Secure DevOps: A Puma's Tail

1. Secure DevOps: A Puma’s Tail SANS Secure DevOps Summit Tuesday, October 10th 2017 Eric Johnson (@emjohn20)

2. Puma Security • Principal Security Engineer • Modern static code analysis • DevSecOps automation • Secure Development Lifecycle SANS Institute • Certified Instructor DEV541: Secure Coding in Java DEV534: Secure DevOps • Course Author DEV531: Mobile App Security Essentials DEV540: Secure DevOps & Cloud Application Security DEV544: Secure Coding in .NET Eric Johnson, CISSP, AWS CD, GSSP, GWAPT ©2018 – Puma Security, LLC

4. Case Study | Travel Industry Breaches • Airline Company • 5,000 employees • 50 .NET C# applications • 20 software engineers • 0 application security engineers • 1 deployment / week ©2017 – Puma Security, LLC

6. • External vendor performing annual code assessments • Internal security team receives 1,000 page PDF report • Internal security team performs dynamic pen testing, fuzzing, etc. Case Study | State of Security ©2017 – Puma Security, LLC

7. • Security was not invited to the DevOps party • Internal security team does not have development background • Frequent deployments invalidate assessment results • Missing a huge opportunity for app sec in the pipeline Case Study | The Problem ©2017 – Puma Security, LLC

8. • Published October 2016 • Release frequency up 30x • Silos still exist between Sec and DevOps HPE | AppSec & DevOps Survey 20% 38% 25% 17% Security in DevOps SecDevOps Gated Reviews Network Defenses Nothing ©2017 – Puma Security, LLC

10. SecDevOps Security Controls PRE-COMMIT COMMIT ACCEPTANCE DEPLOYMENT THREAT MODELING IDE SAST CODE REVIEWS SECURITY UNIT TESTS CI SAST HIGH RISK CODE ALERTS SECURITY ACCEPTANCE TESTS CI DAST AUTOMATED SECURITY ATTACKS AUTOMATE DEPLOYMENT SECURITY MONITORING SECURITY SMOKE TESTING SECURITY STORIES • Security controls in a Continuous Integration (CI) / Continuous Delivery (CD) pipeline: SUPPLY CHAIN SCANS MANUAL PEN TESTING VIRTUAL PATCHING ©2017 – Puma Security, LLC

11. SecDevOps Quick Wins PRE-COMMIT COMMIT ACCEPTANCE DEPLOYMENT THREAT MODELING IDE SAST CODE REVIEWS CI SAST HIGH RISK CODE ALERTS CI DAST AUTOMATED SECURITY ATTACKS AUTOMATE DEPLOYMENT SECURITY MONITORING SECURITY SMOKE TESTING • Narrowing the scope and identifying some quick wins for our case study: SUPPLY CHAIN SCANS MANUAL PEN TESTING VIRTUAL PATCHING ©2017 – Puma Security, LLC SECURITY UNIT TESTS SECURITY ACCEPTANCE TESTS SECURITY STORIES

13. Built on top of standard unit and integration tests to enforce security requirements: Security Unit / Integration Testing SECURITY STORIES UNIT / ACCEPTANCE TESTING PRE-COMMIT COMMIT ©2017 – Puma Security, LLC • Create abuse cases and evil user stories • Focus on high risk code and business logic flaws • Fast execution in the IDE / CI pipeline

14. • Engineers often stay on the "happy path" • Prove the code works under normal usage • Example: positive validation testing for a normal user's name The Happy Path ©2017 – Puma Security, LLC [Fact] public void NameValidationPositiveTest() { bool isValid = Validator.IsNameValid("Bobby Tables"); Assert.Equal(isValid, true); } 1 2 3 4 5 6

15. • Security works with engineers to write test cases • Prove the code is secure under abnormal usage • Example: Negative validation w/ evil injection characters Evil Security Stories ©2017 – Puma Security, LLC [Fact] public void ValidateNameNegativeTest() { string EVIL = "&<>"()|;!=~*/{}#"; foreach (char s in EVIL.ToArray()) Assert.Equal(Validator.IsNameValid(s.ToString()), false); } 1 2 3 4 5 6 7

16. Security identifies high risk code performing the following functionality: • Authentication • Access control • Output encoding • Input validation • High risk business logic • Data entitlement checks • Handling confidential data • Cryptography High Risk Code Examples ©2017 – Puma Security, LLC

