New Farming Methods in the Epistemological Wasteland of Application Security
65 likes18,355 views
The document discusses the evolution of application security, drawing parallels to the transformation of operational practices through DevOps. It emphasizes the need for better integration of security within development and deployment processes, advocating for methodologies such as Bad-Behavior Driven Development and application security telemetry. The author argues that application security must evolve similarly to Ops, focusing on adding value at development, deployment, and runtime to overcome current challenges.
![@wickett #ruggeddevops
DEVOPS IS THE INEVITABLE RESULT OF NEEDING
TO DO EFFICIENT OPERATIONS IN A [DISTRIBUTED
COMPUTING AND CLOUD] ENVIRONMENT.
- TOM LIMONCELLI](https://image.slidesharecdn.com/newfarmingmethods-appsec-151023151356-lva1-app6892/85/New-Farming-Methods-in-the-Epistemological-Wasteland-of-Application-Security-61-320.jpg)
![@wickett #ruggeddevops
“[RISK ASSESSMENT] INTRODUCES A
DANGEROUS FALLACY: THAT STRUCTURED
INADEQUACY IS ALMOST AS GOOD AS
ADEQUACY AND THAT UNDERFUNDED
SECURITY EFFORTS PLUS RISK
MANAGEMENT ARE ABOUT AS GOOD AS
PROPERLY FUNDED SECURITY WORK”](https://image.slidesharecdn.com/newfarmingmethods-appsec-151023151356-lva1-app6892/85/New-Farming-Methods-in-the-Epistemological-Wasteland-of-Application-Security-80-320.jpg)
New Farming Methods in the Epistemological Wasteland of Application Security
- 1. New Farming Methods in the Epistemological Wasteland of Application Security - @wickett
- 3. @wickett #ruggeddevops James Wickett SR. ENGINEER, SIGNAL SCIENCES AUSTIN, TX HANDS-ON GAUNTLT BOOK DEVOPS DAYS GLOBAL ORGANIZER LASCON ORGANIZER
- 4. Application Security Telemetry and Monitoring Plus Defense! Application Security for the rest of us An approach that integrates with devops organizations doesn't inhibit going fast
- 5. 5
- 7. @wickett #ruggeddevops Software development is a constant experiment in knowing Application Security abdicated runtime responsibility and development responsibility through incoherent philosophical approaches and fostering silo-thinking Security now is where Ops was 7 years ago. Ops found a path to change through devops, security can too There are three ways we can add value: at development, at deploy, at runtime Summary
- 8. @wickett #ruggeddevops Bad-Behavior Driven Development Weaponizing your CD Pipeline Application Security Telemetry and Monitoring Continuous Hardening and Audit Have a S-BOM! (Software Bill of Materials) Practices
- 9. @wickett #ruggeddevops Where do we come from
- 10. @wickett #ruggeddevops A study in how we know anything in Application Security
- 11. @wickett #ruggeddevops Spoiler Alert: We don’t !
- 12. @wickett #ruggeddevops once upon a time…
- 13. @wickett #ruggeddevops What does it all mean? A Journey to the Epistemological Problem of Software Development
- 14. @wickett #ruggeddevops In our Innate Humanness We optimize for the probable
- 18. @wickett #ruggeddevops We also optimize for the possible
- 20. @wickett #ruggeddevops The scaling algo that never got used…
- 21. @wickett #ruggeddevops There is too much to choose from in the realm of possible
- 22. @wickett #ruggeddevops Actually, we optimize for the perceived probable
- 23. @wickett #ruggeddevops How do we know what to create?
- 24. @wickett #ruggeddevops This is the problem
- 25. @wickett #ruggeddevops Epistemological Problem of Software Development
- 26. @wickett #ruggeddevops We gather data and rhetoric to support our theories
- 27. @wickett #ruggeddevops There are 3 major arcs currently in Software Development
- 28. @wickett #ruggeddevops We started as Civil Engineers
- 30. @wickett #ruggeddevops Agile avoids the problem
- 31. @wickett #ruggeddevops Agile reminds that we dont know what we are building
- 34. @wickett #ruggeddevops BDD = Agile + feedback
- 35. @wickett #ruggeddevops Behavior Driven Development is a second-generation, outside–in, pull- based, multiple-stakeholder, multiple- scale, high-automation, agile methodology. It describes a cycle of interactions with well-defined outputs, resulting in the delivery of working, tested software that matters. Dan North , 2009
- 37. @wickett #ruggeddevops Agile emphasizes feedback to developers from their overlords and sometimes even customers
- 39. @wickett #ruggeddevops Agile is our guiding Light
- 40. @wickett #ruggeddevops The world has changed since Agile
- 41. @wickett #ruggeddevops We don’t sell CD’s anymore
- 42. @wickett #ruggeddevops Software as a Service
- 43. @wickett #ruggeddevops The last fifteen years have brought a complete change in our delivery cadence, distribution mechanisms and revenue models
- 44. @wickett #ruggeddevops Second Arc: DevOps
- 45. @wickett #ruggeddevops DEVOPS IS THE APPLICATION OF AGILE METHODOLOGY TO SYSTEM ADMINISTRATION - THE PRACTICE OF CLOUD SYSTEM ADMINISTRATION BOOK
- 49. @wickett #ruggeddevops Less WIP Less technical debt
- 50. @wickett #ruggeddevops Customers actually using the feature while the developer is working on it
- 51. @wickett #ruggeddevops Great side effect: Produces Happy Developers
- 54. @wickett #ruggeddevops Devops realized that ops doesn’t know what devs know and vice versa
- 55. @wickett #ruggeddevops Dev : Ops 10 : 1
- 56. @wickett #ruggeddevops DevOps is an Epistemological breakthrough joining people around a common problem
- 57. @wickett #ruggeddevops Culture is the most important aspect to devops succeeding in the enterprise - Patrick DeBois
- 58. @wickett #ruggeddevops Culture is shaped in part by values
- 60. @wickett #ruggeddevops Mutual Understanding Shared Language Shared Views Collaborative Tooling
- 61. @wickett #ruggeddevops DEVOPS IS THE INEVITABLE RESULT OF NEEDING TO DO EFFICIENT OPERATIONS IN A [DISTRIBUTED COMPUTING AND CLOUD] ENVIRONMENT. - TOM LIMONCELLI
- 63. @wickett #ruggeddevops TLDR; High-performing IT organizations experience 60X fewer failures and recover from failure 168X faster than their lower-performing peers. They also deploy 30X more frequently with 200X shorter lead times.
- 65. @wickett #ruggeddevops Devops gone wrong
- 66. @wickett #ruggeddevops “THAT THE WORD #DEVOPS GETS REDUCED TO TECHNOLOGY IS A MANIFESTATION OF HOW BADLY WE NEED A CULTURAL SHIFT” - @PATRICKDEBOIS http://www.slideshare.net/cm6051/london-devops-31-5-years-of-devops
- 68. @wickett #ruggeddevops Continuous Delivery is not merely how often you deliver but how little you can deliver at a time
- 70. @wickett #ruggeddevops Batch Size of 1
- 71. @wickett #ruggeddevops Separation of Duties Considered Harmful
- 72. @wickett #ruggeddevops Give power to the Developers to deploy
- 73. @wickett #ruggeddevops Reduce Code Latency Increase Code Velocity
- 75. @wickett #ruggeddevops The next Arc: Security Rugged
- 76. @wickett #ruggeddevops “…Those stupid developers” - Security person
- 77. @wickett #ruggeddevops “Security prefers a system powered off and unplugged” - Developer
- 78. @wickett #ruggeddevops Cultural Unrest with security in most organizations
- 80. @wickett #ruggeddevops “[RISK ASSESSMENT] INTRODUCES A DANGEROUS FALLACY: THAT STRUCTURED INADEQUACY IS ALMOST AS GOOD AS ADEQUACY AND THAT UNDERFUNDED SECURITY EFFORTS PLUS RISK MANAGEMENT ARE ABOUT AS GOOD AS PROPERLY FUNDED SECURITY WORK”
- 81. @wickett #ruggeddevops Security is where ops was 7 years ago…
- 82. @wickett #ruggeddevops Dev : Ops : Sec 100 : 10 : 1
- 83. @wickett #ruggeddevops Understaffing means no one thinks security helps the business win
- 84. @wickett #ruggeddevops DevOps changed that for Ops, security can change too
- 85. @wickett #ruggeddevops Netflix demonstrated that people care about resiliency
- 86. @wickett #ruggeddevops Innately, we all care
- 87. @wickett #ruggeddevops Rugged Software Movement
- 91. @wickett #ruggeddevops Security’s way forward is to help developers and help operations
- 93. @wickett #ruggeddevops Let’s review Security’s approach thus far
- 94. @wickett #ruggeddevops BadIdea #1 Applications can’t be defended—Web App Firewalls Suck! lets do developer training
- 97. @wickett #ruggeddevops Awareness campaign OWASP Top Ten
- 98. @wickett #ruggeddevops We abandoned knowing anything useful about the Runtime
- 99. @wickett #ruggeddevops Instead Add Defense based on behaviors
- 100. @wickett #ruggeddevops BadIdea #2 Developers can’t figure it out. lets scan for vulnerabilities instead
- 101. @wickett #ruggeddevops “here is a 400 page PDF of our findings to prove your developers don't get it!” - The Pen tester
- 102. @wickett #ruggeddevops Even with the emphasis on appsec training, in practice we made it a dark art
- 103. @wickett #ruggeddevops Integrated rugged testing should sit inside the pipeline
- 104. @wickett #ruggeddevops BadIdea #3 With the new alignment to vulnerability scanning, there is a tendency to Fix the Low-Hanging Fruit
- 106. @wickett #ruggeddevops we still don't know who is attacking us
- 107. @wickett #ruggeddevops We still don't actually know what they are attacking
- 108. @wickett #ruggeddevops Real Threats go Unknown so Developers fix what the automated tooling detected at a certain point in time
- 109. @wickett #ruggeddevops Add Application Security Telemetry
- 110. @wickett #ruggeddevops badidea #4 Put in tooling that no one outside of security can understand
- 111. @wickett #ruggeddevops usually in the name of compliance
- 112. @wickett #ruggeddevops “Get a Web App Firewall dude!” - PCI-DSS Req 6.6
- 114. @wickett #ruggeddevops Choose your own adventure…
- 115. @wickett #ruggeddevops smallest possible solution you can consider a WAF…
- 116. @wickett #ruggeddevops Our CDN added ModSecurity Ruleset Huzzah!
