
New Farming Methods in the Epistemological Wasteland of Application Security






Slide 0

New Farming Methods in the Epistemological Wasteland of Application Security - @wickett


Slide 1

Slides: bit.ly/rdo-farming @wickett #ruggeddevops


Slide 2

James Wickett, Sr. Engineer, Signal Sciences, Austin, TX. Hands-On Gauntlt book. DevOps Days global organizer. LASCON organizer.


Slide 3

Application Security Telemetry and Monitoring, plus Defense! Application Security for the rest of us: an approach that integrates with devops organizations and doesn't inhibit going fast.


Slide 4


Slide 5


Slide 6

Summary: Software development is a constant experiment in knowing. Application Security abdicated runtime responsibility and development responsibility through incoherent philosophical approaches and fostering silo-thinking. Security now is where Ops was 7 years ago; Ops found a path to change through devops, and security can too. There are three ways we can add value: at development, at deploy, at runtime.


Slide 7

Practices:
Bad-Behavior Driven Development
Weaponizing your CD Pipeline
Application Security Telemetry and Monitoring
Continuous Hardening and Audit
Have a S-BOM! (Software Bill of Materials)


Slide 8

Where do we come from


Slide 9

A study in how we know anything in Application Security


Slide 10

Spoiler Alert: We don't!


Slide 11

Once upon a time…


Slide 12

What does it all mean? A Journey to the Epistemological Problem of Software Development


Slide 13

In our Innate Humanness we optimize for the probable


Slide 14

Unit Testing


Slide 15

Integration Testing


Slide 16

Happy Path Engineering


Slide 17

We also optimize for the possible


Slide 18

Over Engineering


Slide 19

The scaling algo that never got used…


Slide 20

There is too much to choose from in the realm of possible


Slide 21

Actually, we optimize for the perceived probable


Slide 22

How do we know what to create?


Slide 23

This is the problem


Slide 24

Epistemological Problem of Software Development


Slide 25

We gather data and rhetoric to support our theories


Slide 26

There are 3 major arcs currently in Software Development


Slide 27

We started as Civil Engineers


Slide 28

First Arc: Agile


Slide 29

Agile avoids the problem


Slide 30

Agile reminds that we don't know what we are building


Slide 31


Slide 32

Behavior Driven Development


Slide 33

Agile + BDD = feedback


Slide 34

"Behavior Driven Development is a second-generation, outside-in, pull-based, multiple-stakeholder, multiple-scale, high-automation, agile methodology. It describes a cycle of interactions with well-defined outputs, resulting in the delivery of working, tested software that matters." - Dan North, 2009


Slide 35

Amplify Feedback Loop


Slide 36

Agile emphasizes feedback to developers from their overlords and sometimes even customers


Slide 37

TLDR; Rapid Iterations Win


Slide 38

Agile is our guiding Light


Slide 39

The world has changed since Agile


Slide 40

We don't sell CD's anymore


Slide 41

Software as a Service


Slide 42

The last fifteen years have brought a complete change in our delivery cadence, distribution mechanisms and revenue models


Slide 43

Second Arc: DevOps


Slide 44

DEVOPS IS THE APPLICATION OF AGILE METHODOLOGY TO SYSTEM ADMINISTRATION - THE PRACTICE OF CLOUD SYSTEM ADMINISTRATION BOOK


Slide 45

DEVOPS


Slide 46

Agile Infrastructure


Slide 47

http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr


Slide 48

Less WIP, Less technical debt


Slide 49

Customers actually using the feature while the developer is working on it


Slide 50

Great side effect: Happy Developers Produce


Slide 51


Slide 52


Slide 53

Devops realized that ops doesn't know what devs know and vice versa


Slide 54

Dev : Ops 10 : 1


Slide 55

DevOps is an Epistemological breakthrough joining people around a common problem


Slide 56

Culture is the most important aspect to devops succeeding in the enterprise - Patrick DeBois


Slide 57

Culture is shaped in part by values


Slide 58


Slide 59

Mutual Understanding
Shared Language
Shared Views
Collaborative Tooling


Slide 60

DEVOPS IS THE INEVITABLE RESULT OF NEEDING TO DO EFFICIENT OPERATIONS IN A [DISTRIBUTED COMPUTING AND CLOUD] ENVIRONMENT. - TOM LIMONCELLI


Slide 61

https://puppetlabs.com/sites/default/files/2015-state-of-devops-report.pdf


Slide 62

TLDR; High-performing IT organizations experience 60X fewer failures and recover from failure 168X faster than their lower-performing peers. They also deploy 30X more frequently with 200X shorter lead times.


Slide 63

Culture, Automation, Measurement, Sharing - @damonedwards, @botchagalupe


Slide 64

Devops gone wrong


Slide 65

“THAT THE WORD #DEVOPS GETS REDUCED TO TECHNOLOGY IS A MANIFESTATION OF HOW BADLY WE NEED A CULTURAL SHIFT” - @PATRICKDEBOIS http://www.slideshare.net/cm6051/london-devops-31-5-years-of-devops


Slide 66

Third Arc: Continuous Delivery


Slide 67

Continuous Delivery is not merely how often you deliver but how little you can deliver at a time


Slide 68

Delivery Pipelines are rad!


Slide 69

Batch Size of 1


Slide 70

Separation of Duties Considered Harmful


Slide 71

Give power to the Developers to deploy


Slide 72

Reduce Code Latency, Increase Code Velocity


Slide 73

3 Arcs: Agile, DevOps, Continuous Delivery


Slide 74

The next Arc: Rugged Security


Slide 75

“…Those stupid developers” - Security person


Slide 76

“Security prefers a system powered off and unplugged” - Developer


Slide 77

Cultural Unrest with security in most organizations


Slide 78

Compliance Driven Culture


Slide 79

“[RISK ASSESSMENT] INTRODUCES A DANGEROUS FALLACY: THAT STRUCTURED INADEQUACY IS ALMOST AS GOOD AS ADEQUACY AND THAT UNDERFUNDED SECURITY EFFORTS PLUS RISK MANAGEMENT ARE ABOUT AS GOOD AS PROPERLY FUNDED SECURITY WORK”


Slide 80

Security is where ops was 7 years ago…


Slide 81

Dev : Ops : Sec 100 : 10 : 1


Slide 82

Understaffing means no one thinks security helps the business win


Slide 83

DevOps changed that for Ops; security can change too


Slide 84

Netflix demonstrated that people care about resiliency


Slide 85

Innately, we all care


Slide 86

Rugged Software Movement


Slide 87

#ruggeddevops


Slide 88

https://vimeo.com/54250716


Slide 89

http://www.youtube.com/watch?v=jQblKuMuS0Y


Slide 90

Security's way forward is to help developers and help operations


Slide 91

Start there


Slide 92

Let's review Security's approach thus far


Slide 93

Bad Idea #1: Applications can't be defended—Web App Firewalls Suck! Let's do developer training


Slide 94


Slide 95


Slide 96

Awareness campaign: OWASP Top Ten


Slide 97

We abandoned knowing anything useful about the Runtime


Slide 98

Instead, Add Defense based on behaviors


Slide 99

Bad Idea #2: Developers can't figure it out. Let's scan for vulnerabilities instead


Slide 100

“here is a 400 page PDF of our findings to prove your developers don't get it!” - The Pen tester


Slide 101

Even with the emphasis on appsec training, in practice we made it a dark art


Slide 102

Integrated rugged testing should sit inside the pipeline


Slide 103

Bad Idea #3: With the new alignment to vulnerability scanning, there is a tendency to Fix the Low-Hanging Fruit


Slide 104


Slide 105

We still don't know who is attacking us


Slide 106

We still don't actually know what they are attacking


Slide 107

Real Threats go Unknown, so Developers fix what the automated tooling detected at a certain point in time


Slide 108

Add Application Security Telemetry


Slide 109

Bad Idea #4: Put in security tooling that no one outside of security can understand


Slide 110

usually in the name of compliance


Slide 111

“Get a Web App Firewall, dude!” - PCI-DSS Req 6.6


Slide 112


Slide 113

Choose your own adventure…


Slide 114

Smallest possible solution you can consider: a WAF…


Slide 115

Our CDN added ModSecurity Ruleset. Huzzah!


Slide 116

An appliance that blocks all the things


Slide 117

And now you wonder why no one eats lunch with you anymore


Slide 118

“every aspect of managing WAFs is an ongoing process. This is the antithesis of set it and forget it technology. That is the real point of this research. To maximize value from your WAF you need to go in with everyone’s eyes open to the effort required to get and keep the WAF running productively.” - a whitepaper from a WAF vendor


Slide 119


Slide 120

OK, Security has to change… How do we add value already?


Slide 121

Two ways!


Slide 122

Add value to Devs. Add value to Ops.


Slide 123

Pray that someone notices


Slide 124


Slide 125

Pro-Tip #1: Bad-Behavior Driven Development (automate those security tools!)


Slide 126

Start with adding just one test for XSS on a few pages in your app


Slide 127


Slide 128

gauntlt is Bad-Behavior Driven Development


Slide 129

GAUNTLT
Open source, MIT License
Gauntlt comes with pre-canned steps that hook security testing tools
Gauntlt does not install tools
Gauntlt wants to be part of the CI/CD pipeline
Be a good citizen of exit status and stdout/stderr


Slide 130


Slide 131


Slide 132


Slide 133

Be Mean to Your Code


Slide 134

Gauntlt uses Cucumber, and it's awesome


Slide 135


Slide 136


Slide 137

Example: here's an XSS attack


Slide 138

    @slow @final
    Feature: Look for cross site scripting (xss) using arachni against a URL

      Scenario: Using arachni, look for cross site scripting and verify no issues are found
        Given "arachni" is installed
        And the following profile:
          | name | value                 |
          | url  | http://localhost:8008 |
        When I launch an "arachni" attack with:
          """
          arachni --modules=xss --depth=1 --link-count=10 --autoredundant=2 <url>
          """
        Then the output should contain "0 issues were detected."
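The attack file on slide 138 is declarative: the profile table supplies values for the <url> placeholder, the command runs, and the "Then" step is an assertion on the tool's output that decides the exit status (the "good citizen of exit status and stdout/stderr" point from slide 129). The following is an added example of a minimal stand-in runner for that shape of file; it is not Gauntlt's code, and the attack file it runs is constructed, with "echo" in place of arachni so that it runs offline.

```python
"""Added example: a minimal stand-in runner for a Gauntlt-style attack file.

Not Gauntlt's code. The attack file below is constructed in the same shape as
the slide's arachni example; its command is "echo" rather than a real scanner
so the example runs offline.
"""
import re
import shlex
import shutil
import subprocess
import sys

# Constructed attack file (same layout as the slide's example).
ATTACK_FILE = '''
@slow @final
Feature: Look for cross site scripting (xss) against a URL

  Scenario: Verify no xss issues are found
    Given "echo" is installed
    And the following profile:
      | name | value                 |
      | url  | http://localhost:8008 |
    When I launch an "echo" attack with:
      """
      echo scanning <url>: 0 issues were detected.
      """
    Then the output should contain "0 issues were detected."
'''


def parse_attack_file(text):
    """Pull the tool name, profile table, command and expectation out of the file."""
    tool = re.search(r'Given "([^"]+)" is installed', text).group(1)
    profile = {}
    for row in re.finditer(r'^\s*\|\s*(\w+)\s*\|\s*([^|]+?)\s*\|\s*$', text, re.M):
        if row.group(1) != "name":          # skip the table header row
            profile[row.group(1)] = row.group(2)
    command = re.search(r'"""\s*\n(.*?)\n\s*"""', text, re.S).group(1).strip()
    expect = re.search(r'Then the output should contain "([^"]+)"', text).group(1)
    return {"tool": tool, "profile": profile, "command": command, "expect": expect}


def substitute(command, profile):
    """Replace <name> placeholders with values from the profile table."""
    return re.sub(r"<(\w+)>", lambda m: profile[m.group(1)], command)


def run_attack(text):
    """Run one attack file; the result carries pass/fail and a CI-friendly exit status."""
    spec = parse_attack_file(text)
    if shutil.which(spec["tool"]) is None:
        # Gauntlt does not install tools: a missing tool is a failed step, not a crash.
        return {"passed": False, "exit_status": 2, "output": "",
                "reason": f'"{spec["tool"]}" is not installed'}
    cmd = substitute(spec["command"], spec["profile"])
    proc = subprocess.run(shlex.split(cmd), capture_output=True, text=True)
    output = proc.stdout + proc.stderr
    passed = spec["expect"] in output
    return {"passed": passed, "exit_status": 0 if passed else 1, "output": output,
            "reason": "" if passed else f'expected "{spec["expect"]}" in output'}


if __name__ == "__main__":
    result = run_attack(ATTACK_FILE)
    print(result["output"].strip())
    if not result["passed"]:
        print("FAIL:", result["reason"], file=sys.stderr)
    sys.exit(result["exit_status"])   # non-zero fails the CI job
```

Swapping the constructed "echo" command for the slide's arachni line is all that changes for a real run; the pass/fail decision stays a plain substring check on the tool's output, which is what makes the file readable to developers who never opened the scanner's documentation.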


Slide 139

http://theagileadmin.com/2015/06/09/pragmatic-security-and-rugged-devops/


Slide 140

github.com/gauntlt/gauntlt-demo


Slide 141

github.com/gauntlt/gauntlt-starter-kit


Slide 142

Hands-on Gauntlt Book: leanpub.com/hands-on-gauntlt


Slide 143

Pro-Tip #2: Put security testing in your continuous integration system


Slide 144


Slide 145


Slide 146

https://speakerdeck.com/garethr/battle-tested-code-without-the-battle


Slide 147

Pro-Tip #3: Add Application Security telemetry to devs and ops


Slide 148

Convert App Security Logs into metrics in the systems dev and ops use: StatsD


Slide 149

Run Time Correlation between biz, ops, dev, sec


Slide 150

SQLi Attempts + HTTP 500's, or login decrease + transaction spikes
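Slides 148 and 150 together describe a pipeline: read the application's own logs, count security-relevant events as StatsD-style counters next to the operational ones, then correlate them per time window so that an injection burst that coincides with a spike in HTTP 500s surfaces as one signal. The following is an added example of that pipeline, not code from the talk or from StatsD; the log lines are constructed, and the SQL-injection heuristic is deliberately coarse (a few textbook patterns) so it should be read as a signal feeding correlation, not as a detector on its own.

```python
"""Added example: app-security log lines -> StatsD-style counters -> per-minute
correlation. Not code from the talk or from StatsD; LOG_LINES are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed access-log lines (Common Log Format). Minute 10:00 contains a
# burst of injection-looking requests that all produced HTTP 500s.
LOG_LINES = [
    '10.0.0.5 - - [09/Jun/2015:10:00:01 +0000] "GET /products?id=42 HTTP/1.1" 200 512',
    '10.0.0.5 - - [09/Jun/2015:10:00:03 +0000] "POST /login HTTP/1.1" 200 128',
    '10.0.0.9 - - [09/Jun/2015:10:00:07 +0000] "GET /products?id=42%27%20OR%201%3D1 HTTP/1.1" 500 0',
    '10.0.0.9 - - [09/Jun/2015:10:00:08 +0000] "GET /products?id=42%20UNION%20SELECT%20null HTTP/1.1" 500 0',
    '10.0.0.9 - - [09/Jun/2015:10:00:09 +0000] "GET /products?id=1%27-- HTTP/1.1" 500 0',
    '10.0.0.7 - - [09/Jun/2015:10:01:02 +0000] "GET /products?id=7 HTTP/1.1" 200 512',
    '10.0.0.7 - - [09/Jun/2015:10:01:05 +0000] "POST /login HTTP/1.1" 200 128',
    'garbage line that does not parse',
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Coarse heuristic: a few textbook injection shapes, applied to the decoded path.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+\w+\s*=\s*\w+", re.I),   # tautology: ' OR 1=1
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),  # union-based probing
    re.compile(r"'\s*--"),                               # quote followed by SQL comment
]


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "minute": when.strftime("%Y-%m-%dT%H:%M"),
            "method": method, "path": unquote(path), "status": int(status)}


def looks_like_sqli(path):
    """True when the decoded request path matches one of the coarse patterns."""
    return any(p.search(path) for p in SQLI_PATTERNS)


def bucket_metrics(lines):
    """Count security and operational events per minute; unparsable lines are skipped."""
    buckets = defaultdict(Counter)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        c = buckets[ev["minute"]]
        c["app.http.requests"] += 1
        c[f"app.http.status.{ev['status']}"] += 1
        if ev["method"] == "POST" and ev["path"] == "/login":
            c["app.auth.login_attempts"] += 1
        if looks_like_sqli(ev["path"]):
            c["app.sec.sqli_attempts"] += 1
    return buckets


def statsd_lines(counter):
    """Render one bucket as StatsD counter datagrams ('name:value|c')."""
    return [f"{name}:{value}|c" for name, value in sorted(counter.items())]


def correlate(buckets, sqli_min=3, error_min=3):
    """Flag minutes where injection attempts and server errors spike together."""
    alerts = []
    for minute in sorted(buckets):
        c = buckets[minute]
        if c["app.sec.sqli_attempts"] >= sqli_min and c["app.http.status.500"] >= error_min:
            alerts.append({"minute": minute, "sqli": c["app.sec.sqli_attempts"],
                           "errors": c["app.http.status.500"]})
    return alerts


if __name__ == "__main__":
    metrics = bucket_metrics(LOG_LINES)
    for minute, counter in sorted(metrics.items()):
        print(minute, " ".join(statsd_lines(counter)))
    for alert in correlate(metrics):
        print("ALERT", alert)
```

The counters are named in the same dotted style ops already uses for request and status metrics, so the security series lands on the same dashboards; the correlation thresholds are fixed here for illustration and would in practice be set against each application's own baseline.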


Slide 151

Instrumentation for Runtime Application Security


Slide 152

Pro-Tip #4: Get hugs from the auditors and add Hardening and Audit using config management


Slide 153

Open Source Hardening Framework: chef/puppet/ansible http://hardening.io/


Slide 154

Run Nightly Audits of your Hardening using Config Management (Chef audit mode) https://www.chef.io/blog/2015/04/09/chef-audit-mode-cis-benchmarks/
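The point of slides 152 to 154 is that hardening is checked continuously, not applied once: a nightly audit compares the live configuration against a baseline and reports drift without changing anything, so auditors get evidence and ops gets a pass/fail signal in the tooling they already run. The following is an added example of such an audit-mode check; it is a stand-in written for this page, not code from Chef audit mode or hardening.io. Both sshd_config fragments and the baseline are constructed, and the baseline is a small illustrative subset rather than a full benchmark.

```python
"""Added example: audit-mode hardening check (report only, never change).
A stand-in for a nightly Chef audit-mode / hardening.io run, not their code.
The config fragments and the baseline below are constructed.
"""

# Illustrative subset of expected sshd_config values.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# Constructed: a config that fails the baseline (root login and passwords on,
# MaxAuthTries left at the daemon's default).
WEAK_SSHD_CONFIG = """
# sshd_config (constructed, weak)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
"""

# Constructed: the same config after hardening.
HARDENED_SSHD_CONFIG = """
# sshd_config (constructed, hardened)
Port 22
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 4
"""


def parse_sshd_config(text):
    """Map keywords to values. sshd honours the first occurrence of a keyword,
    so a later duplicate must not override an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)       # first one wins, like sshd
    return settings


def audit(text, baseline=BASELINE):
    """Return one finding per baseline item; the config is never modified."""
    settings = parse_sshd_config(text)
    findings = []
    for key, expected in baseline.items():
        actual = settings.get(key)
        if actual is None:
            status = "missing"     # absent means the daemon default applies
        elif actual.lower() == expected.lower():
            status = "pass"
        else:
            status = "fail"
        findings.append({"key": key, "expected": expected,
                         "actual": actual, "status": status})
    return findings


def exit_status(findings):
    """0 when everything passes; 1 if any item fails or is missing."""
    return 0 if all(f["status"] == "pass" for f in findings) else 1


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        results = audit(cfg)
        print(f"== {label}: exit status {exit_status(results)}")
        for f in results:
            print(f"  {f['status']:7} {f['key']} expected={f['expected']} actual={f['actual']}")
```

Treating a missing keyword as a finding rather than a pass is the deliberate choice here: an audit that only checks keys which are present would report a clean result on a config that silently relies on daemon defaults. Match blocks in sshd_config are out of scope for this stand-in; a real audit tool evaluates them per host or user.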


Slide 155

OS and Config Management


Slide 156

Reverse the trend: Add Value to Devs, Add Value to Ops


Slide 157

Summary: Software development is a constant experiment in knowing. Application Security abdicated runtime responsibility and development responsibility through incoherent philosophical approaches and fostering silo-thinking. Security now is where Ops was 7 years ago; Ops found a path to change through devops, and security can too. There are three ways we can add value: at development, at deploy, at runtime.


Slide 158

Practices:
Bad-Behavior Driven Development
Weaponizing your CD Pipeline
Application Security Telemetry and Monitoring
Continuous Hardening and Audit
Have a S-BOM! (Software Bill of Materials)


Slide 159

