Weaponizing Your DevOps Pipeline
Modern development teams are delivering features at a rapid pace using modern technologies such as containers, microservices, and serverless functions. Operations and infrastructure teams are supporting these rapid delivery cycles using Infrastructure as Code, Test Driven Infrastructure (TDI), and cloud automation. Yet, most security teams are still using traditional security approaches and can't keep up with the rate of accelerated change.

Security must be reinvented in a DevOps world to take advantage of the opportunities provided by continuous integration and delivery pipelines. In this talk, attendees will take a journey through the DevSecOps Toolchain broken down into the key phases: pre-commit, commit, acceptance, production, and operations. We will explore the pre-commit and commit phases in-depth, identifying security controls, open source tools, and how to integrate these tools into a pipeline. Attendees will walk away with a practical approach for weaponizing the toolchain and building a successful DevSecOps program.


1. Weaponizing Your DevOps Pipeline
   OWASP MSP, Thursday, July 19th 2018
   Eric Johnson (@emjohn20)

2. Eric Johnson, CISSP, AWS CD, GSSP, GWAPT
   Puma Security
   • Principal Security Engineer
   • Modern static code analysis
   • DevSecOps automation
   • Secure Development Lifecycle
   SANS Institute
   • Certified Instructor: DEV541 Secure Coding in Java; DEV534 Secure DevOps
   • Course Author: DEV531 Mobile App Security Essentials; DEV540 Secure DevOps & Cloud Application Security; DEV544 Secure Coding in .NET
   ©2018 – Puma Security, LLC

3. Roadmap
   • The DevOps Problem
   • DevSecOps Program: Pre-Commit, Commit, Acceptance, Production, Operations
   • Conclusion

4. State of DevOps
   The State of DevOps report (2017) indicates that high performing organizations:
   • Deploy 46x more frequently
   • Have 440x shorter lead times
   • Recover from failures 96x faster
   • Spend 50% less time remediating security issues

5. The DevOps Toolchain
   The DevOps toolchain enabling the rapid delivery cycles (not inclusive): Git, Jenkins, Docker, Artifactory, Puppet / Chef, Terraform, Kubernetes, Packer

6. State of Traditional Security
   • External vendor performing annual assessments
   • Internal security team receives 1,000 page PDF reports
   • Internal security team manually running scanners, fuzzers, etc.
   [image: tired clerk with a stack of paper on the desk]

7. HPE | AppSec & DevOps Survey
   • Published October 2016
   • Release frequency up 30x
   • 42% indicate silos still exist between Sec and DevOps
   [chart "Security in DevOps": categories SecDevOps, Gated Reviews, Network Defenses, Nothing; values shown 20%, 38%, 25%, 17%]

8. The Problem
   • Security is not invited to the DevOps party
   • Internal security team does not have a development background
   • Frequent deployments invalidate assessment results
   • Missing a huge opportunity for security in the pipeline

9. Why The Cold Shoulder?
   "DevOps is an excuse for developers to have global access to production. No way." - The dictator CISO
   "Perfect, I get to wire up crappy security scanners and break the build." - The security jerk
   "We cannot use continuous delivery and remain PCI compliant." - The uninformed compliance manager

10. What is DevSecOps
   DevSecOps / SecDevOps / DevOpsSec is about breaking down walls between security and:
   • Development
   • Operations
   • Business
   "In DevSecOps, security is a first-class problem and the security team is a first-class citizen." - Jim Bird, CTO, SANS Analyst & DEV540 co-author

11. Roadmap
   • The DevOps Problem
   • DevSecOps Program: Pre-Commit, Commit, Acceptance, Production, Operations
   • Conclusion

12. Keeping CALM & DevSecOps On
   Applying security to Willis, Edwards, & Humble's CALMS:
   • Culture: no security jerks (Etsy), turning "no" into "yes"
   • Automation: rely on security tools for efficiency and repeatability
   • Lean: apply lean engineering practices to risk assessments and code reviews
   • Measurement: use security data to drive decisions, improve, and respond in real time (or near real time)
   • Sharing: share threat intel, secure frameworks, and postmortems across the organization

13. DevSecOps Phases
   • DevSecOps cycles through 5 key phases: Pre-Commit, Commit (CI), Acceptance, Production, Operations
   • The SANS DevSecOps Toolchain lists several OSS tools for each phase (written by Ben Allen, Jim Bird, Eric Johnson, & Frank Kim)
   • https://sans.org/u/zAi
14. DevSecOps Security Controls
   Breaking down the security controls in each DevSecOps phase:
   • PRE-COMMIT: IDE security plugins, pre-commit hooks, peer code reviews, threat modeling
   • COMMIT (CI): static code analysis, security unit tests, container security, dependency management
   • ACCEPTANCE: infrastructure scanning, dynamic security tests, security acceptance tests, cloud infrastructure
   • PRODUCTION: security smoke tests, security configuration, secrets management, server hardening
   • OPERATIONS: blameless postmortems, continuous monitoring, penetration testing, threat intelligence

15. DevSecOps Phases | Pre-Commit
   Applying security controls before code is written and committed (the control matrix from slide 14, Pre-Commit column highlighted).
16. Pre-Commit | Threat Modeling
   Threat modeling must apply lean engineering principles:
   • Lightweight and incremental review
   • The source code is the design
   • Focus on data classification, entry points, high risk code, and writing security stories / abuse cases
   • Categorize the risk level (high risk, paved road, control gates)

17. Pre-Commit | Threat Modeling Tools
   Weaponizing the toolchain:
   • Raindance: https://github.com/devsecops/raindance
   • Mozilla's Rapid Risk Assessment (RRA): https://infosec.mozilla.org/guidelines/risk/rapid_risk_assessment.html
   • OWASP Threat Dragon: https://www.owasp.org/index.php/OWASP_Threat_Dragon

18. Pre-Commit | High Risk Code Examples
   High risk code may perform any of the following functionality (not inclusive):
   • Infrastructure code
   • Pipeline definitions
   • Authentication
   • Access control
   • Output encoding
   • Input validation
   • Automated security / compliance tests
   • High risk business logic
   • Data entitlement checks
   • Handling confidential data
   • Cryptography

19. Pre-Commit | Threat Modeling Example
   Mozilla's rapid risk assessment guidance and Google Doc provide a blueprint for 30 minute RRAs.

20. Pre-Commit | IDE Security Plugins
   Opportunity to identify vulnerabilities in infrastructure and application code as code is written or saved to disk:
   • Security becomes part of the engineering workflow
   • Shifting as far left as possible in the kill chain
   • Must have low false positive rates (important)

21. Pre-Commit | IDE Security Tools
   Weaponizing the toolchain:
   • FindSecurityBugs (Java)
   • Puma Scan (C#)
   • SonarLint (Java, C#, JavaScript)
   • DevSkim (C#, JavaScript)

22. Pre-Commit | IDE Security Example
   Puma Scan identifying a JSON deserialization vulnerability.

23. Pre-Commit | Git Hooks
   Run security checkers before committing code to git:
   • Invoke additional CLI scans / security checks before code reaches continuous integration
   • Use for secrets management: keys, access keys, etc.
   • Important to note: these client-side protections can be disabled by engineers

24. Pre-Commit | Git Hook Tools
   Weaponizing the toolchain:
   • AWS Labs git-secrets: https://github.com/awslabs/git-secrets
   • Talisman: https://github.com/thoughtworks/talisman
   • Auth0 repo-supervisor: https://github.com/auth0/repo-supervisor
   • Yelp Pre-Commit Framework: https://pre-commit.com/

25. Pre-Commit | Git Hook Example
   AWS git-secrets blocking a commit that contains an access key id and secret key:

```
$ git commit -m "testing git-secrets"
Web/PumaScan.Licensing.Web/appsettings.json:5: "AccessKey": "AKIAJNQ7C2FCRR6B4VWA",
Web/PumaScan.Licensing.Web/appsettings.json:6: "SecretKey": "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"
[ERROR] Matched one or more prohibited patterns
```
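The check behind that output, as an added Python example (not git-secrets itself, and not the presenter's code): a pre-commit hook that scans the staged version of each changed file for an AWS access key id and a secret access key, and returns a non-zero exit status so git refuses the commit. The sample appsettings.json is constructed and uses the placeholder credentials from the AWS documentation; the `git` invocations assume the script runs inside a repository as `.git/hooks/pre-commit`.

```python
"""Pre-commit hook: block staged changes that contain AWS credentials."""
import re
import subprocess
import sys

# Access key ids are 20 characters beginning with AKIA (long-term) or ASIA (temporary).
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret keys: a key-like name, an assignment, then exactly 40 base64-style characters.
SECRET_KEY_RE = re.compile(
    r"(?:aws)?_?(?:secret)?_?(?:access)?_?key['\"]?\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])",
    re.IGNORECASE,
)


def scan_text(text, path="<stdin>"):
    """Return (path, line_no, kind) for every line that looks like it holds a credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ACCESS_KEY_RE.search(line):
            findings.append((path, line_no, "aws-access-key-id"))
        if SECRET_KEY_RE.search(line):
            findings.append((path, line_no, "aws-secret-access-key"))
    return findings


def staged_files():
    """Paths added, copied or modified in the index: the content about to be committed."""
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                         check=True, capture_output=True, text=True).stdout
    return [p for p in out.splitlines() if p]


def staged_content(path):
    """Read the index (staged) version of a file, not the working-tree copy."""
    return subprocess.run(["git", "show", f":{path}"], check=True,
                          capture_output=True, text=True, errors="replace").stdout


def main():
    findings = []
    for path in staged_files():
        findings.extend(scan_text(staged_content(path), path))
    for path, line_no, kind in findings:
        print(f"{path}:{line_no}: {kind}", file=sys.stderr)
    if findings:
        print("[ERROR] Matched one or more prohibited patterns", file=sys.stderr)
        return 1  # non-zero exit status makes git abort the commit
    return 0


# Constructed sample modelled on the slide's appsettings.json; the values are the
# AWS documentation placeholders (AKIAIOSFODNN7EXAMPLE / wJalr...EXAMPLEKEY), not real keys.
SAMPLE_APPSETTINGS = """{
  "Logging": "Information",
  "AllowedHosts": "*",
  "Aws": {
    "AccessKey": "AKIAIOSFODNN7EXAMPLE",
    "SecretKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
  }
}"""

if __name__ == "__main__":
    sys.exit(main())
```

As slide 23 notes, a hook like this lives on the engineer's machine and can be skipped with `--no-verify`, so the same scan should run again in CI.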
26. Pre-Commit | Peer Reviews
   Peer code reviews are mandatory in disciplined DevSecOps organizations:
   • Allow engineers to discover hard-coded secrets, logic flaws in high risk code, and backdoors
   • Compensating control for separation of duties in continuous deployment
   • Rely on the reviewer's application security skillset

27. Pre-Commit | Peer Review Toolchain
   Weaponizing the toolchain:
   • GitHub Pull Request
   • GitLab Merge Request
   • Bitbucket Pull Request
   • Gerrit (Google)
   • Review Board: https://github.com/reviewboard/reviewboard

28. Pre-Commit | Peer Review Example
   GitHub pull request requiring peer review approval.
29. DevSecOps Phases | Commit
   Applying automated, fast, accurate security controls in the CI pipeline (the control matrix from slide 14, Commit (CI) column highlighted).
30. Commit | Static Code Analysis
   Limited opportunity for static analysis in CI & CD pipelines:
   • Speed matters (< 5 minutes)
   • High accuracy rules
   • Low false positive rates
   • Disable rules that do not provide value to engineers

31. Commit | Static Code Analysis Tools
   Weaponizing the toolchain:
   • Brakeman (Ruby)
   • ESLint (NodeJS)
   • Puma Scan (C#)
   • FindSecurityBugs (Java)
   • Puppet Lint Security
   • And many, many commercial offerings

32. Commit | Static Code Analysis Example
   Puma Scan failing a build in a Jenkins CI pipeline.

33. Commit | Static Code Analysis Example
   Capturing and reporting vulnerability data in a Jenkins CI pipeline.

34. Commit | Security Unit Tests
   Built on top of standard unit and integration tests to enforce security requirements:
   • Leverage abuse cases and evil user stories from the rapid risk assessment
   • Focus on high risk code and business logic flaws
   • Fast execution in the IDE / CI pipeline
   • Can be used to enforce security requirements

35. Commit | Security Unit Test Tools
   Weaponizing the toolchain:
   • JUnit
   • XUnit
   • Mocha (NodeJS)
   • RSpec
36. Commit | Happy Path Unit Test Example
   • Engineers often stay on the "happy path"
   • Prove the code works under normal usage

```csharp
[Theory]
[InlineData("bob@app.com", "L1ttleB0bbyTable$", "1", HttpStatusCode.Found)]
public async Task License_DownloadTest(string username, string password, string id, HttpStatusCode responseCode)
{
    // … authenticate as username/password and capture the session cookie (elided on the slide)
    var request = new HttpRequestMessage(HttpMethod.Get, $"/download/{id}");
    request.Headers.Add("Cookie", $"app-portal={authCookie};");
    var response = await _client.SendAsync(request);
    // A valid id for an authenticated user redirects to the download
    Assert.Equal(responseCode, response.StatusCode);
}
```

37. Commit | Validation Unit Test Example
   Testing common SQL injection characters:

```csharp
[Theory]
// Each special character must be rejected by input validation with a 404, never reach the query
[InlineData("bob@app.com", "L1ttleB0bbyTable$", "'", HttpStatusCode.NotFound)]
[InlineData("bob@app.com", "L1ttleB0bbyTable$", "*", HttpStatusCode.NotFound)]
[InlineData("bob@app.com", "L1ttleB0bbyTable$", ")", HttpStatusCode.NotFound)]
[InlineData("bob@app.com", "L1ttleB0bbyTable$", ",", HttpStatusCode.NotFound)]
[InlineData("bob@app.com", "L1ttleB0bbyTable$", ";", HttpStatusCode.NotFound)]
[InlineData("bob@app.com", "L1ttleB0bbyTable$", "#", HttpStatusCode.NotFound)]
[InlineData("bob@app.com", "L1ttleB0bbyTable$", "&", HttpStatusCode.NotFound)]
public async Task License_DownloadTest(string username, string password, string id, HttpStatusCode responseCode)
{
    // … authenticate as username/password and capture the session cookie (elided on the slide)
    var request = new HttpRequestMessage(HttpMethod.Get, $"/download/{id}");
    request.Headers.Add("Cookie", $"app-portal={authCookie};");
    var response = await _client.SendAsync(request);
    Assert.Equal(responseCode, response.StatusCode);
}
```

38. Commit | High Risk Code Unit Test Example
   Verifying checksums on high risk code:

```csharp
[Theory]
[InlineData("/Web/Controllers/AccountController.cs", "2ffbf33b66ddb07616f882ceed0718826af298a7")]
[InlineData("/Shared/Services/Cryptography/Hash.cs", "d51bfd137d37a7ed908737552568bcc5241f5021")]
[InlineData("/Shared/Services/Cryptography/Asymmetric.cs", "fe83bf6f453698c5f78cab167bca14c72daf32c0")]
[InlineData("/Shared/Services/Cryptography/Symmetric.cs", "ae951207f4fbdbe2d9661297f285dc99857f32d4")]
public void HighRiskCode_CheckSumTest(string file, string checksum)
{
    // Recompute the file's checksum and compare it with the value pinned at the last review
    bool match = checksum.Equals(Hash.GetChecksum(file));
    // Any drift in high risk code requests a code review before the build fails
    if (!match)
        NotificationService.RequestCodeReview(file);
    Assert.True(match);
}
```
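The same control in Python, as an added example rather than the slide's xUnit code or the project's Hash / NotificationService classes: a manifest pins a SHA-256 digest for each high-risk file, and verification reports every file that has drifted or gone missing through a callback that stands in for the review request. The repository layout and file contents are constructed in a temporary directory; the `HIGH_RISK` paths mirror two of the slide's paths without the leading slash.

```python
"""Checksum check for high-risk source files (pin at review time, verify in CI)."""
import hashlib
import os
import tempfile

# Constructed list of high-risk files, modelled on the slide's paths
HIGH_RISK = ["Web/Controllers/AccountController.cs",
             "Shared/Services/Cryptography/Hash.cs"]


def file_checksum(path):
    """SHA-256 hex digest of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, files):
    """Pin the current digest of each high-risk file; run when a reviewed change lands."""
    return {rel: file_checksum(os.path.join(root, rel)) for rel in files}


def verify_manifest(root, manifest, notify):
    """Return the relative paths whose digest no longer matches the manifest.

    notify(path, reason) is called for every drifted or missing file; in the slide this
    is NotificationService.RequestCodeReview, here it is a caller-supplied callback.
    """
    drifted = []
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            notify(rel, "missing")
            drifted.append(rel)
        elif file_checksum(path) != expected:
            notify(rel, "changed")
            drifted.append(rel)
    return drifted


def demo():
    """Constructed repo: pin checksums, verify clean, tamper with crypto code, re-verify."""
    requests = []  # (path, reason) pairs the notify callback would send for review
    with tempfile.TemporaryDirectory() as root:
        for rel in HIGH_RISK:
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w") as f:
                f.write(f"// reviewed contents of {rel}\n")
        manifest = build_manifest(root, HIGH_RISK)
        clean = verify_manifest(root, manifest, lambda p, r: requests.append((p, r)))
        with open(os.path.join(root, HIGH_RISK[1]), "a") as f:
            f.write("// unreviewed change to cryptography code\n")
        drifted = verify_manifest(root, manifest, lambda p, r: requests.append((p, r)))
    return clean, drifted, requests


if __name__ == "__main__":
    print(demo())
```

In a pipeline the manifest is committed alongside the code, so updating a pinned digest is itself a reviewable change.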
39. Commit | Container Security
   Containers present an entirely new attack surface for engineering teams to deal with:
   • Managing container secrets
   • Poisoned / untrusted images
   • Hardening the image operating system
   • Docker daemon / API attack surface
   • This topic alone is an hour-plus conversation

40. Commit | Container Security Tools
   Weaponizing the toolchain:
   • Anchore: https://anchore.com/opensource/
   • Actuary: https://github.com/diogomonica/actuary
   • Clair: https://github.com/coreos/clair
   • Falco: https://github.com/draios/falco

41. Commit | Container Security Scan Example
   Anchore scan results via Jenkins CI.

42. Commit | Dependency Management
   Builds a bill of materials from operations and application dependencies:
   • Scans manifests, templates, and libraries
   • Identifies packages and libraries with known vulnerabilities
   • Suggests package version updates to remediate vulnerabilities

43. Commit | Dependency Management Tools
   Weaponizing the toolchain:
   • OWASP Dependency Check
   • PHP Security Checker
   • Retire.JS
   • Node Security Project

44. Commit | Dependency Management Example
   Dependency Check scan results via Jenkins CI.
45. DevSecOps Phases | Acceptance
   Applying security controls during delivery of infrastructure or applications to acceptance (the control matrix from slide 14, Acceptance column highlighted).

46. DevSecOps Phases | Production
   Applying security controls during deployment of infrastructure or applications to production (the control matrix from slide 14, Production column highlighted).

47. DevSecOps Phases | Operations
   Continuous security monitoring, testing, and compliance checks in production (the control matrix from slide 14, Operations column highlighted).
48. Roadmap
   • The DevOps Problem
   • DevSecOps Program: Pre-Commit, Commit, Acceptance, Production, Operations
   • Conclusion

49. Puma Scan | Black Hat Arsenal 2018
   • Open source security source code analyzers
   • 50+ application security-specific rules
   • Install guide, rule docs, source code: https://www.pumascan.com/community, https://github.com/pumasecurity, @puma_scan
   • Presenting Wednesday August 8th at Black Hat Arsenal: https://www.blackhat.com/us-18/arsenal/schedule/#puma-scan-12003

50. Questions?
   Contact info: eric.johnson@pumascan.com, @emjohn20