Weaponizing Your DevOps Pipeline

1. Weaponizing Your DevOps Pipeline OWASP MSP Thursday, July 19th 2018 Eric Johnson (@emjohn20)

2. Puma Security • Principal Security Engineer • Modern static code analysis • DevSecOps automation • Secure Development Lifecycle SANS Institute • Certified Instructor DEV541: Secure Coding in Java DEV534: Secure DevOps • Course Author DEV531: Mobile App Security Essentials DEV540: Secure DevOps & Cloud Application Security DEV544: Secure Coding in .NET Eric Johnson, CISSP, AWS CD, GSSP, GWAPT ©2018 – Puma Security, LLC

4. State of DevOps ©2018 – Puma Security, LLC State of DevOps report (2017) indicates high performing organizations: • Deploy 46x more frequently • Have 440x shorter lead times • Recover from failures 96x faster • Spend 50% less time remediating security issues

6. • External vendor performing annual assessments • Internal security team receives 1,000 page PDF reports • Internal security team manually running scanners, fuzzers, etc. State of Traditional Security ©2018 – Puma Security, LLC img:https://paperlesschase.com/wp-content/uploads/2013/08/Tired-clerk-with-paper-on-desk.jpg

7. • Published October 2016 • Release frequency up 30x • 42% indicate silos still exist between Sec and DevOps HPE | AppSec & DevOps Survey 20% 38% 25% 17% Security in DevOps SecDevOps Gated Reviews Network Defenses Nothing ©2018 – Puma Security, LLC

8. • Security is not invited to the DevOps party • Internal security team does not have development background • Frequent deployments invalidate assessment results • Missing a huge opportunity for security in the pipeline The Problem ©2018 – Puma Security, LLC

9. Why The Cold Shoulder? ©2018 – Puma Security, LLC "DevOps is an excuse for developers to have global access to production. No way." - The dictator CISO "Perfect, I get to wire up crappy security scanners and break the build." - The security jerk "We cannot use continuous delivery and remain PCI compliant. " - The uninformed compliance manager

10. What is DevSecOps DevSecOps / SecDevOps / DevOpsSec is about breaking down walls between security and: • Development • Operations • Business ©2018 – Puma Security, LLC "In DevSecOps, security is a first-class problem and the security team is a first-class citizen." - Jim Bird, CTO, SANS Analyst & DEV540 co-author

12. Applying security to Wills, Edwards, & Humble's CALMS: • Culture - No security jerks (Etsy), turning "no" into "yes" • Automation - Rely on security tools for efficiency + repeatability • Lean - Apply lean engineering practices to risk assessments / code reviews • Measurement - Use security data to drive decisions, improve, and respond in real time (or near real time) • Sharing - Sharing threat intel, secure frameworks, and postmortems across the organization Keeping CALM & DevSecOps On ©2018 – Puma Security, LLC

13. DevSecOps Phases • DevSecOps cycles through 5 key phases • SANS DevSecOps Toolchain lists several OSS tools for each phase – Written by Ben Allen, Jim Bird, Eric Johnson, & Frank Kim • https://sans.org/u/zAi ©2018 – Puma Security, LLC PRE-COMMIT COMMIT (CI) ACCEPTANCE PRODUCTION OPERATIONS sans.org/u/zAi

14. Breaking down the security controls in each DevSecOps phase: DevSecOps Security Controls PRE-COMMIT COMMIT (CI) ACCEPTANCE PRODUCTION IDE SECURITY PLUGINS PRE-COMMIT HOOKS PEER CODE REVIEWS STATIC CODE ANALYSIS SECURITY UNIT TESTS CONTAINER SECURITY INFRASTRUCTURE SCANNING DYNAMIC SECURITY TESTS SECURITY SMOKE TESTS SECURITY CONFIGURATION SECRETS MANAGEMENT THREAT MODELING DEPENDENCY MANAGEMENT SECURITY ACCEPTANCE TESTS SERVER HARDENING ©2018 – Puma Security, LLC OPERATIONS BLAMELESS POSTMORTEMS CONTINUOUS MONITORING PENETRATION TESTING THREAT INTELLIGENCE CLOUD INFRASTRUCTURE

