Application Security in a Container World - Akash Mahajan - BCC 2017

APPSEC IN A CONTAINER WORLD AKASH MAHAJAN - DIRECTOR APPSECCO

Transcript of Application Security in a Container World - Akash Mahajan - BCC 2017


WE NOW LIVE IN A CONTAINER WORLD # Container(Camp|Conf|World)

IT/OPS AND DEVS ARE COMING TOGETHER # devops

THERE IS A MAJOR SHIFT IN SECURITY

#SHIFTLEFT

Shannon Lietz (Keynote at DevSecCon Asia 2017)

APPSEC TESTING HAS TO BECOME PART OF THE DEVOPS OR BE LEFT BEHIND

The reality is, the Microsoft Security Development Lifecycle is about 17 years old!

CONTAINERS ENABLE SELF-SERVICE

AN IMPORTANT ASPECT OF DEVOPS

CONTINUOUS * PIPELINE MODE ON

CONTAINERS ENABLE INTEGRATION AND DEPLOYMENT ON TAP

From http://stackoverflow.com/questions/28608015/continuous-integration-vs-continuous-delivery-vs-continuous-deployment

[Pipeline diagram: continuous integration / delivery / deployment stages, with four CHECK FOR SECURITY points marked 1 to 4]

CONTAINERS, APP SEC & OWASP

RELEVANT APPSEC RISKS FROM THE POINT OF VIEW OF CONTAINERS

OWASP Top 10 Issue | What is that?

A1 Injection | Stuff that harms the server

A2 Broken AuthN / A4 Insecure Direct Object Reference | Stuff that lets attackers access parts of the application, which allows them to upload stuff that harms the server

A5 Security Misconfiguration | Stuff that makes the infra supporting the app insecure

A9 Using Components with Known Vulnerabilities | Stuff that possibly enables any or all of the above, due to using 3rd party stuff

A5 IS A SOLVED PROBLEM, MAYBE!!

OWASP A5 - SECURITY MISCONFIGURATION

[Diagram: PATCHED vs. UN-PATCHED images]

IMMUTABLE INFRASTRUCTURE FTW!!!

Akash Mahajan

THERE IS NO REASON TO HARDEN EVERY TIME, WE JUST START FROM SCRATCH AND TAKE THE LATEST PATCHED VERSION EVERY SINGLE TIME

A9 CAN BE SOLVED WITH PRIVATE REPOS & REGISTRIES MAYBE

OWASP A9 - USING COMPONENTS WITH KNOWN VULNERABILITIES
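One way to turn the "private repos and registries" idea into an automated pipeline check, as an added example that is not part of the talk: a POSIX shell gate that rejects a Dockerfile unless every base image comes from the approved private registry and is pinned by digest, so each rebuild pulls exactly the image that was scanned and approved. The registry host registry.internal.example and the sample Dockerfile are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the talk): CI gate for OWASP A9 in a container
# build. APPROVED_REGISTRY and the sample Dockerfile are constructed values.
APPROVED_REGISTRY="registry.internal.example"

# check_image_ref <ref>: 0 if the image reference is acceptable, 1 otherwise.
check_image_ref() {
  ref="$1"
  [ "$ref" = "scratch" ] && return 0            # empty base image: nothing to pull
  case "$ref" in
    "$APPROVED_REGISTRY"/*) ;;                  # must come from the private registry
    *) return 1 ;;
  esac
  # Tags are mutable; only a sha256 digest names an immutable image.
  printf '%s\n' "$ref" | grep -Eq '@sha256:[0-9a-f]{64}$' || return 1
  return 0
}

# check_dockerfile <file>: prints one verdict per FROM line; 0 only if all pass.
check_dockerfile() {
  awk 'toupper($1)=="FROM" {
         i=2; while (i<=NF && $i ~ /^--/) i++          # skip flags such as --platform=
         alias=""; if (toupper($(i+1))=="AS") alias=$(i+2)
         print $i, alias }' "$1" |
  {
    failures=0; stages=" "
    while read -r ref alias; do
      case "$stages" in *" $ref "*)               # FROM <earlier build stage>
        echo "ok   $ref (build stage)"; continue ;; esac
      if check_image_ref "$ref"; then echo "ok   $ref"
      else echo "FAIL $ref"; failures=$((failures + 1)); fi
      [ -n "$alias" ] && stages="$stages$alias "
    done
    [ "$failures" -eq 0 ]
  }
}

# Constructed sample: one pinned private image, one mutable public tag.
GOOD_DIGEST=1111111111111111111111111111111111111111111111111111111111111111
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<EOF
FROM --platform=linux/amd64 $APPROVED_REGISTRY/base/golang@sha256:$GOOD_DIGEST AS build
FROM build
FROM alpine:3.6
FROM scratch
EOF
check_dockerfile "$SAMPLE" || echo "pipeline gate: reject this Dockerfile"
```

Run it as one of the automated check points in the pipeline: a non-zero exit stops the build before an unvetted third-party image reaches the registry.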

SO WHAT IS YOUR SECURITY NIGHTMARE, KEEPING YOU AWAKE?

WHAT ABOUT APPLICATION’S SECURITY?

WHAT IS THIS THAT IS GOING TO BURST OUR BUBBLE?

15,000,000 RECORDS FOUND BECAUSE MANAGEMENT HAD WEAK PASSWORD ON APPLICATION

3000 PASSPORTS AND DRIVER’S LICENSES LEAKED BECAUSE THE CONTRACTOR DIDN’T RESET THE CEO’S WEAK PASSWORD

ROOT ON RETAIL E-COMMERCE SERVER BECAUSE OUTSOURCED VENDOR ALWAYS USES COMPANY NAME AS CMS ADMIN PASSWORD

TYPICALLY AT THIS POINT PEOPLE TRY TO SOLVE SECURITY BY

MONITORING IS NOT SECURITY MONITORING IS NOT SECURITY MONITORING IS NOT SECURITY

WHILE AUTHN AND AUTHZ GO A LONG WAY IN ENSURING SECURITY OF ACCESS, NO AMOUNT OF AUTOMATION CAN SOLVE BIZ LOGIC ISSUES

IF ALL YOUR PROCESS ALLOWS FOR IS A FINAL SECURITY REVIEW, THEN

From http://stackoverflow.com/questions/28608015/continuous-integration-vs-continuous-delivery-vs-continuous-deployment

[The same pipeline diagram, revisited: CHECK FOR SECURITY points 1, 2 and 3 are AUTOMATED; point 4 is NOT-AUTOMATED]

WHAT CAN THIS NON-AUTOMATED APPROACH LOOK LIKE?

IS THERE A CHECKLIST WE CAN FOLLOW?

Issues | OWASP Top 10

Input based | A1, A3, A4, A8, A10

Logic & Design based | A2, A5, A6, A7

Access Control | A2, A5, A6, A7

Any other | A9

API Testing | Can span multiple

TAKEAWAY

THAT APPLICATION SECURITY GUY

QUESTIONS? @makash | https://linkd.in/webappsecguy | [email protected]