APPSEC AND SOFTWARE QUALITY
VERSION 0.5 (MAY/2016)
LONDON
@DINISCRUZ
COUPLE DISCLAIMERS
• This presentation has 103 slides and is designed to guide the delivery of this presentation and provide background information for offline reading
• I abuse the term ‘Unit Testing’:
• for me the ‘Unit’ can be anything, from just a method to a full browser automation workflow
• if it can be executed with a Unit Test Framework (NUnit, Mocha, Karma) then it is a Unit Test (even if it is called an e2e or Integration test)
ME
• Developer for 25 years
• AppSec for 13 years
• Day jobs:
• Leader OWASP O2 Platform project
• Head of Application Security at The Hut Group
• Application Security Training for JBI Training
• AppSec Consultant and Mentor
PERFORMED HUNDREDS OF SECURITY REVIEWS
• Found critical vulnerabilities in high profile applications (impacting millions of users)
• desktop apps, websites, mobile apps, web services, security tools, frameworks, telephony, networks, etc…
• Reported zero days to software vendors (before bug bounties)
• 0wned data centres, networks, apps, databases
DELIVERED TRAINING TO 1000S OF DEVELOPERS
• BBC , BSkyB
• BAE Applied Intelligence
• O2, Three
• Alaska Airlines
• Ocado
• Capita (Orbit)
• IG
• Harrods
• Microsoft
• Verifone
• OWASP Conferences
• BlackHat
• TotalJobs
• Cashflows
• RuneScape
• The Hut Group
I’M A DEVELOPER
• Have shipped code
• Have managed dev teams
• Have written tests (with 100% code coverage)
• Have created CI and CD environments (DevOps)
• Worked on Secure Software Architecture and workflows (SecDevOps)
GRAPHS
• I love Graphs
• Recently I have realised that I have spent most of my life thinking about graphs and coding graphs
• Graphs are great for data analysis and modelling
• … but this is a topic for another presentation
BOOKS
• Published at Leanpub (http://leanpub.com/u/DinisCruz)
• Minimum price: 0 €
This presentation assumes that you already want to do Application Security
… where you understand the threats
… and are looking for the How (not the Why)
“I like my code to be elegant and efficient” Bjarne Stroustrup, inventor of C++
“Clean code is simple and direct. Clean code reads like well-designed prose”
Grady Booch, author
“Clean code can be read, and enhanced by a developer other than its original author”
“Big” Dave Thomas, founder of OTI
“Clean code always looks like it was written by someone who cares”
Michael Feathers, author
“You know you are working on clean code when each routine you read turns out to be pretty much what you expected”
Ward Cunningham, inventor of Wiki
A big problem with the previous comments and the Software Craftsmanship concept is:
‘How to define Quality?’
Not all Software Quality issues are Application Security issues
But all Application Security issues are
Software Quality issues
Sherif Mansour, Expedia
Application Security is all about the
non-functional requirements of software*
* software = apps, websites, web services, APIs, tools, build scripts = code
Application Security is all about understanding
HOW the software works*
* vs how software behaves
TECHNICAL DEBT IS A BAD ANALOGY
• The developers are the ones who pay the debt
• Pollution is a much better analogy
• The key is to make the business accept the risk (i.e. the debt)
• Which is done using the JIRA RISK Workflows
FIX-APPSEC GUIDANCE WORKFLOW
1. Vulnerability/issue is found (RISK ticket opened)
2. Dev understands the issue, writes a test that replicates the issue, opens a ticket in his project’s JIRA and tries to figure out the best way to fix it
3. Dev asks the AppSec team for guidance
4. AppSec team points to a WIKI page (existing or newly created)
5. Dev uses the guidance to fix it (and updates the test so that it is now a regression test)
6. Commit(s) are made, RISK ticket is updated with link to commit(s)
7. Dev asks AppSec to review the fix
8. AppSec reviews the fix, and if all looks ok, closes the RISK ticket
KEY CONCEPTS OF THIS WORKFLOW
• All tests should pass all the time
• Tests that check/confirm vulnerabilities should also pass
• The key to make this work is to: Make business owners understand the risks of their decisions (and click on the ‘accept risk’ button)
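Steps 2 and 5 of the workflow above, together with the principle that tests confirming a vulnerability should also pass, as an added JavaScript example that is not from the slides: the greeting renderer, the probe string and the RISK-123 ticket id are constructed for illustration, and the Mocha wiring mirrors the frameworks the deck names.

```javascript
// Added example, not from the original slides. Step 2: a test that REPLICATES the
// issue and passes while the bug exists. Step 5: the same check inverted into a
// regression test once the fix is in. Renderer, probe and ticket id are constructed.

// Constructed 'before' code: user-controlled input concatenated into HTML unencoded.
function renderGreetingVulnerable(name) {
  return '<p>Hello ' + name + '</p>';
}

// HTML-encode the five characters that matter in text/attribute context.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed 'after' code: same output shape, input encoded before concatenation.
function renderGreetingFixed(name) {
  return '<p>Hello ' + htmlEncode(name) + '</p>';
}

// Constructed probe: harmless markup that must never reach the page as markup.
const PROBE = '<b>"&\'</b>';

// Shared check used by both tests: does the raw probe survive into the output?
function leaksMarkup(render) {
  return render(PROBE).includes(PROBE);
}

// Step 2: replicates the issue. Green while the vulnerability exists, so it can
// sit passing in CI next to the open RISK ticket ("all tests pass all the time").
function issueReplicated() {
  return leaksMarkup(renderGreetingVulnerable) === true;
}

// Step 5: same check, expectation inverted, plus the exact encoded output.
function regressionHolds() {
  return leaksMarkup(renderGreetingFixed) === false &&
    renderGreetingFixed(PROBE) === '<p>Hello &lt;b&gt;&quot;&amp;&#39;&lt;/b&gt;</p>';
}

// Mocha-style wiring; RISK-123 is a placeholder for the linked JIRA RISK ticket.
if (typeof describe === 'function' && typeof it === 'function') {
  describe('RISK-123: greeting renders name unencoded', () => {
    it('step 2: replicates the issue (green while the bug is present)', () => {
      if (!issueReplicated()) throw new Error('issue no longer reproduces');
    });
    it('step 5: regression test (green once the fix is in)', () => {
      if (!regressionHolds()) throw new Error('fix regressed');
    });
  });
}
```

In practice the step 2 test is edited in place at step 5 (the expectation flips), so the commit that fixes the bug and the commit that turns the test into a regression test are the ones linked from the RISK ticket.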
http://blog.kj187.de/how-do-i-convince-my-manager-that-unittests-are-important/
How to solve this problem?
As a developer you need to have pressure from management to deliver code that is:
Solid, Secure, Testable, Provable, Readable, Maintainable
Basically, deliver Quality Code
Important note:
If 99% code coverage is just a ‘management requirement’
… and is being gamed by devs
… and you have LOTS of stupid ‘Unit tests’
i.e. 99 x 1% code coverage or 999 x 0.1% code coverage
Your manager’s job is to help you to deliver:
Solid, Secure, Testable, Provable, Readable, Maintainable
Code
To make testing effective …
… testing (from Unit Testing to Integration tests) needs to be done in
the IDE with real-time execution and Code Coverage
Every team needs a Security Champion
Horizontal across all teams
Managed and empowered by AppSec
If you have a Heartbeat and work for the company … you Qualify
1 day a week to focus on AppSec tasks
1. TDD with Code Coverage
2. Threat Models
3. Docker and Containers
4. Test Automation
5. SAST/DAST/IAST/WAF
6. Clever Fuzzing
7. JIRA Risk workflows
8. Kanban for Quality fixes
9. Web Services visualisation
10. ELK
1) TDD WITH CODE COVERAGE
• All code changes must have tests
• Code Coverage is key to understand the impact of those changes
• Devs, QA and Security teams should be communicating using tests
2) THREAT MODELS
• Are ‘technical briefs’ (i.e. better briefs)
• Should be the ‘source of truth’ in an organisation about their apps and code
• Should be done for:
• Applications
• Components
• Features
3) DOCKER AND CONTAINERS
• Provide repeatable and destroyable QA environments
• Enable DevOps
• Next paradigm of Secure Applications
• Dramatically improve the quality and resilience of Tests
4) SAST/DAST/IAST/WAF
• SAST - Static Application Security Testing
• DAST - Dynamic Application Security Testing
• IAST - Interactive Application Security Testing
• WAF - Web Application Firewall
5) TEST AUTOMATION
• Tests must run automatically on all commits of all branches
• AppSec tests must be used to ‘identify changes to attack surface’
• Empower two CI pipelines
• Super fast - push to production
• Pause - needs review
7) KANBAN FOR QUALITY FIXES
• SCRUM tends to be more of a Religion than Agile
• Kanban WIP (Work in Progress) is key for Application Security Fixes
9) ELK
• ElasticSearch + LogStash + Kibana
• Use it everywhere and everybody customises it
• Also for developers (not just Ops)
Just to say it again ….
These tools/techniques are designed to
A) Improve code Quality
B) Make AppSec possible
GREAT PRESENTATION ON SECDEVOPS
https://www.youtube.com/watch?v=jQblKuMuS0Y
OpenSAMM (Software Assurance Maturity Model)
https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model
SECURITY DEVELOPMENT LIFECYCLE
https://www.microsoft.com/en-us/sdl/process/design.aspx
TIPS FOR BUILDING A MODERN SECURITY ENGINEERING ORGANISATION
https://georgianpartners.com/tips-for-building-a-modern-security-engineering-organization
HOW TO BUILD A SECURE WEB APPLICATION
http://blog.knoldus.com/2016/02/03/how-to-build-secure-web-application/
DEPLOY, DEPLOY, DEPLOY
• Push to production and refactor without fear
• Be like GitHub and use CI/CD to deploy 175 times in one day and 12,602 times in one year
https://github.com/blog/1241-deploying-at-github