Application Security in a Container World - Akash Mahajan - BCC 2017
Transcript of Application Security in a Container World - Akash Mahajan - BCC 2017
APPSEC TESTING HAS TO BECOME PART OF THE DEVOPS OR BE LEFT BEHIND
The reality is, Microsoft Security Dev Lifecycle is about 17 Years Old!
[Diagram: continuous integration vs continuous delivery vs continuous deployment pipeline, from http://stackoverflow.com/questions/28608015/continuous-integration-vs-continuous-delivery-vs-continuous-deployment, annotated with four CHECK FOR SECURITY points (1, 2, 3, 4) along the pipeline]
RELEVANT APPSEC RISKS FROM THE POINT OF VIEW OF CONTAINERS
OWASP Top 10 / Issue / What is that?
A1 Injection: Stuff that harms the server
A2 Broken AuthN: Stuff that lets attackers access parts of the application, which allows them to upload stuff that harms the server
A4 Insecure Direct Object Reference
A5 Security Misconfiguration: Stuff that makes the infra supporting the app insecure
A9 Using components with Known Vulnerabilities: Stuff that possibly enables any or all of the above, due to using 3rd party stuff
IMMUTABLE INFRASTRUCTURE FTW!!!
Akash Mahajan
THERE IS NO REASON TO HARDEN EVERY TIME, WE JUST START FROM SCRATCH AND TAKE THE LATEST PATCHED VERSION EVERY SINGLE TIME
A9 CAN BE SOLVED WITH PRIVATE REPOS & REGISTRIES MAYBE
OWASP A9 - USING COMPONENTS WITH KNOWN VULNERABILITIES
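The slide says A9 "can be solved with private repos and registries, maybe". The script below is an added example, not code from the talk or from Akash Mahajan, of what that looks like as a build gate: every base image in a Dockerfile must be pulled from the private registry, and none of them may be on the list of image tags the security team has flagged as carrying known-vulnerable components. The registry name registry.example.internal, the flagged-tag list and the two Dockerfiles are all constructed for the example; in a real pipeline the list would come from your image scanner or registry metadata.

```shell
#!/bin/sh
# Added example, not from the talk: a build-time gate for OWASP A9 that
# enforces the "private registry" idea. Every base image in a Dockerfile
# must come from ALLOWED_REGISTRY and must not be on a list of image tags
# the security team has flagged. The registry name, the list and the two
# Dockerfiles below are constructed for this example.

ALLOWED_REGISTRY="registry.example.internal"   # assumed private registry

# Constructed list of image:tag values with known-vulnerable components.
# In a real pipeline this comes from the image scanner or registry metadata.
KNOWN_VULNERABLE="
registry.example.internal/base/ubuntu:16.04-build1
registry.example.internal/base/node:6.2.0
"

# Print the base image of every FROM line, skipping --flags, the stage
# alias after AS, and FROM lines that only reference an earlier stage.
list_base_images() {
  awk 'toupper($1) == "FROM" {
         img = ""; alias = ""
         for (i = 2; i <= NF; i++) {
           if ($i ~ /^--/) continue
           if (img == "") { img = $i; continue }
           if (toupper($i) == "AS" && i < NF) { alias = $(i + 1); break }
         }
         if (!(img in stages)) print img
         if (alias != "") stages[alias] = 1
       }' "$1"
}

# check_dockerfile FILE: prints one line per violation; returns 0 only
# when every base image is allowed, so it can be used directly as a CI gate.
check_dockerfile() {
  status=0
  for image in $(list_base_images "$1"); do
    case "$image" in
      scratch) ;;                      # the empty image has no registry
      "$ALLOWED_REGISTRY"/*) ;;        # pulled from our private registry
      *) echo "VIOLATION: $image is not from $ALLOWED_REGISTRY"; status=1 ;;
    esac
    if printf '%s\n' "$KNOWN_VULNERABLE" | grep -qxF "$image"; then
      echo "VIOLATION: $image is on the known-vulnerable list"
      status=1
    fi
  done
  return $status
}

# Two constructed Dockerfiles to run the gate against.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
GOOD_DOCKERFILE="$TMP/good.Dockerfile"
BAD_DOCKERFILE="$TMP/bad.Dockerfile"

cat > "$GOOD_DOCKERFILE" <<'EOF'
FROM registry.example.internal/base/ubuntu:18.04-build7 AS builder
RUN make
FROM registry.example.internal/base/alpine:3.6-build2
COPY --from=builder /app /app
EOF

cat > "$BAD_DOCKERFILE" <<'EOF'
# pulls straight from the public hub and uses a flagged internal tag
FROM --platform=linux/amd64 ubuntu:latest AS builder
FROM registry.example.internal/base/node:6.2.0
FROM builder
EOF

for f in "$GOOD_DOCKERFILE" "$BAD_DOCKERFILE"; do
  if check_dockerfile "$f"; then echo "PASS:    $f"; else echo "BLOCKED: $f"; fi
done
```

The gate sits at the automated stages of the pipeline: a non-zero exit stops the image build before anything is pushed. It pairs with the immutable-infrastructure point on the previous slide, since the fix for a flagged tag is not to patch the running container but to add the tag to the list and rebuild from the registry's current patched tag.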
WHAT IS THIS THAT IS GOING TO BURST OUR BUBBLE?
15,000,000 RECORDS FOUND BECAUSE MANAGEMENT HAD WEAK PASSWORD ON APPLICATION
3000 PASSPORTS AND DRIVER'S LICENSES LEAKED BECAUSE THE CONTRACTOR DIDN'T RESET THE CEO'S WEAK PASSWORD
ROOT ON RETAIL E-COMMERCE SERVER BECAUSE OUTSOURCED VENDOR ALWAYS USES COMPANY NAME AS CMS ADMIN PASSWORD
[Diagram: the same pipeline from http://stackoverflow.com/questions/28608015/continuous-integration-vs-continuous-delivery-vs-continuous-deployment, with the four CHECK FOR SECURITY points (1, 2, 3, 4) labelled, in that order, AUTOMATED, AUTOMATED, AUTOMATED, NOT-AUTOMATED]
Issues / OWASP Top 10
Input based: A1, A3, A4, A8, A10
Logic & Design based: A2, A5, A6, A7
Access Control: A2, A5, A6, A7
Any other: A9
API Testing: Can span multiple
TAKEAWAY
QUESTIONS
@makash | https://linkd.in/webappsecguy | [email protected]