17. • Automated and configurable security unit testing framework written by @sethlaw • Payload lists for XSS and Injection SQLi, NoSQL, LDAP, XML, XPath, OS vulnerabilities • Supports Java Spring, ASP.NET MVC, and Django • https://github.com/sethlaw/sputr Security Payload Unit Test Repository (SPUTR) ©2017 – Puma Security, LLC

19. Limited opportunity for static analysis in CI & CD pipelines: SecDevOps Static Analysis IDE SAST CI SAST PRE-COMMIT COMMIT • Speed matters (< 10 minutes) • High accuracy rules • Low false positive rates ©2017 – Puma Security, LLC

21. • Purposely vulnerable eCommerce application • Contains over 50 different vulnerabilities • Across two different versions: • Web Forms • .NET MVC 5 • Contributors: • Louis Gardina • Eric Johnson The Target ©2017 – Puma Security, LLC

23. FxCop / Code Analysis Security Benchmark • Rule target results from the “Microsoft Security Rules” rule set • Widget Town scan results: • 2 SQL Injection instances, 1 is a false positive ©2017 – Puma Security, LLC

24. • Widget Town combined CAT.NET and VS Code analysis scan results: Scan Result Summary Category Valid False Positive Cross-Site Scripting 2 0 SQL Injection 1 1 Unvalidated Redirect 1 0 ©2017 – Puma Security, LLC

25. • Widget Town combined CAT.NET and VS Code analysis scan results: Scan Result Summary Category Valid False Positive Cross-Site Scripting 2 0 SQL Injection 1 1 Unvalidated Redirect 1 0 ©2017 – Puma Security, LLC

28. Session recorded at OWASP AppSec USA 2016: • Continuous Integration: Live Code Analysis using Visual Studio and the Roslyn API https://youtube.com/watch?v=Y8JKVjY-7T0 • Demonstration analyzers from the presentation: https://github.com/ejohn20/puma-scan-demo Building Security Analyzers 101 ©2017 – Puma Security, LLC

29. • Open source security source code analyzer built using Roslyn • 50+ application security-specific rules • Version 1.0.6 is available via NuGet & VS Marketplace • Install guide, rule docs, source code: https://www.pumascan.com https://github.com/pumasecurity @puma_scan Introducing the Puma Scan ©2017 – Puma Security, LLC

30. • SQLi via an EF Command Creating a Puma Analyzer ©2017 – Puma Security, LLC […] public void Delete(string id) { using (WidgetTownDBEntities context = new WidgetTownDBEntities()) { string q = string.Format("DELETE FROM Contests WHERE Id = {0}", id); context.Database.ExecuteSqlCommand(q); } } 36 37 38 39 40 41 42 43 44 45

31. • How can we search for this vulnerability? • Which interface? ISyntaxAnalyzer Implementing the Interface ©2017 – Puma Security, LLC public interface ISyntaxAnalyzer { SyntaxKind SinkKind { get; } ConcurrentStack<VulnerableSyntaxNode> VulnerableSyntaxNodes { get; } void GetSinks(SyntaxNodeAnalysisContext context); } 10 11 12 13 14 15 16 17 19

32. • Syntax Kind Enum SimpleAssignmentExpression, MemberAccessExpression, InvocationExpression, ObjectCreationExpression TrueKeyword, LiteralTextExpression, PlusToken Choosing the Syntax Kind ©2017 – Puma Security, LLC […] using (WidgetTownDBEntities context = new WidgetTownDBEntities()) { string q = string.Format("DELETE FROM Contests WHERE Id = {0}", id); context.Database.ExecuteSqlCommand(q); } 23 24 25 26 27 28 29

33. • Configure the analyzer to only inspect InvocationExpression types Choosing the Syntax Kind ©2017 – Puma Security, LLC […] public SyntaxKind SinkKind { get { return SyntaxKind.InvocationExpression; } } […] 23 24 25 26 27 28 29

34. • Tread lightly at first – weed out nodes cheaply Finding the Sink | Cheap Check ©2017 – Puma Security, LLC […] public void GetSinks(SyntaxNodeAnalysisContext context) { var syntax = context.Node as InvocationExpressionSyntax; if (!syntax.ToString().Contains("ExecuteSqlCommand")) return; […] 36 37 38 39 40 41 42 43

