APPSEC AND SOFTWARE QUALITY VERSION 0.5 (MAY/2016) LONDON @DINISCRUZ


COUPLE OF DISCLAIMERS

• This presentation has 103 slides and is designed to guide the delivery of the talk and to provide background information for offline reading

• I abuse the term ‘Unit Testing’ :

• for me the ‘Unit’ can be anything, from just a method to a full browser automation workflow

• if it can be executed with a Unit Test Framework (NUnit, Mocha, Karma) then it is a Unit Test (even if it is called an e2e or Integration test)

ME

• Developer for 25 years

• AppSec for 13 years

• Day jobs:

• Leader OWASP O2 Platform project

• Head of Application Security at The Hut Group

• Application Security Training for JBI Training

• AppSec Consultant and Mentor

PERFORMED HUNDREDS OF SECURITY REVIEWS

• Found critical vulnerabilities in high profile applications (impacting millions of users)

• desktop apps, websites, mobile apps, web services, security tools, frameworks, telephony, networks, etc…

• Reported zero days to software vendors (before bug bounties)

• 0wned data centres, networks, apps, databases

DELIVERED TRAINING TO 1000S OF DEVELOPERS

• BBC , BSkyB

• BAE Applied Intelligence

• O2, Three

• Alaska Airlines

• Ocado

• Capita (Orbit)

• IG

• Harrods

• Microsoft

• Verifone

• OWASP Conferences

• BlackHat

• TotalJobs

• Cashflows

• RuneScape

• The Hut Group

I’M A DEVELOPER

• Have shipped code

• Have managed dev teams

• Have written tests (with 100% code coverage)

• Have created CI and CD environments (DevOps)

• Worked on Secure Software Architecture and workflows (SecDevOps)

GRAPHS

• I love Graphs

• Recently I have realised that I have spent most of my life thinking about graphs and coding graphs

• Graphs are great for data analysis and modelling

• … but this is a topic for another presentation

@DINISCRUZ

BLOG.DINISCRUZ.COM

BOOKS

• Published at Leanpub (http://leanpub.com/u/DinisCruz)

• Minimum price: 0 €

OWASP O2 PLATFORM

• My brain in a tool

• Very powerful but not easy to start using

This presentation assumes that you already want to do Application Security

… where you understand the threats

… and are looking for the How (not the Why)

APPSEC AND QUALITY

Software Craftsmanship is about

Software Quality

“I like my code to be elegant and efficient” Bjarne Stroustrup, inventor of C++

“Clean code is simple and direct. Clean code reads like well-designed prose”

Grady Booch, author

“Clean code can be read, and enhanced by a developer other than its original author”

“Big” Dave Thomas, founder of OTI

“Clean code always looks like it was written by someone who cares”

Michael Feathers, author

“You know you are working on clean code when each routine you read turns out to be pretty much what you expected”

Ward Cunningham, inventor of Wiki

A big problem with the previous quotes and the Software Craftsmanship concept is

‘How to define Quality?’

Everybody knows that Quality is key

… but …

‘how to measure Quality?’

My thesis is that

Application Security can be used to define and measure Software Quality

Not all Software Quality issues are Application Security issues

But all Application Security issues are

Software Quality issues

Sherif Mansour, Expedia

Application Security is all about the

non-functional requirements of software*

* software = apps, websites, web services, apis, tools, build scripts = code

Application Security is all about understanding

HOW the software works*

* vs how software behaves

Using Application Security

We measure the quality of software

THE POLLUTION ANALOGY

TECHNICAL DEBT IS A BAD ANALOGY

• The developers are the ones who pay the debt

• Pollution is a much better analogy

• The key is to make the business accept the risk (i.e. the debt)

• Which is done using the JIRA RISK Workflows

JIRA RISK WORKFLOW

http://blog.diniscruz.com/2016/03/updated-jira-risk-workflow-now-with.html

FIX-APPSEC GUIDANCE WORKFLOW

1. Vulnerability/issue is found (RISK ticket opened) 

2. Dev understands the issue, writes test that replicates the issue, opens ticket in his project’s JIRA and tries to figure out the best way to fix it 

3. Dev asks for guidance to AppSec team

4. AppSec team points to WIKI page (existing or newly created)

5. Dev uses guidance to fix it (and updates the test so that it is now a regression test)

6. Commit(s) are made, RISK ticket is updated with link to commit(s)

7. Dev asks AppSec to review fix

8. AppSec reviews the fix, and if all looks ok, closes the RISK ticket

‘FIXING’ FLOW

‘RISK APPROVAL’ FLOW

MAPPING TO INFOSEC RISKS

Labels for reporting and filters

MAPPING JIRA TICKETS TO TESTS

JIRA DASHBOARDS

WEEKLY EMAILS WITH RISK STATUS

KEY CONCEPTS OF THIS WORKFLOW

• All tests should pass all the time

• Tests that check/confirm vulnerabilities should also pass

• The key to make this work is to: Make business owners understand the risks of their decisions (and click on the ‘accept risk’ button)

You have to make sure that it is your boss that gets fired

… he/she should make sure that it is his/her boss that gets fired …

… all the way to the CTO

(i.e. Board level responsibility)

TESTING

If you make a change and don’t have a test

You are making random changes

http://blog.kj187.de/how-do-i-convince-my-manager-that-unittests-are-important/

How to solve this problem?

You don’t

You sack your manager

As a developer you need to have pressure from management to deliver code that is:

Solid Secure

Testable Provable Readable

Maintainable

Basically, deliver Quality Code

99% CODE COVERAGE

…is not the destination

…it is ‘base camp’

With 99% code coverage you are here

Without 99% code coverage

you have not solved the really hard problems in the testability of your code

Important note:

If 99% code coverage is just a ‘management requirement’

… and is being gamed by devs

… and you have LOTS of stupid ‘Unit tests’

i.e. 99 x 1% code coverage or 999 x 0.1% code coverage

then you also need to sack your manager

Your manager’s job is to help you to deliver:

Solid Secure

Testable Provable Readable

Maintainable

Code

To make testing effective …

…testing (from Unit Testing to Integration tests) needs to be done in the IDE with real-time execution and Code coverage

QA, REGRESSION AND SECURITY TESTS

Wallaby’s realtime Unit test Execution and Code Coverage

MISSING TESTS (and 100% code coverage)

REAL WORLD MUTATION TESTING

• http://pitest.org/
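The following is an added example, not code from the presentation and not pitest (which targets Java). It is a toy mutation run in JavaScript that shows why the ‘99 x 1%’ coverage and ‘missing tests with 100% code coverage’ points above matter: both suites execute every line of the function under test, but only the one with real assertions kills the mutants. The function, the mutants and both suites are constructed for illustration.

```javascript
// Added example (not from the presentation, not pitest): a toy mutation run.
// The function under test, the mutation list and both test suites are constructed.

// Function under test, kept as source text so that it can be mutated and re-compiled.
// A constructed password-policy check: at least 12 characters, one digit, one capital.
const SOURCE = `
function isStrongEnough(pw) {
  if (pw.length < 12) return false;
  if (!/[0-9]/.test(pw)) return false;
  if (!/[A-Z]/.test(pw)) return false;
  return true;
}
`;

// Each mutant changes one operator, constant or condition, the kind of slip that
// line coverage alone never notices.
const MUTATIONS = [
  { name: 'length < 12 -> length < 11', from: 'pw.length < 12', to: 'pw.length < 11' },
  { name: 'length < 12 -> length <= 12', from: 'pw.length < 12', to: 'pw.length <= 12' },
  { name: 'drop digit check', from: '!/[0-9]/.test(pw)', to: 'false' },
  { name: 'drop upper-case check', from: '!/[A-Z]/.test(pw)', to: 'false' },
];

// new Function is used only to load the constructed source text above.
function compile(src) {
  return new Function(`${src}; return isStrongEnough;`)();
}

// A 'coverage only' suite: it executes every line of isStrongEnough (100% coverage)
// but asserts nothing, so it can never fail. Each test returns true for pass.
const coverageOnlySuite = [
  (f) => { f('short'); f('nodigitsbuthaslength'); f('lowercase12345'); f('Uppercase12345'); return true; },
];

// A real suite: one check per rule, each at its boundary.
const realSuite = [
  (f) => f('Uppercase123') === true,        // exactly 12 chars, every rule satisfied
  (f) => f('Uppercase12') === false,        // 11 chars: too short
  (f) => f('NoDigitsHereAtAll') === false,  // missing digit
  (f) => f('alllowercase123') === false,    // missing upper-case letter
];

// Apply every mutant, run the suite against it and count how many are killed.
// A mutant is killed when at least one test returns false or throws.
function mutationScore(suite) {
  let killed = 0;
  const survivors = [];
  for (const m of MUTATIONS) {
    const mutated = SOURCE.replace(m.from, m.to);
    if (mutated === SOURCE) throw new Error(`mutation not applied: ${m.name}`);
    const f = compile(mutated);
    const caught = suite.some((t) => { try { return !t(f); } catch (e) { return true; } });
    if (caught) killed += 1; else survivors.push(m.name);
  }
  return { killed, total: MUTATIONS.length, survivors };
}

// Usage: mutationScore(coverageOnlySuite) kills 0 of 4 mutants despite 100% line
// coverage; mutationScore(realSuite) kills 4 of 4.
```

The two scores are the whole argument of the slides above: both suites report the function as fully covered, and only the mutation score reveals that one of them tests nothing.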

SECURITY CHAMPIONS

Every team needs a Security Champion

Horizontal across all teams

Managed and empowered by AppSec

If you have a Heartbeat and work for the company … you Qualify

1 day a week to focus on AppSec tasks

NEW GENERATION OF APPLICATION SECURITY THINKING

1. TDD with Code Coverage

2. Threat Models

3. Docker and Containers

4. Test Automation

5. SAST/DAST/IAST/WAF

6. Clever Fuzzing

7. JIRA Risk workflows

8. Kanban for Quality fixes

9. Web Services visualisation

10. ELK

Important: these tools/techniques are designed to:

A) Improve code Quality

B) Make AppSec possible

1) TDD WITH CODE COVERAGE

• All code changes must have tests

• Code Coverage is key to understand the impact of those changes

• Devs, QA and Security teams should be communicating using tests

2) THREAT MODELS

• Are ‘technical briefs’ (i.e. better briefs)

• Should be the ‘source of truth’ in an organisation about their apps and code

• Should be done for:

• Applications

• Components

• Features

3) DOCKER AND CONTAINERS

• Provide repeatable and destroyable QA environments

• Enable DevOps

• Next paradigm of Secure Applications

• Dramatically improve the quality and resilience of Tests

4) SAST/DAST/IAST/WAF

• SAST - Static Application Security Testing

• DAST - Dynamic Application Security Testing

• IAST - Interactive Application Security Testing

• WAF - Web Application Firewall

5) TEST AUTOMATION

• Tests must run automatically on all commits of all branches

• AppSec tests must be used to ‘identify changes to attack surface’

• Empower two CI pipelines

• Super fast - push to production

• Pause - needs review
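The following is an added example, not code from the presentation: one way an AppSec test can ‘identify changes to attack surface’ and choose between the two pipelines above. It compares the HTTP routes the application exposes against an approved baseline checked in beside the code; an unchanged surface goes down the fast lane, any addition or removal pauses for review. The approved list and the route table are constructed for illustration, and how the route table is read from a real router is left as an assumption.

```javascript
// Added example (not from the presentation): attack-surface change detection used
// as a CI gate. APPROVED_SURFACE and CURRENT_ROUTES are constructed values.

// Approved surface, reviewed by AppSec and committed with the code.
const APPROVED_SURFACE = [
  'GET /api/orders',
  'POST /api/orders',
  'GET /api/orders/:id',
];

// What the application exposes right now. In a real suite this would be read from the
// router at test time; here it is constructed, with one endpoint added without review.
const CURRENT_ROUTES = [
  { method: 'GET', path: '/api/orders' },
  { method: 'POST', path: '/api/orders' },
  { method: 'GET', path: '/api/orders/:id' },
  { method: 'DELETE', path: '/api/orders/:id' },
];

// Canonical 'METHOD /path' strings, de-duplicated and sorted so that comparisons are stable.
function normalise(routes) {
  return [...new Set(routes.map((r) => `${r.method.toUpperCase()} ${r.path}`))].sort();
}

// Routes present now but not approved, and approved routes that have disappeared.
function surfaceDiff(approved, routes) {
  const approvedSet = new Set(approved);
  const currentSet = new Set(normalise(routes));
  return {
    added: [...currentSet].filter((r) => !approvedSet.has(r)),
    removed: [...approvedSet].filter((r) => !currentSet.has(r)),
  };
}

// Pipeline decision: unchanged surface -> 'fast' (push to production);
// anything else -> 'pause' (needs review, and the baseline is updated only after it).
function pipelineFor(approved, routes) {
  const diff = surfaceDiff(approved, routes);
  const changed = diff.added.length + diff.removed.length > 0;
  return { lane: changed ? 'pause' : 'fast', ...diff };
}

// Usage: pipelineFor(APPROVED_SURFACE, CURRENT_ROUTES) returns
// { lane: 'pause', added: ['DELETE /api/orders/:id'], removed: [] }.
```

Removals are reported as well as additions because a disappearing endpoint can mean an authentication or audit route was dropped, which is as much a surface change as a new one.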

6) CLEVER FUZZING

7) JIRA RISK WORKFLOWS

8) KANBAN FOR QUALITY FIXES

• SCRUM tends to be more of a Religion than Agile

• Kanban WIP (Work in Progress) is key for Application Security Fixes

9) WEB SERVICES VISUALISATION

10) ELK

• ElasticSearch + LogStash + Kibana

• Use it everywhere and everybody customises it

• Also for developers (not just Ops)

Just to say it again ….

These tools/techniques are designed to

A) Improve code Quality

B) Make AppSec possible

Without them you are not really doing

Application Security

… and you have a

Development Problem

not an

Application Security Problem

WE HAVE SOLUTIONS

OWASP!!!!

GREAT PRESENTATION ON SECDEVOPS

https://www.youtube.com/watch?v=jQblKuMuS0Y

BSIMM (Building Security In Maturity Model)

OpenSAMM (Software Assurance Maturity Model)

https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model

SECURITY DEVELOPMENT LIFECYCLE

https://www.microsoft.com/en-us/sdl/process/design.aspx

TIPS FOR BUILDING A MODERN SECURITY ENGINEERING ORGANISATION

https://georgianpartners.com/tips-for-building-a-modern-security-engineering-organization

HOW TO BUILD A SECURE WEB APPLICATION

http://blog.knoldus.com/2016/02/03/how-to-build-secure-web-application/

NEW SECURITY SERVICES - 2FA

DEPLOY, DEPLOY, DEPLOY

• Push to production and refactor without fear

• Be like GitHub and use CI/CD to deploy 175 times in one day and 12,602 times in one year

https://github.com/blog/1241-deploying-at-github

• https://labs.spotify.com/2014/03/27/spotify-engineering-culture-part-1/

• https://labs.spotify.com/2014/09/20/spotify-engineering-culture-part-2/

FINAL THOUGHTS

UNWRITTEN RULES OF APIS

“Every API is destined to be connected to the internet”

UNWRITTEN RULES OF APIS

“All API data wants to be exposed in a Web Page”

“Would you fly in a plane that has the code quality of your APIs?”

Application Security

can be used to

define and measure

Software Quality

Thanks, any questions?