Se ha denunciado esta presentación.
Utilizamos tu perfil de LinkedIn y tus datos de actividad para personalizar los anuncios y mostrarte publicidad más relevante. Puedes cambiar tus preferencias de publicidad en cualquier momento.

Secure DevOps: A Puma's Tail

171 visualizaciones

Publicado el

DevOps is changing the way that organizations design, build, deploy and operate online systems. Engineering teams are making hundreds, or even thousands, of changes per day, and traditional approaches to security are struggling to keep up. Security must be reinvented in a DevOps world and take advantage of the opportunities provided by continuous integration and delivery pipelines.

In this talk, we start with a case study of an organization trying to leverage the power of Continuous Integration (CI) and Continuous Delivery (CD) to improve their security posture. After identifying the key security checkpoints in the pre-commit, commit, acceptance, and deployment lifecycle phases, we will explore how unit testing and static analysis fit into DevSecOps. Live demonstrations will show how to identify vulnerabilities pre-commit inside the Visual Studio development environment, and how to enforce security unit tests and static analysis in a Jenkins continuous integration (CI) build pipeline. Attendees will walk away with a better understanding of how security fits into DevOps, and an open source .NET static analysis engine to help secure your organization’s applications.

Publicado en: Software
  • Sé el primero en comentar

Secure DevOps: A Puma's Tail

  1. 1. Secure DevOps: A Puma’s Tail SANS Secure DevOps Summit Tuesday, October 10th 2017 Eric Johnson (@emjohn20)
  2. 2. Puma Security • Principal Security Engineer • Modern static code analysis • DevSecOps automation • Secure Development Lifecycle SANS Institute • Certified Instructor DEV541: Secure Coding in Java DEV534: Secure DevOps • Course Author DEV531: Mobile App Security Essentials DEV540: Secure DevOps & Cloud Application Security DEV544: Secure Coding in .NET Eric Johnson, CISSP, AWS CD, GSSP, GWAPT ©2018 – Puma Security, LLC
  3. 3. Roadmap • The DevOps Problem • Security Unit / Integration Testing • Static Analysis Options • Pre-Commit • Continuous Integration • Conclusion ©2017 – Puma Security, LLC
  4. 4. Case Study | Travel Industry Breaches • Airline Company • 5,000 employees • 50 .NET C# applications • 20 software engineers • 0 application security engineers • 1 deployment / week ©2017 – Puma Security, LLC
  5. 5. • Continuous Integration via Jenkins • Continuous Delivery via Jenkins pipeline plugin Case Study | State of DevOps ©2017 – Puma Security, LLC
  6. 6. • External vendor performing annual code assessments • Internal security team receives 1,000 page PDF report • Internal security team performs dynamic pen testing, fuzzing, etc. Case Study | State of Security ©2017 – Puma Security, LLC
  7. 7. • Security was not invited to the DevOps party • Internal security team does not have development background • Frequent deployments invalidate assessment results • Missing a huge opportunity for app sec in the pipeline Case Study | The Problem ©2017 – Puma Security, LLC
  8. 8. • Published October 2016 • Release frequency up 30x • Silos still exist between Sec and DevOps HPE | AppSec & DevOps Survey 20% 38% 25% 17% Security in DevOps SecDevOps Gated Reviews Network Defenses Nothing ©2017 – Puma Security, LLC
  9. 9. What is SecDevOps SecDevOps / DevSecOps / DevOpsSec is about breaking down walls between security and: • Development • Operations • Business ©2017 – Puma Security, LLC
  10. 10. SecDevOps Security Controls PRE-COMMIT COMMIT ACCEPTANCE DEPLOYMENT THREAT MODELING IDE SAST CODE REVIEWS SECURITY UNIT TESTS CI SAST HIGH RISK CODE ALERTS SECURITY ACCEPTANCE TESTS CI DAST AUTOMATED SECURITY ATTACKS AUTOMATE DEPLOYMENT SECURITY MONITORING SECURITY SMOKE TESTING SECURITY STORIES • Security controls in a Continuous Integration (CI) / Continuous Delivery (CD) pipeline: SUPPLY CHAIN SCANS MANUAL PEN TESTING VIRTUAL PATCHING ©2017 – Puma Security, LLC
