SecDevOps: Development Tools for Security Pros
TRANSCRIPT
© 2015 Denim Group – All Rights Reserved
This presentation contains information about DHS-funded research:
Topic Number: H-SB013.1-002 - Hybrid Analysis Mapping (HAM)
Proposal Number: HSHQDC-13-R-00009-H-SB013.1-002-0003-I
My Background
• Dan Cornell, founder and CTO of Denim Group
• Software developer by background (Java, .NET, etc)
• OWASP San Antonio
Denim Group Background
• Secure software services and products company
  • Builds secure software
  • Helps organizations assess and mitigate risk of in-house developed and third party software
  • Provides classroom training and e-Learning so clients can build software securely
• Software-centric view of application security
  • Application security experts are practicing developers
  • Development pedigree translates to rapport with development managers
  • Business impact: shorter time-to-fix application vulnerabilities
• Culture of application security innovation and contribution
  • Develops open source tools to help clients mature their software security programs
  • Remediation Resource Center, ThreadFix
  • OWASP national leaders & regular speakers at RSA, SANS, OWASP, ISSA, CSI
  • World class alliance partners accelerate innovation to solve client problems
An InfoSec Perspective on Developers
“If these developers would just stop writing such sh*tty code, all our lives would be a lot better”
- Some Security Curmudgeon, BSides Austin, 2011
The Curmudgeon
Don’t Be a Jerk; Perhaps Try Some Empathy
Developers And Overzealous InfoSec Folks
Get Your Mind Right
“My true religion is Kindness”
- Kindness, Clarity and Insight, 1984
“I feel that the essence of spiritual practice is your attitude toward others”
- Catherine Ingram interview, 1988
Get Your Mind Right
• What are the true risks to your business?
  • Physical, financial, strategic
  • Not just information assets
• How well are developers’ activities aligned with the business?
  • Features, functions, timelines
Empathy and Compassion
“I believe all suffering is caused by ignorance”
- Nobel acceptance speech, 1989
“Compassion and tolerance are not a sign of weakness, but a sign of strength”
- Words of Wisdom, 2001
Empathy and Compassion
• What are your developers actually doing?
• Why are they doing it?
• How can you support them and advance your goals?
If His Holiness the Dalai Lama Isn’t Tough Enough
Understand Developer Tools
• Workload tracking (defect trackers, change management)
• Coding (IDE)
• Automation and orchestration (continuous integration)
• Testing (unit tests, acceptance tests)
• Metrics
ThreadFix: Accelerate Software Remediation
ThreadFix is a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems.
• Open source vulnerability management and aggregation platform:
  • Allows software security teams to reduce the time to remediate software vulnerabilities
  • Enables managers to speak intelligently about the status / trends of software security within their organization
• Features/Benefits:
  • Imports dynamic, static and manual testing results into a centralized platform
  • Removes duplicate findings across testing platforms to provide a prioritized list of security faults
  • Eases communication across development, security and QA teams
  • Exports prioritized list into defect tracker of choice to streamline software remediation efforts
  • Auto generates web application firewall rules to protect data during vulnerability remediation
  • Empowers managers with vulnerability trending reports to pinpoint issues and illustrate application security progress
  • Benchmark security practice improvement against industry standards
• Freely available under the Mozilla Public License (MPL) 2.0
  • Download available at: www.denimgroup.com/threadfix
What Can We Do With ThreadFix?
• Create a consolidated view of your applications and vulnerabilities
• Prioritize application risk decisions based on data
• Translate vulnerabilities to developers in the tools they are already using
Application Portfolio Tracking
• Track multiple “Teams”
  • Arbitrary distinction: geography, line of business, common tools and practices
• Track multiple “Applications” per “Team”
  • Unit of scanning or testing
• Track Application metadata
  • Criticality, hosted URL, source code location
• Reporting can be done at the organization, Team or Application level
Demo: Application Portfolio Tracking
Fill ThreadFix Up With Vulnerability Data
• Manual file upload
• REST API
  • https://github.com/denimgroup/threadfix/wiki/Threadfix-REST-Interface
• Command Line Interface (CLI)
  • https://github.com/denimgroup/threadfix/wiki/Command-Line-Interface
  • JAR can also be used as a Java REST client library
• Jenkins plugin
  • Contributed from the ThreadFix community (yeah!)
  • https://github.com/automationdomination/threadfix-plugin
What Does ThreadFix Do With Scan Results
• Diff against previous scans with the same technology
  • What vulnerabilities are new?
  • What vulnerabilities went away?
  • What vulnerabilities resurfaced?
• Findings marked as false positive are remembered across scans
  • Hopefully saving analyst time
• Normalize and merge with other scanners’ findings
  • SAST to SAST
  • DAST to DAST
  • SAST to DAST via Hybrid Analysis Mapping (HAM)
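The scan diff and false-positive memory described on this slide, as an added example written for this transcript (not ThreadFix's own merge code). It assumes a finding is keyed by the tuple (vulnerability type, URL path, parameter) across scans from the same tool, and the scans below are constructed sample data:

```python
# Constructed sample scans from the same DAST tool, oldest first. The
# (type, path, parameter) key is an assumed identity, not ThreadFix's.
SCAN_HISTORY = [
    {("XSS", "/search", "q"), ("SQLi", "/login", "user"), ("XSS", "/profile", "name")},
    {("XSS", "/search", "q"), ("SQLi", "/login", "user"), ("CSRF", "/transfer", "")},
]
CURRENT_SCAN = {
    ("XSS", "/search", "q"), ("XSS", "/profile", "name"),
    ("CSRF", "/transfer", ""), ("Open Redirect", "/go", "url"),
}
# Marked by an analyst after the second scan; must not become work again.
FALSE_POSITIVES = {("CSRF", "/transfer", "")}


def diff_scans(history, current, false_positives):
    """Classify the newest scan against earlier scans from the same technology.

    history: earlier scans, oldest first, each a set of finding keys.
    current: the newest scan, a set of finding keys.
    false_positives: keys an analyst marked false positive in any prior scan.
    Returns the buckets a triage view would show: new, resurfaced, resolved,
    unchanged, and suppressed (reported again but remembered as false positive).
    """
    previous = history[-1] if history else set()
    ever_seen = set().union(*history) if history else set()
    active = current - false_positives           # remembered FPs never resurface as work
    return {
        "new": active - ever_seen,                      # first appearance of this finding
        "resurfaced": (active & ever_seen) - previous,  # seen before, went away, now back
        "resolved": (previous - current) - false_positives,  # gone since the last scan
        "unchanged": active & previous,                 # still open, still real
        "suppressed": current & false_positives,        # scanner still reports it; ignored
    }
```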
Demo: Vulnerability Merge
Hybrid Analysis Mapping (HAM)
• Initial research funded by the US Department of Homeland Security (DHS) Science and Technology (S&T) Directorate via a Phase 1 and (now) Phase 2 Small Business Innovation Research (SBIR) contract
  • Acronyms!
• Initial goal: SAST to DAST merging
  • Results: That, plus other stuff
Demo: Merging Static and Dynamic Scanner Results
Demo: De-Duplicate Dynamic RESTful Scanner Results
Translate vulnerabilities to developers in the tools they are already using
How Do Developers Manage Their Workload?
Hint: Not With These…
How Do Developers Manage Their Workload?
Actually With These
Mapping Vulnerabilities to Defects
• 1:1 mapping is (usually) a horrible idea
  – 500 XSS turned into 500 defects?
  – If it takes longer to administer the bug than it does to fix the code…
• Cluster like vulnerabilities
  – Using the same libraries / functions
  – Cut-and-paste remediation code
  – Be careful about context-specific encoding
• Combine by severity
  – Especially if they are cause for an out-of-cycle release
• Which developer “owns” the code?
Defect Tracker Integration
• Bundle multiple vulnerabilities into a defect
  • Using standard filtering criteria
• ThreadFix periodically updates defect status from the tracker
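The clustering idea from “Mapping Vulnerabilities to Defects” and the bundling from this slide, as an added example written for this transcript (not ThreadFix's defect tracker code). It assumes normalized findings carry a type, severity, source file and line, and uses (severity, type, file) as the bundling criterion with a cap so one ticket never swallows 500 findings; the findings are constructed sample data:

```python
from collections import defaultdict

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Info": 4}

# Constructed sample findings, as a scanner import might look after normalization.
SAMPLE_FINDINGS = [
    {"type": "XSS", "severity": "High", "file": "SearchController.java", "line": 42},
    {"type": "XSS", "severity": "High", "file": "SearchController.java", "line": 77},
    {"type": "XSS", "severity": "High", "file": "SearchController.java", "line": 91},
    {"type": "XSS", "severity": "High", "file": "ProfileController.java", "line": 15},
    {"type": "SQL Injection", "severity": "Critical", "file": "UserDao.java", "line": 120},
]


def bundle_into_defects(findings, max_per_defect=25):
    """Cluster like findings into defect bundles instead of filing one defect each.

    Findings with the same severity and type in the same source file share a
    defect (they usually share a fix, though context-specific encoding still
    has to be checked per sink). Bundles are capped at max_per_defect so a
    single ticket stays reviewable. Returns defects most severe first, so
    anything that might force an out-of-cycle release is at the top.
    """
    clusters = defaultdict(list)
    for f in findings:
        clusters[(f["severity"], f["type"], f["file"])].append(f)

    defects = []
    for (severity, vuln_type, path), members in clusters.items():
        members = sorted(members, key=lambda f: f["line"])
        for start in range(0, len(members), max_per_defect):
            chunk = members[start:start + max_per_defect]
            defects.append({
                "title": f"{vuln_type} x{len(chunk)} in {path}",
                "severity": severity,
                "findings": chunk,        # developers get every line, in one ticket
            })
    defects.sort(key=lambda d: (SEVERITY_RANK[d["severity"]], d["title"]))
    return defects
```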
Demo: Defect Tracker Integration
Where Do Developers Actually Spend Their Time?
IDE Plug Ins
• Import vulnerability data to integrated development environments (IDEs)
• Static (SAST) scanners
  • Easy
• Dynamic (DAST) scanners
  • Possible using Hybrid Analysis Mapping (HAM)
Map Dynamic Scan Results to LoC in IDE
How Do Developers Know Their Software Works?
Get Security Testing Included In Builds
• Developers and QA are already running tools (hopefully)
  • Embrace what they are doing and expand to include security
• Why?
  • Reduce Mean Time To Identify (MTTI)
    • Difference between when the vulnerability is introduced and when it is found
  • Reduce Mean Time To Fix (MTTF)
    • Easier to fix vulnerabilities in code that is top-of-mind
ThreadFix Jenkins Plugin
https://wiki.jenkins-ci.org/display/JENKINS/ThreadFix+Plugin
Taking Advantage of Selenium Tests
• Use them to seed dynamic scanning
  • Improve your crawl, get better coverage
• Great opportunity to interact with development teams
https://community.rapid7.com/community/appspider/blog/2015/07/07/fix-security-defects-earlier-with-appspider-and-selenium-integration
http://www.continuumsecurity.net/bdd-intro.html
SecDevOps with ThreadFix
What does your pipeline look like?
http://www.slideshare.net/mtesauro/mtesauro-keynote-appseceu
http://www.slideshare.net/denimgroup/rsa2015-blending-theautomatedandthemanualmakingapplicationvulnerabilitymanagementyourally
https://blog.samsungsami.io/development/security/2015/06/16/getting-security-up-to-speed.html
What Metrics Do Developers Track?
• Usually focused on quality
  • Defect density: defects per kilo-line-of-code (KLoC)
• Make the security backlog show up alongside the actual backlog
SonarQube Integration
• Pull security vulnerabilities into the backlog being tracked in SonarQube
• Can be used:
  • Via ThreadFix server
  • Analyzing local files (no need for a ThreadFix server installation)
• Essentially a universal security tool plugin for SonarQube
So What?
• Don’t be a jerk; empathize
  • Also remember that you’re outnumbered and probably outgunned
• Be like the Dalai Lama (or a Green Beret)
  • Get to know developers, their tools, and their processes
  • Look for opportunities to influence the conversation
• How can you use these tools to further security goals?
  • Frame what you want (“fix vulnerabilities”, “write secure code”) in their terms
  • Check with your security vendors: do they integrate with developer tools?
Important Links
• Main ThreadFix website: www.threadfix.org
  • General information, downloads
• ThreadFix GitHub site: www.github.com/denimgroup/threadfix
  • Code, issue tracking
• ThreadFix GitHub wiki: https://github.com/denimgroup/threadfix/wiki
  • Project documentation
• ThreadFix Google Group: https://groups.google.com/forum/?fromgroups#!forum/threadfix
  • Community support, general discussion
Questions / Contact Information
Dan Cornell
Principal and [email protected]
@danielcornell
(844) 572-4400
www.denimgroup.com
www.threadfix.org