Upload
dinis-cruz
View
250
Download
1
Embed Size (px)
Citation preview
Building Application Security Teams
Dinis Cruz, CISO
Me▪ Developer for 25 years ▪ AppSec for 13 years ▪ Day jobs:
▪ Leader OWASP O2 Platform project ▪ Application Security Training ▪ Part of AppSec team of:
▪ The Hut Group ▪ BBC ▪ WorldFirst
▪ AppSec Consultant and Mentor ▪ CISO (soon)
▪ “I build AppSec teams….” ▪ https://twitter.com/DinisCruz ▪ http://blog.diniscruz.com ▪ http://leanpub.com/u/DinisCruz
CISO POINT VIEW
What type of security organisation to create▪ Create an environment and workflow where Security (InfoSec
and AppSec) is an enabler. ▪ Allow the business to ship faster with quality, security and
assurance ▪ InfoSec protects the organisation and operations ▪ AppSec protects the code created, used and bought ▪ Developers code in environments where it is very hard to
create security vulnerabilities ▪ Applications run in environments where security exploits are
contained and visible ▪ Align business risk appetite with reality (using proposed Risk
Workflow to allocate responsibility at the correct level)
How to embed security into the culture▪ Give security teams a mandate to focus on Quality, Testing
and Engineering ▪ Create a network of Security Champions ▪ Become the ‘Department of Yes’ ▪ Measure code pollution using Risk Workflow ▪ Understand that developers are key players and need to be
trusted ▪ Testing and Quality are core business requirements (and what
gives you speed) ▪ Create an central AppSec team (usually there is only an
InfoSec team)
What about security policies?▪ Security policies are the foundation of decisions ▪ They underpin the reason behind actions and risk accepted ▪ But, if not based on reality, most policies will NOT be ▪ read ▪ followed ▪ enforced
▪ For policies to work they need to be customised to its target (for example Secure coding standards for App XYZ)
▪ They also need to be delivered in the target’s environment (for example IDE)
Security magic pixie dust▪ If you don’t:
▪ have an AppSec team ▪ do Threat Models ▪ do weekly code reviews and security assessments ▪ have embedded security automation automation in your SDL pipeline ▪ have secure coding standards, bug-bounties, dependency
management ▪ …. and many other other AppSec activities
▪ There will be massive security vulnerabilities in the applications you use ▪ Because where is security going to come from? ▪ Without these activities:
▪ Your security model is based on the ‘skill level’ and ‘business model’ of your attackers
▪ … and … ’magic security pixie dust’ (which works until attacked)
WHERE IS APPSEC?
You are a software company▪ Even if your company does not hire developers, you are already
a ‘software company’ ▪ You probably don’t view Software Development as a core
competency, and don’t control the Software/Applications that run your business (which is a high risk)
▪ If your company operations, customer experiences and sales are controlled by software that you write, then you ARE A SOFTWARE COMPANY (regardless of industry sector you’re in) ▪ The question is how much does your board and exec team
realises that, and how much priority and focus is given to (secure) Software development
▪ ‘Code’ controls your company ▪ The question is how much do you ‘control’ your code
Quality on the code that runs your business▪ Quality is not something you can sprinkle at the end ▪ Security is just like Quality ▪ Specially Application Security (i.e. secure code) ▪ Key concept: ▪ You can use Security to measure quality ▪ because although ▪ not all quality issues are security issues ▪ all security issues are quality issues
If your not deploying daily/hourly▪ You’re not in the game ▪ Will struggle to innovate ▪ Depend on your competitors being worse than you
https://github.com/blog/1241-deploying-at-
http://joshuaseiden.com/blog/2013/12/amazon-deploys-to-production-
CISO MindMap
http://www.aurorait.com/2016/06/13/one-size-never-fits/
CISO MindMap (Zoomed in)
Top level functions (from CISO MindMap)▪ Business Enablement ▪ Selling InfoSec (Internal) ▪ Governance ▪ Security Operations ▪ Project Delivery Lifecycle ▪ Budget ▪ Security Architecture ▪ Compliance and Audit ▪ Legal and Human Resources ▪ Risk Management ▪ Identity Management
But where is Application Security?
