making security agile
Post on 25-Jan-2017
754 Views
Preview:
TRANSCRIPT
MAKING SECURITY AGILE
Getting security up to speed (with CI/CD)
Oleg Gryb, Sanjay Tambe – Samsung SSIC
Retrospective – Waterfall
2
http://brentmailphotography.com
Making Security Agile
3
DREAD
• Damage potential: How great is the damage if the vulnerability is exploited?
• Reproducibility: How easy it is to reproduce the attack?
• Exploitability: How easy it is to successfully exploit this condition?
• Affected users: As a rough percentage, how many users are affected?
• Discoverability: How easy it is to find the vulnerability?
Making Security Agile
4
STRIDE
• Spoofing• Tampering• Repudiation• Information disclosure• Denial of service• Elevation of privileges
Making Security Agile
Old AppSec Summary We’ve generated huge *doc and *xls with
Threat Models and pen test results. We wrote nice exec summaries and we
presented details to Dev/OPS/DB teams We had a cool heat map to visualize the risk
allocation for execs. Then we worked on remediation with
developers – informal name “nagging” We supported a security dashboard and
reported/escalated to CTO weekly
5Making Security Agile
DevOps + Agile = Big Bang for Security
6Making Security Agile
What is SAMI Our core product is an API based
service running in a cloud that supports IoT devices in real time
They also include web applications built on top of that.
All of that runs in an agile mode, because competition is too high and losing is not an option
More details: www.samsungsami.io
7Making Security Agile
We had no choice
8
http://www.octopus.euhttp://brentmailphotography.com
Making Security Agile
New Agile Reality aka Reqs No 2-4 weeks for security purposes Nobody cares about (or understand) formalities
such as STRIDE, DREAD or heat maps Forget about 2 full days of interviews, not
possible Nobody gives Environment for 2-3 weeks solely
for pen testing. Need to share. Need to do security as Dev process goes and in
parallel Need to be integrated better with the DevOps and
QA teams
9Making Security Agile
Other Challenges for API products You *can* pass an API URL to a scanner
and tell “do automatic scanning” , but it’s not going to crawl. No Spidering is available.
You can manually call each and every API while on a scan proxy and then do scanning, but if you have too many ever changing API’s, you’ll die doing that
Sanjay will talk about our approach in details
10Making Security Agile
Aggravating factor – security testing is not exactly QA QA test are deterministic, AppSec tests are
anything but You can’t dump all app scanner’s
“findings” to a bug tracking system You usually need to triage each finding
and verify a severity before submitting it to a bug tracking system
In many cases you still need to explain your finding and remediation to developers
11Making Security Agile
Coming to a Solution Since Security does require a manual
review, our hypothesis was that we need a dashboard with a broad import/export capabilities
Import from scanners, export to bug tracking systems
All scanners should be automated to run regression
Should also allow manual testing and import for new features and products
12Making Security Agile
Making Security Agile 13
Scheduled Job
Scheduled Job
Manual testing
Custom Tools
Security Artists
DevOps Team
Notifications
Step-by-step instructions to configure security automation
Demo of Security Automation Install open source software Configure scans for Web applications Configure security testing using QA
regression
14Making Security Agile
INSTALL OPEN SOURCE
SOFTWARE
15Making Security Agile
A. Install ThreadFix (in AWS or VM) Download ThreadFix from
http://www.threadfix.org/download/ Follow instructions to start ThreadFix
https://github.com/denimgroup/threadfix/wiki/Getting-Started
Enable port 8080 for external access. Once ThreadFix is up and running, go to
http://xxx.xxx.xxx.xxx:8080/threadfix in a web browser and accept warning from browser.Username: userPassword: password
16Making Security Agile
B. Add users in Security team into ThreadFix
17Making Security Agile
C: Add Team in ThreadFix
18Making Security Agile
D. Add application Payments under Accounts team in Threadfix
19Making Security Agile
E. Application Payments under team Accounts
20Making Security Agile
F. Configure Defect tracker in Threadfix
21Making Security Agile
G. Visit application in ThreadFix and note application #
Note: Application Id is shown as 31 for Payments app in URL in snapshot below. We will use this later when we upload findings in XML format from command line.
22Making Security Agile
H. Set Defect tracker for application in ThreadFix
23Making Security Agile
I. Enter login for Defect tracker
24Making Security Agile
J. Install ZAP Download and Install open source ZAP
(Zed Attack Proxy) on AWS/VM using following https://github.com/zaproxy/zaproxy/wiki/Downloads?tm=2
We will be using ZAP on the AWS or VM in an headless mode (without UI).
Install ZAP on your laptop or Mac using above link. We will be using the UI to create sessions for web applications.
25Making Security Agile
K. ZAP UI
26Making Security Agile
L. Install web based job scheduler e.g. Juicebox Install any Open source Cron job
scheduler on AWS/VM.