15. Applying security controls before code is written and committed: DevSecOps Phases | Pre-Commit PRE-COMMIT COMMIT (CI) ACCEPTANCE PRODUCTION IDE SECURITY PLUGINS PRE-COMMIT HOOKS PEER CODE REVIEWS STATIC CODE ANALYSIS SECURITY UNIT TESTS CONTAINER SECURITY INFRASTRUCTURE SCANNING DYNAMIC SECURITY TESTS SECURITY SMOKE TESTS SECURITY CONFIGURATION SECRETS MANAGEMENT THREAT MODELING DEPENDENCY MANAGEMENT SECURITY ACCEPTANCE TESTS SERVER HARDENING ©2018 – Puma Security, LLC OPERATIONS BLAMELESS POSTMORTEMS CONTINUOUS MONITORING PENETRATION TESTING THREAT INTELLIGENCE CLOUD INFRASTRUCTURE

16. Threat modeling must apply lean engineering principles: • Lightweight and incremental review • The source code is the design • Focus on data classification, entry points, high risk code, and writing security stories / abuse cases • Categorize the risk level (high risk, paved road, control gates) Pre-Commit| Threat Modeling PRE-COMMIT ©2018 – Puma Security, LLC THREAT MODELING

17. Weaponizing the toolchain: • Raindance – https://github.com/devsecops/raindance • Mozilla's Rapid Risk Assessment (RRA) – https://infosec.mozilla.org/guidelines/risk/rapid_risk_assessme nt.html • OWASP Threat Dragon – https://www.owasp.org/index.php/OWASP_Threat_Dragon Pre-Commit| Threat Modeling Tools PRE-COMMIT ©2018 – Puma Security, LLC THREAT MODELING

18. High risk code may perform any of following functionality (not inclusive): • Infrastructure Code • Pipeline definitions • Authentication • Access control • Output encoding • Input validation • Automated security / compliance tests • High risk business logic • Data entitlement checks • Handling confidential data • Cryptography Pre-Commit | High Risk Code Examples ©2018 – Puma Security, LLC

20. Opportunity to identify vulnerabilities in infrastructure and application code as code is written or saved to disk: Pre-Commit | IDE Security Plugins IDE SECURITY PLUGINS PRE- COMMIT • Security becomes part of the engineering workflow • Shiftings as far left as possible in the kill chain • Must have low false positive rates (important) ©2018 – Puma Security, LLC

21. Weaponizing the toolchain: Pre-Commit | IDE Security Tools IDE SECURITY PLUGINS PRE- COMMIT • FindSecurityBugs (Java) • Puma Scan (C#) • Sonar Lint (Java, C#, JavaScript) • DevSkim (C#, JavaScript) ©2018 – Puma Security, LLC

23. Run security checkers before committing code to git: Pre-Commit | Git Hooks PRE- COMMIT • Invoke additional CLI scans / security checks before code reaches continuous integration • Use for secrets management, keys, access keys, etc. • Important to note these client-side protections can be disabled by engineers ©2018 – Puma Security, LLC PRE-COMMIT HOOKS

24. Weaponizing the toolchain: Pre-Commit | Git Hook Tools PRE- COMMIT • AWS Labs git-secrets – https://github.com/awslabs/git-secrets • Talisman – https://github.com/thoughtworks/talisman • Auth0 repo-supervisor – https://github.com/auth0/repo-supervisor • Yelp Pre-Commit Framework – https://pre-commit.com/ ©2018 – Puma Security, LLC PRE-COMMIT HOOKS

25. AWS git-secrets blocking a commit that contains an access key and secret key id: Pre-Commit | Git Hook Example ©2018 – Puma Security, LLC $ git commit -m "testing git-secrets" Web/PumaScan.Licensing.Web/appsettings.json:5: "AccessKey": "AKIAJNQ7C2FCRR6B4VWA", Web/PumaScan.Licensing.Web/appsettings.json:6: "SecretKey": "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" [ERROR] Matched one or more prohibited patterns 1 2 3 4 5 6 7

26. Peer code reviews are mandatory in disciplined DevSecOps organizations: Pre-Commit | Peer Reviews PRE- COMMIT • Allows engineers to discover hard-coded secrets, logic flaws in high risk code, backdoors • Compensating control for separation of duties in continuous deployment • Relies on the reviewer's application security skillset ©2018 – Puma Security, LLC PEER CODE REVIEWS

27. Weaponizing the toolchain: Pre-Commit | Peer Review Toolchain PRE- COMMIT • GitHub Pull Request • GitLab Merge Request • Bitbucket Pull Request • Gerrit (Google) • Review Board – https://github.com/reviewboard/reviewboard ©2018 – Puma Security, LLC PEER CODE REVIEWS

