Maginot Line: Common AppSec Anti-Patterns
© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES

Posted on 10-Aug-2020

3 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Maginot Line - Amazon Web Services · 1 © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES Maginot Line Common AppSec Anti-Patterns

© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES1 © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES

Maginot LineCommon AppSec Anti-Patterns

Page 2

Who am I? (@PeteChestna)

• 27+ Years Software Development Experience

• 12+ Years Application Security Experience

• Certified Agile Product Owner and Scrum Master

• At current employer since 2006
  – From Waterfall to Agile to DevOps
  – From Monolith to MicroService
  – Consultant on DevSecOps best practices

• Fun Fact: I love whiskey!
  – Tell me where to drink local whiskey

Page 3

Agenda

• InfoSec vs. AppSec maturity

• Common anti-patterns

• Practical solutions

Page 4

InfoSec vs. AppSec

Page 5

InfoSec

Page 6

AppSec

Page 7

AppSec Anti-Patterns

Pages 8-12

AP: The Goal?

[Diagram: a loop of Develop, Find, Track, Fix, Re-test, branching on Bug / No Bug]

Page 13

Measurement is Key

Page 14

Training and Awareness

Page 15

Train Yourself on the Process

Page 16

Help them fix what they find

Pages 17-18

AP: Security Mandate

Page 19

Relationships

Page 20

Mutual Accountability

Page 21

AP: What Open Source?

Healthcare Provider

How: Targeted a flaw in OpenSSL, CVE-2014-0160, better known as Heartbleed

Result: The theft of Social Security Numbers and other personal data belonging to 4.5 million patients

Financial Institution

How: Hackers exploited a known vulnerability in an open source component

Result: Social Security Numbers and personal data for more than 143 million Americans stolen. Three executives lose their jobs.

Page 22

Built Mostly from Components

80% to 95% of modern apps consist of assembled components.

[Diagram: a single Proprietary Code block surrounded by many Open Source blocks]

Page 23

Open Source – More or Less Secure?

• The defect rate in open source is no better or worse than in first-party code

• The difference is that developers never revisit it

• Integrated and abandoned

• It’s not a problem until a vulnerability is discovered

Page 24

Integrated and Abandoned Explicitly – Struts

Page 25

Integrated and Abandoned Implicitly – Apache Commons Collections

Page 26

Component Family Tree – Apache Commons Collections (ACC) 3.2.1

Apache Commons Collections 3.2.1 (1290)

[Diagram: dependency tree rooted at ACC 3.2.1; the figures in parentheses are the counts shown on the slide]

  – Apache Commons BeanUtils (1348), Spring Web (1779), Spring Framework (501), ...
  – Core Hibernate ORM Functionality (1185), Spring TestContext Framework (3007), Spring Web MVC (1314), ...
  – Apache Commons Configuration (803), Hadoop Core (399), SonarQube Plugin API (262), ...
  – Apache Velocity (748), Spring Context Support (916), SnakeYAML (519), ...

Within 5 generations, 80,323 components contain ACC 3.2.1

The components are then used in millions of software applications

>26% of software applications had ACC 3.2.1

50.3% of software applications had some vulnerable version of ACC

Page 27

AP: What Open Source? Strategy: Security Champions

Page 28

AP: What Open Source? Strategy: Assess MTTR

• How quickly can you ship a code change?

• For each application:
  – Methodology
  – Test automation
  – Time to deploy
  – CI/CD?
  – Minutes/Hours/Days/Weeks?

Page 29

AP: What Open Source? Strategy: OSS Incident Response Plan

• Monitor for new CVEs

• Triage each CVE based on:
  – Database of applications
  – CVSS score
  – Known exploit

• Disseminate to champions
  – Vulnerability assessment
  – Remediation plan
  – Notification of remediation or mitigation
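The following Python script is an added example, not code from the slides or from Veracode: it runs one pass of the incident response plan above (monitor, triage, disseminate) over a constructed inventory that also stands in for the "component family tree" from the ACC 3.2.1 slide, so a new CVE against a library five generations down is still traced to the applications that ship it. Every component name, dependency edge, application, champion, CVE identifier and priority threshold below is an assumption made up for the illustration.

```python
"""Added example (not from the slide deck): one pass of the OSS incident
response plan, run over a constructed inventory that stands in for the
"component family tree" and "database of applications" the slides describe.

Everything below is an assumption for illustration: the component and
application names, the dependency edges, the champion roster and the
priority thresholds do not come from the slides or from any real project."""
from collections import deque
from dataclasses import dataclass

# Constructed component graph: component -> components that depend on it directly.
# "acc:3.2.1" plays the role of the vulnerable library at the root of the tree.
DEPENDENTS = {
    "acc:3.2.1": {"beanlib:1.9", "configlib:1.10"},
    "beanlib:1.9": {"webfw:4.3"},
    "configlib:1.10": {"bigdata-core:1.2"},
    "webfw:4.3": {"webmvc:4.3"},
    "bigdata-core:1.2": set(),
    "webmvc:4.3": set(),
    "yamllib:1.17": set(),
}

# Constructed application database: which components each application ships,
# and which security champion owns each application.
APPLICATIONS = {
    "billing-portal": {"webmvc:4.3", "yamllib:1.17"},
    "etl-jobs": {"bigdata-core:1.2"},
    "status-page": {"yamllib:1.17"},
}
CHAMPIONS = {"billing-portal": "alice", "etl-jobs": "bob", "status-page": "alice"}


@dataclass
class Cve:
    cve_id: str        # placeholder identifier, not a real CVE number
    component: str     # affected component, as keyed in DEPENDENTS
    cvss: float
    known_exploit: bool


def transitive_dependents(component, dependents=DEPENDENTS, max_generations=5):
    """Breadth-first walk up the tree: every component that contains `component`
    directly or transitively, within `max_generations` hops, mapped to its
    generation (the vulnerable component itself is generation 0)."""
    generation = {component: 0}
    queue = deque([component])
    while queue:
        current = queue.popleft()
        if generation[current] >= max_generations:
            continue
        for child in dependents.get(current, ()):
            if child not in generation:
                generation[child] = generation[current] + 1
                queue.append(child)
    return generation


def affected_applications(component, applications=APPLICATIONS, dependents=DEPENDENTS):
    """Applications that ship the component itself or any of its dependents.
    This is the "integrated and abandoned implicitly" case: an application may
    never have chosen the component, only something that drags it in."""
    carriers = set(transitive_dependents(component, dependents))
    return sorted(app for app, shipped in applications.items() if shipped & carriers)


def triage(cve, applications=APPLICATIONS, dependents=DEPENDENTS):
    """Priority from the slide's three inputs: the application database (is it
    shipped anywhere?), the CVSS score and whether an exploit is known.
    The thresholds are assumed; tune them to your own risk appetite."""
    apps = affected_applications(cve.component, applications, dependents)
    if not apps:
        return "no-action", apps
    if cve.known_exploit or cve.cvss >= 9.0:
        return "P1", apps
    if cve.cvss >= 7.0:
        return "P2", apps
    return "P3", apps


def notifications(cve, champions=CHAMPIONS, **kwargs):
    """Group the affected applications by champion so each person gets one
    message listing what they own, with the priority attached."""
    priority, apps = triage(cve, **kwargs)
    by_champion = {}
    for app in apps:
        by_champion.setdefault(champions.get(app, "unassigned"), []).append(app)
    return priority, by_champion


if __name__ == "__main__":
    incoming = [  # constructed feed of "new CVEs"
        Cve("CVE-EXAMPLE-0001", "acc:3.2.1", 7.5, True),
        Cve("CVE-EXAMPLE-0002", "yamllib:1.17", 5.0, False),
        Cve("CVE-EXAMPLE-0003", "unused-lib:0.1", 10.0, True),
    ]
    for cve in incoming:
        priority, by_champion = notifications(cve)
        print(f"{cve.cve_id} {cve.component} cvss={cve.cvss} exploit={cve.known_exploit}"
              f" -> {priority} {by_champion}")
```

The point of keeping `transitive_dependents` separate from `triage` is the slide's own lesson: the application database is only useful if it records transitive components, so a CVE against a library nobody picked deliberately still lands on the right champion's desk, while a critical CVE in a component no application ships produces no work at all.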

Page 30

Conclusions

Page 31

Thank you