Webinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
0 likes148 views
The document discusses the importance of integrating security into modern application development through a DevSecOps approach, emphasizing that security should be an integral part of the development pipeline. It highlights the risks associated with data breaches, the need for continuous monitoring, and the importance of selecting appropriate tools and frameworks to ensure secure software development. Additionally, it outlines strategies for measuring security initiatives and addressing security gaps while accelerating product release cycles.
![© 2019 Synopsys, Inc.20
Web services API usage
API Lifecycle
• Twitter API shutdown August 2018
• Google+ shutdown April 2019
• Salesforce API versioning
Data usage and control
• GDPR data processor vs data controller
• Data sovereignty and jurisdiction
• Data mashups and inference scenarios
Data and privacy breaches
• Facebook API tokens
• [24]7.io and Delta, Kmart, Sears
• Third-party data bleeds
• Phone home tracking
• CVE-2018-1002105 in Kubernetes API](https://image.slidesharecdn.com/timmackeyappsectoolchain-190722170053/85/Webinar-Creating-a-Modern-AppSec-Toolchain-to-Quantify-Service-Risks-20-320.jpg)
Webinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
- 1. © 2019 Synopsys, Inc.1 Creating a Modern AppSec Toolchain to Quantify Service Risks Tim Mackey, Principal Security Strategist, Synopsys Cybersecurity Research Center
- 2. © 2019 Synopsys, Inc.2 Modern Application Development and Risk It’s not just about the applications…think process
- 3. © 2019 Synopsys, Inc.3 Being a security target is costly Average cost of data breach: $3.86 Million Lost business: $4.20 Million Average time to identify and contain a breach: 266 days Source: 2018 Cost of Data Breach Study (US Data) – Ponemon Institute
- 4. © 2019 Synopsys, Inc.4 Certifications and regulations guide current processes On-Prem Infrastructure Policies • DISA STIG, OVAL Definitions and XCCDF • Managed via Chef, Puppet, Ansible, Raw SSH tooling • Private cloud adopts similar policies Public Cloud Infrastructure Policies • Provider responsible for infrastructure security • Tenant remains responsible for VM security Some operational risk transferred to provider Focus for Certifications and Regulations • PCI, PII and PHI • Process centric and often not technology aware • Developers assume compliance and no feedback loop • NIST 800-137 focused on process • Continuous monitoring isn’t prescriptive NIST 800-137
- 5. © 2019 Synopsys, Inc.5 Equifax breach focused attention on open source
- 6. © 2019 Synopsys, Inc.6 Modern application = Proprietary Code + Open Source Components + API Usage + Application Behavior and Configuration
- 7. © 2019 Synopsys, Inc.7 Gartner definition of DevSecOps Information security architects must • Integrate security at multiple points and • Preserve teamwork, agility and speed in dev environments Security activities must be an integral part of the DevSecOps pipeline. DevOps teams have to own security the same way they own development and operations. Sec
- 8. © 2019 Synopsys, Inc.8 Ouch – Not so good!
- 9. © 2019 Synopsys, Inc.9 Sec By 2021, DevSecOps practices will be embedded in 80% of rapid development teams Source: Gartner, Integrating Security Into the DevSecOps Toolchain Nov. 16, 2017. Higher speed Reduced friction Continuous feedback Lower cost $
- 10. © 2019 Synopsys, Inc.10 The toolchain starts with process i.e. define security targets and build toolchain from that
- 11. © 2019 Synopsys, Inc.11 DevSecOps Pipeline: Agile quality and security checks Build Test Prod Ops Deploy Dev IDE Feedback • Functional tests • Load test • Performance test • DAST/IAST • Penetration test •Risk assessment •Threat model •Lightweight SAST •Local unit tests •Network scanning •Continuous monitoring •Env/Config validation •Threat intelligence •CVE reports •Regulatory changes •Static analysis •SCA •Unit tests •Config tests •Hardening check
- 12. © 2019 Synopsys, Inc.12 Example: IoT takes over the world • Limited CPU resources • Limited RAM for features • C/C++ typical • MQTT common protocol • Responsive application • View device data • View historical information Web UI 4 4 • Lightweight protocol • High volume • Pub/Sub interface MQTT Broker Encrypted data published via MQTT2 IoT Device • iOS/Android application • Configure device • View device data • Receive notifications Mobile Interface1 Configure via Bluetooth represents constraints in the system 3 Data stored for analysis Analysis Engine Authentication and Authorization Analysis Engine MQTT WebSocket Core Data • Avoid MITM • Certification of image OTA
- 13. © 2019 Synopsys, Inc.13 The risks we control
- 14. © 2019 Synopsys, Inc.14 Identify security targets from platform requirements Goal: Select an IoT toolchain meeting product and cost requirements Role: Security Architect with CISO and Product Owner guidance Tasks and requirements: 1. Select platform supporting desired protocols • Protocol implementations must be resilient 2. Select candidate vendor or open source stack 3. Validate protocols against cost and stability • Define protocol fuzzing framework 4. Report on security targets during development
- 15. © 2019 Synopsys, Inc.15 Select development frameworks and environment Role: Development Lead with Product Owner guidance Goal: Select frameworks capable of meeting time to market and security targets Tasks and requirements 1. Select languages based on security 2. Define build environment 3. Identify commercial and open source frameworks and libraries • Define governance for security updates 4. Enable IDE security plugins 5. Enable build time CI analysis
- 16. © 2019 Synopsys, Inc.16 Perform continuous security assessments Role: Developer with Development Lead guidance Goal: Identify security governance issues prior to commits Tasks: 1. Transparent security review during coding • No disruption to existing workflows 2. Remediation and contextual guidance • Lower defect costs by shifting left 3. Developer reviews results before merging