  11. 11. SecDevOps Quick Wins PRE-COMMIT COMMIT ACCEPTANCE DEPLOYMENT THREAT MODELING IDE SAST CODE REVIEWS CI SAST HIGH RISK CODE ALERTS CI DAST AUTOMATED SECURITY ATTACKS AUTOMATE DEPLOYMENT SECURITY MONITORING SECURITY SMOKE TESTING • Narrowing the scope and identifying some quick wins for our case study: SUPPLY CHAIN SCANS MANUAL PEN TESTING VIRTUAL PATCHING ©2017 – Puma Security, LLC SECURITY UNIT TESTS SECURITY ACCEPTANCE TESTS SECURITY STORIES
  12. 12. Roadmap • The DevOps Problem • Security Unit / Integration Testing • Static Analysis Options • Pre-Commit • Continuous Integration • Conclusion ©2017 – Puma Security, LLC
  13. 13. Built on top of standard unit and integration tests to enforce security requirements: Security Unit / Integration Testing SECURITY STORIES UNIT / ACCEPTANCE TESTING PRE-COMMIT COMMIT ©2017 – Puma Security, LLC • Create abuse cases and evil user stories • Focus on high risk code and business logic flaws • Fast execution in the IDE / CI pipeline
  14. 14. • Engineers often stay on the "happy path" • Prove the code works under normal usage • Example: positive validation testing for a normal user's name The Happy Path ©2017 – Puma Security, LLC [Fact] public void NameValidationPositiveTest() { bool isValid = Validator.IsNameValid("Bobby Tables"); Assert.Equal(isValid, true); } 1 2 3 4 5 6
  15. 15. • Security works with engineers to write test cases • Prove the code is secure under abnormal usage • Example: Negative validation w/ evil injection characters Evil Security Stories ©2017 – Puma Security, LLC [Fact] public void ValidateNameNegativeTest() { string EVIL = "&<>"()|;!=~*/{}#"; foreach (char s in EVIL.ToArray()) Assert.Equal(Validator.IsNameValid(s.ToString()), false); } 1 2 3 4 5 6 7
  16. 16. Security identifies high risk code performing the following functionality: • Authentication • Access control • Output encoding • Input validation • High risk business logic • Data entitlement checks • Handling confidential data • Cryptography High Risk Code Examples ©2017 – Puma Security, LLC
  17. 17. • Automated and configurable security unit testing framework written by @sethlaw • Payload lists for XSS and Injection SQLi, NoSQL, LDAP, XML, XPath, OS vulnerabilities • Supports Java Spring, ASP.NET MVC, and Django • https://github.com/sethlaw/sputr Security Payload Unit Test Repository (SPUTR) ©2017 – Puma Security, LLC
  18. 18. Roadmap • The DevOps Problem • Security Unit / Integration Testing • Static Analysis Options • Pre-Commit • Continuous Integration • Conclusion ©2017 – Puma Security, LLC
  19. 19. Limited opportunity for static analysis in CI & CD pipelines: SecDevOps Static Analysis IDE SAST CI SAST PRE-COMMIT COMMIT • Speed matters (< 10 minutes) • High accuracy rules • Low false positive rates ©2017 – Puma Security, LLC
  20. 20. Free / Open Source .NET Options • CAT.NET • FxCop • Visual Studio Code Analysis • Web Config Security Analyzer • Custom Roslyn Analyzers ©2017 – Puma Security, LLC
  21. 21. • Purposely vulnerable eCommerce application • Contains over 50 different vulnerabilities • Across two different versions: • Web Forms • .NET MVC 5 • Contributors: • Louis Gardina • Eric Johnson The Target ©2017 – Puma Security, LLC
  22. 22. CAT.NET v1.1 Security Benchmark • Widget Town scan results: • 2 XSS, 1 Unvalidated Redirect issues • CAT.NET is a very limited security scanner ©2017 – Puma Security, LLC
  23. 23. FxCop / Code Analysis Security Benchmark • Rule target results from the “Microsoft Security Rules” rule set • Widget Town scan results: • 2 SQL Injection instances, 1 is a false positive ©2017 – Puma Security, LLC
  24. 24. • Widget Town combined CAT.NET and VS Code analysis scan results: Scan Result Summary Category Valid False Positive Cross-Site Scripting 2 0 SQL Injection 1 1 Unvalidated Redirect 1 0 ©2017 – Puma Security, LLC