- 117. @wickett #ruggeddevops An appliance that blocks all the things
- 118. @wickett #ruggeddevops And now you wonder why no one eats lunch with you anymore
- 119. @wickett #ruggeddevops “every aspect of managing WAFs is an ongoing process. This is the antithesis of set it and forget it technology. That is the real point of this research. To maximize value from your WAF you need to go in with everyone’s eyes open to the effort required to get and keep the WAF running productively.” - a whitepaper from a WAF vendor
- 121. @wickett #ruggeddevops Ok, Security has to change… How do we add value already?
- 123. @wickett #ruggeddevops Add value to Devs Add value to ops
- 124. @wickett #ruggeddevops Pray that someone notices
- 126. @wickett #ruggeddevops Pro-Tip #1 Bad-Behavior Driven Development (automate those security tools!)
- 127. @wickett #ruggeddevops Start with Adding just one test for XSS on a few pages in your app
- 129. @wickett #ruggeddevops gauntlt is Bad-Behavior Driven Development
- 130. @wickett #ruggeddevops GAUNTLT Open source, MIT License Gauntlt comes with pre-canned steps that hook security testing tools Gauntlt does not install tools Gauntlt wants to be part of the CI/CD pipeline Be a good citizen of exit status and stdout/stderr
- 134. @wickett #ruggeddevops Be Mean to Your Code
- 135. @wickett #ruggeddevops Gauntlt Uses Cucumber and its awesome
- 138. @wickett #ruggeddevops here’s an XSS attack Example
- 139. @wickett #ruggeddevops @slow @final Feature: Look for cross site scripting (xss) using arachni against a URL Scenario: Using arachni, look for cross site scripting and verify no issues are found Given "arachni" is installed And the following profile: | name | value | | url | http://localhost:8008 | When I launch an "arachni" attack with: """ arachni --modules=xss --depth=1 --link-count=10 --auto- redundant=2 <url> """ Then the output should contain "0 issues were detected."
- 144. @wickett #ruggeddevops Pro-tip #2 Put security testing in your continuous integration system
- 148. @wickett #ruggeddevops Pro-Tip #3 Add Application Security telemetry to devs and ops
- 149. @wickett #ruggeddevops Convert App Security Logs into metrics in the systems dev and ops use StatsD
- 150. @wickett #ruggeddevops RunTime Correlation between biz, ops, dev, sec
- 151. @wickett #ruggeddevops SQLi Attempts + HTTP 500’s or login spikes + transaction decrease
- 153. @wickett #ruggeddevops Pro-Tip #4 Get hugs from the auditors and add Hardening and Audit using config management
- 154. @wickett #ruggeddevops Open Source Hardening Framework chef/puppet/ansible http://hardening.io/
- 155. @wickett #ruggeddevops Run Nightly Audits of your Hardening using Config Management (Chef audit mode) https://www.chef.io/blog/2015/04/09/chef-audit-mode-cis-benchmarks/
- 156. @wickett #ruggeddevops OS and Config Management
- 157. @wickett #ruggeddevops reverse the trend Add Value to Devs Add Value to Ops
- 158. @wickett #ruggeddevops Software development is a constant experiment in knowing Application Security abdicated runtime responsibility and development responsibility through incoherent philosophical approaches and fostering silo-thinking Security now is where Ops was 7 years ago. Ops found a path to change through devops, security can too There are three ways we can add value: at development, at deploy, at runtime Summary
- 159. @wickett #ruggeddevops Bad-Behavior Driven Development Weaponizing your CD Pipeline Application Security Telemetry and Monitoring Continuous Hardening and Audit Have a S-BOM! (Software Bill of Materials) Practices