© 2017 Rogue Wave Software, Inc. All Rights Reserved.
Continuous security: Bringing agility to the secure development lifecycle
Rod Cope, CTO
Twitter: @RodCope
AppSec California 2017
Presenter: Rod Cope, CTO, Rogue Wave Software
Agenda
• A holistic approach to cybersecurity
• Making security agile
• Implementing in Jenkins
• Vulnerability examples
A holistic approach to cybersecurity
We’re inundated by security threats
We’re inundated by data
• News: blogs, social media, conferences
• Security standards: OWASP, CWE, CERT, etc.
• Research: NVD, White Hat, Black Hat, OEMs, internal
• Media
• More and more software running inside your car
• Standards & legislation
• Requirements
• Source
• Developers don’t know security (80% failed a security knowledge survey)
A holistic approach to cybersecurity
Diagram: a threat model fed by an internal threat metric and by external data, driving action.
Information overload: develop an adaptive threat model.
Scanning to discover open
Threat model
Threat modelling identifies, quantifies, and addresses security risks by:
1. Understanding the application & environment
2. Identifying & prioritizing threats
3. Determining mitigation actions
Process: identify assets → system overview → decompose application → identify threats → prioritize threats
Developing a threat metric
Build score components:
• Automated and functional testing: pass/fail metrics
• Penetration testing: number of exploitable paths
• Static analysis: compiler warnings, defects
• Open source audits: unknown OSS
More on open source
• Growth in software complexity leads to more vulnerabilities
• A large OSS developer base doesn’t imply constant (or skilled) vigilance
• Using components with known vulnerabilities is #9 (A9) on the 2013 OWASP Top 10 list
On Apache Struts: “It is not noteworthy that an open source project could have a severe vulnerability, [it’s] that this flaw went undetected for at least seven years.”
• “Over 680 TB of data exposed” [1]
• Ransomware groups have deleted over 30,000 databases [2]
• Example loss: 4.5 million patient records [3]
• 8 other flaws in core packages in the first week of 2015
1. ComputerWorld
2. ComputerWorld
3. Reuters: U.S. hospital breach biggest yet to exploit Heartbleed bug
Open source protection (identify assets, identify threats)
• Deploy a governance and provisioning platform to white list/black list open source packages
• Be informed when new vulnerabilities are published through the National Vulnerability Database
• Know what is in your source code by scanning for source code snippets that have been copied and pasted from open source projects
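The three open source protection steps above, as an added example that is not Rogue Wave’s code or part of the deck: a small C program that checks a build’s component inventory against an approved list and against advisory records of the form “every version below X is affected”. The component names, versions, advisory identifiers and the record layout are constructed for illustration. The part worth copying is the version comparison: it has to be numeric, component by component, because a lexical compare ranks “2.3.9” above “2.3.16” and quietly clears an affected build.

```c
/* Added example (not Rogue Wave's code): gate a build's open source
 * inventory against an approved list and against published vulnerability
 * records. Component names, versions and advisory ids are constructed;
 * "fixed_in" mirrors how a feed entry expresses an affected range. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct advisory {
    const char *component;
    const char *fixed_in;   /* first version that is not affected */
    const char *id;         /* constructed id, not a real CVE */
};

struct component {
    const char *name;
    const char *version;
};

enum verdict { ALLOWED = 0, NOT_APPROVED = 1, VULNERABLE = 2 };

/* Read one dotted numeric component and advance past it. A non-numeric
 * tail such as "-rc1" ends parsing (simplification: pre-release tags are
 * ignored, and letter schemes like OpenSSL's "1.0.1f" need their own
 * comparator). */
static long next_component(const char **s)
{
    char *end;
    long n = strtol(*s, &end, 10);
    if (end == *s) {                    /* no digits: nothing left */
        *s += strlen(*s);
        return 0;
    }
    *s = (*end == '.') ? end + 1 : end;
    return n;
}

/* Numeric, component-wise comparison: <0, 0, >0 like strcmp(). A plain
 * strcmp() would rank "2.3.9" above "2.3.16" and miss affected builds. */
int compare_versions(const char *a, const char *b)
{
    while (*a || *b) {
        long na = next_component(&a);
        long nb = next_component(&b);
        if (na != nb)
            return na < nb ? -1 : 1;
    }
    return 0;
}

/* Policy for one component: it must be on the approved list, and no
 * advisory may cover the installed version. On VULNERABLE, *why names
 * the advisory so the build log can cite it. */
enum verdict check_component(const struct component *c,
                             const char *const *approved, size_t napproved,
                             const struct advisory *feed, size_t nfeed,
                             const char **why)
{
    size_t i;
    *why = NULL;
    for (i = 0; i < napproved; i++)
        if (strcmp(approved[i], c->name) == 0)
            break;
    if (i == napproved)
        return NOT_APPROVED;
    for (i = 0; i < nfeed; i++) {
        if (strcmp(feed[i].component, c->name) == 0 &&
            compare_versions(c->version, feed[i].fixed_in) < 0) {
            *why = feed[i].id;
            return VULNERABLE;
        }
    }
    return ALLOWED;
}

/* Constructed approved list, advisory feed and build inventory. */
static const char *const APPROVED[] = { "webfw", "jsonparse", "imgcodec" };
#define N_APPROVED (sizeof APPROVED / sizeof APPROVED[0])

static const struct advisory FEED[] = {
    { "webfw",     "2.3.20", "ADV-EXAMPLE-0001" },
    { "jsonparse", "1.10.2", "ADV-EXAMPLE-0002" },
};
#define N_FEED (sizeof FEED / sizeof FEED[0])

static const struct component INVENTORY[] = {
    { "webfw",      "2.3.9"  },  /* below 2.3.20: vulnerable */
    { "jsonparse",  "1.10.2" },  /* exactly the fixed version: allowed */
    { "cryptoutil", "0.4.1"  },  /* not on the approved list: blocked */
};
#define N_INVENTORY (sizeof INVENTORY / sizeof INVENTORY[0])

/* Prints one BLOCK line per rejected component and returns how many
 * there were; a non-zero count fails the build. */
int audit_inventory(const struct component *inv, size_t n)
{
    int blocked = 0;
    for (size_t i = 0; i < n; i++) {
        const char *why;
        enum verdict v = check_component(&inv[i], APPROVED, N_APPROVED,
                                         FEED, N_FEED, &why);
        if (v == VULNERABLE)
            printf("BLOCK %s %s: affected by %s\n", inv[i].name, inv[i].version, why);
        else if (v == NOT_APPROVED)
            printf("BLOCK %s %s: not on the approved list\n", inv[i].name, inv[i].version);
        blocked += (v != ALLOWED);
    }
    return blocked;
}

int main(void)
{
    return audit_inventory(INVENTORY, N_INVENTORY) ? 1 : 0;
}
```

Run as a build step, the non-zero exit fails the job; the approved list and the feed would come from the governance platform and the NVD subscription the slide describes rather than from constants.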
Other considerations
Enforce boundaries: isolate code to enforce strict boundaries between the operating system and the processes.
Protect data in transit and at rest: data in transit must be encrypted; protect data at rest using the underlying filesystem encryption features and employ separate keys.
Enforce least privilege: every program and every user of the system should operate using the least set of privileges necessary to complete the job.
Non-repudiation: use public key infrastructure (PKI) and sign actions with private keys so that the origin of an action cannot later be denied.
Use modular cryptography: if you employ cryptography, assume that algorithms will be replaced over time; keep your code modular for easy replacement and don’t create custom algorithms.
Protect against denial of service: resource exhaustion makes software vulnerable to denial of service (DoS) attacks, so bound the memory, connections and time any single request can consume.
Authenticate: authentication should be strong and managed centrally to ensure inputs are from trusted sources.
Making security agile
Agile development – integrate security
Diagram: Sprint 1, Sprint 2 … Sprint n, each ending in “Integrate and Test”, then Release. Accept? Yes: release to market. No: change, adjust and track, feedback and review, next iteration.
Characteristics:
• Multiple testing points
• Rapid feedback required
• “Outside” testing does not meet agile needs
DevOps SDLC
SDLC steps: idea → understand needs → invent solution → develop → build → commit → release → deploy → accept
Continuous integration testing points along the way: functional testing, security, performance, load, UAT/exploratory testing
Example of build score component
Static analysis: compiler warnings, defects
• Standards: rely on the tool to maintain updates to the latest security standards
• Research: rely on the tool to develop custom rules based on research shared by security analysts
• Customization: rely on the tool to allow custom rules for your specific needs
Implementing in Jenkins
Jenkins CI
Example: Enterprise web deployment
Diagram: layers (UI, business logic, connectors, data layer) across App 1, App 2, Services, Admin and Workflows, backed by MySQL and Oracle.
Gate policy: existing bug → OK; new flaw → FAIL.
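The “existing bug OK, new flaw FAIL” gate above, which is also how the static-analysis component of the build score from the threat metric slide turns into a pass/fail decision, as an added example (not code from the deck or from any Rogue Wave tool): a C program that compares this build’s findings against the baseline accepted on the last good build. The export format, checker names and both sample reports are constructed. The design point is the fingerprint: it leaves out the line number, so an unrelated edit that shifts code does not turn a known, tracked finding into a “new” one that breaks the build.

```c
/* Added example (not Rogue Wave's code): the "existing bug OK, new flaw
 * FAIL" gate. Findings are keyed by checker + file + function, without
 * the line number. The export format, checker names and sample reports
 * are constructed for this example. */
#include <stdio.h>
#include <string.h>

#define MAX_FINDINGS 64
#define FP_LEN 160

/* One exported finding: checker;file;function;line;message */
struct finding {
    char checker[32];
    char file[64];
    char function[48];
    int  line;
};

/* Stable key: checker + file + function, deliberately without the line. */
static void fingerprint(const struct finding *f, char out[FP_LEN])
{
    snprintf(out, FP_LEN, "%s|%s|%s", f->checker, f->file, f->function);
}

/* Parse one exported line. The field widths bound every write, which is
 * the same "validate length" rule the vulnerability example applies. */
int parse_finding(const char *line, struct finding *f)
{
    return sscanf(line, "%31[^;];%63[^;];%47[^;];%d",
                  f->checker, f->file, f->function, &f->line) == 4;
}

/* Parse a newline-separated report; malformed lines are skipped. */
int parse_report(const char *text, struct finding *out, int max)
{
    int n = 0;
    const char *p = text;
    while (*p && n < max) {
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        char buf[256];
        size_t len = full < sizeof buf ? full : sizeof buf - 1;
        memcpy(buf, p, len);
        buf[len] = '\0';
        if (len > 0 && parse_finding(buf, &out[n]))
            n++;
        p = nl ? nl + 1 : p + full;
    }
    return n;
}

/* Number of findings in `cur` whose fingerprint is not in `base`. */
int count_new_findings(const struct finding *cur, int ncur,
                       const struct finding *base, int nbase)
{
    int new_count = 0;
    for (int i = 0; i < ncur; i++) {
        char fp[FP_LEN], bp[FP_LEN];
        int known = 0;
        fingerprint(&cur[i], fp);
        for (int j = 0; j < nbase && !known; j++) {
            fingerprint(&base[j], bp);
            known = (strcmp(fp, bp) == 0);
        }
        if (!known) {
            printf("NEW  %s in %s:%s (line %d)\n", cur[i].checker,
                   cur[i].file, cur[i].function, cur[i].line);
            new_count++;
        }
    }
    return new_count;
}

/* Findings in this build that the accepted baseline does not contain. */
int new_findings(const char *baseline_report, const char *build_report)
{
    struct finding base[MAX_FINDINGS], cur[MAX_FINDINGS];
    int nb = parse_report(baseline_report, base, MAX_FINDINGS);
    int nc = parse_report(build_report, cur, MAX_FINDINGS);
    return count_new_findings(cur, nc, base, nb);
}

/* Gate verdict: 0 = pass (only known findings), 1 = fail (new flaw). */
int gate_build(const char *baseline_report, const char *build_report)
{
    return new_findings(baseline_report, build_report) > 0;
}

/* Constructed reports. In this build the known TAINTED_INDEX finding
 * moved from line 88 to 91 because code above it changed, and a new
 * BUFFER_OVERFLOW finding appeared in connectors/ldap.c. */
static const char *LAST_GOOD_REPORT =
    "TAINTED_INDEX;app1/upload.c;parse_header;88;tainted array index\n"
    "NULL_DEREF;services/auth.c;lookup_user;140;possible null dereference\n";

static const char *THIS_BUILD_REPORT =
    "TAINTED_INDEX;app1/upload.c;parse_header;91;tainted array index\n"
    "NULL_DEREF;services/auth.c;lookup_user;140;possible null dereference\n"
    "BUFFER_OVERFLOW;connectors/ldap.c;copy_dn;57;unchecked copy\n";

int main(void)
{
    return gate_build(LAST_GOOD_REPORT, THIS_BUILD_REPORT);
}
```

The exit status is what the Jenkins job checks; the baseline is written from the report of the last build that passed, so fixing a known finding never fails a build and the tracked backlog can be burned down on its own schedule.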
Best practices
• Automate the build process: free up developers’ time, ensure consistency and repeatability (avoid human error)
• Automate testing: automate the discovery of security weaknesses, compliance violations, OSS use
• Automate reporting: fast feedback; seeing trends helps identify areas of bad code
Vulnerability example
Buffer overflow
Static analysis report
Validate length, commit, build again
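The slides show this as screenshots, so here is an added example of the same before-and-after, constructed for illustration and not the code in the deck: the unchecked copy a static analyzer reports as a buffer overflow, beside the length-validated version that clears the gate. The record layout, the wire format and the inputs are assumptions. It also shows the scanf-family form of the rule, since the glibc example that follows is a scanf bug.

```c
/* Added example, not the code in the slide screenshot: an unchecked copy
 * next to its length-validated fix. Record layout and inputs are
 * constructed for illustration. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 16

struct user_record {
    char name[NAME_MAX_LEN];
    int  is_admin;          /* lives directly after name[] in memory */
};

/* BEFORE: copies whatever the caller sends. A name of 16 or more
 * characters writes past name[] into is_admin and whatever follows.
 * This is the pattern the static analysis report flags. */
void set_name_unchecked(struct user_record *r, const char *input)
{
    strcpy(r->name, input);
}

/* AFTER: validate the length that came from the untrusted source before
 * touching the buffer, and leave the record untouched on rejection so
 * the caller decides what to do. strncpy() alone is not a fix: it leaves
 * name[] unterminated when the input fills it. */
int set_name_checked(struct user_record *r, const char *input, size_t input_len)
{
    if (input == NULL || input_len >= NAME_MAX_LEN)
        return 0;                                   /* too long: reject */
    if (memchr(input, '\0', input_len) != NULL)
        return 0;                                   /* embedded NUL: reject */
    memcpy(r->name, input, input_len);
    r->name[input_len] = '\0';
    return 1;
}

/* The scanf-family form of the same rule: an unbounded "%s" is an
 * overflow; "%15s" bounds the write to name[]. A longer token is silently
 * cut, so check what remains on the line if that matters. */
int parse_name_line(const char *line, struct user_record *r)
{
    return sscanf(line, "name=%15s", r->name) == 1;
}

/* Returns 1 when `input` was accepted into a fresh record and is_admin is
 * still 0 afterwards, 0 when it was rejected. */
int try_name(const char *input, size_t input_len)
{
    struct user_record r = { "", 0 };
    if (!set_name_checked(&r, input, input_len))
        return 0;
    return r.is_admin == 0 && strlen(r.name) == input_len;
}

/* Length of the name parsed from `line`, or -1 if no name was present. */
int parsed_name_len(const char *line)
{
    struct user_record r = { "", 0 };
    return parse_name_line(line, &r) ? (int)strlen(r.name) : -1;
}

int main(void)
{
    const char *ok  = "alice";
    const char *bad = "a_much_longer_name_than_fits";
    printf("%s -> %s\n", ok,  try_name(ok,  strlen(ok))  ? "accepted" : "rejected");
    printf("%s -> %s\n", bad, try_name(bad, strlen(bad)) ? "accepted" : "rejected");
    return 0;
}
```

The length to validate is the one the untrusted source supplied, not a strlen() computed after the fact; and the rejected input leaves the record exactly as it was, which is what lets the caller fail closed.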
Real vulnerability: GNU libc
CVE-2015-1472
https://sourceware.org/ml/libc-alpha/2015-02/msg00119.html
• Under certain conditions the wscanf family can allocate too little memory for the to-be-scanned arguments and overflow the allocated buffer.
• In principle any Linux machine connected to the internet and running an affected glibc (releases before 2.21) is at risk; the exposure is every program that passes untrusted input to the affected functions.
GNU libc example: fail
GNU libc example: fix
Conclusions
• The application security world is fluid: create concrete, actionable strategies (threat metric, analysis tools)
• Delivery cycles are short: update regularly with a well-defined process (Agile, CI)
Q&A
See us in action:
www.roguewave.com