  25. 25. • Widget Town combined CAT.NET and VS Code analysis scan results: Scan Result Summary Category Valid False Positive Cross-Site Scripting 2 0 SQL Injection 1 1 Unvalidated Redirect 1 0 ©2017 – Puma Security, LLC
  26. 26. Introducing Roslyn • Open-source C# and VB compilers with code analysis APIs • Capable of producing warnings in source code as you type: ©2017 – Puma Security, LLC
  27. 27. Roslyn Diagnostic Warnings • Roslyn diagnostics are also reported during MSBuild compilation: ©2017 – Puma Security, LLC
  28. 28. Session recorded at OWASP AppSec USA 2016: • Continuous Integration: Live Code Analysis using Visual Studio and the Roslyn API https://youtube.com/watch?v=Y8JKVjY-7T0 • Demonstration analyzers from the presentation: https://github.com/ejohn20/puma-scan-demo Building Security Analyzers 101 ©2017 – Puma Security, LLC
  29. 29. • Open source security source code analyzer built using Roslyn • 50+ application security-specific rules • Version 1.0.6 is available via NuGet & VS Marketplace • Install guide, rule docs, source code: https://www.pumascan.com https://github.com/pumasecurity @puma_scan Introducing the Puma Scan ©2017 – Puma Security, LLC
  30. 30. • SQLi via an EF Command Creating a Puma Analyzer ©2017 – Puma Security, LLC […] public void Delete(string id) { using (WidgetTownDBEntities context = new WidgetTownDBEntities()) { string q = string.Format("DELETE FROM Contests WHERE Id = {0}", id); context.Database.ExecuteSqlCommand(q); } } 36 37 38 39 40 41 42 43 44 45
  31. 31. • How can we search for this vulnerability? • Which interface? ISyntaxAnalyzer Implementing the Interface ©2017 – Puma Security, LLC public interface ISyntaxAnalyzer { SyntaxKind SinkKind { get; } ConcurrentStack<VulnerableSyntaxNode> VulnerableSyntaxNodes { get; } void GetSinks(SyntaxNodeAnalysisContext context); } 10 11 12 13 14 15 16 17 19
  32. 32. • Syntax Kind Enum SimpleAssignmentExpression, MemberAccessExpression, InvocationExpression, ObjectCreationExpression TrueKeyword, LiteralTextExpression, PlusToken Choosing the Syntax Kind ©2017 – Puma Security, LLC […] using (WidgetTownDBEntities context = new WidgetTownDBEntities()) { string q = string.Format("DELETE FROM Contests WHERE Id = {0}", id); context.Database.ExecuteSqlCommand(q); } 23 24 25 26 27 28 29
  33. 33. • Configure the analyzer to only inspect InvocationExpression types Choosing the Syntax Kind ©2017 – Puma Security, LLC […] public SyntaxKind SinkKind { get { return SyntaxKind.InvocationExpression; } } […] 23 24 25 26 27 28 29
  34. 34. • Tread lightly at first – weed out nodes cheaply Finding the Sink | Cheap Check ©2017 – Puma Security, LLC […] public void GetSinks(SyntaxNodeAnalysisContext context) { var syntax = context.Node as InvocationExpressionSyntax; if (!syntax.ToString().Contains("ExecuteSqlCommand")) return; […] 36 37 38 39 40 41 42 43
  35. 35. • …then a little more aggressive Finding the Sink | Symbol Check ©2017 – Puma Security, LLC […] public void GetSinks(SyntaxNodeAnalysisContext context) { […] var symbol = context.SemanticModel .GetSymbolInfo(syntax) .Symbol as IMethodSymbol; if(!symbol.IsMethod("System.Data.Entity.Database" ,"ExecuteSqlCommand")) return; […] } 43 44 45 52 53 54 55 56 57 58 62
  36. 36. • Symbol Types Method symbol Property symbol Field symbol Many more Finding the Sink | Symbol Type ©2017 – Puma Security, LLC […] var symbol = context.SemanticModel .GetSymbolInfo(syntax) .Symbol as IMethodSymbol; […] 43 44 45 46 47
  37. 37. • Add the sink to the vulnerable collection Vulnerable Sink Collection ©2017 – Puma Security, LLC […] public void GetSinks(SyntaxNodeAnalysisContext context) { […] if (VulnerableSyntaxNodes.All(p => p.Sink.GetLocation() != syntax?.GetLocation())) { VulnerableSyntaxNodes.Push(new VulnerableSyntaxNode(syntax)); } } 55 56 57 58 59 60 61 62 63 64 65 66
  38. 38. • Tell Rosyln what diagnostic to report for this Supported Diagnostic ©2017 – Puma Security, LLC [SupportedDiagnostic( DiagnosticId.SEC0108, DiagnosticSeverity.Warning, DiagnosticCategory.Security)] public class EfExecuteSqlCommandInjectionAnalyzer : ISyntaxAnalyzer { […] } 10 11 12 13 14 15 16 50 51 52
