1© 2017 Rogue Wave Software, Inc. All Rights Reserved. 1
Continuous security:
Bringing agility to the
secure development
lifecycle
Rod Cope, CTO
Twitter: @RodCope
AppSec California 2017
Presenter: Rod Cope, CTO, Rogue Wave Software
Agenda
• A holistic approach to
cybersecurity
• Making security agile
• Implementing in Jenkins
• Vulnerability examples
A holistic approach to
cybersecurity
We’re inundated by security threats
We’re inundated by data
Sources (diagram): news, blogs, social media, conferences; security standards (OWASP, CWE, CERT, etc.); NVD, White Hat, Black Hat; OEM and internal requirements; media (“more and more software running inside your car”); standards & legislation; research.
Developers don’t know security (80% failed a security knowledge survey).
A holistic approach to cybersecurity
Information overload → develop an adaptive threat model (diagram): feed internal and external data into the threat model, derive a threat metric from it, and turn the metric into action.
Threat modelling identifies, quantifies, and addresses security risks by:
1. Understanding the application & environment
2. Identifying & prioritizing threats
3. Determining mitigation actions
Threat model workflow (diagram): identify assets → system overview → decompose application → identify threats → prioritize threats
Developing a threat metric
Build score components (activity → metric):
• Automated and functional testing → pass/fail metrics
• Penetration testing → number of exploitable paths
• Static analysis → compiler warnings, defects
• Open source audits → unknown OSS
• ...
More on open source
• Growth in software complexity leads to more vulnerabilities
• A large OSS developer base doesn’t imply constant (or skilled) vigilance
• Using components with known vulnerabilities is #9 on the OWASP Top 10 list
On Apache Struts: “It is not noteworthy that an open source project could have a severe vulnerability [it’s] that this flaw went undetected for at least seven years.”
• “Over 680 TB of data exposed”1
• Ransomware groups have deleted over 30,000 databases2
• Example loss: 4.5 million patient records3
• 8 other flaws in core packages in the first week of 2015
1. ComputerWorld
2. ComputerWorld
3. Reuters: U.S. hospital breach biggest yet to exploit Heartbleed bug
Open source protection (identify assets, identify threats)
• Deploy a governance and provisioning platform to whitelist/blacklist open source packages
• Be informed when new vulnerabilities are published through the National Vulnerability Database (NVD)
• Know what is in your source code by scanning for source code snippets that have been copied and pasted
Other considerations
• Isolate code to enforce strict boundaries between the operating system and the processes.
• Data in transit must be encrypted. Protect data at rest using the underlying filesystem encryption features and employ separate keys.
• Every program and every user of the system should operate using the least set of privileges necessary to complete the job.
• Use public key infrastructure (PKI) and sign actions with private keys so that authenticity cannot later be denied (non-repudiation).
• If you employ cryptography, assume that algorithms will be replaced over time. Keep your code modular for easy replacement and don’t create custom algorithms.
• Resource exhaustion makes software vulnerable to denial of service (DoS) attacks; bound the memory, connections and other resources that untrusted input can consume.
• Authenticate: authentication should be strong and managed centrally to ensure inputs are from trusted sources.
Making security agile
Agile development – integrate security
Flow (diagram): accept → Sprint 1 → Sprint 2 → … → Sprint n, with integrate-and-test after every sprint → release to market? No! → review, feedback, adjust and track, change, next iteration; Yes! → release.
Characteristics
• Multiple testing points
• Rapid feedback required
• “Outside” testing does not meet agile needs
DevOps SDLC
SDLC steps (diagram): idea → understand needs → invent solution → develop → commit → build → functional testing → UAT/exploratory testing → accept → release → deploy
Continuous integration covers the build and the functional, security, performance and load testing that runs on every commit.
Example of build score component
Static analysis → compiler warnings, defects
• Standards: rely on the tool to maintain updates to the latest security standards
• Research: rely on the tool to develop custom rules based on research shared by security analysts
• Customization: rely on the tool to allow custom rules for your specific needs
Implementing in Jenkins
Jenkins CI
Example: Enterprise web deployment
Tiers (diagram): UI → business logic → connectors → data layer (MySQL, Oracle); applications: App 1, App 2, Services, Admin, Workflows
Build gate: existing bug → OK; new flaw → FAIL
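As an added example in C (not code from the slides or from Rogue Wave’s tooling), here is the gate rule above, “existing bug → OK, new flaw → FAIL”, combined with the build-score components from the “Developing a threat metric” slide. The finding fields, the weights and the baseline handling are assumptions. A finding is fingerprinted by checker, file and the whitespace-normalised text of the flagged line rather than by line number, so a known issue stays “existing” when unrelated edits move it down the file; only a fingerprint absent from the last accepted build counts as new.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One static-analysis finding. Fields are assumptions for this example. */
struct finding {
    const char *checker;    /* e.g. "CWE-120" */
    const char *file;
    const char *line_text;  /* the flagged source line itself, not its number */
};

/* FNV-1a over checker, file and the flagged line with all whitespace dropped.
 * Keying on line content rather than line number keeps a known finding
 * "existing" when unrelated edits above it shift the line number. */
static uint64_t fingerprint(const struct finding *f)
{
    const char *parts[3] = { f->checker, f->file, f->line_text };
    uint64_t h = 1469598103934665603ULL;
    for (int p = 0; p < 3; p++) {
        for (const char *s = parts[p]; *s; s++) {
            if (isspace((unsigned char)*s))
                continue;
            h ^= (unsigned char)*s;
            h *= 1099511628211ULL;
        }
        h ^= 0xffU;                 /* field separator so "ab"+"c" != "a"+"bc" */
        h *= 1099511628211ULL;
    }
    return h;
}

static int in_baseline(uint64_t fp, const uint64_t *baseline, size_t nb)
{
    for (size_t i = 0; i < nb; i++)
        if (baseline[i] == fp)
            return 1;
    return 0;
}

/* Number of findings in the current run whose fingerprint is not in the
 * baseline recorded from the last accepted build. */
static size_t count_new_findings(const struct finding *current, size_t n,
                                 const uint64_t *baseline, size_t nb)
{
    size_t fresh = 0;
    for (size_t i = 0; i < n; i++)
        if (!in_baseline(fingerprint(&current[i]), baseline, nb))
            fresh++;
    return fresh;
}

/* The threat-metric inputs from the "Developing a threat metric" slide. */
struct metric_inputs {
    unsigned tests_failed;       /* automated and functional testing */
    unsigned exploitable_paths;  /* penetration testing */
    unsigned static_defects;     /* static analysis */
    unsigned unknown_oss;        /* open source audit: components of unknown origin */
};

/* Weighted build score. The weights are assumptions; a real programme tunes
 * them from its threat model so the score tracks what it actually fears. */
static unsigned build_score(const struct metric_inputs *m)
{
    return 20u * m->exploitable_paths + 10u * m->tests_failed
         +  5u * m->static_defects   +  3u * m->unknown_oss;
}

/* Gate decision: 1 = FAIL, 0 = OK. Any new flaw fails the build outright;
 * existing flaws only move the score, which fails when it exceeds the limit
 * agreed for this release (so the trend cannot silently get worse). */
static int gate(size_t new_flaws, unsigned score, unsigned score_limit)
{
    if (new_flaws > 0)
        return 1;
    return score > score_limit;
}

int main(void)
{
    /* Constructed data: one finding accepted in the last build, the same
     * finding re-indented by a later edit, and one genuinely new finding. */
    struct finding accepted = { "CWE-120", "src/login.c", "strcpy(u->name, src);" };
    struct finding shifted  = { "CWE-120", "src/login.c", "    strcpy(u->name,  src);" };
    struct finding fresh    = { "CWE-78",  "src/admin.c", "system(cmd);" };
    uint64_t baseline[1];
    struct finding current[2];
    baseline[0] = fingerprint(&accepted);
    current[0]  = shifted;
    current[1]  = fresh;

    size_t new_flaws = count_new_findings(current, 2, baseline, 1);
    struct metric_inputs m = { 0, 0, 2, 1 };
    unsigned score = build_score(&m);

    printf("new findings: %zu, build score: %u, gate: %s\n",
           new_flaws, score, gate(new_flaws, score, 50) ? "FAIL" : "OK");
    return gate(new_flaws, score, 50);
}
```

In a Jenkins job the baseline fingerprints would be an artifact archived from the last accepted build and the program’s exit status would fail the stage; the score limit is what lets a team accept a known backlog while still refusing to let it grow.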
Best practices
• Automate the build process: free up developers’ time, ensure consistency and repeatability (avoid human error)
• Automate testing: automate the discovery of security weaknesses, compliance violations, OSS use
• Automate reporting: fast feedback; seeing trends helps identify areas of bad code
Vulnerability example
Buffer overflow
Static analysis report
Validate length, commit, build again
Real vulnerability: GNU libc
CVE-2015-1472 (fixed in glibc 2.21)
https://sourceware.org/ml/libc-alpha/2015-02/msg00119.html
• Under certain conditions wscanf can allocate too little memory for the to-be-scanned arguments and overflow the allocated buffer.
• Theoretically, any internet-connected Linux machine running an affected glibc version is at risk; in practice the exposure is confined to programs that pass untrusted input through the wscanf family, which is why an inventory of the components and calls your code actually uses matters.
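An added example in C, not the slides’ demo code and not the glibc patch: the “validate length” fix for the fixed-size-buffer overflow that the static analysis report flags on the previous slides, beside the allocation-size mistake that CVE-2015-1472 belongs to (a buffer sized for bytes but filled with wchar_t). The struct, its field names and the 16-byte limit are assumptions; the unsafe variants are shown for reading and are never called with oversized input.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

#define NAME_MAX_LEN 16   /* assumed limit for this example */

struct user {
    char name[NAME_MAX_LEN];
    int  admin;   /* sits right after name[]: the first field an overflow clobbers */
};

/* 'Before' (what the static analysis report flags): no bound on src.
 * A src of NAME_MAX_LEN bytes or more overruns name[] and overwrites admin. */
static void set_name_unsafe(struct user *u, const char *src)
{
    strcpy(u->name, src);
}

/* 'After' (validate length, then commit): check before copying and reject
 * oversized input instead of silently truncating it, since a truncated
 * name can be compared or logged elsewhere as if it were complete.
 * Returns 0 on success, -1 when src plus its NUL does not fit. */
static int set_name_checked(struct user *u, const char *src)
{
    size_t n = strlen(src);
    if (n >= sizeof u->name)
        return -1;
    memcpy(u->name, src, n + 1);
    return 0;
}

/* Bytes needed for a wide copy of nchars characters plus the terminator,
 * with the multiplication guarded. Returns 0 if the count cannot be held. */
static size_t wide_buffer_bytes(size_t nchars)
{
    if (nchars > SIZE_MAX / sizeof(wchar_t) - 1)
        return 0;
    return (nchars + 1) * sizeof(wchar_t);
}

/* The class of mistake CVE-2015-1472 belongs to: the buffer is sized as if
 * one character were one byte, then filled with wchar_t values. With a
 * 4-byte wchar_t the loop writes 3*(len+1) bytes past the allocation.
 * Illustrative pattern only, not the glibc code; never called here. */
wchar_t *widen_unsafe(const char *s)
{
    size_t   len = strlen(s);
    wchar_t *w   = malloc(len + 1);       /* BUG: counts bytes, stores wchar_t */
    if (!w)
        return NULL;
    for (size_t i = 0; i <= len; i++)
        w[i] = (wchar_t)(unsigned char)s[i];
    return w;
}

/* Hardened: size the allocation in units of the element actually stored. */
static wchar_t *widen_checked(const char *s)
{
    size_t   len   = strlen(s);
    size_t   bytes = wide_buffer_bytes(len);
    wchar_t *w     = bytes ? malloc(bytes) : NULL;
    if (!w)
        return NULL;
    for (size_t i = 0; i <= len; i++)
        w[i] = (wchar_t)(unsigned char)s[i];
    return w;
}

int main(void)
{
    struct user u = { "", 0 };
    /* constructed input: 24 bytes, longer than name[] can hold */
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAA";

    set_name_unsafe(&u, "bob");   /* well-defined only because "bob" fits */
    printf("checked copy of \"alice\": %d\n", set_name_checked(&u, "alice"));
    printf("checked copy of 24 bytes: %d, admin still %d, name still %s\n",
           set_name_checked(&u, too_long), u.admin, u.name);

    wchar_t *w = widen_checked("alice");
    if (w) {
        printf("wide copy holds %zu characters\n", wcslen(w));
        free(w);
    }
    return 0;
}
```

Both fixes share one idea: compute the bound from the destination (`sizeof u->name`, `sizeof(wchar_t)`) rather than from the source, so the check cannot drift when either side changes.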
GNU libc example: fail
GNU libc example: fix
Conclusions
• The application security world is fluid → create concrete, actionable strategies (threat metric, analysis tools)
• Delivery cycles are short → update regularly with a well-defined process (agile, CI)
Q&A
See us in action:
www.roguewave.com