Where is AppSec?
Should AppSec be this low down the priorities?
▪ Of course you need to get the other security functions right (Risk, Networks, SecOps) ▪ But if you don’t write or buy secure code, your assets will
be exposed ▪ In fact with the current move for DevOps, Continuous
Deployment and quick releases ▪ You will create an environment where security
vulnerabilities will be pushed into production in days (or hours)
▪ Application Security (AppSec) needs to be a first class citizen, with strong budget and staff
I like this Security Group Structure▪ Key Areas: ▪ SecOps ▪ SOC ▪ RISK ▪ AppSec ▪ Testing
▪ Also important: ▪ Security
Champions ▪ Knowledge ▪ RND
Example of Security Function Budget and Team
▪ Budget should be 4% of turn-over (same as GDPR max fine) ▪ 26 staff ▪ 4x Management (CISO, Senior Director InfoSec, Project Manager, PA) ▪ 8x SecOps (2x Network & Information Security, 2x End-User-
Computing, 2x DevOps, 2x SysAdmin)
▪ 4x Risk (DPO - Data Protection Officer, 2x Standards, Policy)
▪ 4x SOC (2x SOC SME and 2x SOC Engineer)
▪ 5x AppSec (Senior Architect Manager, 2x Senior Dev 2x Dev)
▪ 1x Testing (1x RedTeam)
▪ Each function has individual budget (for tools and 3rd party consulting services)
AppSec is a first class citizen
AppSec as a top level function
APPSEC FUNCTION
Service driven organisation▪ AppSec and Testing services can be requested by existing
Teams/Squads:
▪ External Pen-Tests ▪ Code Reviews (internal and external) ▪ Threat Modeling ▪ Static and Dynamic scanning of code ▪ AppSec Training ▪ AppSec Advisory Surgery
AppSec Functions Provided▪ Security Champions Network ▪ AppSec Risk Workflow ▪ AppSec knowledge base (Wiki based)
▪ AppSec Policy ▪ Secure Coding Standards (based on JIRA Risk issues and
OWASP ASVS) ▪ SDL (Secure Development Lifecycle) programme owner ▪ Internal and External Bug-Bounty management ▪ Maturity Models mapping (based on OwaspSAMM) ▪ Application Registry and Attack Surface mapping ▪ Visualisation of existing architecture/code and Business
reporting of existing risks
Security tools integration in SDL▪ Evaluate and deploy tools to perform Static (SAST) and
Dynamic (DAST) scans of existing Application and components
▪ Customisation of rules in order to create highly defensible findings
▪ Work with Security Champions on how to fix issues
APPSEC SQUAD
AppSec Squad is an horizontal service/team
focused on Securing Applications and code
AppSec Squad Function ▪ The AppSec Squad is focused on Secure Code and Fixes ▪ It is an horizontal team (vs dev squads/teams which are vertical)
▪ Works independently or directly with devs (on AppSec issues and fixes)
▪ Helps Security Champions in activities or code-fixes that require significant resources
▪ Independent from ‘product’ owners and deadlines ▪ Focus is on making applications/products more secure, resilient
and safe ▪ Made of developers and graduates ▪ Creates next generation of expert Security Champions
▪ 3 months rotation by internal developers/graduates
Security Features != AppSec Squad ▪ Security Features are focused on creating, coding, deploying
and maintaining business features that have a security angle to them ▪ 2FA (two-factor authentication) ▪ Secure file upload ▪ Data encryption ▪ HTTPS support ▪ Authentication/Authorization/RBAC improvements ▪ …other
▪ The AppSec Squad is focused on Secure Code, Security Testing and Visualisation/Documentation
