new era of software with modern application security v1.0

Post on 12-Apr-2017


NEW ERA OF SOFTWARE WITH MODERN APPLICATION SECURITY

VERSION 1.0 (19/MAR/2016)

CODEMOTION ROME

@DINISCRUZ

A COUPLE OF DISCLAIMERS

• This presentation has 233 slides and is designed to guide the delivery of this presentation and provide background information for offline reading

• I speak really fast (for an English audience)

• I have too much content - even when I deliver three-day courses :)

• I abuse the term ‘Unit Testing’:

• for me the ‘Unit’ can be anything, from just a method to a full browser automation workflow

• if it can be executed with a Unit Test Framework (NUnit, Mocha, Karma) then it is a Unit Test ( even if it is called an e2e or Integration test)

ME

• Developer for 25 years

• AppSec for 13 years

• Day jobs:

• Leader OWASP O2 Platform project

• Head of Application Security at The Hut Group

• Application Security Training for JBI Training

• AppSec Consultant and Mentor

PERFORMED HUNDREDS OF SECURITY REVIEWS

• Found critical vulnerabilities in high profile applications (impacting millions of users)

• desktop apps, websites, mobile apps, web services, security tools, frameworks, telephony, networks, etc…

• Reported zero days to software vendors (before bug bounties)

• 0wned data centres, networks, apps, databases

DELIVERED TRAINING TO 1000S OF DEVELOPERS

• BBC

• BAE Applied Intelligence

• O2

• Alaska Airlines

• Ocado

• Capita (Orbit)

• BSkyB

• Harrods

• Microsoft

• Verifone

• OWASP Conferences

• BlackHat

• TotalJobs

• Cashflows

• RunEscape

• The Hut Group

I’M A DEVELOPER

• Have shipped code

• Have managed dev teams

• Have written tests (with 100% code coverage)

• Have created CI and CD environments (DevOps)

• Worked on Secure Software Architecture and workflows (SecDevOps)

GRAPHS

• I love Graphs

• Recently I have realised that I have spent most of my life thinking about graphs and coding graphs

• Graphs are great for data analysis and modelling

• … but this is a topic for another presentation

@DINISCRUZ

BLOG.DINISCRUZ.COM

BOOKS

• Published at Leanpub (http://leanpub.com/u/DinisCruz)

• Minimum price: 0 €

OWASP O2 PLATFORM

• My brain in a tool

• Very powerful but not easy to start using

NEW ERA OF SOFTWARE WITH MODERN APPLICATION SECURITY

My thesis is that

Application Security can be used to define and measure Software Quality

• TDD with Code Coverage

• Threat Models

• Docker and Containers

• Test Automation

• SAST/DAST/IAST/WAF

MODERN APPLICATION SECURITY

• Clever Fuzzing

• JIRA Risk workflows

• Kanban for Quality fixes

• Web Services visualisation

• ELK

JIRA WORKFLOW

Let’s start with a view of the problem

SOFTWARE IS EATING (ATTACKING) THE WORLD

WHO IS ATTACKING YOU

IF THE ATTACKER TELLS YOU ABOUT THE ATTACK

YOU SHOULD THANK THEM

The dangerous ones are the commercially focused

criminals

It’s all about the money

… to hack you …

Buy botnet for $110

How much it costs to be an ‘internal user’

100% Anti-virus non detection guarantee

But the credit cards were protected

EXAMPLES OF ATTACKS

https://www.owasp.org/index.php/OWASP_WASC_Web_Hacking_Incidents_Database_Project

SQL INJECTION

SQL INJECTION TOOL - HAVIJ

XSS

XSS ATTACK - APACHE.ORG

https://blogs.apache.org/infra/entry/apache_org_04_09_2010

XSS WORM - MYSPACE

GET PAID TO FIND XSS

Man-in-the-middle

TJX (PARENT OF TJ MAXX)

• 94 million customers’ records compromised

• $256 million settlement with Visa, MasterCard and customers

• Estimated cost to deal with the incident (and improve security): $1 billion

DON’T ACCEPT IT

ATTACKING CARS

http://www.ioactive.com/pdfs/IOActive_Remote_Car_Hacking.pdf

DoS (Denial of Service)

SYN FLOODS (crashing the firewall)

Brute force attacks

LOGIN ATTEMPTS

Attacking the Cloud

https://speakerdeck.com/silvexis/bringing-a-machete-to-the-amazon-blackhat-eu-2014

Google Dorks

Punkspider

Web crawler that performs penetration tests and indexes sites based on the vulnerabilities they have.

UK sites that have XSS and SQL injection


Attacking the Internet of Things (IoT)

Cyberwar

Attacking markets

RUSSIAN HACKERS MOVED RUBLE RATE WITH MALWARE

• http://www.bloomberg.com/news/articles/2016-02-08/russian-hackers-moved-currency-rate-with-malware-group-ib-says

A GUY CHALLENGED HACKERS AT DEFCON TO HACK HIM…

https://www.youtube.com/watch?v=bjYhmX_OUQQ

Attacks coming soon…

1. Mass supermarket failure (no food, milk, water available)

2. Bank or Financial Company collapse

3. Fabricated News

4. Mass loss, sale and exploitation of Individuals Private information

5. Mass Identity Theft!

• Can you prove that YOU are YOU?

• What if the ‘computer says differently’?

• What if your picture ‘in the computer’ is modified?

• What if your date of birth and family name are modified?

• What if you are shown as DEAD in the system?

• How many databases would it take to kill you digitally?

• What if there is NO record at ALL that you ever existed?

• in the ID database

• in the financial database

• in hospital databases

• etc.?

6. Medical systems exploitation:

• Wrong medications delivered or sold

• Manipulating hospital systems

• Corruption of medical records

• Sale of medical records

7. Car/Plane/Train crashes:

• all lights are made green at the same time

• maintenance records are fiddled with or manipulated (fake parts scam)

• Remote control and manipulation

• Manipulation of traffic guidance systems

8. ID cards/Passport exploits

• Government loses ability to issue new ID cards

• Massive ID Card fraud

9. Companies are selling fake ID cards with no ability to stop them

10. No cashpoints

11. New laws introduced in parliament (without formal discussion/approval)

12. Fighter jet fires missile into crowd / building / city

13. Mass hysteria at stadium, where a big message on screen says:

•"...RUN!!!!!! The stadium is going to blow in 2 minutes..."

•"...There is a terrorist in the stadium, here is his picture! Find him and kill him!!..."

14. Water poisoning

15. Manipulation of controls that introduce or remove chemicals in water

16. Attacks on electric grid

17. Mass compromise of online email systems

18. Corruption of the Inland Revenue database (if they did not know who owed what, they could not collect taxes)

19. Websites massively attack users and users are afraid to go online

20. Localised or global Internet shutdowns

I think you get the idea

for more examples read:

TALKTALK

Where is AppSec?

http://www.parliament.uk/business/committees/committees-a-z/commons-select/culture-media-and-sport-committee/inquiries/parliament-2015/cyber-security-15-16/

“After police & PWC investigation TalkTalk CEO admits firm 'underestimated' cybersecurity and touts change in culture”

“Investigation by PwC showed TalkTalk has been acting like a startup rather than a major company (new services, innovate, move fast) and they saw security as a technology issue, not a business one, and underestimated the challenge.”

…moving on to user’s identities

HAVE YOU BEEN PWNED?

BUG BOUNTIES

Bug bounties are a sign of

Application Security

Maturity

If you don’t have one

you are saying

… I’m a good target to attack …

GITHUB

GOOGLE

LET’S HACK (A LITTLE BIT) http://news.bbc.co.uk

http://manifesto.softwarecraftsmanship.org/

Demo

…..basically…..

…..but…..

DON’T PANIC

Unless you are directly targeted …

…the probability of you, your company or your apps

being attacked

is still low

… not because you are secure

… but because there are not enough attackers

… and the business model of the current attackers has not evolved to the next level

(where they find a way to make money with your assets)

NEW GENERATION OF APPLICATION SECURITY THINKING

1. TDD with Code Coverage

2. Threat Models

3. Docker and Containers

4. Test Automation

5. SAST/DAST/IAST/WAF

6. Clever Fuzzing

7. JIRA Risk workflows

8. Kanban for Quality fixes

9. Web Services visualisation

10. ELK

These tools/techniques are designed to

A) Improve code Quality

B) Make AppSec possible

1) TDD WITH CODE COVERAGE

• All code changes must have tests

• Code Coverage is key to understand the impact of those changes

• Devs, QA and Security teams should be communicating using tests

2) THREAT MODELS

• Are ‘technical briefs’ (i.e. better briefs)

• Should be the ‘source of truth’ in an organisation about their apps and code

• Should be done for:

• Applications

• Components

• Features

3) DOCKER AND CONTAINERS

• Provide repeatable and destroyable QA environments

• Enable DevOps

• Next paradigm of Secure Applications

• Dramatically improve the quality and resilience of Tests

5) SAST/DAST/IAST/WAF

• SAST - Static Application Security Testing

• DAST - Dynamic Application Security Testing

• IAST - Interactive Application Security Testing

• WAF - Web Application Firewall

4) TEST AUTOMATION

• Tests must run automatically on all commits of all branches

• AppSec tests must be used to ‘identify changes to attack surface’

• Empower two CI pipelines

• Super fast - push to production

• Pause - needs review
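An added example, not the slides’ own code, of an AppSec test that ‘identifies changes to attack surface’ and picks the pipeline: the surface is a snapshot of (method, path, auth) per endpoint, an unchanged snapshot goes to the fast lane, anything else pauses for review, and an endpoint whose authentication was dropped is flagged separately. The Endpoint model, the approved baseline and the route exports are assumptions made for the example.

```python
# Added example, not from the slides: an AppSec test that snapshots the
# attack surface and decides which of the two CI pipelines a build takes.
# The Endpoint model, the approved baseline and the route exports below
# are constructed for the example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    method: str
    path: str
    auth: str  # constructed vocabulary: "none", "session" or "token"


def surface_of(routes):
    """routes: (method, path, auth) triples as a build step would export them
    from the router; the frozenset is the surface snapshot."""
    return frozenset(Endpoint(m.upper(), p, a) for m, p, a in routes)


# Baseline signed off by AppSec (would normally live in version control)
APPROVED_SURFACE = surface_of([
    ("GET", "/products", "none"),
    ("POST", "/basket", "session"),
    ("GET", "/api/orders", "token"),
])


def pipeline_decision(approved, current):
    """Return ("fast", []) when the surface is unchanged, otherwise
    ("pause", changes) so the build waits for review.
    '+' new endpoint, '-' removed, '~' auth changed, '!' auth removed."""
    added = {ep for ep in current if ep not in approved}
    removed = {ep for ep in approved if ep not in current}
    changes = []
    for new in sorted(added, key=lambda e: (e.method, e.path)):
        old = next((o for o in removed
                    if (o.method, o.path) == (new.method, new.path)), None)
        if old is None:
            changes.append(f"+ {new.method} {new.path} auth={new.auth}")
            continue
        removed.discard(old)
        marker = "!" if old.auth != "none" and new.auth == "none" else "~"
        changes.append(f"{marker} {new.method} {new.path} auth {old.auth}->{new.auth}")
    for old in sorted(removed, key=lambda e: (e.method, e.path)):
        changes.append(f"- {old.method} {old.path} auth={old.auth}")
    return ("fast" if not changes else "pause"), changes


# Constructed route exports from two later builds
NEW_ROUTE_BUILD = [
    ("GET", "/products", "none"),
    ("POST", "/basket", "session"),
    ("GET", "/api/orders", "token"),
    ("get", "/api/admin", "none"),      # a new, unauthenticated endpoint
]
WEAKENED_BUILD = [
    ("GET", "/products", "none"),
    ("POST", "/basket", "session"),
    ("GET", "/api/orders", "none"),     # token check dropped during a refactor
]

if __name__ == "__main__":
    print(pipeline_decision(APPROVED_SURFACE, APPROVED_SURFACE))
    print(pipeline_decision(APPROVED_SURFACE, surface_of(NEW_ROUTE_BUILD)))
    print(pipeline_decision(APPROVED_SURFACE, surface_of(WEAKENED_BUILD)))
```

The snapshot is deliberately coarse (method, path and the auth mode): it is cheap enough to run on every commit of every branch, and a diff that is empty is exactly the ‘super fast’ case the slide describes.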

6) CLEVER FUZZING

7) JIRA RISK WORKFLOWS

8) KANBAN FOR QUALITY FIXES

• SCRUM tends to be more of a Religion than Agile

• Kanban WIP (Work in Progress) is key for Application Security Fixes

9) WEB SERVICES VISUALISATION

10) ELK

• ElasticSearch + LogStash + Kibana

• Use it everywhere and everybody customises it

• Also for developers (not just Ops)

Just to say it again ….

These tools/techniques are designed to

A) Improve code Quality

B) Make AppSec possible

Without them you are not really doing

Application Security

… and you have a

Development Problem

not an

Application Security Problem

APPSEC AND QUALITY

Software Craftsmanship is about

Software Quality

“I like my code to be elegant and efficient” Bjarne Stroustrup, inventor of C++

“Clean code is simple and direct. Clean code reads like well-designed prose”

Grady Booch, author

“Clean code can be read, and enhanced by a developer other than its original author”

“Big” Dave Thomas, founder of OTI

“Clean code always looks like it was written by someone who cares”

Michael Feathers, author

“You know you are working on clean code when each routine you read turns out to be pretty much what you expected”

Ward Cunningham, inventor of the Wiki

a big problem with the previous comments and the Software Craftsmanship concept is

‘How to define Quality?’

Everybody knows that Quality is key

… but …

‘how to measure Quality?’

My thesis is that

Application Security can be used to define and measure Software Quality

Not all Software Quality issues are Application Security issues

But all Application Security issues are

Software Quality issues

Sherif Mansour, Expedia

Application Security is all about the

non-functional requirements of software*

* software = apps, websites, web services, APIs, tools, build scripts = code

Application Security is all about understanding

HOW the software works*

* vs how software behaves

Using Application Security

I can measure the quality of software

Because Application Security

measures the unintended side effects of coding

THE POLLUTION ANALOGY

TECHNICAL DEBT IS A BAD ANALOGY

• The developers are the ones who pay the debt

• Pollution is a much better analogy

• The key is to make the business accept the risk (i.e the debt)

• Which is done using the JIRA RISK Workflows

WRITING SECURE CODE MYTH

“If only software developers had security knowledge they would be able to write secure code”

This is a myth because secure code has little to do with developers’ skills and craftsmanship

Software security (or insecurity) is a consequence of the Software development environment

(namely the business and managers focus)

And I know that this is a myth because

I cannot write ‘secure code’

when I’m programming

JIRA RISK WORKFLOW

http://blog.diniscruz.com/2016/03/updated-jira-risk-workflow-now-with.html

‘FIXING’ FLOW

‘RISK APPROVAL’ FLOW

FULL WORKFLOW (from Dev point of view)

1. Vulnerability/issue is found (RISK ticket opened) 

2. Dev understands the issue, writes a test that replicates it, opens a ticket in their project’s JIRA and tries to figure out the best way to fix it

3. Dev asks the AppSec team for guidance

4. AppSec team points to a WIKI page (existing or newly created)

5. Dev uses the guidance to fix it (and updates the test so that it is now a regression test)

6. Commit(s) are made, RISK ticket is updated with link to commit(s)

7. Dev asks AppSec to review the fix

8. AppSec reviews the fix and, if all looks ok, closes the RISK ticket

MAPPING TO INFOSEC RISKS

Labels for reporting and filters

MAPPING JIRA TICKETS TO TESTS

JIRA DASHBOARDS

WEEKLY EMAILS WITH RISK STATUS

KEY CONCEPTS OF THIS WORKFLOW

• All tests should pass all the time

• Tests that check/confirm vulnerabilities should also pass

• The key to make this work is to: Make business owners understand the risks of their decisions (and click on the ‘accept risk’ button)

You have to make sure that it is your boss who gets fired

… he/she should make sure that it is his/her boss who gets fired …

… all the way to the CTO

(i.e. Board level responsibility)
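The fixing flow and the key concepts above, as an added example in Python that is not from the slides: step 2’s test passes while the SQL injection exists (it is the ‘test that confirms the vulnerability’ and stays green until someone fixes the code behind it), and step 5 turns the same payload into a regression test against the fixed function. The RISK-123 ticket id, the users table and the find_user_* functions are hypothetical; the in-memory database is constructed for the example.

```python
# Added example, not from the slides: the RISK workflow's steps 2 and 5
# expressed as unit tests. The ticket id RISK-123, the users table and
# the find_user_* functions are hypothetical.
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the app's real one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.test"), (2, "bob", "bob@example.test")],
    )
    return conn


def find_user_vulnerable(conn, name):
    """The code as found in step 1/2: user input concatenated into SQL."""
    sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_fixed(conn, name):
    """Step 5: the fix the AppSec wiki page would point to (bound parameter)."""
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# The payload the RISK ticket documents: closes the string and ORs in a tautology
PAYLOAD = "x' OR '1'='1"


def test_risk_123_confirms_sql_injection():
    """Step 2: a test that PASSES while the vulnerability exists.
    It stays green (and the RISK ticket stays open or 'risk accepted')
    until someone deliberately fixes the code behind it."""
    rows = find_user_vulnerable(make_db(), PAYLOAD)
    assert len(rows) == 2, "every user row leaked via the tautology"
    return rows


def test_risk_123_regression():
    """Step 5: same payload against the fixed code, now a regression test.
    The confirming test above is pointed at the fixed function and inverted
    in the same commit that is linked from the RISK ticket."""
    conn = make_db()
    assert find_user_fixed(conn, PAYLOAD) == []
    assert find_user_fixed(conn, "alice") == [(1, "alice", "alice@example.test")]
    return find_user_fixed(conn, "alice")


if __name__ == "__main__":
    test_risk_123_confirms_sql_injection()
    test_risk_123_regression()
    print("RISK-123: vulnerability confirmed on old code, regression test green on fix")
```

Keeping both tests in the suite is what makes ‘all tests should pass all the time’ compatible with ‘tests that confirm vulnerabilities should also pass’: while the risk is open or accepted, the confirming test documents exactly what the business signed off on.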

TESTING

If you make a change and don’t have a test

You are making random changes

http://blog.kj187.de/how-do-i-convince-my-manager-that-unittests-are-important/

How to solve this problem?

You don’t

You sack your manager

As a developer you need to have pressure from management to deliver code that is:

Solid Secure

Testable Provable Readable

Maintainable

Basically, deliver Quality Code

99% CODE COVERAGE

…is not the destination

…it is ‘base camp’

With 99% code coverage you are here

Without 99% code coverage

you have not solved really hard problems in the testability of your

code

Important note:

If 99% code coverage is just a ‘management requirement’

… and is being gamed by devs

… and you have LOTS of stupid ‘unit tests’

i.e. 99 x 1% code coverage or 999 x 0.1% code coverage

then you also need to sack your manager

Your manager’s job is to help you deliver:

Solid Secure

Testable Provable Readable

Maintainable

Code

To make testing effective …

…testing (from unit testing to integration tests) needs to be done in the IDE with real-time execution and code coverage

QA, REGRESSION AND SECURITY TESTS

Wallaby’s real-time unit test execution and code coverage

MISSING TESTS (and 100% code coverage)

REAL WORLD MUTATION TESTING

• http://pitest.org/

WHY DO APPLICATION SECURITY?

Because you care about:

your users, good engineering, your application, your company

You have been lucky so far due to lack of commercially focused

attackers

This has been a

Blessing and Curse

You are making a

hedged bet

Your hedged bet is that:

the security of your code vs the skill and motivation of attackers

will not change in the next 2 years

Most of you are creating the perfect storm ….

User personalisation +

Digital Payments +

APIs

How insecure is your code?

How many risks/vulnerabilities are you aware of?

And have Accepted?

How long does it take you to

Fix Security/Quality

issues?

EXTERNAL SIGNS OF LACK OF FOCUS & LACK OF APPSEC POWER

• Not 100% SSL (with HSTS and Secure cookies)

• No consolidation of JavaScript files, which implies no CI (Continuous Integration)

• Cookie salad (caused by lack of a state service in the back end)

• Easy DoS by normal business activities

• “We’re hiring for AppSec” jobs posts

• Easy-to-find vulnerabilities (low-hanging-fruit)

• No public bug bounty
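A check a practitioner would run for the first three signs, as an added example that is not the slides’ own code: it parses a raw HTTP response and reports a missing HSTS header, cookies without Secure or HttpOnly, cookie salad, and an unbundled pile of script tags. Both responses and both thresholds are constructed for the example and are not figures from the slides.

```python
# Added example, not from the slides: flag the 'external signs' visible in
# one HTTP response. The responses and the thresholds are constructed.
import re

WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Set-Cookie: tracking=t1; Path=/; Secure\r\n"
    "Set-Cookie: basket=b9; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: ab_test=B; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html><head>\n"
    '<script src="/js/jquery.js"></script>\n'
    '<script src="/js/app.js"></script>\n'
    '<script src="/js/vendor1.js"></script>\n'
    '<script src="/js/vendor2.js"></script>\n'
    "</head></html>\n"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "\r\n"
    '<html><head><script src="/js/app.min.js"></script></head></html>\n'
)

# Thresholds are assumptions for the example
COOKIE_SALAD_THRESHOLD = 3   # more cookies than this on one response
SCRIPT_THRESHOLD = 3         # more external scripts than this: no bundling step


def parse_response(raw):
    """Split a raw HTTP/1.1 response into [(lower-cased name, value)] and body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n")[1:]:        # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body


def cookie_attrs(set_cookie):
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def external_signs(raw):
    """Return the signs visible in one response, in a fixed order."""
    headers, body = parse_response(raw)
    findings = []
    if not any(name == "strict-transport-security" for name, _ in headers):
        findings.append("no-hsts")
    cookies = [cookie_attrs(value) for name, value in headers if name == "set-cookie"]
    for cookie_name, attrs in cookies:
        if "secure" not in attrs:
            findings.append("insecure-cookie:" + cookie_name)
        if "httponly" not in attrs:
            findings.append("no-httponly:" + cookie_name)
    if len(cookies) > COOKIE_SALAD_THRESHOLD:
        findings.append("cookie-salad:%d" % len(cookies))
    scripts = re.findall(r"<script[^>]*\ssrc=", body, flags=re.IGNORECASE)
    if len(scripts) > SCRIPT_THRESHOLD:
        findings.append("unconsolidated-js:%d" % len(scripts))
    return findings


if __name__ == "__main__":
    print("weak    :", external_signs(WEAK_RESPONSE))
    print("hardened:", external_signs(HARDENED_RESPONSE))
```

Everything here is observable from outside, which is the point of the slide: an attacker doing reconnaissance sees the same headers and reads them the same way.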

DOES YOUR COMPANY/TEAM HAVE:

• AppSec team/person

• Security Champion

• Secure coding standards

• Threat Models

• OWASP contributors

• Secure code reviews

If your answer was not YES to all of them...

then

Your Application WILL have a high number of Security Vulnerabilities

And you need to invest in Application Security

Which if done correctly will improve the Quality of your code

MANAGERS AND BUSINESS OWNERS

SENIOR MANAGEMENT OVERSIGHT

• ‘Security Memo’ (from God)

• Incident response plans

• Emergency response exercises (can you detect them?)

• Cyber Insurance

• Enterprise Cyber Risk management

• Which C-level executive will get fired?

6 MONTH APPSEC INVESTMENT

What                       Description                              Cost
Head of AppSec             1 x person                               £100K
Senior Developers          2 x persons                              £120K
AppSec Ops                 2 x persons                              £80K
External Security Company  100 x days                               £100K
Security Tools             Static, Dynamic, Interactive scanners    £100K
Dev AppSec Tools           CI, Collaboration, Cloud, IDE plugins    £50K
Education                  Training, Conferences, Bug Bounties      £50K
Total                                                               £600K

WE HAVE SOLUTIONS

OWASP!!!!

GREAT PRESENTATION ON SECDEVOPS

https://www.youtube.com/watch?v=jQblKuMuS0Y

OpenSAMM (Software Assurance Maturity Model)

https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model

BSIMM (Building Security In Maturity Model)

SECURITY DEVELOPMENT LIFECYCLE

https://www.microsoft.com/en-us/sdl/process/design.aspx

TIPS FOR BUILDING A MODERN SECURITY ENGINEERING ORGANISATION

https://georgianpartners.com/tips-for-building-a-modern-security-engineering-organization

HOW TO BUILD A SECURE WEB APPLICATION

http://blog.knoldus.com/2016/02/03/how-to-build-secure-web-application/

NEW SECURITY SERVICES - 2FA

DEPLOY, DEPLOY, DEPLOY

• Push to production and refactor without fear

• Be like GitHub and use CI/CD to deploy 175 times in one day and 12,602 times in one year

https://github.com/blog/1241-deploying-at-github

• https://labs.spotify.com/2014/03/27/spotify-engineering-culture-part-1/

• https://labs.spotify.com/2014/09/20/spotify-engineering-culture-part-2/

FINAL THOUGHTS

UNWRITTEN RULES OF APIS

“Every API is destined to be connected to the internet”

“All API data wants to be exposed in a web page”

“Would you fly in a plane that has the code quality of your APIs?”

Application Security

can be used to

define and measure

Software Quality

Thanks, any questions?
