October 8, 2019 · Defending Your Code Against Cyber-Attacks: Developing Secure Applications


Apr 10, 2020

Transcript
Page 1: Defending Your Code Against Cyber-Attacks Forum... · 10/8/2019  · Technical Skill. Agenda – Top Injection Vulnerabilities ... Top is tough to define (should be based on risk

October 8, 2019

Defending Your Code Against Cyber-Attacks

Developing Secure Applications

Page 2:

Welcome!

Deb Snyder, NYS ITS CISO

Page 3:

Secure Coding

Tyler Wrightson

Leet Cyber Security

@tbwrightson

Page 6:

@tbwrightson

Page 9:

Security

Page 10:

Security

Page 11:

Security

Page 16:

Agenda

1. Why secure coding matters

2. Top Injection Vulnerabilities

Page 18:

"Know thyself and..." - Sun Tzu

Page 19:

"Know thy enemy!" - Sun Tzu

Page 20:

Agenda – Why Secure Coding Matters

Page 21:

[Chart: Threats plotted against Technical Skill. Actors shown: Script Kiddie, Hacker, Hacktivist, