Continuous Security - That Conference

Post on 09-Apr-2017


Transcript of Continuous Security - That Conference

Bear Proof Applications: Using Continuous Security to Mitigate Threats

Wendy Istvanick - wendyi@thoughtworks.com

What I Will Cover

Attack Volumes
Recent Attacks
Taking an Agile Approach
Project Overview
Tool Survey
Wrap Up

Attack Volumes

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

High Profile Attacks

Target (Nov-Dec 2013)

Unnecessarily Exposed Vendor List
Phishing Attack
Inadequate Network Segmentation
Out of Date Software
In Memory Data
Missed Internal Alerts
Default Username/Password

40 million cards, 70 million customers, 2000 stores

Home Depot (Apr-Sep 2014)

Stolen Vendor Credentials
Improper Configurations
Important Anti-Virus Feature Turned Off
POS Systems Running on Windows XP
Unencrypted Data In Transit
Improper Segmentation between Corporate and POS Networks
Inadequate Monitoring

56 million cards, 53 million email addresses, 2200 stores

Sally Beauty (Mar 2014)

Credentials Taped to Laptop
Network Admin Credentials in VB Scripts
Installed Malware on Cash Registers

2600 stores, 260,000 cards

An Agile Approach

Testing

Unit Tests
Service Tests
UI Tests

Continuous Delivery

Code, Code, Code, Config -> Build Test -> Package -> Integration -> Staging -> Production
Testing Environments: Env1, Env2, Env3
Build Test & Release

How Can We Apply This to Security?

Project Overview

Tool Survey

If checking for vulnerable components is good, we will do so every time we commit code.

Vulnerable Components

Dependency graph of the sample application: Objenesis, Guava, MyBatis, JUnit, Hamcrest, Mockito (#9, OWASP Top 10 A9)

Vulnerable Components

http://www.aspectsecurity.com/research-presentations/the-unfortunate-reality-of-insecure-libraries

We studied the 31 most popular Java frameworks and security libraries downloaded from the [maven central] and discovered that 26% of these have known vulnerabilities.

More than half of the Global 500 use software built using components with vulnerable code.

Vulnerable Components - Examples

https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities

Spring Remote Code Execution: Allowed execution of arbitrary code via expression language. Could be used to take over a server.

Apache CXF Authentication Bypass (Not Apache App Server): Allowed a request without an identity token to gain full permissions to any web service.

Checkmarx CxSAST (Formerly CxSuite): Allowed remote unauthenticated users to bypass sandbox protection mechanism. Could be used to execute arbitrary C# code.

RubyGems Hostname Validation: Hostname not validated when fetching gems. Could be used to execute a "DNS hijack attack".

Vulnerable Components - The Tools

C#: SafeNuGet (MSBuild Task), OWASP Dependency Check
Java: OWASP Dependency Check
Ruby: Bundler Audit, Dawnscanner


Vulnerable Components - Tool Integration
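As an added example (not code from the talk or from OWASP Dependency Check itself), the shape of the per-commit check the slides describe: declared dependencies are matched against an advisory list, waived findings come from a suppression list standing in for the slide's vulnerableCheckSuppression.xml, and any unsuppressed match fails the build. The advisory ids, the "acme" components and all versions are constructed; no real library is claimed vulnerable.

```python
"""Constructed vulnerable-component gate modelled on what OWASP Dependency Check
does in a pipeline: match declared dependencies against an advisory list, honour
a suppression file, and fail the build on any unsuppressed finding."""
from dataclasses import dataclass

def parse_version(v):
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

@dataclass(frozen=True)
class Advisory:
    advisory_id: str    # placeholder id, not a real CVE
    component: str      # 'group:artifact'
    affected_from: str  # first affected version, inclusive
    fixed_in: str       # first version that is no longer affected

def is_affected(version, adv):
    v = parse_version(version)
    return parse_version(adv.affected_from) <= v < parse_version(adv.fixed_in)

def scan(dependencies, advisories, suppressed_ids=frozenset()):
    """Return (failures, suppressed): findings that block the build and findings waived."""
    failures, suppressed = [], []
    for coord in dependencies:
        component, version = coord.rsplit(":", 1)
        for adv in advisories:
            if adv.component == component and is_affected(version, adv):
                bucket = suppressed if adv.advisory_id in suppressed_ids else failures
                bucket.append((coord, adv.advisory_id))
    return failures, suppressed

# Constructed inputs: the artifact names echo the slide's dependency graph; the
# versions, the 'acme' components and both advisories are made up for this example.
DEPENDENCIES = [
    "com.google.guava:guava:19.0", "org.mybatis:mybatis:3.4.1", "junit:junit:4.12",
    "org.hamcrest:hamcrest-core:1.3", "org.mockito:mockito-core:1.10.19",
    "org.objenesis:objenesis:2.1", "com.acme:acme-json:1.2.0", "com.acme:acme-xml:0.9.0",
]
ADVISORIES = [
    Advisory("EXAMPLE-0001", "com.acme:acme-json", "1.0.0", "1.3.0"),
    Advisory("EXAMPLE-0002", "com.acme:acme-xml", "0.1.0", "1.0.0"),
]
# Stand-in for the slide's vulnerableCheckSuppression.xml: advisory ids waived after review.
SUPPRESSED = frozenset({"EXAMPLE-0002"})

def build_passes(dependencies=DEPENDENCIES, advisories=ADVISORIES, suppressed_ids=SUPPRESSED):
    return not scan(dependencies, advisories, suppressed_ids)[0]

if __name__ == "__main__":
    raise SystemExit(0 if build_passes() else 1)
```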

If updating our dependencies is desired, we will run canary builds regularly to tell us when we can update.

Upgrading Dependencies

Dependency graph of the sample application: Objenesis, Guava, MyBatis, JUnit, Hamcrest, Mockito

Upgrading Dependencies - The Tools

Code, Code, Code, Config -> Build Test -> Package -> Integration -> Staging -> Production
Testing Environments: Env1, Env2, Env3

If not exposing secrets is important, we will ensure they are never committed to our version control system.

Exposing Secrets

Exposing Secrets - The Tools

Talisman (https://en.wikipedia.org/wiki/Talisman): A talisman is an object which is believed to contain certain magical or sacramental properties which would provide good luck for the possessor or possibly offer protection from evil or harm.

Exposing Secrets - Tool Integration


19:54:42.329 :findSecrets FAILED
19:54:42.336
19:54:42.336 BUILD FAILED
19:54:42.336
19:54:42.336 Total time: 3.085 secs
19:54:42.339
19:54:42.339 FAILURE: Build failed with an exception.
19:54:42.339
19:54:42.339 * What went wrong:
19:54:42.339 Execution failed for task ':findSecrets'.

java/build.gradle
java/gradle/wrapper/gradle-wrapper.jar
java/gradle/wrapper/gradle-wrapper.properties
java/gradlew
java/gradlew.bat
java/notReallyAn._rsa…
java/src/vulnerableCheckSuppression.xml

The following errors were detected in java/notReallyAn._rsa
The file name "java/notReallyAn._rsa" failed checks against the pattern ^.+_rsa$
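An added example (not Talisman's code and not from the talk's repository) of the kind of check behind the failed :findSecrets task above: staged files are rejected when their name matches a credential-looking pattern such as the slide's ^.+_rsa$, and, going one step beyond what the slide shows, when their content contains a private key header or a hard-coded password. The staged paths other than those on the slide, and all file contents, are constructed.

```python
"""Constructed pre-commit secrets check in the spirit of the Talisman hook whose
output is shown above: block the commit when a staged file's name or content looks
like a credential."""
import re

# File-name patterns; the first is the one the slide's findSecrets task reports.
FILENAME_PATTERNS = [re.compile(r"^.+_rsa$"), re.compile(r"^.+\.pem$"), re.compile(r"^\.env$")]
# Content patterns: an addition beyond the slide, which only shows the file-name check.
CONTENT_PATTERNS = [
    re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    re.compile(r"(?i)\b(password|secret|api[_-]?key)\s*[:=]\s*\S+"),
]

def check_files(staged):
    """staged maps path -> content. Returns [(path, reason)] for every violation."""
    findings = []
    for path, content in staged.items():
        name = path.rsplit("/", 1)[-1]
        for pat in FILENAME_PATTERNS:
            if pat.search(name):
                findings.append((path, f"file name matches {pat.pattern}"))
                break
        for pat in CONTENT_PATTERNS:
            if pat.search(content):
                findings.append((path, f"content matches {pat.pattern}"))
                break
    return findings

def hook_exit_code(staged):
    """0 lets the commit through; 1 blocks it, like the failed :findSecrets task."""
    findings = check_files(staged)
    for path, reason in findings:
        print(f"The following errors were detected in {path}: {reason}")
    return 1 if findings else 0

# Constructed staged files: the paths come from the slide's file list, plus one
# properties file with a hard-coded password that only the content check catches.
STAGED = {
    "java/build.gradle": "apply plugin: 'java'\n",
    "java/gradlew": "#!/usr/bin/env sh\n",
    "java/notReallyAn._rsa": "not really a key\n",
    "java/src/vulnerableCheckSuppression.xml": "<suppressions/>\n",
    "java/src/main/resources/app.properties": "db.password = hunter2\n",
}

if __name__ == "__main__":
    raise SystemExit(hook_exit_code(STAGED))
```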

If searching for possible attack vectors for our web sites is good, we will automate this search.

Finding Vulnerabilities

Finding Vulnerabilities - The Tools

OWASP ZAP: HTML, Ajax, Extensions, Port Scanning, Fuzzing, LDAP Injection, Session Fixation

Finding Vulnerabilities - Tool Integration

Plugins: Jenkins (https://wiki.jenkins-ci.org/display/JENKINS/ZAProxy+Plugin)

Maven (https://github.com/pdsoftplan/zap-maven-plugin)

Grails (https://grails.org/plugin/zap-security-tests)

Command Line Interface
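Whichever integration runs ZAP (plugin or command line), the pipeline still needs a rule for turning its alerts into a pass or fail. As an added example (not part of the talk, the plugins, or ZAP), a gate that fails the stage when any alert at or above a chosen risk level is not already in a reviewed baseline; the sample alerts follow the assumed shape of ZAP's alerts view (fields alert, risk, url) and their host and findings are constructed.

```python
"""Constructed build gate for OWASP ZAP results: read the alerts the scan reported,
ignore findings already accepted in a reviewed baseline, and fail the pipeline when
anything at or above the chosen risk level remains."""
import json

RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

def failing_alerts(alerts_json, fail_on="Medium", baseline=frozenset()):
    """Return the alerts that should break the build, highest risk first.
    A baseline entry is (alert name, url), so the same finding on a new URL is
    still reported rather than silently accepted."""
    alerts = json.loads(alerts_json)["alerts"]
    threshold = RISK_ORDER[fail_on]
    failing = [a for a in alerts
               if RISK_ORDER.get(a["risk"], 0) >= threshold
               and (a["alert"], a["url"]) not in baseline]
    return sorted(failing, key=lambda a: RISK_ORDER.get(a["risk"], 0), reverse=True)

def gate_exit_code(alerts_json, fail_on="Medium", baseline=frozenset()):
    """Non-zero exit fails the CI stage that runs ZAP (plugin or CLI alike)."""
    failing = failing_alerts(alerts_json, fail_on, baseline)
    for a in failing:
        print(f'{a["risk"]:<6} {a["alert"]} at {a["url"]}')
    return 1 if failing else 0

# Constructed sample in the shape of ZAP's alerts view (assumed field names
# 'alert', 'risk', 'url'); the host and the findings themselves are made up.
SAMPLE_ALERTS = json.dumps({"alerts": [
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "url": "http://app.example.test/"},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "url": "http://app.example.test/search?q=x"},
    {"alert": "Cookie Without Secure Flag", "risk": "Low", "url": "http://app.example.test/login"},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "url": "http://app.example.test/about"},
]})
# Findings the team reviewed and accepted for now (e.g. a page that is meant to be framed).
BASELINE = frozenset({("X-Frame-Options Header Not Set", "http://app.example.test/")})

if __name__ == "__main__":
    raise SystemExit(gate_exit_code(SAMPLE_ALERTS, "Medium", BASELINE))
```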

Wrap Up

Current Pipelines

C-Sharp Pipeline: C# Source, C# Build, C# Test, C# Comps, C# Deploy
Java Pipeline: Java Source, Java Secrets, Java Build, Java Test, Java Comps, Java Deploy
Ruby Pipeline: Ruby Source, Ruby Build, Ruby Test, Ruby Comps, Ruby Deploy
JS: JS Source, JS Deploy
All Pipelines

Targeted Pipelines

C#: C# Source, C# Secrets, C# Build, C# Test, C# Comps
Java: Java Source, Java Secrets, Java Build, Java Test, Java Comps
Ruby: Ruby Source, Ruby Secrets, Ruby Build, Ruby Test, Ruby Comps
JS: JS Source, JS Secrets, JS Comps
OWASP ZAP

Potential Downsides

False Positives
Longer Running Builds
Won't Catch Everything
New Things Everyday

Attack Tie Backs - Target

ZAP testing might have highlighted vulnerability in vendor portal
Up to date credit card system could have eliminated in memory credit card data

Attack Tie Backs - Home Depot

Up to date POS OS may have eliminated vulnerabilities

Attack Tie Backs - Sally Beauty

Secrets may not have been discovered

Links

Application Code: https://github.com/wendyi/continuousSecurity*
* = Csharp | Java | Ruby | Web
Pipelines: https://github.com/wendyi/continuousSecurityCi
Slides: http://www.slideshare.net/WendyIstvanick

Next Steps

Finish Wiring Up Existing Checks
Contribute Talisman Changes
Finish End to End Code
Wire Up ZAP
Set Up Canary Builds
Find Other Tools to Include

Thank You Questions?