Configure scan
Start scan
27Making Security Agile
BScan – burp automation and more
Making Security Agile 28
• Automates burp using Ruby extensions• Allows adding custom tests to the same scan• Can be run as simple as:
jruby –S bscan –c config• Will generate report automatically when completed• Can work in auto proxy mode• Configurable – can overwrite any Burp and custom settings• Version 3.0 is coming, stay tuned !
CONFIGURE SCANS FOR WEB
APPLICATIONS
29Making Security Agile
Configure ThreadFix jarUse following commands in terminal mode on AWS/VM where ThreadFix is installed (obtain your API key from Threadfix)
java -jar /home/user/tfcli.jar --set key 5fPO07kc8xyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxy
java -jar /home/user/tfcli.jar --set url https://127.0.0.1/threadfix/rest
30Making Security Agile
Create Shell scripts to scan each application
Note: Following is Payment.sh script to scan Payment web app. We use app id # 31 found earlier.
31Making Security Agile
Configure JuiceBox to schedule daily scan for Payment web app
32Making Security Agile
CONFIGURE SECURITY TESTING
USING QA REGRESSION
33Making Security Agile
Why use QA regression Over the years, QA team has built
hundreds or even thousands of functional test scripts. They continue to add new scripts everyday.
Security team can reuse the work done by QA team to do security testing.
They can use a proxy such as BURP or ZAP to analyze requests & responses to find any security vulnerabilities.
34Making Security Agile
Create separate application for QA regression
35Making Security Agile
Start ZAP Proxy Use command such as following to start
ZAP in headless mode on port 8085:
java -Xmx2048m -jar /home/user/zap/ZAP_2.4.2/zap-2.4.2.jar -cmd -daemon -installdir /home/user/zap/ZAP_2.4.2 -config api.key=12345 -port 8085
Making Security Agile 36
Configure and start QA regression Configure QA regression properties to
use proxy running on port 8085. Use command such as following to start
QA regression (will vary depending on scripts used for your QA regression)
mvn clean test -Dcategory=api -Dtarget.environment=qa -DexcludedGroups=in-progress,sdr,email,logs,cleanup -DuseProxy=true -DlocalProxy=true
37Making Security Agile
Save security findings from regression in XML form At the end of regression, save findings in XML form:
curl "http://localhost:8085/OTHER/core/other/xmlreport/?apikey=12345" > /home/user/temp/newpaymentregression.xml
Upload the findings to Threadfix using (app id for regression # 32 found earlier)
java -jar /home/user/tfcli.jar --upload 32 /home/user/temp/newpaymentregression.xml
Note: Above commands are part of automated script.
38Making Security Agile
REVIEW SECURITY FINDINGS AND
CREATE TICKETS
39Making Security Agile
Review results in ThreadFix
40Making Security Agile
Review Findings
41Making Security Agile
Create defect
42Making Security Agile
Create defect in Issue Repository
43Making Security Agile
ThreadFix supports these scanners
Making Security Agile 44
Security Transformation Cheat Sheet
45
From TOTwo full days TM meetings with many people involved
Participating in arch/design discussions through Confluence or other collab tools
Very formal, “scientific” TM with DREAD, STRIDE residual risks, etc.
Recommendations in JIRA coming from arch/design discussions
DREAD, residual risks, etc. HML (High, Medium, Low)
STRIDE CVE (usually automatically assigned by a tool)
Manual pen testing for everything Selective pen testing for new features and products
Expensive commercial scanners To OWASP ZAP, Burp, custom tools
Docs and PDF reports, manual export to Dev bug tracking systems
Exporting tickets directly to JIRA from Threadfix
Running/uploading scans manually Automated batch jobs w auto-upload to Threadfix
Making Security Agile
Conclusion You cannot do security as you did it 5-10
years ago. Security must work in parallel w Dev.
Automate security testing by using scheduled jobs, auto-uploading “findings” to a dashboard
Use Security professionals to review findings Make sure that findings are triaged before
they are submitted to a bug tracking system Don’t feed false positives to Dev or you’ll
completely lose your credibility
46Making Security Agile
All of that can be formulated even shorter:
STOP wiring buttons that nobody will ever push © Lean Startup Conference - 2013
STOP creating new buzz words: security as code, security as service, DevSecOps, etc.
START DOING REAL JOB CALLED SECURITY AUTOMATION
Don’t forget about Security Artists, because security is just as politics – an art of possibilities and tools are very much useless without us
47Making Security Agile
THANKS FOR COMING!
Sanjay Tambe – Security Architect @ SSIC
Oleg Gryb – Sr. Manager, Security Engineering @ SSIC
Twitter: @oleggryb
48Making Security Agile
top related