be mean to your code: rugged development & you
DESCRIPTION
Writing code that works is hard. Writing rugged code that can stand the test of time is even harder. This difficulty is often compounded by crunched timelines and fast cycles that prioritize new features. Add in evolving business needs and new technology, and it becomes confusing to know what to do and how to integrate security into your application. This talk brings together advice and tools from top developers and application security practitioners to help you ruggedize your end-to-end development lifecycle, from code commit to running system. You will learn pragmatic approaches and tooling that affect your development processes, delivery pipelines and even the operational runtime. You will walk away with solutions you can put into practice right away, and you will also be armed with rugged anti-patterns to help you identify what to change.
TRANSCRIPT
BE MEAN TO YOUR CODE: RUGGED DEVELOPMENT & YOU
MATT JOHANSEN JAMES WICKETT
@mattjay
The Beard of Destiny
Gauntlt Cheerleader
Head of WhiteHat Threat Research Center
BlackHat, DEFCON, RSA, SXSW, more++
@wickett
Gauntlt Project Lead
Founder of LASCON
Sr. Engineer at Signal Sciences
#RUGGEDCODE
AUDIENCE SURVEY
Cloud or Metal?
DevOps? Agile? Flavors?
How does code get to production?
How often do you do code changes?
Do you do security testing in the build/deploy pipeline?
PRINCIPLES FOR A MODERN SECURITY TEAM
OSSM
On Demand
Scalable
Self-Service
Measured
Source: Dave Neilsen
OLD DECISION MATRIX
Function
Features
Gartner Magic Quadrant
Trial Eval
TCO
NEW DECISION MATRIX
API and Integrations
Service Billing
Half Decent?
PLAY NICE AND INTEGRATE WITH OTHERS
PRINCIPLE #1
PEOPLE, PROCESS, TECHNOLOGY
INFLUENCE THE PEOPLE
PRINCIPLE #2
DEVOPS
CAMS
Culture
Lean*
Automation
Measurement
Sharing
Source: @botchagalupe @damonedwards
WHAT WE VALUE IS DETERMINED BY OUR CULTURE
PRINCIPLE #3
CONTINUOUS DELIVERY IS KING
PRINCIPLE #4
THERE ARE TWO PATHS TO WINNING FOR SECURITY
THE DEVELOPMENT AND BUILD PIPELINE
OPERATIONAL RUNTIME STATE AND MONITORING
WE ARE FOCUSING ON THE DEV/BUILD PIPELINE IN THIS PRESENTATION
DETECT AND FIX IN DEVELOPMENT
WHY DOES THIS MATTER?
VULNERABLE CODE IS EVERYWHERE
HOW DO I FIX XSS?
GOOD: INPUT SANITIZATION [XSS]
BLACKLIST :( [XSS]
WHITELIST :) [XSS]
BETTER: OUTPUT ENCODING [XSS]
< > BECOME &lt; &gt; [XSS]
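The XSS slides above contrast a blacklist, a whitelist and output encoding without showing code. The following is an added example written for this page, not code from the talk: a naive denylist that strips `<script>` tags, an allowlist check for a username field, and output encoding of the same untrusted values with Python's standard-library `html.escape`. The sample payloads, the username policy and the `<p>Hello, ...</p>` template are constructed for the demo.

```python
import html
import re

# Constructed sample inputs for the demo (not from the slides).
PAYLOADS = [
    "<script>alert(1)</script>",
    "<ScRiPt>alert(1)</ScRiPt>",          # case variation slips past a lowercase-only denylist
    '<img src=x onerror="alert(1)">',     # no <script> tag at all, still executes
    "<scr<script>ipt>alert(1)</script>",  # a single-pass strip reassembles the tag
    "O'Brien & Sons",                     # legitimate input that must render intact
]

# Username policy for the allowlist example (an assumption for this demo).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def blacklist_sanitize(value: str) -> str:
    """The :( approach: strip the one tag we thought of.
    Every payload above except the first survives in some executable form."""
    return re.sub(r"</?script>", "", value)


def is_valid_username(value: str) -> bool:
    """The :) approach: validate input against what the field legitimately needs
    and reject everything else, instead of trying to enumerate badness."""
    return USERNAME_RE.fullmatch(value) is not None


def render_greeting_blacklist(value: str) -> str:
    """'Before': untrusted data lands in HTML after denylist filtering only."""
    return f"<p>Hello, {blacklist_sanitize(value)}</p>"


def render_greeting_encoded(value: str) -> str:
    """'After': encode for the HTML context at output time, so
    < > & " ' become &lt; &gt; &amp; &quot; &#x27; and can never start markup."""
    return f"<p>Hello, {html.escape(value, quote=True)}</p>"


def untrusted_part_is_inert(rendered: str) -> bool:
    """Check: nothing the user controlled can open a tag or break out of an
    attribute. Only the fixed <p></p> wrapper may contain raw angle brackets."""
    inner = rendered.removeprefix("<p>Hello, ").removesuffix("</p>")
    return not any(ch in inner for ch in "<>\"'")


if __name__ == "__main__":
    for p in PAYLOADS:
        before = render_greeting_blacklist(p)
        after = render_greeting_encoded(p)
        print(repr(p))
        print("  blacklist:", before,
              "(inert)" if untrusted_part_is_inert(before) else "(unencoded chars remain)")
        print("  encoded:  ", after,
              "(inert)" if untrusted_part_is_inert(after) else "(unencoded chars remain)")
```

Allowlisting belongs at the input boundary for fields whose shape you know (usernames, IDs, dates); output encoding belongs at every sink, because the same value may later be rendered in a context the input filter never anticipated. `html.escape` is correct for HTML body and quoted-attribute contexts only; JavaScript, URL and CSS contexts each need their own encoder.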
SQL INJECTION [SQLi]
CREDIT: XKCD
HOW DO I FIX IT? [SQLi]
PARAMETERIZED QUERIES [SQLi]
PARAMETERIZED QUERIES (PHP) [SQLi]
PARAMETERIZED QUERIES (JAVA) [SQLi]
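The slides show parameterized queries in PHP and Java, but the transcript does not carry that code. The following is an added example, not from the talk, using Python's standard-library `sqlite3` so it runs offline: the same login check written by string concatenation (the vulnerable form) and with bound parameters, exercised against an injected username. The users table, the two accounts and the `admin' --` payload are constructed for the demo; the SHA-256 password hashing stands in for a real salted, slow KDF so the example stays focused on query construction.

```python
import hashlib
import sqlite3


def _hash(password: str) -> str:
    # Demo only: a real system uses a salted, slow KDF (bcrypt, scrypt, Argon2).
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory database with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("admin", _hash("hunter2")), ("alice", _hash("correct-horse"))],
    )
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """'Before': user input is spliced into the SQL text, so it can change the
    query's structure. A username of  admin' --  comments out the password check."""
    query = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password_hash = '" + _hash(password) + "'"
    )
    return conn.execute(query).fetchone() is not None


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """'After': the SQL text is fixed; the driver sends values separately, so a quote
    or comment sequence in the username is just data to compare against."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password_hash = ?",
        (username, _hash(password)),
    ).fetchone()
    return row is not None


DB = make_db()

if __name__ == "__main__":
    for user, pw in [("admin", "hunter2"), ("admin' --", "wrong"), ("' OR 1=1 --", "x")]:
        print(f"{user!r:16} vulnerable={vulnerable_login(DB, user, pw)} "
              f"parameterized={safe_login(DB, user, pw)}")
```

The same rule applies to every driver the slides' PHP and Java examples stand for: the placeholder syntax differs (`?`, `:name`, `$1`), but the query text must never be assembled from request data. Identifiers such as table or column names cannot be parameterized and need an allowlist instead.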
CROSS SITE REQUEST FORGERY [CSRF]
HOW DO I FIX IT? [CSRF]
TOKENS! [CSRF]
IMAGE CREDIT: DOTNETBIPS.COM
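"Tokens!" is the whole answer on the slide. The following added example (written for this page, not the talk's code) shows the synchronizer-token pattern that answer refers to: a per-session secret generated server-side, embedded in the form, and checked in constant time on the state-changing request. The `/transfer` endpoint, the session dictionary standing in for a server-side session store, and the attacker's forged form are all constructed for the demo.

```python
import hmac
import secrets
from typing import Dict, Tuple


def issue_csrf_token(session: Dict[str, str]) -> str:
    """One unguessable token per login session, kept server-side and emitted into
    every state-changing form. A page on evil.example can make the victim's browser
    send the session cookie, but it cannot read this value out of the victim's page."""
    token = session.get("csrf_token")
    if token is None:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        session["csrf_token"] = token
    return token


def render_transfer_form(session: Dict[str, str]) -> str:
    token = issue_csrf_token(session)  # token_urlsafe yields [A-Za-z0-9_-], safe to embed
    return (
        '<form method="POST" action="/transfer">\n'
        f'  <input type="hidden" name="csrf_token" value="{token}">\n'
        '  <input name="to"> <input name="amount"> <button>Send</button>\n'
        "</form>"
    )


def handle_transfer(session: Dict[str, str], form: Dict[str, str]) -> Tuple[int, str]:
    """Server side of POST /transfer. Reject before doing anything with the request
    unless the submitted token matches the one bound to this session."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    # Compare on bytes in constant time so a timing side channel cannot leak the token.
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {form['amount']} to {form['to']}"


def forged_request_from_evil_site() -> Dict[str, str]:
    """Constructed attacker form: the victim's browser attaches the session cookie
    automatically, but the attacker has no way to fill in csrf_token."""
    return {"to": "mallory", "amount": "1000"}


if __name__ == "__main__":
    victim_session: Dict[str, str] = {}
    print(render_transfer_form(victim_session))
    legit = {"csrf_token": victim_session["csrf_token"], "to": "bob", "amount": "10"}
    print(handle_transfer(victim_session, legit))                        # 200
    print(handle_transfer(victim_session, forged_request_from_evil_site()))  # 403
```

Bind the token to the session, not to the user across sessions, and rotate it at login. Cookies with the `SameSite` attribute are a useful second layer in current browsers, but the token check is what the server can actually rely on.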
AGAIN… VULNERABLE CODE IS EVERYWHERE
GETS FIXED SLOWLY
…IF EVER
OWASP TOP 10
YOU HAVE A BUILD PIPELINE
TELL ME MORE ABOUT HOW SPECIAL YOU ARE
GAUNTLT
BUILT ON CUCUMBER
GAUNTLT PRINCIPLES AND PHILOSOPHY
• Gauntlt comes with pre-canned steps that hook security testing tools
• Gauntlt does not install tools
• Gauntlt can be part of the CI/CD pipeline
• Be a good citizen of exit status and stdout/stderr
• MIT Open Source License
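An added example of a Gauntlt attack file in the Cucumber/Gherkin format the principles above describe; it is written for this page and is not the contents of the talk's own lab files. It assumes `curl` is already installed (Gauntlt will not install it) and an application under test listening at http://localhost:8008, both assumptions. The file name and the header expectations are illustrative.

```gherkin
# example.attack (hypothetical name); run with:  gauntlt example.attack
# Gauntlt exits non-zero when any step fails, which is what fails the CI job.
Feature: Fail the build when the application misbehaves

  Scenario: The home page carries basic security headers
    Given "curl" is installed
    And the following profile:
      | name | value                 |
      | host | http://localhost:8008 |
    When I launch a "curl" attack with:
      """
      curl -sI <host>/
      """
    Then the output should contain:
      """
      X-Frame-Options
      """
    And the output should not contain:
      """
      X-Powered-By
      """

  Scenario: The home page does not leak an e-mail address
    Given "curl" is installed
    And the following profile:
      | name | value                 |
      | host | http://localhost:8008 |
    When I launch a "curl" attack with:
      """
      curl -s <host>/
      """
    Then the output should not contain:
      """
      @example.com
      """
```

The `Given "curl" is installed` step is the "does not install tools" principle in practice: the run aborts with a clear message if the tool is missing rather than silently passing. Because Gauntlt reports through exit status and stdout/stderr, the same file can be invoked from a Rakefile, a `.travis.yml` script step, or any other CI runner without wrapper logic.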
GAUNTLT RESOURCES
• Google Group > https://groups.google.com/d/forum/gauntlt
• Wiki > https://github.com/gauntlt/gauntlt/wiki
• Twitter > @gauntlt
• IRC > #gauntlt on freenode
• Issue tracking > http://github.com/gauntlt/gauntlt
./velocity/lab_3/.travis.yml
./Rakefile
./test/attacks/email_leakage.attack
./test/attacks/backdoors.attack
./test/attacks/sql_injection.attack
DEMO
@MATTJAY @WICKETT