Example of AppSec Squad driven projects* ▪ Mass fixing ‘systemic’ security vulnerability ▪ Create targeted and global SAST rules (scale security knowledge) ▪ Create Attack Surface mapping tool ▪ Web Services Visualisation tool ▪ Standard Schemas and validation across the company ▪ Application registry (and app-to-app connections) ▪ Security focused (unit/integration) tests ▪ Performance and DoS testing/visualisation ▪ Add reaction and mitigation capabilities (to app, not network)
RBAC visualisation and testing ▪ Apps containerisation and instrumentation *Security Champions to be involved in these projects
Team▪ Project Manager: 1x ▪ AppSec Specialist: 1x ▪ AppSec Developers: 2x to 4x ▪ AppSec Graduates: 2x to 4x
AppSec Developers (2 to 4) ▪ Activities:
▪ Fix Security issues ▪ Improve QA environments ▪ Write tests ▪ Harden Dev environment (creating secure-by-default APIs and
runtimes) ▪ Improve apps logging capabilities and visualisation ▪ Create data-flow and architecture diagrams from code (used by
Threat models) ▪ Skills:
▪ experts in language(s) used in company ▪ Interested in AppSec and Security ▪ Able to write code fixes and tests with confidence and speed Able to
find innovative solutions for improving the Test and QA environments
AppSec Graduates: 2 to 4 ▪ Activities: ▪ Simple/known security code fixes ▪ Support AppSec Function activities ▪ Support Security Champion’s activities ▪ Help with JIRA tickets maintenance ▪ Help with Threat Model diagrams
▪ Skills: ▪ Developers ▪ Passion for AppSec and Security
SECURITY CHAMPIONS
SCs Roles and Responsibilities▪ Allocated to each Squad ▪ SME for all AppSec issues related to allocated tribe ▪ Maintain JIRA tickets for allocated code-base (projects and
components) ▪ Write Security Focused tests and embed SDL practices into CI
pipeline ▪ Triage AppSec Findings and Fix relevant issues
More expanded definition
If you don’t have an SC, get a Mug
JIRA RISK WORKFLOW
JIRA RISK Workflow
Key for AppSec JIRA workflow is this button
PATH #1 - Fix issue
PATH #2 - Accept and Approve RISK
PATH #2 - Variation when risk not approved
JIRA Risk workflow▪ Open JIRA issues for all AppSec issues ▪ Write passing tests for issues reported ▪ Manage using AppSec RISK workflow ▪ Fix Path: Open, Allocated for Fix, Fix, Test Fix, Close ▪ Accept Risk Path: Open, Accept Risk, Approve Risk,
(Expire Risk) ▪ Automatically report RISK’s status
Separate JIRA project▪ This is a separate JIRA repo from the one used by devs
▪ I like to call that project ‘RISK’ ▪ This avoids project ‘issue creation’ politics and ‘safe harbour for:
▪ known issues ▪ ’shadow of a vulnerability’ issues ▪ ‘this could be an problem…’ issues ▪ ‘app is still in development’ issues
▪ When deciding to fix an issue: ▪ that is the moment to create an issue in the target project
JIRA (or whatever bug tracking system they used) ▪ When issue is fixed (and closed on target project JIRA):
▪ AppSec confirms fix and closes RISK
Always moving until fix or acceptance▪ Key is to understand that issues need to be moving on one of
two paths: ▪ Fix ▪ Risk Accepted (and approved) ▪ Risks (i.e. issues) are never in ‘Backlog’ ▪ If an issue is stuck in ‘allocated for fix’, then it will be
moved into the ‘Awaiting Risk Acceptance’ stage
You need volume▪ If you don’t have 350+ issues on your JIRA RISK Project, you
are not playing (and don’t have enough visibility into what is really going on)
▪ Allow team A to see what team B had (and scale due due to issue description reuse)
▪ Problem is not teams with 50 issues, prob is team with 5 issues
▪ This is perfect for Gamification and to provide visibility into who to reward (and promote)
Threat model▪ All issues identified in Threat Models are added to the JIRA
RISK project ▪ Create Threat models by ▪ layer ▪ feature ▪ bug
▪ … that is a topic for another talk
JIRA AppSec Dashboards
