TWISummit 2019 - Build Security In
2. The Security Sandwich
Security discussions
Secure Infrastructure
Penetration testing
A lot of changes
Who is taking care of security?
©ThoughtWorks 2019
Reference: https://speakerdeck.com/shirishp/building-a-continuous-secure-delivery-pipeline
4. “The idea of a perimeter defense isn’t necessarily wrong, it’s just not enough.”
- Dave Elliman
https://www.thoughtworks.com/insights/blog/lean-model-security-and-security-practices
©ThoughtWorks 2019
5. Defense in depth
Reference: https://www.gannett-cdn.com/-mm-/9bb83c731e5249c4c7a85922094689d746a603a1/c=0-0-580-435/local/-/media/2016/10/04/Rochester/wp-ROC-RocNext-10744-Security-is-like-an-onion1.jpg
©ThoughtWorks 2019
8. Cost of fixing a defect (chart: cost vs. when the defect was found)
©ThoughtWorks 2019
9. It is an evolutionary world, always
©ThoughtWorks 2019
12. BSI - BUILD SECURITY IN (PRACTICES)
Planning
Security training
● For stakeholders
● For development team
Requirement
● Business level threat modeling
● Security Acceptance criteria
● Evil/Abuse stories
Design
● Application threat modeling with delivery team
● Architecture review
● Security defaults
Build
● SAST
● Dependency check
● Secrets scan
● Security unit test run
Automated security checks and access controls
Code
● Security framework, API
● Security code review
● Security Driven Development
Testing
● Security scan
● Automated scanning
● DAST
● Security functional testing
● Continuous pen-testing
Deploy
● Penetration testing, certification
● Automated checks
● Access Controls
● Server side DOS prevention
● Server & data hardening
● Monitoring and auditing
Deploy and Release
● Ensuring Secure Containerisation
● Privilege Management
● Automated Container Assessment
©ThoughtWorks 2019
15. Securing Defaults
● Make it easy to write secure code and difficult to make mistakes
● Build on top of secure libraries and frameworks
● Build security in upfront and try to make it seamless
● Define a security low bar which all projects need to meet, such as:
○ All passwords must be hashed
○ Hosts and networks are hardened
○ Whitelist access
● Provide tools which identify if an insecure dependency is introduced
©ThoughtWorks 2019
20. SAST - Checkmarx (commercial)
https://www.checkmarx.com/products/static-application-security-testing/
©ThoughtWorks 2019
23. DAST: Dynamic Application Security Testing (DAST)
Automation
● Designed to scan web applications, normally from the outside
● Great to catch low hanging fruits, e.g. missing CORS headers
● Can’t validate logic flaws automatically
Security Testing/Pen-Testing
● Holistic behaviour analysis testing
● Catches many relevant and logical flaws in the app
● Requires both manual and automated testing
● Can find critical flaws such as business logic, session issues, authZ and authN ...
©ThoughtWorks 2019
24. DAST - Burp Suite (commercial)
https://portswigger.net/burp
©ThoughtWorks 2019
28. Infrastructure as Code
● Must have: fix a security problem in one place and the fix propagates everywhere
● Compliance using code
● Manage the security baseline for the org
● Can write security tests for:
○ unnecessary services are disabled
○ ports that do not need to be open are indeed not open
○ permissions on sensitive files and directories
©ThoughtWorks 2019
36. Equifax breach
• Apache Struts 2, CVE-2017-5638
• Patch released on March 7, 2017
• 148 million US and 15.2 million UK customers’ records compromised
• $1.4 B in losses so far for clean-up and overhauling the InfoSec program
Source: imperva.com
Apache Struts 2
©ThoughtWorks 2019
38. Heartbleed
• TLS Heartbleed (OpenSSL 1.0.1)
• CVE-2014-0160
• TLS ‘heartbeat’ extension
• Missing bounds check before a memcpy() call
• Community Health Systems
• Personal data of about 4.5 million patients stolen
https://www.chsinc.com/
©ThoughtWorks 2019
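The missing bounds check on the Heartbleed slide, as an added example that is not from the slides or from OpenSSL: a heartbeat-record parser in C that applies the length check the fix introduced before memcpy(). The record layout (type, 2-byte big-endian payload length, payload, at least 16 bytes of padding, per RFC 6520) is assumed, and the demo records are constructed, not captured traffic.

```c
/* Added example, not from the slides: a heartbeat-record parser with the
 * length check that the Heartbleed fix added before memcpy(). Assumed
 * layout (RFC 6520): type (1) | payload_length (2, BE) | payload | padding (>=16) */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define HB_HEADER_LEN   3   /* type byte + 2-byte payload length */
#define HB_MIN_PADDING 16   /* RFC 6520: at least 16 bytes of padding */

/* Copies the payload of a received heartbeat record into out.
 * Returns the number of payload bytes copied, or -1 if the record is
 * malformed. The vulnerable code trusted the declared payload_length and
 * copied that many bytes even when fewer had been received, so the reply
 * echoed whatever followed the record in process memory. */
long hb_copy_payload(const uint8_t *rec, size_t rec_len,
                     uint8_t *out, size_t out_cap)
{
    if (rec == NULL || out == NULL)
        return -1;
    /* A record must at least carry the header and the minimum padding. */
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* The missing check: declared payload plus header and padding must
     * fit inside the bytes actually received. */
    if (HB_HEADER_LEN + payload_len + HB_MIN_PADDING > rec_len)
        return -1;
    if (payload_len > out_cap)
        return -1;
    memcpy(out, rec + HB_HEADER_LEN, payload_len);
    return (long)payload_len;
}

/* Constructed records (not captured traffic) for a stand-alone check. */
long hb_demo_well_formed(void)
{
    /* type 1, declared length 5, payload "hello", 16 bytes of zero padding */
    uint8_t rec[HB_HEADER_LEN + 5 + HB_MIN_PADDING] =
        {1, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
    uint8_t out[64];
    return hb_copy_payload(rec, sizeof rec, out, sizeof out);   /* 5 */
}

long hb_demo_oversized_claim(void)
{
    /* declares 65535 payload bytes but carries only the padding */
    uint8_t rec[HB_HEADER_LEN + HB_MIN_PADDING] = {1, 0xFF, 0xFF};
    uint8_t out[64];
    return hb_copy_payload(rec, sizeof rec, out, sizeof out);   /* -1 */
}
```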