Transcript of the slide deck
The "s" in DevOps stands for Security (Das „s“ in DevOps steht für Security)
Case study: security in agile software development
Jan Harrie <[email protected]>
#whoami - Jan
o Security Consultant @ERNW GmbH
o Former Security Analyst/Pentester/WebApp-Monkey
o M.Sc. IT-Security TU Darmstadt
o Interests:
o Container, DevOps & Orchestration Solutions
o Gardening
Agenda
o Motivation
o Initial Situation
o State of the Issue
o Security in Agile SW Development
o Conclusion
Motivation
Integrate security into modern development lifecycles and make security suitable, accessible, and measurable for each project.
In other words …
Image source: https://twitter.com/petecheslock/status/595617204273618944t
Initial Situation
Traditional SW development approach with no further specified security considerations
o Missing guidance
o Missing technical support
o Limited requirements
o Limited defaults
Past: Waterfall Model
Diagram source: https://en.wikipedia.org/wiki/Waterfall_model#/media/File:Waterfall_model.svg
Image source: https://alln-extcloud-storage.cisco.com/ciscoblogs/5ad679887cc5d.jpg
Now: Agile Software Development
Diagram source: https://www.proficientz.com/wp-content/uploads/2018/08/agile-software-development.jpg
Image source: https://www.tektutes.com/wp-content/uploads/2018/08/Top-Devops-Tools.png
State of the Issue
… a look into the threat landscape
o A1 Injection
o A2 Broken Authentication and Session Management
o A3 Cross-Site Scripting (XSS)
o A4 Insecure Direct Object References (IDOR)
o A5 Security Misconfiguration
o A6 Sensitive Data Exposure
o A7 Missing Function Level Access Control
o A8 Cross-Site Request Forgery (CSRF)
o A9 Using Components with Known Vulnerabilities
o A10 Unvalidated Redirects and Forwards
OWASP Top 10 2013 (initial proposal)
[9] OWASP TOP10 2013
o A1 Injection
o A2 Broken Authentication
o A3 Sensitive Data Exposure
o A4 XML External Entities
o A5 Broken Access Control
o A6 Security Misconfiguration
o A7 Cross-Site Scripting (XSS)
o A8 Insecure Deserialization
o A9 Using Components with Known Vulnerabilities
o A10 Insufficient Logging & Monitoring
OWASP Top 10 2017 (re-checked)
[3] OWASP TOP10 2017
o Cross-Site Scripting (XSS)
o Information Disclosure
o Improper Access Control
o Violation of secure Design Principle
o Improper Authentication
o Cross-Site Request Forgery (CSRF)
o Open Redirect
o Business Logic Errors
o Privilege Escalation
o Insecure Direct Object Reference (IDOR)
o Server-Side Request Forgery (SSRF)
o Code Injection
o SQL Injection
o Denial of Service
o Cryptographic
Hacker-Powered Security Report 2019: the top 15 vulnerability types platform-wide
[1] HACKER-POWERED SECURITY REPORT 2019
o Cross-Site Scripting (XSS)
o Information Disclosure
o Improper Access Control
o Violation of secure Design Principle
o Improper Authentication
o Cross-Site Request Forgery (CSRF)
o Open Redirect
o Business Logic Errors
o Privilege Escalation
o Insecure Direct Object Reference (IDOR)
o Server-Side Request Forgery (SSRF)
o Code Injection
o SQL Injection
o Denial of Service
o Cryptographic
The State of Crowdsourced Security in 2019: top submitted vulnerabilities on web applications
[2] THE STATE OF CROWDSOURCED SECURITY IN 2019
Security in Agile SW Development
Steady Quality Improvement
PDCA (Plan-Do-Check-Act) as the overall quality improvement approach, applicable to both security and agile SW development
Image source: https://www.12manage.com/methods_demingcycle_de.html
Thoughts and Sources
o Industry’s Best Practices
o Agile Manifesto
o DevSecOps Maturity Model
o Standards (ISO 27000 et al.)
o Microsoft SDL
o Open Source Security Testing Methodology Manual (OSSTMM)
Solution
Central tracking that includes:
o Info, Responsibilities & Deadline
o Risk Assessment
o Status Tracking
Secure Defaults and Templating
Implementation Support
Info, Responsibilities & Deadlines
o Basic Application Information
o Project Roles
o Emergency Contacts
o Remediation Plan
o Application Owner Tasks
o Backup Strategy
Risk Assessment
o Question Categories:
o Accessibility
o User Group
o Authentication
o Information Criticality
o Application Complexity
o Business Criticality
o Base-Score Calculation
o Risk Rating Derivation
Image source: https://commons.wikimedia.org/wiki/File:Viking_rocket_scheme.jpg
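The base-score calculation and risk-rating derivation on this slide, as an added example that is not from the talk: a questionnaire over the six question categories is scored into a base score and a Low/Medium/High rating, and the categories answered at the top of their scale are reported as drivers for the guidance discussion. The answer scales, category weights and rating thresholds are assumptions chosen for illustration.

```python
# Added example: risk-assessment questionnaire scoring (not from the talk).
# Answer scales, weights and thresholds below are illustrative assumptions.
from dataclasses import dataclass

# Answer options per question category, each mapped to a points value (assumed).
CATEGORIES = {
    "accessibility": {"internal": 1, "partner": 2, "internet": 3},
    "user_group": {"admins": 1, "employees": 2, "customers": 3, "anonymous": 4},
    "authentication": {"sso_mfa": 1, "sso": 2, "local_accounts": 3, "none": 4},
    "information_criticality": {"public": 1, "internal": 2, "confidential": 3, "secret": 4},
    "application_complexity": {"static": 1, "crud": 2, "integrations": 3, "distributed": 4},
    "business_criticality": {"low": 1, "medium": 2, "high": 3, "mission_critical": 4},
}
# Category weights (assumed): exposure and data criticality dominate the score.
WEIGHTS = {"accessibility": 2.0, "user_group": 1.0, "authentication": 1.5,
           "information_criticality": 2.0, "application_complexity": 1.0,
           "business_criticality": 1.5}

@dataclass
class Assessment:
    base_score: float  # 0..10
    rating: str        # "Low", "Medium" or "High"
    drivers: list      # categories answered at the top of their scale

def base_score(answers: dict) -> float:
    """Weighted mean of the normalised per-category points, scaled to 0..10."""
    total = 0.0
    for cat, options in CATEGORIES.items():
        if cat not in answers:
            raise ValueError(f"missing answer for {cat!r}")
        if answers[cat] not in options:
            raise ValueError(f"unknown option {answers[cat]!r} for {cat!r}")
        # normalise to 0..1 so scales of different length weigh the same
        norm = (options[answers[cat]] - 1) / (max(options.values()) - 1)
        total += WEIGHTS[cat] * norm
    return round(10 * total / sum(WEIGHTS.values()), 2)

def risk_rating(score: float) -> str:
    """Threshold mapping (assumed): below 4 Low, below 7 Medium, else High."""
    return "Low" if score < 4 else "Medium" if score < 7 else "High"

def assess(answers: dict) -> Assessment:
    score = base_score(answers)  # raises on incomplete questionnaires
    drivers = [c for c, opts in CATEGORIES.items()
               if opts[answers[c]] == max(opts.values())]
    return Assessment(score, risk_rating(score), drivers)

if __name__ == "__main__":
    demo = {"accessibility": "internet", "user_group": "anonymous",
            "authentication": "local_accounts", "information_criticality": "secret",
            "application_complexity": "integrations", "business_criticality": "high"}
    result = assess(demo)
    print(f"base score {result.base_score} -> {result.rating}; drivers: {result.drivers}")
```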
Risk Aligned Security Guidance
Guidance Categories
o Requirements
o Controls
o Design Decisions
Document
o Keep track of decisions made and their reasoning
o Opportunity to re-assess decisions and track the corresponding evidence
o Visibility of progress
Image source: https://cdn.pixabay.com/photo/2018/10/04/07/41/form-3723114_960_720.jpg
Security Requirements
State the hard facts, e.g.:
o Passwords are individually salted and hashed before storage
o HTTPS communication is always enforced
o Input validation is performed on server-side
o etc.
Re-check the justification for requirements that are not implemented
Security Controls
Security Control Categories
Low Medium High
Security Controls: Low
Low Medium High
Automatable
o Central Code Repositories
o Automated Builds
o Unified Deployments
o Secure Scaffolding
o CI Pipeline
o Centralized Infrastructure
o Scans for External Libs
o Hardened Base Images
o Ticket System Integration
o Code Scanning
o Central Application Log Collection
o Automated Vulnerability Scans
Manual
o Audit Log Generation
o Technical Documentation
o Mandatory SDL Training
o Architecture Diagram
o Attack Surface Analysis
o Access Control Matrix
Secure Scaffolding
o Template for the project with secure defaults
o Standardization of integrated components, e.g., user management, session management
o Raise the bar
Automated Vulnerability Scans
o Establish automated system scans
o Integrate results in centralized system
o Track history and check for differences
Security Controls: Low
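The "track history and check for differences" step of the automated vulnerability scans above, as an added example that is not part of the talk: a small scan-history diff that normalises findings to a stable key (host, port, check id) and reports new, resolved and re-rated findings, with a pipeline gate on new high-severity ones. The JSON result layout, hostnames and check ids are constructed assumptions, not any scanner's real output.

```python
# Added example: diffing two automated scan runs (not from the talk); constructed JSON layout.
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    check_id: str   # scanner plugin / rule identifier
    severity: str

    @property
    def key(self):
        # severity is excluded so a re-rated finding is not reported as new
        return (self.host, self.port, self.check_id)

def parse_scan(raw: str) -> dict:
    """Parse one run into {key: Finding}; duplicate entries in one run collapse."""
    findings = {}
    for item in json.loads(raw)["findings"]:
        f = Finding(item["host"], int(item["port"]), item["check_id"], item["severity"].lower())
        findings[f.key] = f
    return findings

def diff_scans(previous: dict, current: dict) -> dict:
    """Return new, resolved and re-rated findings between two runs."""
    new = [current[k] for k in current.keys() - previous.keys()]
    resolved = [previous[k] for k in previous.keys() - current.keys()]
    rerated = [(previous[k], current[k]) for k in previous.keys() & current.keys()
               if previous[k].severity != current[k].severity]
    return {"new": sorted(new, key=lambda f: f.key),
            "resolved": sorted(resolved, key=lambda f: f.key),
            "rerated": sorted(rerated, key=lambda p: p[0].key)}

def needs_attention(delta: dict, gate=("high", "critical")) -> bool:
    """Pipeline gate: true when a new finding at a gated severity appeared."""
    return any(f.severity in gate for f in delta["new"])

# Constructed sample runs for the demo (not real scan output).
PREVIOUS_RUN = json.dumps({"findings": [
    {"host": "app.example.test", "port": 443, "check_id": "tls-weak-cipher", "severity": "medium"},
    {"host": "app.example.test", "port": 8080, "check_id": "admin-no-auth", "severity": "high"},
]})
CURRENT_RUN = json.dumps({"findings": [
    {"host": "app.example.test", "port": 443, "check_id": "tls-weak-cipher", "severity": "low"},
    {"host": "app.example.test", "port": 443, "check_id": "outdated-lib", "severity": "high"},
    {"host": "app.example.test", "port": 443, "check_id": "outdated-lib", "severity": "high"},
]})

def run_demo() -> dict:
    delta = diff_scans(parse_scan(PREVIOUS_RUN), parse_scan(CURRENT_RUN))
    for kind in ("new", "resolved"):
        for f in delta[kind]:
            print(f"{kind:8} {f.host}:{f.port} {f.check_id} [{f.severity}]")
    for old, cur in delta["rerated"]:
        print(f"re-rated {cur.host}:{cur.port} {cur.check_id} {old.severity}->{cur.severity}")
    return delta

if __name__ == "__main__":
    print("gate failed" if needs_attention(run_demo()) else "gate passed")
```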
Audit Log Generation
o Create log output for application usage
o Focus on security-critical functions
o Aggregate events in flows
Attack Surface Analysis
o Collect exposed interfaces
o Identify possible targets
o Get into the perspective of an attacker
Security Controls: Low
Security Controls: Medium
Low Medium High
Automatable
o Continuous Delivery Pipeline
o Application Security Scans
o Security Tests
o Regression Tests
o Robustness Tests
o Log Output Visualization
o Audit Log Alerting
Manual
o Code Review
o Data Flow Diagram
o Rule Definition
o Pair Programming
o Continuous Threat Modelling
Continuous Delivery Pipeline
o Deploy automatically to DEV/QS, manually to PROD
o Full access to DEV, limited access to QS
o No PROD access at all, only to the log sink
Continuous Threat Modelling
o Continuous feature delivery leads to continuous feature extension
o Identify new threats
o Document identified attack vectors, track them, and define mitigations
Security Controls: Medium
Security Controls: High
Low Medium High
Automatable
o Performance Tests
o Regression Tests for Security Issues
o Visualize Security Testing Results
Manual
o Write Abuse Stories
o External Code Review
o Mandatory Penetration Test
o Data Format Definition
o Decommissioning Concept
o Minion Penetration Tester
Regression Tests for Security Issues
o Establish regression tests for identified and resolved security issues
o Perform and monitor regression tests on a regular basis
o Track which modifications lead to unintended behaviors
Mandatory Penetration Test
o Establish process for external security verification
o Impersonate a real threat actor
o Track results and assign responsibilities
Security Controls: High
Security Controls: High
Minion Penetration Tester
o Parallel with sprints
o Tests all newly implemented features
o Sparring partner for security considerations
Video source: https://9gag.com/gag/aGZOemw/s
Security Design Principles
o Minimize the Attack Surface Area
o Establish Secure Defaults
o Least Privilege
o Defense in Depth
o Fail Securely
o Don’t Trust other Assets
o Separation of Duties
o Avoid Security by Obscurity
o Keep System-Architecture Simple
o Fix Security Issues Correctly
Bring it all together
o Why does the “s” in DevOps stand for security?
Conclusion
o Individual implementation leads to individual issues
o Standardization and secure defaults raise the bar
o High rate of automation leverages direct and indirect benefits by transparency, speed, and reproducibility
o Early establishment of security leads to long-term cost reduction
www.ernw.de
www.insinuator.net
Thank you for your Attention
Questions?
@NodyTweet
@WEareTROOPERS
Sources
[1] Hacker-Powered Security Report 2019, https://www.hackerone.com/sites/default/files/2019-08/hacker-powered-security-report-2019.pdf
[2] The State of Crowdsourced Security in 2019, https://www.bugcrowd.com/resources/reports/priority-one-report/
[3] OWASP Top 10 2017, https://github.com/OWASP/Top10/blob/master/2017/OWASP%20Top%2010-2017%20(en).pdf
[4] Agile Manifesto, https://agilemanifesto.org/
[5] OWASP DevSecOps Maturity Model, https://www.owasp.org/index.php/OWASP_DevSecOps_Maturity_Model
[6] Microsoft SDL, https://www.microsoft.com/en-us/securityengineering/sdl/
[7] OSSTMM, http://www.isecom.org/research/
[8] ISO/IEC 27001, https://www.iso.org/isoiec-27001-information-security.html
[9] OWASP Top 10 2013, https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2013_Project