Defending Your Code Against Cyber-Attacks: Developing Secure Applications
October 8, 2019
Welcome!
Deb Snyder, NYS ITS CISO

Secure Coding
Tyler Wrightson, Leet Cyber Security
@tbwrightson
Agenda
1. Why secure coding matters
2. Top Injection Vulnerabilities
"Know thyself and... know thy enemy!" - Sun Tzu
Agenda – Why Secure Coding Matters
(Chart: threat actors - Criminal, Hacktivist, Script Kiddie, Hacker, CyberCrime Org - plotted against technical skill.)
Agenda – Top Injection Vulnerabilities
"Top" is tough to define: it should be based on a risk assessment at your own organization.
Injection is an attacker's attempt to send data to an application in a way that will
change the meaning of commands being sent to an interpreter. For example,
the most common example is SQL injection, where an attacker sends "101 OR
1=1" instead of just "101". When included in a SQL query, this data changes
the meaning to return ALL records instead of just one.
https://www.owasp.org/index.php/Injection_Theory
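The "101 OR 1=1" case from the OWASP text, run end to end as an added example (this is not code from the slides or from OWASP). The table, its three rows and the two lookup functions are constructed here for illustration; the database is an in-memory SQLite instance, so it runs offline.

```python
# Added example (not from the NYS ITS slides): the "101 OR 1=1" case from the
# OWASP Injection Theory quote, run against an in-memory SQLite database.
# The table, its rows and the two lookup functions are constructed here.
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create an in-memory table with a few constructed records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, owner TEXT)")
    conn.executemany(
        "INSERT INTO records (id, owner) VALUES (?, ?)",
        [(100, "alice"), (101, "bob"), (102, "carol")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, record_id: str) -> list:
    """VULNERABLE: the input is pasted into the SQL text, so the interpreter
    parses it as SQL. '101 OR 1=1' turns 'WHERE id = 101' into a tautology
    and the query returns every row."""
    query = "SELECT id, owner FROM records WHERE id = " + record_id
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, record_id: str) -> list:
    """FIXED: the value travels as a bound parameter, never as SQL text.
    The column is compared to the whole string '101 OR 1=1', which matches
    nothing; the query's meaning cannot change."""
    query = "SELECT id, owner FROM records WHERE id = ?"
    return conn.execute(query, (record_id,)).fetchall()


def demo() -> dict:
    """Run the honest value and the attack payload through both versions."""
    conn = build_db()
    honest = "101"
    attack = "101 OR 1=1"
    result = {
        "honest_vulnerable": lookup_vulnerable(conn, honest),
        "attack_vulnerable": lookup_vulnerable(conn, attack),
        "honest_parameterized": lookup_parameterized(conn, honest),
        "attack_parameterized": lookup_parameterized(conn, attack),
    }
    conn.close()
    return result


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The vulnerable version returns all three records for the attack payload; the parameterized version returns one row for "101" and nothing for the payload. In real code the id would also be validated as an integer before the query, but the parameter binding is the control that stops the injection.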
Injection Attacks
• Injection attacks
– How are they introduced
– How are they exploited
– What can the impact be
Injection Attacks
• Injection Attack Categories
– SQL Injection
– Command Injection
– Other examples: LDAP, file paths, HTTP headers
Injection Attack Mitigations
• Context: the correct defense depends on the interpreter the data is sent to
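Three of the non-SQL contexts listed above, each with the fix that matches its interpreter, as an added example (not code from the slides). The payloads, the base directory and the function names are constructed for illustration; the shell example needs a POSIX /bin/sh and an echo binary.

```python
# Added example (not from the NYS ITS slides): the same attacker idea, three
# different interpreters, three different fixes. Payloads and the base
# directory are constructed for illustration.
import os
import subprocess


def run_shell_vulnerable(filename: str) -> str:
    """VULNERABLE (command context): the input is spliced into a shell
    command line, so shell metacharacters (; | $( )) become commands."""
    completed = subprocess.run(
        "echo " + filename, shell=True, capture_output=True, text=True
    )
    return completed.stdout


def run_argv_safe(filename: str) -> str:
    """FIXED (command context): pass an argument vector and no shell. The
    whole string is one argument to echo, however many semicolons it has."""
    completed = subprocess.run(
        ["echo", filename], capture_output=True, text=True
    )
    return completed.stdout


def safe_join(base_dir: str, user_path: str) -> str:
    """FIXED (file path context): resolve the requested path and require it
    to stay under base_dir; otherwise '../' sequences or an absolute path
    escape the directory."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes {base}: {user_path!r}")
    return target


def is_confined(base_dir: str, user_path: str) -> bool:
    """True when safe_join accepts the path, False when it would escape."""
    try:
        safe_join(base_dir, user_path)
        return True
    except ValueError:
        return False


def has_crlf(value: str) -> bool:
    """A CR or LF inside a header value ends that header and lets the
    attacker append headers or a body (HTTP response header injection)."""
    return "\r" in value or "\n" in value


def redirect_header(location: str) -> str:
    """FIXED (HTTP header context): refuse control characters instead of
    emitting the attacker's extra header lines."""
    if has_crlf(location):
        raise ValueError("control characters in header value")
    return "Location: " + location


if __name__ == "__main__":
    payload = "notes.txt; echo INJECTED"
    print("shell   :", repr(run_shell_vulnerable(payload)))
    print("argv    :", repr(run_argv_safe(payload)))
    print("confined:", is_confined("/srv/app/files", "../../etc/passwd"))
    print("header  :", has_crlf("/home\r\nSet-Cookie: role=admin"))
```

With the shell version the payload produces two lines of output, the second written by the injected echo; the argument-vector version prints the payload as literal text. The path and header checks are the same idea: decide what the interpreter will do with the data before handing it over, rather than trying to strip "bad" characters after the fact.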
SQLi and How to Prevent It
Xianlong Wang, ITS CISO Integrated Risk Management

SQL Injection Live Demo
Security Testing: How I Learned to Stop Worrying and Love Web Application Scanning
Kahn Krug, Information Security Analyst
CISO – ISE – Security Testing
518-242-5201

CISO Information Security and Engineering (ISE) Security Testing Team
Nicole Treacy
Patrick Kral
Kahn Krug
Contact Information:
E-mail: [email protected]
Phone: 518-242-5200
Testing
Functional
Usability
Interface
Compatibility
Performance
Security
Release
What Security Testing Provides - Scan
Note: the URL zero.webappsecurity.com is a test site provided by Micro Focus to test functionality of the application scanner.

What Security Testing Provides - Reporting
What’s the difference between Static and Dynamic Testing?

Static Testing (SAST)
• Whitebox testing
• Developers' responsibility
+ Can be a cost-effective approach
x May not find all vulnerabilities

Dynamic Testing (DAST)
• Blackbox testing
• Security Testing team's responsibility
+ Can expose a vulnerability during runtime
x Only finds defects in the code paths the scan actually exercises
What tools are available to Development Teams in NYS?
Static Testing (SAST): Fortify Static Code Analyzer - deployed to Development Teams
Dynamic Testing (DAST): WebInspect Enterprise - used by the Security Testing Team

Process to Request Scans
Summarize
1) We’re from NYS ITS CISO ISE Security Testing. We’re here to help.
2) Easy to remember email address: [email protected]
3) Static analysis tools are out there for you to use.
4) Thank you
CISO Vulnerability and Threat Management (VTM)
Kevin Kingsley, CISSP, GWAPT, Security+, Network+, A+
Ricardo Nash, Security+
Zachery Schopfer
Steven Caraballo
Austin Crisafulli
Matthew JeanPierre
Mike Corrigan, CISSP, GCTI, GPEN, GMON, CCNA, A+
CISO VTM [email protected]
Automated, Client-Focused Vulnerability Management
The V in CISO VTM
What we want to do for you … and partnering with you:
1. Employ automated tools … to scan your Internet-facing web sites and applications for vulnerabilities.
2. Verify scan results with manual tools and work hard to eliminate false positives.
3. Provide actionable reports to remediators and other stakeholders, as well as custom reports where required.
4. Work with development teams by providing assistance, tools, and training in order to help remediate the vulnerabilities found.
CISO [email protected]
CISO VTM Remediation Support
Last month
• Scanned 1,094 web sites and apps.
• Generated 275 reports using automated processes.
• All findings analyzed before sending notifications and reporting to clients.
• 8 security meetings with web development teams.
• Is your team doing a recurring security meeting?
CISO [email protected]
CISO VTM Remediation Support and Outreach
Chris Catalina - Drupal Architect, Developer for WebNY Platform Services
• Collaborative effort between the CISO VTM team and the WebNY team.
• WebNY supports 170+ public websites:
  o 70+ Drupal websites
  o 100+ HTML websites

Drupal Security Update Process

Public Website Security Scan Update Process

CISO VTM Remediation Support and Outreach
CISO VTM and WebNY team collaborative efforts to fine-tune our process:
Formatted security scan emails and vulnerability findings spreadsheet:
- Vulnerability Summary: vulnerability severity level, how many were discovered, and how old they are.
- Vulnerability Details: severity level, vulnerability name, finding URL, first time detected, and how many times it has been detected since the first scan.
- Recommended Remediation: lists the open vulnerability and provides a remediation solution for the developer.
Weekly security meeting – WebNY goes over the vulnerabilities emailed to our team every week to ensure every vulnerability has been discussed before we assign it to the appropriate developer.
Microsoft Teams – one place to provide all security information for the WebNY team: wiki page, vulnerability remediation solutions, and a walkthrough of what to do if you are assigned a detected vulnerability on a site that you support.
CISO VTM Remediation Support and Outreach
Security vulnerabilities remediated since we started our process working with the CISO VTM team:
Severity 5 (Urgent)
• Cross-Site Scripting (XSS): path-based, reflected and browser-specific
• SQL Injection
Severity 4 (Critical)
• DOM-Based Cross-Site Scripting (XSS)
• HTTP Response Header Injection
Severity 3 (High)
• Use of JavaScript library with known vulnerability
• Clickjacking - framable page
• Information disclosure and impersonation vulnerabilities

What WebNY learned and our 4 simple rules:
1. Work with the CISO VTM team to fine-tune a process that works for you.
2. Perform weekly scans on the projects you support that are public facing.
3. Keep your internal teams and developers informed.
4. Keep your code updated.
Micro Focus Software Factory: Lessons Learned Building Enterprise Services for DevOps
David Wray, Public Sector Chief Technology Officer

Micro Focus at a glance: industry-leading NPS; 2,000+ dedicated resources; 3,000+ patents; 5,800+ software engineers

Challenge: Implement "Enterprise" Software Factory (DevSecOps) Capability Across a Multi-Billion Dollar International Organization
Build: worldwide team of over 500 SAFe teams in 200 product groups; over 2,000 releases a year with both SaaS and standard consumption models
Support: industry-leading product support – 24/7 in 15 languages, multiple global delivery centers
Software Factory – Guiding Principles
Objective: Provide cost-effective common engineering tools & services to build & deliver high quality products faster
• Agile delivery with continuous feedback and evolution based on demand and learning
• Minimum Viable Platform (MVP)
• Deliver End to End value streams based on the IT4IT Reference Architecture
• Use our own solutions first and provide feedback for continuous improvement
• Service broker operating model with clear roles and responsibility for service owner and service delivery
The Micro Focus engineering environment
• 8K engineering staff, 24x7 operations; delivery models from waterfall and iterative to agile and DevOps
• 19K servers, 113PB storage, 156K VMs, 41K devices
• Infrastructure: in-house traditional, private cloud, SaaS, Azure, AWS, Google Cloud, Oracle Cloud
• ~100K builds annually; ~10M test runs annually
• 10M-20M code lines scanned for security daily
• ~6K patches managed annually; ~180K support tickets created annually
Starting Point
Summary of where we started – Vertical Toolchains
• Tool redundancy and sprawl generate expensive and complex engineering toolchains
• Multiple providers add confusion and delays into product development (External Partners, Global Support, IT, Product Groups, etc.)
• Lack of visibility into data – can’t get consistent answers to basic questions
• Complex and conflicting product technologies – limited reuse, disparate tech stacks
• Inconsistent deployment results and rework required; security and testing capabilities were not enterprise-based or early in the life cycle
Journey to Value – We Started with Very Low Maturity
(Chart: capabilities plotted against maturity - basic, advanced, mature - across the S2P, R2D, R2F and D2C value streams, from Aware through Committed, Proactive and Service-aligned to Business Partner, with benefit stages Quick Value, Rapid ROI, Sustained Benefits and Strategic Outcomes. Capabilities range from ad-hoc PMO, ad-hoc demand, defect-oriented QA, incident management and domain-centric monitoring at the start to predictive service operations, auto remediation, chargeback and usage, and an automated continuous delivery tool chain at the finish.)
Starting Point Analysis
(Diagram of the product development process: ALM, Portfolio/P2M, Test, SaaS Service, Service Support, Build Factory, Design, Release Mgmt., Service Portal, Defect Mgmt., Requirement Mgmt., Project Mgmt., Test Mgmt., SCM, Binary Repo, Hybrid Infrastructure, Service Catalog, Collaboration, Reports & KPIs.)
Redundant, outdated and broken value streams. Well over 150 products and processes discovered.
Our Enterprise DevSecOps Goals
Summary of the criteria we defined for success
• Establish a single enterprise DevSecOps capability for collaboration and sharing
• Extend our Agile development concepts (SAFe) out to the full loop of continuous exploration, development, integration, deployment and feedback
• Leverage existing open standards for IT Management and the Open Group Reference Architecture (IT4IT)
• Rationalize upwards of 100 tools within our DevSecOps Tool chain down to less than a dozen products that together form a functional tool chain for enterprise-scale SAFe
• Measure results and document improved governance, security, cost, quality, speed of innovation and team collaboration across the software supply chain.
• Improve predictability – Provide leadership with consistent measurable metrics across all R&D cost, quality and speed vectors for continuous improvement
Getting Started – Leverage Open Standards and select the best products available that align with standards
Vision: Leverage Open Standard Framework, Value Streams, Metrics and Measurements to Assure Value to our Customers
Driving alignment across the Four Focus Areas (Enterprise DevOps; Hybrid IT Mgmt; Security, Risk & Governance; Predictive Analytics & ML)
(Diagram rows: Focus Area, Products, Delivery Strategy, Master Use Cases, Shared Services, Common Foundation; product families ADM, ITOM, SEC, IMG, AMC, BDP; themes Customer Centric, Innovation, Shared Architecture, Foundation Tech Stack.)
Mission:
• Common technical point of view defined through use cases and high-level architecture, with contribution from all Product Groups, Field and customers
• Efficiently delivered across Product Groups through the use of a common reference architecture that ensures every solution across all focus areas makes up a consistent IT landscape, and shared technology & components across solutions ensuring lower TCO, minimized cost, and ease of reuse
• PoV and use cases are delivered by combining the best and most relevant products across our Product Families
• Common set of shared services for development and delivery of products to ensure efficiency and alignment
Enterprise DevOps use case
(Diagram: Plan (Strategy to Portfolio), Build (Requirement to Deliver), Deliver (Request to Fulfill) and Run (Detect to Correct) across the development lifecycle - portfolio, design, build, quality, security & compliance, release, service portal, fulfilment, consumption, operations, support - on in-house traditional, private cloud, SaaS, Azure, AWS, Google Cloud and Oracle Cloud infrastructure. Continuous Release: Service System Deployment; Forward to Backlog.)
Many open source products augment the toolchain alongside Micro Focus products.
How Did IT4IT Help Us with DevOps Tool Chain Rationalization
Drinking our own Champagne
• We selected fewer than 12 products for the Enterprise DevSecOps tool chain: several of our own products along with several open-source options. In all cases we have used IT4IT as the template for standardized integrations between functions
• The dominant software component is top-level project control and orchestration software, which we use to control sprints, user stories, defect management, backlogs, sprint plans, epics, test status, security scan results, and so on
• Around this core set of products we added other tools as needed and published a model office, which is a prescriptive implementation of enterprise DevSecOps
• The model office has been used with several large customers to help refine the target tool landscape as we look at what to transform and what to keep
Details on the Journey to Value
Software Factory – Phase 1
Objective: Set up cost-effective common engineering tools & services to deliver at high speed & quality at scale
• CLIP – Closed Loop Incident Process
• ALM
• SCM
• Binary Repository
(Diagram: value streams Plan (S2P), Build (R2D), R2F, D2C; capabilities ALM, Portfolio/P2M, Test, SaaS Service, Service Support, Build Factory, Design, Release Mgmt., Service Portal, Defect Mgmt., Requirement Mgmt., Project Mgmt., Test Mgmt., Security Testing, Performance Testing, CLIP, Hybrid Infrastructure, Service Catalog, Collaboration, Reports & KPIs, Code Signing; SCM = GitHub, Binary Repo = Artifactory. Legend: black text = capabilities, purple = available, green = planned, blue = interfacing systems, dashed line = SW Factory scope.)
Software Factory – Phase 2
Objective: Set up cost-effective common engineering tools & services to deliver at high speed & quality at scale
• P2M interlock
• Performance Testing
• Code Signing
• Collaboration – Wiki
(Diagram, same layout and legend as Phase 1, adding Product Portfolio, Value Stream Governance & Management, E2E Life Cycle Management, E2E Release Measurements, Security Testing (Dynamic and Static), Performance Testing, Testing as a Service, Help Desk & Problem/Incident Management, Service Monitoring, Predictive Monitoring, Collaboration Wiki; Code Signing = Aujas.)
Software Factory – Phase 3
Objective: Set up cost-effective common engineering tools & services to deliver at high speed & quality at scale
• Service Portal / Catalog
• Reports / KPIs
• ChatOps
• Hybrid Infrastructure
(Diagram, same layout and legend as Phases 1 and 2, adding E2E Measurements, Hybrid Cloud Management (Hybrid Infrastructure = HCM), Collaboration = Wiki and MS Teams, Reports & KPIs = Tableau/Vertica; Code Signing = Aujas.)
Security Governance
Security in Engineering Lifecycle Solution
(Diagram: a Software Security Scanning Center integrates the security tools - IDE-specific scanner, OWASP Dependency-Check, web content scanning, static code analysis, container scanner, image scanner - with the repositories (GitHub, Artifactory, Docker Hub, …) and the end-to-end DevOps toolchain. Findings flow into a normalized risk view where security policy is applied; the center also provides simple service consumption, security analytics, knowledge sharing and precision-guided alerts.)
Success Metrics
Continuing to improve over time
• It is quite possible that we are the world's largest global SAFe implementation
• Our standardized tool chain is now in use by all our 500+ global teams, and the architecture is delivering value for customers as well
• We are the largest worldwide customer of our own products, with an average of 10 million lines scanned per day, and have automated performance and functional testing
• 6 scanners in use, ~20,000 true findings and 70% false-positive accuracy
• Over 2,000 change requests and 2,000+ hot fixes delivered annually
• Goals of teams and the organization are linked to the overall goals of the end-to-end DevSecOps value chain
• Consistent enterprise performance metrics and analytics have enabled us to find and resolve issues that improve quality and security and speed our innovation cycle
Lessons Learned
Driving adoption with standards is all about providing value first
1. Automation across tools is essential for SAFe and DevSecOps to be efficient
2. IT4IT provides a best-practice tools architecture, including functionality and data flows, to guide and prescribe how to integrate and automate the tool chain
3. Successful adoption of an enterprise solution requires focusing on providing value, not enforcement and compliance
4. As we learned to implement SAFe at scale, we began to worry less about some tools (e.g. the IDE). As long as developers check in source to Git and follow their pipeline tasks in the Kanban, things work well
5. Agile frameworks other than SAFe are OK; the tool chain still works very well. The real value is unifying reporting, metrics and portfolio management
Lessons Learned for Security & Testing Automation
Security is not an island and must be centralized and automated to improve the velocity of innovation
• Agile – integration to build systems, quality management solution, AGM tools, DevOps tools and service layers
• Scalability – make sure the solution is scalable to the size of your organization
• One-stop shop – keep all scanners in one place
• Efficiency – plan for major reductions to the cost to run security test automation throughout the engineering lifecycle
• Leverage smart analytics to reduce the number of false positives
• Must establish a supporting governance structure to monitor adoption and stop vulnerable code from going to production
• Consistent risk determination requires an enterprise risk management framework (NIST RMF, for example)
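The "one-stop shop" and "stop vulnerable code from going to production" points above, reduced to code as an added example (this is illustrative code, not Micro Focus's Software Security Scanning Center or any of its products). Two scanners with different output shapes are normalized into one severity scale, duplicate findings from re-runs are collapsed, and a release policy decides whether the build may ship. The scanner outputs, finding identifiers and thresholds are all constructed for the example.

```python
# Added example (not Micro Focus code): normalize findings from two
# hypothetical scanners into one schema, de-duplicate, and apply a release
# policy gate. The scanner outputs below are constructed for illustration;
# the identifiers are not real advisories.
from collections import Counter

# Constructed output of a hypothetical static analyser (named severities).
SAST_FINDINGS = [
    {"rule": "sql-injection", "severity": "Critical", "file": "app/db.py", "line": 42},
    {"rule": "hardcoded-password", "severity": "Medium", "file": "app/cfg.py", "line": 7},
    # Same finding reported again by a re-run: must not be counted twice.
    {"rule": "sql-injection", "severity": "Critical", "file": "app/db.py", "line": 42},
]

# Constructed output of a hypothetical dependency checker (CVSS-style scores).
DEP_FINDINGS = [
    {"package": "jquery", "version": "1.12.4", "cvss": 6.1, "id": "EXAMPLE-JQ-1"},
    {"package": "lodash", "version": "4.17.11", "cvss": 9.1, "id": "EXAMPLE-LO-1"},
]

# Shared severity scale used by the gate; higher rank is worse.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


def cvss_to_severity(score: float) -> str:
    """Map a CVSS base score onto the shared scale using the CVSS v3 bands."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "info"


def normalize(sast: list, deps: list) -> list:
    """Produce one record shape for every tool and drop exact duplicates.
    The key identifies a finding by tool, rule/advisory and location."""
    findings = {}
    for f in sast:
        key = ("sast", f["rule"], f["file"], f["line"])
        findings[key] = {
            "source": "sast",
            "severity": f["severity"].lower(),
            "title": f["rule"],
            "where": f"{f['file']}:{f['line']}",
        }
    for f in deps:
        key = ("dep", f["id"], f["package"], f["version"])
        findings[key] = {
            "source": "dep",
            "severity": cvss_to_severity(f["cvss"]),
            "title": f["id"],
            "where": f"{f['package']}@{f['version']}",
        }
    return list(findings.values())


def apply_policy(findings: list, block_at: str = "high", max_medium: int = 5) -> dict:
    """Release gate: any finding at or above block_at blocks the release,
    and so does an accumulation of more than max_medium medium findings."""
    counts = Counter(f["severity"] for f in findings)
    threshold = SEVERITY_RANK[block_at]
    blocking = [f for f in findings if SEVERITY_RANK[f["severity"]] >= threshold]
    passed = not blocking and counts["medium"] <= max_medium
    return {"passed": passed, "blocking": blocking, "counts": dict(counts)}


if __name__ == "__main__":
    verdict = apply_policy(normalize(SAST_FINDINGS, DEP_FINDINGS))
    print("passed:", verdict["passed"], "counts:", verdict["counts"])
    for f in verdict["blocking"]:
        print(f"  BLOCK {f['severity']:<8} {f['source']} {f['title']} at {f['where']}")
```

On the constructed input the gate fails: the duplicate SQL injection finding collapses to one, but it and the critical dependency advisory both sit above the "high" threshold. The normalization step is what makes a single policy possible across tools that disagree about what a severity is called; the threshold and medium-count limit are policy values an organization would set from its own risk framework.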
Software Factory live on quarterly release cycles

Summary of learnings …
• Technology is easy
• Stay with it
• Spearhead the change
• Measure outcomes
• Fail fast
• Make bets
• Celebrate success

• Change is about people, mindsets and willingness to learn …
• Create a vision and an enduring strategy, end to end …
• Leverage centers of excellence …
• Find the right partners (internal and external) …
• Deliver solutions and iterate as frequently as possible …
• Have the courage to go against the grain …
• You can never over-communicate …

Any Questions?