DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web Applications

Julian Berton

Preventing a company from becoming the newest data breach statistic can be a daunting prospect. Especially when working within a company that employs hundreds of engineers pushing code to production daily, it often feels like everything is on fire, and the holy grail of producing a security-inspired product is but a dim light growing further and further away. The same feeling is true for security-aware engineers who are pushed to develop products quickly but are also expected to consider quality assurance, operations, security and the reliability of their application or service.

To help reduce the bleeding and build more security aware applications at scale, a balance of firefighting, preventative initiatives, automation and "JIT" education is required. So strap yourself in while we take you on a journey through 4 years of security successes and epic failures:

* Automation - Implementing a secure-by-default build system (Buildkite) that makes detecting vulnerable dependencies (Snyk), storing secrets (AWS Secrets Manager) and scanning Docker containers an effortless process.

* Prevention - Eradicate several classes of bugs by selecting secure architectural patterns and using automated scripts to detect operational misconfigurations like dangling DNS entries, open S3 buckets, secrets checked into source code and repositories that have been made accidentally public.

* "JIT" Education - Changing a company's security culture with RFCs for security standards, security integrated into PIRs via bug bounty program reports, and visibility through security maturity frameworks (BSIMM).
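The "Prevention" bullet above mentions automated scripts that detect operational misconfigurations: dangling DNS entries, open S3 buckets and secrets checked into source code. The following is an added example (not code from the talk or from SEEK) showing what the core of such checks looks like. All sample data (the zone records, the live-target table, the bucket ACLs and the source lines) is constructed for the example; the S3 group grantee URIs are the real ones AWS uses, and the `AKIA...EXAMPLE` value is the AWS documentation example key, not a live credential.

```python
import math
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

# 1. Dangling DNS entries: a CNAME whose target no longer resolves can be
#    re-registered by a third party, so every such record is reported.
# Constructed sample zone (hypothetical, not SEEK's DNS data).
SAMPLE_RECORDS = [
    {"name": "app.example.com", "type": "CNAME", "target": "app-prod.hosting.example.net"},
    {"name": "old-promo.example.com", "type": "CNAME", "target": "retired-site.hosting.example.net"},
    {"name": "www.example.com", "type": "A", "target": "203.0.113.10"},
]
# Constructed view of which CNAME targets still exist.
LIVE_TARGETS = {"app-prod.hosting.example.net": "203.0.113.10"}

def sample_resolver(hostname: str) -> Optional[str]:
    """Offline stand-in for DNS resolution, backed by the constructed table."""
    return LIVE_TARGETS.get(hostname)

def live_resolver(hostname: str) -> Optional[str]:
    """Real resolver for use against your own zone; None means NXDOMAIN/failure."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None

def find_dangling_cnames(records: List[Dict[str, str]],
                         resolve: Callable[[str], Optional[str]] = sample_resolver) -> List[str]:
    """Return the names of CNAME records whose target does not resolve."""
    return [r["name"] for r in records
            if r["type"] == "CNAME" and resolve(r["target"]) is None]

# 2. Publicly readable S3 buckets: any grant to an AWS-wide group is a finding.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Constructed ACLs in the shape returned by S3 GetBucketAcl.
SAMPLE_ACLS = {
    "assets-private": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}]},
    "legacy-uploads": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"}]},
}

def find_public_buckets(acls: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Return (bucket, permission) for every grant made to a public group."""
    hits = []
    for bucket, acl in acls.items():
        for grant in acl["Grants"]:
            if grant["Grantee"].get("URI") in PUBLIC_GRANTEES:
                hits.append((bucket, grant["Permission"]))
    return hits

# 3. Secrets checked into source: fixed-format credentials are matched by
#    pattern; generic "key = value" assignments are flagged only when the
#    value looks random (high Shannon entropy), which keeps noise down.
AWS_ACCESS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----")
ASSIGNMENT_RE = re.compile(
    r"""(?i)(secret|password|token|api[_-]?key)\s*[:=]\s*['"]([^'"]{8,})['"]""")

def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking strings score high, words score low."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def find_secrets(lines: List[str], min_entropy: float = 3.5) -> List[Tuple[int, str]]:
    """Return (line number, finding type) for each suspicious line."""
    findings = []
    for n, line in enumerate(lines, 1):
        if AWS_ACCESS_KEY_RE.search(line):
            findings.append((n, "aws-access-key-id"))
        elif PRIVATE_KEY_RE.search(line):
            findings.append((n, "private-key"))
        else:
            m = ASSIGNMENT_RE.search(line)
            if m and shannon_entropy(m.group(2)) >= min_entropy:
                findings.append((n, "high-entropy-assignment"))
    return findings

# Constructed source lines; the AKIA value is the AWS documentation example key.
SAMPLE_SOURCE = [
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'db_password = "hunter2"',               # too short to match the assignment pattern
    'api_key = "xK9f3Qm2Lp8ZvR4tWb7Yn1Hc"',
    'region = "ap-southeast-2"',
    'log_prefix = "password_reset_email"',   # keyword inside a value, not an assignment
]

if __name__ == "__main__":
    print("dangling CNAMEs:", find_dangling_cnames(SAMPLE_RECORDS))
    print("public buckets:", find_public_buckets(SAMPLE_ACLS))
    print("secrets:", find_secrets(SAMPLE_SOURCE))
```

In a real run the records would come from the zone provider's API and the ACLs from `GetBucketAcl`, with `live_resolver` passed in place of the constructed one; the resolver is injected so the dangling-CNAME check can be exercised offline and the findings forwarded to a channel like the talk's `#github-alerts` or `#production-issues`.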


  1. Singapore | 28 Feb - 01 Mar 2019 Four years of reflection: How (not) to secure Web Applications @JulianBerton
  2. @JulianBerton julianberton.com
  3. DevSecQAFinOps
  4. In the last 6 months who has felt like this?
  5. ~150 tools, languages, platforms and frameworks
  6. Developer in 2014
  7. Developer in 2019
  8. Dear Developers, 2019 called and said security is everyone's job… Soooooo here is a report with 2000 unvalidated issues for you to fix. Kthxbye
  9. 58% believe security is an inhibitor to DevOps agility.
  10. Chart: No. of security controls vs No. of data breaches (Source: My brain)
  11. Make security controls easy to adopt…
  12. Developer Happiness™ ● Easy to adopt controls ● Clear actionable information ● Works with dev flow ● Low disruption ● Real prioritised risks
  13. A journey back in time to the year 2014…
  14. 2002
  15. 2014
  16. 2014 vs 2019, 5 years... In 2014: ● < 70 developers ● 1 office building ● Simple software stack ● 1 physical data centre ● ~4 monolith applications ● < 100 git repositories ● ~10 deploys per day. In 2019: ● > 400 developers ● 18 countries ● Complex software stack ● 150+ AWS Cloud accounts ● 100's of microservices ● > 2000 git repositories ● > 100 deploys per day
  17. Shift Left Right?
  18. Less than a day later...
  19. 6 months later...
  20. Qualys SSL Report - www.seek.com.au (Feb 2019)
  21. Little bit too far right... What about from random internet people instead!?
  22. www.openbugbounty.org
  23. seek.com.au/jobs/searchFrom=Australia'-alert(document.cookie);
  24. Attackers exploit SEEK via XSS vulnerability. SEEK
  25. Hi Dimtry, If you find vulnerabilities in the future, please disclose them to us via security@seek.com.au. Unfortunately, as you publicly disclosed the issues, we cannot offer you any reward as per our policy. SEEK Security Team
  26. Vulnerability / Reported: XSS, March 2016 ● HTML Injection, March 2016 ● XSS, April 2016 ● XSS, April 2016 ● XSS, May 2016 ● XSS, July 2016
  27. Hi Dimtry, Thank you for reporting these issues. As a result we would like to offer you $550 USD. Could you please send us your PayPal details? SEEK Security Team
  28. Hello, Email of my PayPal account is dmitry.ivasf128@gmail.com Thanks d1n0ck 10 minutes later...
  29. SEEK's Vulnerability Disclosure Policy... https://www.seek.com.au/reporting-security-vulnerabilities/
  30. https://bugcrowd.com/seek
  31. Bug Bounty Program Metrics (2016 to 2019): Total $115,000 (USD) ● Average $845 ● Highest $10,000
  32. https://medium.com/@berton.julian
  33. Just-In-Time Security Education...
  34. 54% of technology teams see security pros in the role of "nag"
  35. https://medium.com/@berton.julian
  36. JIT Security Education ● Clear guidance around the "why" ● Relevant information only ● Getting help?
  37. Ad Hoc Training ● Full Day Course ● Security Champion Program ● Tech Induction
  38. https://medium.com/@berton.julian
  39. #bug-bounty-alerts (69 people)
  40. ● Description of the issue ● Impact to SEEK ● Likelihood of attack ● Proof of concept ● Metrics and ownership tags
  41. #production-issues (414 people) Defense in Depth!! Not for shaming teams
  42. Post Incident Review (PIR)
  43. Scalable alignment of technical patterns and standards… via Request For Comments (RFC)
  44. 2014 vs 2019, 5 years... In 2014: ● < 70 developers ● 1 office building ● Simple software stack ● 1 physical data centre ● ~4 monolith applications ● < 100 git repositories ● ~10 deploys per day. In 2019: ● > 300 developers ● 18 countries ● Complex software stack ● 150+ AWS Cloud accounts ● 100's of microservices ● > 2000 git repositories ● > 100 deploys per day
  45. engineering.riotgames.com/news/evolution-security-riot
  46. ● RFC process is used for internet standards (OAuth, TLS). ● Not an approval process.
  47. 18 approvers
  48. #github-alerts
  49. Open the gate for Secure-by-Default
  50. 50%: High performing teams spend less time fixing security issues.
  51. Buildkite @ SEEK
  52. Our current build system….
  53. Secure-by-Default ● Comes out of the box ● Will not inhibit "innovation" ● Support when things don't work
  54. RFC014 - CICD Tool Requirements: ● Secure Secret Storage ● Key Rotation ● Local Build Agents ● SSO SAML Support ● Audit Logging ● Zero Vendor Trust ● Build Reporting ● Event Notifications ● Codified Build Pipelines ● Native Docker Builds ● Low Latency Build Start
  55. github.com/seek-oss/snyk-buildkite-plugin ● github.com/seek-oss/aws-sm-buildkite-plugin ● Pipeline.yml
  56. Scan PRs for issues
  57. Fixable / Ignore
  58. A macro view of your software maturity
  59. 116 Activities ● 4 Domains ● 12 Practices
  60. Example Activities ● Educate executives on security. ● Use centralized reporting. ● Track bugs through the fix process. ● Operate a bug bounty program. ● Include security awareness.
  61. Activity / Firms (120): ● Black-box security tools into QA processes: 25% ● Use automated & manual code review tools: 63% ● Identify gate locations and gather artifacts: 84% ● Provide awareness training: 88%
  62. Activities Completed / Firms
  63. Activity Change (%): 2% Overall Positive Change
  64. https://medium.com/@berton.julian
  65. Singapore | 28 Feb - 01 Mar 2019 Questions? Twitter: @JulianBerton