35. • …then a little more aggressive Finding the Sink | Symbol Check ©2017 – Puma Security, LLC […] public void GetSinks(SyntaxNodeAnalysisContext context) { […] var symbol = context.SemanticModel .GetSymbolInfo(syntax) .Symbol as IMethodSymbol; if(!symbol.IsMethod("System.Data.Entity.Database" ,"ExecuteSqlCommand")) return; […] } 43 44 45 52 53 54 55 56 57 58 62

36. • Symbol Types Method symbol Property symbol Field symbol Many more Finding the Sink | Symbol Type ©2017 – Puma Security, LLC […] var symbol = context.SemanticModel .GetSymbolInfo(syntax) .Symbol as IMethodSymbol; […] 43 44 45 46 47

37. • Add the sink to the vulnerable collection Vulnerable Sink Collection ©2017 – Puma Security, LLC […] public void GetSinks(SyntaxNodeAnalysisContext context) { […] if (VulnerableSyntaxNodes.All(p => p.Sink.GetLocation() != syntax?.GetLocation())) { VulnerableSyntaxNodes.Push(new VulnerableSyntaxNode(syntax)); } } 55 56 57 58 59 60 61 62 63 64 65 66

38. • Tell Rosyln what diagnostic to report for this Supported Diagnostic ©2017 – Puma Security, LLC [SupportedDiagnostic( DiagnosticId.SEC0108, DiagnosticSeverity.Warning, DiagnosticCategory.Security)] public class EfExecuteSqlCommandInjectionAnalyzer : ISyntaxAnalyzer { […] } 10 11 12 13 14 15 16 50 51 52

39. • Add informative diagnostic description • Diagnostic Analyzers reporting method plays nicely with localized strings and resource files. • Uses default Resouces.resx file Supported Diagnostic Descriptors ©2017 – Puma Security, LLC

40. • Suite is a logical grouping of analyzer • Suite base classes handle the registering of analyzers and reporting of the results • Examples of groupings SQL Injection Cross site scripting Path tampering Open redirects Analyzer Suites ©2017 – Puma Security, LLC

41. • Add analyzer to the array of analyzers Adding an Analyzer to the Suite ©2017 – Puma Security, LLC [DiagnosticAnalyzer(LanguageNames.CSharp, LanguageNames.VisualBasic)] public class SqlInjectionDiagnosticSuite : BaseSyntaxDiagnosticSuite { public SqlInjectionDiagnosticSuite() { Analyzers = new ISyntaxAnalyzer[]{ new EfExecuteSqlCommandInjectionAnalyzer(), new LinqSqlInjectionAnalyzer(), new SqlCommandInjectionAnalyzer() }.ToImmutableArray(); } } 10 11 12 13 14 15 16 17 18 19 21 22 23 24

42. • Widget Town Puma scan results: 56 valid issues, 10 false positives Puma Scan Result Summary Category Valid False Positive Cross-Site Scripting 19 3 SQL Injection 2 3 Misconfiguration 16 0 Path Tampering 3 0 Unvalidated Redirect 2 4 Cross-Site Request Forgery 8 0 Poor Password Management 3 0 Certificate Validation Disabled 1 0 ©2017 – Puma Security, LLC

44. Requirements for static scanning in the IDE. q Display vulnerabilities inside the IDE q Provide documentation on how to fix the issue q Allow engineers to suppress false positives IDE Static Analysis Checklist ©2017 – Puma Security, LLC

49. Requirements for static scanning in the CI pipeline: q Pipeline executes accurate static analysis rules q Process and capture results in pipeline q Configure build thresholds to mark builds as unhealthy or failed q Notify security when issues are suppressed by engineers CI Static Analysis Checklist ©2017 – Puma Security, LLC

54. • Welcoming contributions! • Gather feedback and address edge cases • Continue to build out additional rule categories: Cleartext secrets, insecure XML processing, etc. • Further refine results using data flow analysis to eliminate false positives • Identify rules that can apply suggested code fixes Puma Scan | Future Enhancements ©2017 – Puma Security, LLC

55. • Scott Sauber - Puma Security Engineer • James Kashevos – CDD Security Engineer • Josh Brown-White - Microsoft • Tom Meschter – Microsoft • Manish Vasani – Microsoft • Gitter Rosyln Channel Acknowledgements ©2017 – Puma Security, LLC

Secure DevOps: A Puma's Tail

Esté a ler uma amostra.

Confira estes a seguir

Secure DevOps: A Puma's Tail

Mais Conteúdo rRelacionado

Diapositivos para si (20)

Semelhante a Secure DevOps: A Puma's Tail (20)

Mais recentes (20)