29. Applying automated, fast, accurate security controls in the CI pipeline: DevSecOps Phases | Commit PRE-COMMIT COMMIT (CI) ACCEPTANCE PRODUCTION IDE SECURITY PLUGINS PRE-COMMIT HOOKS PEER CODE REVIEWS STATIC CODE ANALYSIS SECURITY UNIT TESTS CONTAINER SECURITY INFRASTRUCTURE SCANNING DYNAMIC SECURITY TESTS SECURITY SMOKE TESTS SECURITY CONFIGURATION SECRETS MANAGEMENT THREAT MODELING DEPENDENCY MANAGEMENT SECURITY ACCEPTANCE TESTS SERVER HARDENING ©2018 – Puma Security, LLC OPERATIONS BLAMELESS POSTMORTEMS CONTINUOUS MONITORING PENETRATION TESTING THREAT INTELLIGENCE CLOUD INFRASTRUCTURE

30. Limited opportunity for static analysis in CI & CD pipelines: Commit | Static Code Analysis STATIC CODE ANALYSIS COMMIT • Speed matters (< 5 minutes) • High accuracy rules • Low false positive rates • Disable rules that do not provide value to engineers ©2018 – Puma Security, LLC

31. Weaponizing the toolchain: Commit | Static Code Analysis Tools STATIC CODE ANALYSIS COMMIT • Brakeman (Ruby) • ESLint (NodeJS) • Puma Scan (C#) • FindSecurityBugs (Java) • Puppet Lint Security • And many, many commercial offerings…. ©2018 – Puma Security, LLC

34. Built on top of standard unit and integration tests to enforce security requirements: Commit | Security Unit Tests SECURITY UNIT TESTS COMMIT ©2018 – Puma Security, LLC • Leverage abuse cases and evil user stories from rapid risk assessment • Focus on high risk code and business logic flaws • Fast execution in the IDE / CI pipeline • Can be used to enforce security requirements

36. • Engineers often stay on the "happy path" • Prove the code works under normal usage Commit | Happy Path Unit Test Example ©2018 – Puma Security, LLC [Theory] [InlineData("bob@app.com", "L1ttleB0bbyTable$", "1", HttpStatusCode.Found)] public async Task License_DownloadTest(string username, string password, string id, HttpStatusCode responseCode) { … var request = new HttpRequestMessage(HttpMethod.Get, $"/download/{id}"); request.Headers.Add("Cookie", $"app-portal=${authCookie};"); var response = await _client.SendAsync(request); Assert.Equal(responseCode, response.StatusCode); } 1 2 3 4 5 6 7 8 9 10 11

37. Testing common SQL injection characters: Commit | Validation Unit Text Example ©2018 – Puma Security, LLC [Theory] [InlineData("bob@app.com", "L1ttleB0bbyTable$", "'", HttpStatusCode.NotFound)] [InlineData("bob@app.com", "L1ttleB0bbyTable$", "*", HttpStatusCode.NotFound)] [InlineData("bob@app.com", "L1ttleB0bbyTable$", ")", HttpStatusCode.NotFound)] [InlineData("bob@app.com", "L1ttleB0bbyTable$", ",", HttpStatusCode.NotFound)] [InlineData("bob@app.com", "L1ttleB0bbyTable$", ";", HttpStatusCode.NotFound)] [InlineData("bob@app.com", "L1ttleB0bbyTable$", "#", HttpStatusCode.NotFound)] [InlineData("bob@app.com", "L1ttleB0bbyTable$", "&", HttpStatusCode.NotFound)] public async Task License_DownloadTest(string username, string password, string id, HttpStatusCode responseCode) { … var request = new HttpRequestMessage(HttpMethod.Get, $"/download/{id}"); request.Headers.Add("Cookie", $"app-portal=${authCookie};"); var response = await _client.SendAsync(request); Assert.Equal(responseCode, response.StatusCode); } 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17

38. Verifying checksums on high risk code: Commit | High Risk Code Unit Test Example ©2018 – Puma Security, LLC [Theory] [InlineData("/Web/Controllers/AccountController.cs", "2ffbf33b66ddb07616f882ceed0718826af298a7")] [InlineData("/Shared/Services/Cryptography/Hash.cs", "d51bfd137d37a7ed908737552568bcc5241f5021")] [InlineData("/Shared/Services/Cryptography/Asymmetric.cs", "fe83bf6f453698c5f78cab167bca14c72daf32c0")] [InlineData("/Shared/Services/Cryptography/Symmetric.cs", "ae951207f4fbdbe2d9661297f285dc99857f32d4")] public void HighRiskCode_CheckSumTest(string file, string checksum) { bool match = checksum.Equals(Hash.GetChecksum(file)); if(!match) NotificaionService.RequestCodeReview(file); Assert.True(match); } 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