- 17. © 2019 Synopsys, Inc.17 Catch complex security issues during build Role: Release Engineer with guidance from QA and Product Owner Goal: Ensure release meets security and functional targets Tasks and requirements: 1. Build triggered from merge/pull request 2. Detailed scans run parallel to build process 3. Optionally fail builds based on security targets/exceptions 4. Analysis summaries fed back to IDE plugins 5. Centralized security progress tracking
- 18. © 2019 Synopsys, Inc.18 Confirm governance and security target progress Role: Security Architect Goal: Ensure release meets security and functional targets Tasks: 1. Centralized view of security results 2. Review by common taxonomy • (OWASP Top 10, SANS Top 25) 3. Triage issue status via defect workflows 4. Measure progress against governance targets 5. Define security targets for future releases
- 19. © 2019 Synopsys, Inc.19 The risks controlling us
- 20. © 2019 Synopsys, Inc.20 Web services API usage API Lifecycle • Twitter API shutdown August 2018 • Google+ shutdown April 2019 • Salesforce API versioning Data usage and control • GDPR data processor vs data controller • Data sovereignty and jurisdiction • Data mashups and inference scenarios Data and privacy breaches • Facebook API tokens • [24]7.io and Delta, Kmart, Sears • Third-party data bleeds • Phone home tracking • CVE-2018-1002105 in Kubernetes API
- 21. © 2019 Synopsys, Inc.21 External factors impacting risk – ah dependencies! • Explicit open source usage –Component origin, security and update process –How is the component linked in the application –Versioning semantics • Implicit open source usage –Component embedded in binary library –Vendor support statements –Vendor data management • Impact of “Point in Time” Decisions –Who tracks and updates cached components? –Community engagement –Development directions
- 22. © 2019 Synopsys, Inc.22 Threat landscape controlled by actors not defenders Threat Agents • Scan networks for weakness using toolkits • Success is a numbers game – zero knowledge of target • Perimeter Defenses can be false positives • Utilize multi-factors for attack reconnaissance Infiltration • Occurs through at least one vector • Creates beachheads supporting infection, C&C and lateral movement • Exploits latent vulnerabilities and misconfigurations Mitigation powered by information flow • Can’t exploit what doesn’t exist • Focus attention on unpatched services • Open source originates from multiple channels and patches must match • Recognizes that attack landscape evolves Global IP Space Managed Systems Accessible Systems Vulnerability Present
- 23. © 2019 Synopsys, Inc.23 Bringing it all together to keep pace
- 24. © 2019 Synopsys, Inc.24 Keeping up requires a strategic security initiative (SSI) Security tools CI/CD DevOps Vulnerabilities Regulatory requirements Product release acceleration Vendors and supply chains Languages, frameworks, architectures Attackers and attacksAgile Open Source Containers
- 25. © 2019 Synopsys, Inc.25 Strategy and planning Measure your SSI to highlight efforts and gaps Maturity Action Plan (MAP) Building Security In Maturity Model (BSIMM)
- 26. © 2019 Synopsys, Inc.26 Addressing AppSec gaps: Outsource Security Ninjas Internal resource capacity Internal resources Outsourced Security Testing Company acquisition Security breach Product release Compliance audit TRIGGERING EVENTS Resource demand
- 27. © 2019 Synopsys, Inc.27 Sec plan code build test release deploy monitoroperate
- 28. © 2019 Synopsys, Inc.28 plan code build test release deploy monitoroperate Central Server Build and Test Environment Integrated Analysis Engines Centralized Management Consolidated Reporting Alerting & Workflow CI/CD and DevOps Integration SaaS/Private Cloud Deployment Code Sight Developer Environment Integrated Local + Central Analysis IDE Plugin IntelliJ, Eclipse, Visual Studio Context-Sensitive eLearning
- 29. © 2019 Synopsys, Inc.29 Security Toolchain – Synopsys Polaris with Code Sight Code Sight IDE Plugins 3 • Invoke analysis • Perform capture and send to platform CI/CD Integration 2 • Run analysis on the platform • Central issue triage and management • Centralized reporting 56 1 • Support all popular IDEs • Incremental, high-fidelity analysis • Local issue triage and management • Check in to SCM and trigger central builds • Complement central scans Polaris Central Server in the Public/Private Cloud Alert and notifications 4
- 30. © 2019 Synopsys, Inc.30 Policies & Standards ARA Software Security Group, Model, and Initiatives Security Training/eLearning Outsource Security Ninjas SCA SAST IAST DAST & Pen Testing plan code build test release deploy monitoroperate Threat Modeling Red Teaming & Pen Testing WAF/RASP
- 31. © 2019 Synopsys, Inc.31 Key takeaways Measure progress against targets and changes in direction • Identify opportunities to reduce business risk with new technologies • Design update mechanisms for resiliency against MITM attacks • Legacy best practices may increase risk when applied to new paradigms Reduce risks of non-compliance • Implement continuous monitoring of all deployed apps, complete with dependency inventory • Reassess point in time decisions and impact of new regulations • Proactively compare running infrastructure against configured infrastructure for deltas Define security targets when selecting components and toolchains • Ensure criteria is understood in Ops, Development and Procurement • Train all development and operations teams to identify changes in risk • Document decisions impacting risk acceptance at all points in the SDLC
- 32. © 2019 Synopsys, Inc.32 Build Secure, High-Quality Software Faster
- 33. © 2019 Synopsys, Inc.33 Embedding security targets within your toolchain Developer Build Test Deploy Production Feedback and Security Monitoring