan1 File and Directory Signatures2 Open Source Component Identified 3 Hub Web Application Black Duck KnowledgeBase On Premise Black Duck Data Center
  46. 46. We Need Your Help Knowledge is power • Know what’s running and why • Define proactive vulnerability response process • Don’t let technology hype cycle dictate security Invest in defense in depth models • Don’t rely on perimeter security to do heavy lifting • Do look at hypervisor & container trends in security • Make developers and ops teams part of the solution • Focus attention on vulnerability remediation Together we can build a more secure data center
  47. 47. Free Tools to Help Free Docker Container Security Scanner • https://info.blackducksoftware.com/Security-Scan.html 14 Day Free Trial to Black Duck Hub • https://info.blackducksoftware.com/Demo.html

×