39. Containers present an entirely new attack surface for engineering teams to deal with: Commit | Container Security COMMIT ©2018 – Puma Security, LLC • Managing container secrets • Poisoned / untrusted images • Hardening image operating system • Docker daemon / API attack surface • This topic alone is an hour + conversation CONTAINER SECURITY

40. Weaponizing the toolchain: Commit | Container Security Tools COMMIT ©2018 – Puma Security, LLC • Anchore – https://anchore.com/opensource/ • Actuary – https://github.com/diogomonica/actuary • Clair – https://github.com/coreos/clair • Falco – https://github.com/draios/falco CONTAINER SECURITY

42. Builds a bill of material from operation and application dependencies Commit | Dependency Management COMMIT ©2018 – Puma Security, LLC • Scans manifests, templates, and libraries • Identifies packages and libraries with known vulnerabilities • Suggests package version updates to remediate vulnerabilities DEPENDENCY MANAGEMENT

43. Weaponizing the toolchain: Commit | Dependency Management Tools COMMIT ©2018 – Puma Security, LLC • OWASP Dependency Check • PHP Security Checker • Retire.JS • Node Security Project DEPENDENCY MANAGEMENT

45. Applying security controls during delivery of infrastructure or applications to acceptance: DevSecOps Phases | Acceptance PRE-COMMIT COMMIT (CI) ACCEPTANCE PRODUCTION IDE SECURITY PLUGINS PRE-COMMIT HOOKS PEER CODE REVIEWS STATIC CODE ANALYSIS SECURITY UNIT TESTS CONTAINER SECURITY INFRASTRUCTURE SCANNING DYNAMIC SECURITY TESTS CLOUD INFRASTRUCTURE SECURITY SMOKE TESTS SECURITY CONFIGURATION SECRETS MANAGEMENT THREAT MODELING DEPENDENCY MANAGEMENT SECURITY ACCEPTANCE TESTS SERVER HARDENING ©2018 – Puma Security, LLC OPERATIONS BLAMELESS POSTMORTEMS CONTINUOUS MONITORING PENETRATION TESTING THREAT INTELLIGENCE

46. Applying security controls during deployment of infrastructure or application to production: DevSecOps Phases | Production PRE-COMMIT COMMIT (CI) ACCEPTANCE PRODUCTION IDE SECURITY PLUGINS PRE-COMMIT HOOKS PEER CODE REVIEWS STATIC CODE ANALYSIS SECURITY UNIT TESTS CONTAINER SECURITY INFRASTRUCTURE SCANNING DYNAMIC SECURITY TESTS CLOUD INFRASTRUCTURE SECURITY SMOKE TESTS SECURITY CONFIGURATION SECRETS MANAGEMENT THREAT MODELING DEPENDENCY MANAGEMENT SECURITY ACCEPTANCE TESTS SERVER HARDENING ©2018 – Puma Security, LLC OPERATIONS BLAMELESS POSTMORTEMS CONTINUOUS MONITORING PENETRATION TESTING THREAT INTELLIGENCE

47. Continuous security monitoring, testing, and compliance checks in production: DevSecOps Phases | Operations PRE-COMMIT COMMIT (CI) ACCEPTANCE PRODUCTION IDE SECURITY PLUGINS PRE-COMMIT HOOKS PEER CODE REVIEWS STATIC CODE ANALYSIS SECURITY UNIT TESTS CONTAINER SECURITY INFRASTRUCTURE SCANNING DYNAMIC SECURITY TESTS CLOUD INFRASTRUCTURE SECURITY SMOKE TESTS SECURITY CONFIGURATION SECRETS MANAGEMENT THREAT MODELING DEPENDENCY MANAGEMENT SECURITY ACCEPTANCE TESTS SERVER HARDENING ©2018 – Puma Security, LLC OPERATIONS BLAMELESS POSTMORTEMS CONTINUOUS MONITORING PENETRATION TESTING THREAT INTELLIGENCE

49. • Open source security source code analyzers • 50+ application security-specific rules • Install guide, rule docs, source code: https://www.pumascan.com/community https://github.com/pumasecurity @puma_scan • Presenting Wednesday August 8th at Black Hat Arsenal https://www.blackhat.com/us-18/arsenal/schedule/#pumascan-12003 Puma Scan | Black Hat Arsenal 2018 ©2018 – Puma Security, LLC

Weaponizing Your DevOps Pipeline

Esté a ler uma amostra.

Confira estes a seguir

Weaponizing Your DevOps Pipeline

Mais Conteúdo rRelacionado

Diapositivos para si (20)

Semelhante a Weaponizing Your DevOps Pipeline (20)

Mais recentes (20)