Weekly emails with Risk status
Full details on “SecDevOps Risk Workflow” book
▪ Get it for free at https://leanpub.com/secdevops
GDPR
GDPR (for Apps)▪ All this applies to GDPR ▪ If you trade with EU customers you will need to do it ▪ GDPR should be easy if you have an ▪ SOC ▪ Effective RISK team (with DPO) ▪ SecOps team ▪ AppSec team
▪ See great presentation at https://www.owasp.org/images/c/c8/2017-01-25,GDPR_Readiness-Handout.pdf (some screenshots shown in next slide)
7 Key principles enshrined in the EU GDPR
Twelve steps towards GDPR Readiness (1/2)
https://www.owasp.org/images/c/c8/2017-01-25,GDPR_Readiness-Handout.pdf
Twelve steps towards GDPR Readiness (2/2)
MATURITY MODELS
OwaspSAMM and BSIMM
https://www.owasp.org/index.php/OWASP_SAMM_Project
https://www.bsimm.com/
OWASP Maturity-Models project▪ Tool to help collect and visualise maturity models date ▪ Open source https://github.com/owasp/maturity-models ▪ All data stored as Json using Git as data store ▪ Supports both OwaspSAMM and BSIMM schemas ▪ REST API to consume data ▪ Easy to deploy using docker image ▪ 97% to 100% code coverage ▪ Try it out on QA server http://138.68.145.52
BUILDING APPSEC TEAMS
You can’t hire AppSec specialists▪ AppSec specialists will cost £120k+ (UK/US) and even then, they
might not be aligned with your values, technologies or focus ▪ Best to hire (internally) developers
▪ from £50k to £80k ▪ invest %25 of salary in Education/Knowledge (£12,5k to £20k)
▪ OWASP conferences (US or EU + regional) ▪ OWASP Summits ▪ BlackHat, DefCon, HITBSecConf, Shmoocon , DevSecCon
conferences ▪ Classroom based training sessions with security experts ▪ Web based learning tools (massive innovation in this area) ▪ Books, books, books, books
▪ 20% of their time allocated to learning and RnD (1 day a week)
Build your AppSec team from inside▪ Ideal path is:
▪ Company hires Developers ▪ passes internal quality control, culture and skill’s requirements
▪ Developer applies to become a Security Champion ▪ Developer likes being a Security Champion and applies to an
open position in the AppSec Team (or other Security Function) ▪ Another option is:
▪ Hire specific individuals from 3rd-party ‘Application Security focused’ or ‘Quality development focused’ companies
▪ Give them a job :) (with full transparency and support from 3rd party company)
▪ ‘Worse case scenario’ ▪ Hire developers from outside (via recruiters or directly)
OWASP
Epicentre of Application Security▪ Best (dedicated) AppSec conferences of the year ▪ 100s of chapters around the world ▪ 100s of research projects on AppSec ▪ All released under OpenSource and Creative Common
licenses ▪ Best concentration of AppSec talent in the world ▪ Please join, collaborate, participate
Conferences
Chapters
Projects - Flagship
Projects - Labs
Projects - Incubator
OWASP Summits▪ Imagine a place where (some of) the best Application Security and
OWASP minds come together to collaborate and work ▪ … a meeting of minds focused on solving hard problems that we
all have everyday ▪ … a place where security experts, developers, users, government
agencies and vendors work together on shared goals ▪ … a place where you will find like minded individuals that care
deeply about what you are passionate about ▪ … an environment designed for maximum geek-time, synergies
and collaboration ▪ … basically it’s AppSec from 8am till 2 am (next day)
▪ This place is something that only OWASP can create ▪ This place is an OWASP Summit
Summit - 2008
Summit 2011
OWASP Summit 2017 (June 12,16)▪ http://owaspsummit.org/
Industry working together on hard problems
THANKSAny questions?