AppSec in a DevOps World (slide transcript)
Page 1
Application Security in a DevOps World
Three Methods for Shifting Left
Page 2
One weak spot is all it takes
Page 3
Software Security Defined
“Software security is the idea of engineering software so that it continues to function correctly under malicious attack.”
“Although the notion of protecting software is an important one, it’s just plain easier to protect something that is defect-free than something riddled with vulnerabilities.”
(Gary McGraw, Cigital)
https://buildsecurityin.us-cert.gov/resources/building-security-in/software-security
Page 4
Agenda
DevOps and DevSecOps, or is it DevOpsSec?
Pen-testing
Static analysis & Prevention
Hybrid testing
Page 5
Risk management – OWASP style
Prevalence, Detectability, Exploitability, Impact
Page 6
Real Business Impacts
Page 7
Penetration Testing
• Verify that security policy is working
• Tests from the outside in
• Variety of scenarios, such as:
– Parameter fuzzing
– Unexpected packets on the bus
– XML bombs
– Unauthorized Bluetooth
– Unexpected TPMS (tire pressure monitoring system) input
Page 8
IoT specifics
• Multi-layered systems
• Disparate technologies
• Functionality spanning across many layers
Page 9
Effectiveness of Pen-testing
• Labor intensive
• Difficult to automate
• Difficult to start early
• Requires inter-team synchronization
• Difficult to test error handlers
• Failed tests do not provide precise information about failure points
Page 10
Static Analysis
Pattern-based:
• Low false positives
• Fast
• Prevention focus
Flow-based:
• Real bugs
• Complex issues
• Mirror real use
• Fix focus
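To make the pattern/flow distinction on this slide concrete, here is an added Python example; it is not part of the slide deck and not Parasoft's tooling. A regex rule (the "pattern" column) and a tiny straight-line taint tracker built on Python's `ast` module (the "flow" column) are run over the same constructed snippet. The snippet, the `request.args.get` source and the `.execute` sink are assumptions chosen for the demo. The pattern rule is cheap, but it fires on a constant-only concatenation and misses an f-string; the flow rule reports only the two calls where request data actually reaches the sink.

```python
import ast
import re

# Constructed sample program (a Flask-style request object is assumed).
# login:  user input flows through two assignments into execute()  -> real bug
# lookup: only constants are concatenated                          -> no bug
# search: input reaches execute() through an f-string              -> real bug
SAMPLE = '''
def login(request, cursor):
    user = request.args.get("USER")
    name = user
    query = "SELECT * FROM Users WHERE username='" + name + "'"
    cursor.execute(query)

def lookup(cursor):
    query = "SELECT * FROM Users WHERE username='" + "admin" + "'"
    cursor.execute(query)

def search(request, cursor):
    query = f"SELECT * FROM Users WHERE username='{request.args.get('USER')}'"
    cursor.execute(query)
'''

# --- Pattern-based rule: a SQL string literal followed by '+' ---------------
SQL_CONCAT = re.compile(r'"(SELECT|INSERT|UPDATE|DELETE)\b[^"]*"\s*\+')


def pattern_findings(source):
    """Line numbers where the regex fires. It knows nothing about data flow:
    it flags the constant-only concatenation in lookup() (false positive) and
    misses the f-string in search() (false negative), but it is very fast."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if SQL_CONCAT.search(line)]


# --- Flow-based rule: taint from request.args.get() to .execute() ----------
def _is_source(node):
    # matches calls of the form <anything>.args.get(...)
    return (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute) and node.func.attr == "get"
            and isinstance(node.func.value, ast.Attribute)
            and node.func.value.attr == "args")


def flow_findings(source):
    """(function, line) pairs where tainted data reaches .execute().
    Demo simplification: straight-line function bodies only; taint is
    propagated through assignments, '+' concatenation and f-strings."""
    findings = []
    for func in (n for n in ast.parse(source).body
                 if isinstance(n, ast.FunctionDef)):
        tainted = set()

        def is_tainted(expr):
            if _is_source(expr):
                return True
            if isinstance(expr, ast.Name):
                return expr.id in tainted
            if isinstance(expr, ast.BinOp):
                return is_tainted(expr.left) or is_tainted(expr.right)
            if isinstance(expr, ast.JoinedStr):
                return any(is_tainted(v.value) for v in expr.values
                           if isinstance(v, ast.FormattedValue))
            return False

        for stmt in func.body:
            if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
                if is_tainted(stmt.value):
                    tainted.add(stmt.targets[0].id)
                else:
                    tainted.discard(stmt.targets[0].id)  # overwritten with clean data
            elif (isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call)
                  and isinstance(stmt.value.func, ast.Attribute)
                  and stmt.value.func.attr == "execute"
                  and stmt.value.args and is_tainted(stmt.value.args[0])):
                findings.append((func.name, stmt.lineno))
    return findings


if __name__ == "__main__":
    print("pattern:", pattern_findings(SAMPLE))   # [5, 9]
    print("flow:   ", flow_findings(SAMPLE))      # [('login', 6), ('search', 14)]
```

The two result lists are the slide in miniature: the pattern rule is the one you can afford to run on every commit as a prevention gate, while the flow rule is the one whose findings are worth a developer's time to fix.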
Page 11
Fix or Prevent
Page 12
Purpose of Coding Standards
• “Proven programming practices leading to safe, reliable, testable, and maintainable code”
• “Address potentially unsafe language features, and provide programming rules to avoid those pitfalls”
• “By providing “safer” alternatives to “unsafe” facilities, known problems … are avoided. In essence, programs are written in a “safer” subset of a superset.”
Page 13
Simple Prevention Process – an example
Detect the error
• Load testing shows leaking connections to the database
Find the cause
• Open connections aren’t being closed, causing resource leaks
Locate the point in production that caused the error
• Developer has forgotten to close DB connections upon client termination
Implement preventative process
• Use a coding standard to ensure each open connection is closed before exit
Monitor the process
• Use static analysis to enforce the standard
Add regression test
• Add a test to verify the problem was fixed and doesn’t return
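An added Python example, not from the slides, that walks the same process for the leak the slide describes: a connection pool that counts checked-out connections (constructed for the demo), a handler that forgets to return its connection on the error path, the handler rewritten to the coding standard (release on every exit path), and the regression check that would catch the leak coming back. The pool, handler names and the alternating failure pattern are assumptions.

```python
import sqlite3


class CountingPool:
    """Constructed stand-in for a real pool: it only counts connections
    that have been acquired and not yet released."""

    def __init__(self):
        self.in_use = 0

    def acquire(self):
        self.in_use += 1
        return sqlite3.connect(":memory:")

    def release(self, conn):
        conn.close()
        self.in_use -= 1


def handle_request_leaky(pool, client_disconnects):
    """The defect from the slide: the connection is released only on the
    happy path, so a client that terminates mid-request leaks it."""
    conn = pool.acquire()
    conn.execute("SELECT 1")
    if client_disconnects:
        raise ConnectionError("client terminated")   # conn is never released
    pool.release(conn)
    return "ok"


def handle_request_fixed(pool, client_disconnects):
    """Coding-standard version: release in finally, on every exit path."""
    conn = pool.acquire()
    try:
        conn.execute("SELECT 1")
        if client_disconnects:
            raise ConnectionError("client terminated")
        return "ok"
    finally:
        pool.release(conn)


def leaked_after(handler, requests=6):
    """Regression check: drive the handler with alternating normal and
    aborted requests and report how many connections stay checked out."""
    pool = CountingPool()
    for i in range(requests):
        try:
            handler(pool, client_disconnects=(i % 2 == 1))
        except ConnectionError:
            pass                      # the server keeps serving other clients
    return pool.in_use


if __name__ == "__main__":
    print("leaky handler leaks:", leaked_after(handle_request_leaky))   # 3
    print("fixed handler leaks:", leaked_after(handle_request_fixed))   # 0
```

The regression test the slide asks for is the single line `assert leaked_after(handle_request_fixed) == 0`; the static-analysis rule that enforces the standard would flag `handle_request_leaky` because its `acquire()` result has an exit path with no matching `release()`.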
Page 14
Coding Defensively: Validating inputs
(diagram: 9 paths through the code, 3 entry points, 4 potential vulnerabilities; each entry point is labelled “Validate”)
The solution = validate inputs upon entry
Page 15
Preventing SQL Injection
String username = request.getParameter("USER");
String password = request.getParameter("PASSWORD");
String query = "SELECT * FROM Users WHERE username='" +
    username + "' AND password='" + password + "'";
statement.execute(query);   // statement is a java.sql.Statement obtained from the connection
An attacker passes "' or 1=1" for username creating:
SELECT * FROM Users WHERE username='' or 1=1 AND password='foo'
Prevention: wrap input in validation:
String username = validate(request.getParameter("USER"));
String password = validate(request.getParameter("PASSWORD"));
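The slide's query and its fix, carried through as a runnable Python example against an in-memory SQLite table; this is added here and is not the deck's own code. The `validate()` the slide leaves abstract is split into an allow-list check for the username and a length/character-class check for the password (a password must be allowed to contain quotes, so validation alone cannot protect that field), and a parameterized statement is added on top of the slide's fix so that no field can change the query's structure. The table, the stored row, the probe value (the slide's tautology with its quotes balanced so it parses) and the function names are all constructed for the demo.

```python
import re
import sqlite3

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_username(value):
    """Allow-list validation at the entry point: a username is a short
    identifier, so a quote or SQL keyword is rejected before any query exists."""
    if value is None or not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid username")
    return value


def validate_password(value):
    """Passwords legitimately contain quotes and symbols, so validation can
    only bound length and character class; the query must not trust the value."""
    if value is None or not (1 <= len(value) <= 128) or not value.isprintable():
        raise ValueError("invalid password")
    return value


def make_db():
    # Constructed fixture. The plaintext password only mirrors the slide's
    # query; a real system compares a salted hash instead.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('alice', 's3cret')")
    return conn


def login_vulnerable(conn, username, password):
    """The slide's concatenated query, same structure as the Java version."""
    query = ("SELECT * FROM Users WHERE username='" + username
             + "' AND password='" + password + "'")
    return conn.execute(query).fetchall()


def login_hardened(conn, username, password):
    """Slide's fix (validate on entry) plus a parameterized statement, so even
    the field that must accept quotes is bound as data, never parsed as SQL."""
    username = validate_username(username)
    password = validate_password(password)
    return conn.execute(
        "SELECT * FROM Users WHERE username=? AND password=?",
        (username, password),
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    tautology = "' or '1'='1"        # the slide's tautology, quotes balanced
    print(login_vulnerable(conn, "nobody", tautology))   # [('alice', 's3cret')]
    print(login_hardened(conn, "nobody", tautology))     # []
```

With the probe in the password field the concatenated query becomes `... AND password='' or '1'='1'`, which SQLite evaluates as `(username='nobody' AND password='') OR '1'='1'`, so the vulnerable version returns the stored row without a valid credential. The hardened version passes the same probe through `validate_password()` unchanged and still returns nothing, which is the point of binding parameters rather than relying on validation for fields that must accept arbitrary characters.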
Page 16
Selecting Static Analysis
Handling of:
• Severity levels
• Suppressions
• Code based on age
Integration with SCM
Integration with bug tracking (internal & field)
Integration with peer review
Analytics
Page 17
Hybrid Security Analysis - IAST
• Penetration testing to automatically generate and run penetration attack scenarios
• Runtime error detection to monitor the back-end during test execution to determine whether security is actually compromised
• Correlates each runtime error with the functional test being run, allowing you to trace each reported error to the specific use case
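As an added illustration (not from the slide deck and not Parasoft's product), this Python block sketches the correlation step the slide describes: a constructed runtime monitor is told which values entered from the request, wraps the SQL sink, and tags each finding with the functional test that was executing when the sink was hit. The monitor, the handler functions, the probe strings and the substring-at-sink check are simplifications assumed for the demo; a real agent tracks propagation through the runtime rather than matching substrings. Note that no exploit payload is needed: the finding is "request data reached the SQL sink unbound", and it is reported against the ordinary functional test that triggered it.

```python
import sqlite3


class RuntimeMonitor:
    """Constructed stand-in for an IAST agent: it learns which values entered
    from the request, wraps the SQL sink, and tags every finding with the
    functional test that was running at the time."""

    def __init__(self):
        self.current_test = None
        self.tainted = []
        self.findings = []

    def begin_test(self, name):
        self.current_test = name
        self.tainted = []

    def taint(self, value):
        # A real agent hooks the request layer; here the test driver calls it.
        self.tainted.append(value)
        return value

    def execute(self, conn, sql, params=()):
        # Sink check (simplified to substring matching): a request value that
        # appears verbatim in the SQL text was concatenated in, not bound.
        hits = [v for v in self.tainted if v in sql]
        if hits:
            self.findings.append(
                {"test": self.current_test, "inputs": hits, "sql": sql})
        return conn.execute(sql, params).fetchall()


# --- constructed application code under test ------------------------------
def login_concat(monitor, conn, username, password):
    sql = ("SELECT * FROM Users WHERE username='" + username
           + "' AND password='" + password + "'")
    return monitor.execute(conn, sql)


def login_param(monitor, conn, username, password):
    return monitor.execute(
        conn, "SELECT * FROM Users WHERE username=? AND password=?",
        (username, password))


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('alice', 's3cret')")
    return conn


def run_functional_tests():
    """Two ordinary functional tests driven with benign probe strings; the
    monitor reports which test pushed request data into the SQL sink."""
    monitor, conn = RuntimeMonitor(), make_db()
    for name, handler in (("test_login_concat", login_concat),
                          ("test_login_param", login_param)):
        monitor.begin_test(name)
        user = monitor.taint("probe-user-7f3a")   # simulated request parameters
        pw = monitor.taint("probe-pass-9c1d")
        handler(monitor, conn, user, pw)
    return monitor.findings


if __name__ == "__main__":
    for finding in run_functional_tests():
        print(finding["test"], "->", finding["inputs"])
```

Only `test_login_concat` produces a finding, and the record carries the test name, the inputs involved and the statement that reached the sink, which is the traceability the slide's third bullet is after: the developer gets the use case that reproduces the issue, not just a stack trace from the back-end.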
Page 18
Hybrid Security Analysis
Page 19
How to do it better?
• Use stubs, mocks and service virtualization to improve testing automation
– Isolate at the message layer
– Simulate functional scenarios and performance conditions
Page 20
Divide & Conquer with Service Virtualization
Separate critical components
Move testing earlier
Isolate attack surfaces
Run functional tests vs. security scenarios
Page 21
Security Cases with Service Virtualization
(diagram labels: Virtual Services; SSL Certificates – Acceptable/Unacceptable; System Under Test; Dependent Application; Accounts Database; Mainframe)
Page 22
Security Cases with Service Virtualization
(diagram labels: SQL Injection; System Under Test; Virtual Services)
Page 23
Security Cases with Service Virtualization
(diagram labels: SQL Injection; Malicious Response; System Under Test; Virtual Services)
Page 24
Conclusion
• Standards and static analysis applied properly prevent errors
• Integrated results provide control, measurement, and traceability
• The cost of a solid prevention methodology is less than the cost of dealing with bad software
Page 25
Security Resources
CWE – Common Weakness Enumeration
• http://cwe.mitre.org
CERT – Secure Coding Guidelines
• https://www.securecoding.cert.org
Build Security In – Collaborative security effort
• https://buildsecurityin.us-cert.gov
Parasoft
• http://www.parasoft.com
Page 26
• Web – http://www.parasoft.com
• IoT Hall-of-Shame – http://bit.ly/iotshame
• Blog – http://alm.parasoft.com, http://codecurmudgeon.com
• Social
– Facebook: https://www.facebook.com/parasoftcorporation
– Twitter: @Parasoft @CodeCurmudgeon
– LinkedIn: http://www.linkedin.com/company/parasoft