continuous security - thunderplains 2016
TRANSCRIPT
Continuous Security
adam_baldwin / evilpacket
Node Security Project
What is Continuous Security?
- Keep Vulnerabilities out of Production
- Don't ignore Production Code
- Shift Security Culture
Keep Vulnerabilities out of Production
[Diagram: risk across development and production]
Design / Threat Modeling

THREAT                  PROPERTY VIOLATED
Spoofing                Authentication
Tampering               Integrity
Repudiation             Non-Repudiation
Info Disclosure         Confidentiality
Denial of Service       Availability
Elevation of Privilege  Authorization
Threat Modeling - Designing for Security, 2014
The 100% Test Coverage Myth
Thinking Beyond Tests
Challenge assumptions
Demo?
Pull Request Reviews
- What sources & sinks were added
- What new dependencies
- What new technologies were added
- What new behaviors are introduced / changed
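The "what new dependencies" question from the review checklist can be answered mechanically before a human looks at the diff. The script below is an added example, not code from the talk or from the Node Security Project: it compares the dependency sets of two package.json documents (base branch and pull request) and flags the PR for security review when third-party code is added or bumped. Both manifests are constructed sample input; the package names and versions are assumptions, except the mysql versions, which come from the nsp output shown in the talk.

```javascript
// Constructed sample manifests (not a real project): base branch vs. pull request.
const basePkg = JSON.stringify({
  name: "your-fantastic-project",
  dependencies: { express: "^4.14.0", mysql: "2.0.0-alpha3" },
  devDependencies: { mocha: "^3.0.0" }
});

const headPkg = JSON.stringify({
  name: "your-fantastic-project",
  dependencies: { express: "^4.14.0", mysql: "2.0.0-alpha8", lodash: "^4.17.0" },
  devDependencies: { mocha: "^3.0.0", nsp: "^2.6.0" }
});

// Merge dependencies and devDependencies into one name -> version-range map.
// devDependencies run on developer machines and CI, so they are reviewed too.
function depMap(pkgJson) {
  const pkg = JSON.parse(pkgJson);
  return Object.assign({}, pkg.dependencies || {}, pkg.devDependencies || {});
}

// Compare base (target branch) and head (PR) manifests.
// Returns the dependencies that were added, removed or changed, so the reviewer
// sees exactly which new third-party code would enter the project.
function diffDependencies(baseJson, headJson) {
  const base = depMap(baseJson);
  const head = depMap(headJson);
  const result = { added: [], removed: [], changed: [] };
  for (const name of Object.keys(head)) {
    if (!(name in base)) {
      result.added.push(`${name}@${head[name]}`);
    } else if (base[name] !== head[name]) {
      result.changed.push(`${name}: ${base[name]} -> ${head[name]}`);
    }
  }
  for (const name of Object.keys(base)) {
    if (!(name in head)) result.removed.push(`${name}@${base[name]}`);
  }
  return result;
}

// Any added or changed dependency is new code the project did not review before.
function needsDependencyReview(diff) {
  return diff.added.length > 0 || diff.changed.length > 0;
}

const diff = diffDependencies(basePkg, headPkg);
console.log(JSON.stringify(diff, null, 2));
console.log("needs dependency review:", needsDependencyReview(diff));
```

In a CI job the two manifests would be read from the base and head commits instead of being embedded; the decision function can then block the merge until a reviewer signs off.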
Automation
npm i nsp -g
cd your-fantastic-project
nsp check

(+) 1 vulnerability found
┌───────────────┬────────────────────────────────────────────────────────────┐
│               │ SQL Injection due to unescaped object keys                 │
├───────────────┼────────────────────────────────────────────────────────────┤
│ Name          │ mysql                                                      │
├───────────────┼────────────────────────────────────────────────────────────┤
│ Installed     │ 2.0.0-alpha3                                               │
├───────────────┼────────────────────────────────────────────────────────────┤
│ Vulnerable    │ <=v2.0.0-alpha7                                            │
├───────────────┼────────────────────────────────────────────────────────────┤
│ Patched       │ >=v2.0.0-alpha8                                            │
├───────────────┼────────────────────────────────────────────────────────────┤
│ Path          │ [email protected] > [email protected] > [email protected]  │
├───────────────┼────────────────────────────────────────────────────────────┤
│ More Info     │ https://nodesecurity.io/advisories/66                      │
└───────────────┴────────────────────────────────────────────────────────────┘
Stay in your workflow
Production Code
DevSecOps
Actively engage production code
Monitoring
Tools.
SSL Labs
securityheaders.io
Internal Bug Hunts
Penetration Testing
Shifting Security Culture
pain & persistence
It usually happens when pain is felt
Improvement                  Resistance
Threat Modeling              Complicated, Time consuming
Deeper Pull Request Reviews  Complacency
Automation                   Cost, Time
Penetration Testing          Cost, What if's
???
It has to happen from within *
It has to have support from the right people
Top down security
Be patient
It does not happen overnight.