  39. 39. • Add informative diagnostic description • Diagnostic Analyzers reporting method plays nicely with localized strings and resource files. • Uses default Resouces.resx file Supported Diagnostic Descriptors ©2017 – Puma Security, LLC
  40. 40. • Suite is a logical grouping of analyzer • Suite base classes handle the registering of analyzers and reporting of the results • Examples of groupings SQL Injection Cross site scripting Path tampering Open redirects Analyzer Suites ©2017 – Puma Security, LLC
  41. 41. • Add analyzer to the array of analyzers Adding an Analyzer to the Suite ©2017 – Puma Security, LLC [DiagnosticAnalyzer(LanguageNames.CSharp, LanguageNames.VisualBasic)] public class SqlInjectionDiagnosticSuite : BaseSyntaxDiagnosticSuite { public SqlInjectionDiagnosticSuite() { Analyzers = new ISyntaxAnalyzer[]{ new EfExecuteSqlCommandInjectionAnalyzer(), new LinqSqlInjectionAnalyzer(), new SqlCommandInjectionAnalyzer() }.ToImmutableArray(); } } 10 11 12 13 14 15 16 17 18 19 21 22 23 24
  42. 42. • Widget Town Puma scan results: 56 valid issues, 10 false positives Puma Scan Result Summary Category Valid False Positive Cross-Site Scripting 19 3 SQL Injection 2 3 Misconfiguration 16 0 Path Tampering 3 0 Unvalidated Redirect 2 4 Cross-Site Request Forgery 8 0 Poor Password Management 3 0 Certificate Validation Disabled 1 0 ©2017 – Puma Security, LLC
  43. 43. Roadmap • The DevOps Problem • Security Unit / Integration Testing • Static Analysis Options • Pre-Commit • Continuous Integration • Conclusion ©2017 – Puma Security, LLC
  44. 44. Requirements for static scanning in the IDE. q Display vulnerabilities inside the IDE q Provide documentation on how to fix the issue q Allow engineers to suppress false positives IDE Static Analysis Checklist ©2017 – Puma Security, LLC
  45. 45. q Display vulnerabilities inside the IDE IDE Static Analysis Checklist ©2017 – Puma Security, LLC
  46. 46. q Provide documentation on how to fix the issue IDE Static Analysis Checklist ©2017 – Puma Security, LLC
  47. 47. q Allow engineers to suppress false positives IDE Static Analysis Checklist ©2017 – Puma Security, LLC
  48. 48. Roadmap • The DevOps Problem • Security Unit / Integration Testing • Static Analysis Options • Pre-Commit • Continuous Integration • Conclusion ©2017 – Puma Security, LLC
  49. 49. Requirements for static scanning in the CI pipeline: q Pipeline executes accurate static analysis rules q Process and capture results in pipeline q Configure build thresholds to mark builds as unhealthy or failed q Notify security when issues are suppressed by engineers CI Static Analysis Checklist ©2017 – Puma Security, LLC
  50. 50. q Pipeline executes accurate static analysis rules CI Static Analysis Checklist ©2017 – Puma Security, LLC
  51. 51. q Process and capture results in pipeline CI Static Analysis Checklist ©2017 – Puma Security, LLC
  52. 52. q Configure build thresholds to mark builds as unhealthy or failed CI Static Analysis Checklist ©2017 – Puma Security, LLC
  53. 53. Roadmap • The DevOps Problem • Security Unit / Integration Testing • Static Analysis Options • Pre-Commit • Continuous Integration • Conclusion ©2017 – Puma Security, LLC
  54. 54. • Welcoming contributions! • Gather feedback and address edge cases • Continue to build out additional rule categories: Cleartext secrets, insecure XML processing, etc. • Further refine results using data flow analysis to eliminate false positives • Identify rules that can apply suggested code fixes Puma Scan | Future Enhancements ©2017 – Puma Security, LLC
  55. 55. • Scott Sauber - Puma Security Engineer • James Kashevos – CDD Security Engineer • Josh Brown-White - Microsoft • Tom Meschter – Microsoft • Manish Vasani – Microsoft • Gitter Rosyln Channel Acknowledgements ©2017 – Puma Security, LLC
  56. 56. Questions? Contact Us: eric.johnson@pumascan.com @emjohn20 eric.mead@pumascan.com @ericmmead ©2017 – Puma Security, LLC

×