Kim van Wilgen - SDD Conference… · Automate first • SAST • DAST • Proxy tools • ...

We came, we saw, we kicked its ass! Kim van Wilgen @kimvanwilgen nl.linkedin.com/kimvanwilgen [email protected] www.kimvanwilgen.com

Post on 09-Jul-2020


TRANSCRIPT

Page 1: Kim van Wilgen - SDD Conference… · Automate first • SAST • DAST • Proxy tools • Dependency checks • Custom scripts ... Leaders: Checkmarx, Veracode, Appscan (IBM),

We came, we saw, we kicked its ass! Kim van Wilgen

@kimvanwilgen nl.linkedin.com/kimvanwilgen

[email protected]

Page 2:

About me: Kim van Wilgen, Head of development at ANVA

Former head of IT at Klaverblad

Business background

Managing since 2005

Programming since 2018

@kimvanwilgen

nl.linkedin.com/kimvanwilgen

[email protected]

www.kimvanwilgen.com

Page 3:

@kimvanwilgen | www.kimvanwilgen.com We came, we saw, we kicked its ass

The Continuous Culture

Page 4:

Insurance company

Service provider

Wholesale

Agents

ANVA: Insurtech company for the Netherlands

Page 5:

Why focus on security?

Page 6:

Boring, draining, worthless

Page 7:

Why is it boring?

Security roleplay

Page 8:

With the hypes of agile and continuous delivery, focus shifted to speed… and nothing else

Page 9:

GDPR: Go away!

Security is not a core competence of developers

Page 10:

Panels are shifting
- Cloud computing
- Emergent processes and tools
- New architectures
- IAAS
- Shifting roles / T shapes
- Just enough software architecture
- IoT, AI, machine learning

Page 11:

Hacking 4 dummies

Page 12:

Script kiddies: Ready-to-use scripts for bored teens

Page 13:

Firewalls aren’t keeping you safe

10.6% of passwords are among the top 20 passwords

Page 14:

“Geeks are people who love something so much that all the details matter.”

Marissa Mayer

Page 15:

Security all-in

Page 16:

Continuous Delivery (CD) is a set of practices and principles in software engineering aimed at building, testing and releasing software faster and more frequently. They help reduce the cost, time and risk of delivering changes, and ultimately value, to customers by allowing for more incremental changes to applications in production.

Wikipedia, 2017

Page 17:

Continuous Security (CS) is a set of practices and principles in software engineering aimed at building, testing and releasing software faster and more frequently. They help reduce the cost, time and risk of delivering changes, and ultimately value, to customers by allowing for more incremental changes to applications in production.

Page 18:

Continuous Security (CS) is a set of practices and principles in software engineering aimed at designing, developing, testing and running software more securely. They help reduce the cost, time and risk of delivering changes, and ultimately value, to customers by allowing for more incremental changes to applications in production.

Page 19:

Continuous Security (CS) is a set of practices and principles in software engineering aimed at designing, developing, testing and running software more securely. They help reduce the cost, time and risk of delivering integrity, availability and data protection, and ultimately security, to applications in production.

Page 20:

Continuous Security (CS) is a set of practices and principles in software engineering aimed at designing, developing, testing and running software more securely. They help reduce the cost, time and risk of delivering integrity, availability and data protection, and ultimately security, to applications in production. Continuous security is indispensable for delivering Continuous Delivery.

Page 21:

DevSecOps 2018

DevSecOps 2021

Page 22:

Technology radar: security is rising

Page 23:

How to start?

Page 24:

Self-organised security

Page 25:

“We’ll be disclosing personal data of all the Dutch through an open cloud SaaS platform. Make it safe to do so.”

Page 26:

Security Satellite team

5 dev (1 architect, 2 devs, 2 testers)

3 ops

Page 27:

Page 28:

BSIMM: Build security in maturity model

Page 29:

Security board

Page 30:

Let’s play!

Page 31:

Gartner DevSecOps Top 10
1. Have security champions
2. Don’t eliminate all risk
3. Driven by DevOps teams
4. Identify and remove first
5. Adapt your SAST & DAST
6. Eliminate known vulnerabilities
7. Immutable infrastructure
8. Detection of changes
9. Treat security tests as source code
10. Train for the basics

Page 32:

#1: Have security champions

Page 33:

“When designing the software architecture a security expert helps to do a risk assessment early and mitigate important risks by design”

- Simon Brown -

Page 34:

#2: Don’t eliminate all risk

Page 35:

Risk and cost based security: small tests and risk based

Page 36:

Integration in the pipeline

#3: DevOps driven

Page 37:

“At Google I’ve never spoken to anyone from the security team. They integrated software security solutions in our pipelines that were helping delivery instead of frustrating it”

Randy Shoup, WeWork

Page 38:

Automate first

• SAST

• DAST

• Proxy tools

• Dependency checks

• Custom scripts

Integration in the pipelines

Page 39:

SAST: technology analyzes an application's source, bytecode or binary code for security vulnerabilities, typically at the programming and/or testing software life cycle (SLC) phases

Leaders: Checkmarx, Veracode, AppScan (IBM), Fortify (Micro Focus), PT Application Inspector, Coverity (Synopsys)

+ Find problems early in lifecycle, detailed feedback

- False positives & false negatives

SAST

Page 40:

DAST: analyzes applications in their dynamic, running state during testing or operational phases. It simulates attacks against an application (typically web-enabled applications and services), analyzes the application's reactions and, thus, determines whether it is vulnerable.

Leaders: Fortify, AppScan, ZAP, Qualys, Rapid7

+ Tests the application at runtime, realistic view

- More complex, harder to track, requires running instance

DAST

Page 41:

DAST: Zed attack proxy (ZAP)

Page 42:

#4: Identify and remove: start small

Page 43:

I’ve added over 100 security rules in Sonar and sent the top X screwups to the team. They are more aware and will solve their own issues.

Dominik, member of ANVA security satellite team

Page 44:

#5: Adapt your SAST, DAST and security tests

Page 45:

Application Security Verification Standard

Irrelevant / SAST / DAST / RAST / other

Train for risks we can’t automate

Page 46:

Learn and adapt first before you break the build

Page 47:

#6: Fix your vulnerabilities

Page 48:

OWASP Dependency-Check: Eliminate known vulnerabilities

550 vulnerabilities
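The deck puts Dependency-Check in the pipeline (Page 38), advises learning and adapting before you break the build (Page 46), and warns against trying to eliminate all risk (Page 34). The script below is an added example, not code from the talk or from the OWASP project: a pipeline gate that reads a Dependency-Check style JSON report, runs in a report-only "learn" mode until the team has worked through its backlog, and in enforce mode fails the build only for findings at or above a severity threshold, with a list of consciously accepted CVE ids that are reported but never block. It assumes only the `dependencies[].fileName` and `dependencies[].vulnerabilities[].name`/`severity` fields of that report format; the embedded report and its CVE ids are constructed placeholders.

```python
"""Dependency-vulnerability gate for a delivery pipeline (added example).

Assumptions, not from the slides: the input is an OWASP Dependency-Check
JSON report, of which only ``dependencies[].fileName`` and
``dependencies[].vulnerabilities[].{name,severity}`` are read. The report
below is constructed and the CVE ids in it are placeholders.
"""
import json
import sys
from dataclasses import dataclass, field

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report: three findings across two dependencies, one
# dependency without findings, and one severity in unexpected lower case.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "example-lib-1.0.jar",
         "vulnerabilities": [
             {"name": "CVE-0000-0001", "severity": "HIGH"},
             {"name": "CVE-0000-0002", "severity": "LOW"}]},
        {"fileName": "other-lib-2.3.jar",
         "vulnerabilities": [
             {"name": "CVE-0000-0003", "severity": "critical"}]},
        {"fileName": "clean-lib-0.1.jar"},
    ]
})


@dataclass(frozen=True)
class Finding:
    dependency: str
    cve: str
    severity: str  # normalised to upper case


@dataclass
class GateResult:
    enforce: bool
    blocking: list = field(default_factory=list)       # at or above threshold
    informational: list = field(default_factory=list)  # below threshold or accepted

    @property
    def should_fail_build(self) -> bool:
        # Learn mode (enforce=False) only reports; enforce mode breaks the build.
        return self.enforce and bool(self.blocking)


def load_findings(report_json: str) -> list:
    """Flatten the report into one Finding per (dependency, CVE)."""
    report = json.loads(report_json)
    findings = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            findings.append(Finding(
                dependency=dep.get("fileName", "<unknown>"),
                cve=vuln.get("name", "<unknown>"),
                severity=str(vuln.get("severity", "")).upper()))
    return findings


def evaluate(findings, threshold="HIGH", enforce=False, accepted=frozenset()):
    """Split findings by severity threshold.

    ``accepted`` holds CVE ids the team has consciously risk-accepted; they
    are still reported but never block. A severity the gate does not
    recognise counts as blocking, so a malformed or truncated report fails
    closed instead of passing silently.
    """
    limit = SEVERITY_RANK[threshold.upper()]
    result = GateResult(enforce=enforce)
    for f in findings:
        if f.cve in accepted:
            result.informational.append(f)
            continue
        rank = SEVERITY_RANK.get(f.severity, max(SEVERITY_RANK.values()))
        (result.blocking if rank >= limit else result.informational).append(f)
    return result


def main(argv):
    # Usage: gate.py <report.json> [--enforce]; with no path the sample report runs.
    use_file = len(argv) > 1 and not argv[1].startswith("--")
    report = open(argv[1]).read() if use_file else SAMPLE_REPORT
    result = evaluate(load_findings(report), enforce="--enforce" in argv)
    for f in result.blocking:
        print(f"BLOCKING {f.severity:<8} {f.cve} in {f.dependency}")
    for f in result.informational:
        print(f"info     {f.severity:<8} {f.cve} in {f.dependency}")
    return 1 if result.should_fail_build else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running the gate in learn mode for a few sprints first gives the team the "top X" feedback the satellite team describes (Page 43) without blocking delivery; flipping `--enforce` on once the backlog is down to accepted items is the point at which a red build means a genuinely new finding.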

Page 49:

Page 50:

#7: Immutable infrastructure

Page 51:

#8: Detection of changes
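Points #7 and #8 belong together: if servers are built from an image and never patched in place, any file that changes on a running host is either a deployment error or something to investigate. The script below is an added example and not part of the talk: it records a baseline manifest (relative path to SHA-256) of an application tree at build time and, on a later scan, reports files that were added, removed or modified. The directory layout and the tampering scenario in `demo()` are constructed.

```python
"""Drift detection for an immutable host (added example, not from the slides).

An immutable server is built from an image and never patched in place, so
the deployed application tree should hash exactly as it did at build time.
A baseline manifest (relative path -> SHA-256) is recorded once; a later
scan is compared against it and every difference is reported.
"""
import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Hash every regular file under root, keyed by forward-slash relative path."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # a symlink swapped underneath a path must not hide a change
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Report paths that appeared, disappeared or changed content."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def has_drift(report: dict) -> bool:
    return any(report.values())


def demo() -> dict:
    """Constructed scenario: record a baseline, tamper with the tree, re-scan."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        files = {"bin/app": "binary v1", "config.yml": "debug: false\n", "README": "docs"}
        for rel, content in files.items():
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(content)
        baseline = build_manifest(root)

        # Three kinds of drift: an edited config, a dropped-in file, a removed file.
        with open(os.path.join(root, "config.yml"), "w") as fh:
            fh.write("debug: true\n")
        with open(os.path.join(root, "bin", "extra"), "w") as fh:
            fh.write("unexpected")
        os.remove(os.path.join(root, "README"))

        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    report = demo()
    print("drift detected" if has_drift(report) else "no drift")
    for kind, paths in report.items():
        for p in paths:
            print(f"  {kind:<9} {p}")
```

The baseline has to live outside the host it describes (in the image build pipeline, or as a signed artifact next to the image): a manifest stored on the same filesystem can be rewritten by whoever rewrote the files. In practice drift is not only a security signal; on an immutable fleet the correct response to any drift is to replace the instance from the image, not to repair it.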

Page 52:

#9: Treat security tests as source code

Page 53:

#10: Train for the basics

Page 54:

Automate security features and scan against bugs and vulnerabilities

Check for logical flaws manually, educate and automate them

Page 55:

Academy sessions

Page 56:

Hack yourself first too

Chaos Engineering is the discipline of experimenting on a distributed system in order to build confidence in the system’s capability to withstand turbulent conditions in production.

Page 57:

“Thinking as an offender will show the real threats of your application and grow awareness from finding out how easy it is.”

Troy Hunt, MVP for developer security and creator of ‘Have I Been Pwned’

Page 58:

Hackyourselffirst.troyhunt.com

Page 59:

Evil user stories

As a Malicious Hacker, I want to gain access to this web application’s Cloud Hosting account so that I can lock out the legitimate owners and delete the servers and their backups, to destroy their entire business.

Page 60:

Overview

Continuous Security

• Automation: SAST, DAST, Proxy tools, Custom scripts, Dependency checks

• Knowledge: Training, Feedback from detection

• Detection: Hack yourself, External pentesting

Page 61:

Gartner DevSecOps Top 10
1. Have security champions
2. Don’t eliminate all risk
3. Driven by DevOps teams
4. Identify and remove first
5. Adapt your SAST & DAST
6. Eliminate known vulnerabilities
7. Immutable infrastructure
8. Detection of changes
9. Treat security tests as source code
10. Train for the basics

Page 62:

References and questions

www.kimvanwilgen.com

kimvanwilgen

[email protected]

Page 63:

Sources

https://sdtimes.com/developers/gartners-guide-to-successful-devsecops/

https://cybersecurity.isaca.org/static-assets/documents/State-of-Cybersecurity-part-2-infographic_res_eng_0517.pdf

https://www.sans.org/reading-room/whitepapers/critical/continuous-security-implementing-critical-controls-devops-environment-36552

10 Things to Get Right for Successful DevSecOps, Gartner, 2017, IDG00341371

https://www.gartner.com/doc/reprints?id=1-4TI72Y2&ct=180320&st=sb

https://www.thoughtworks.com/radar/techniques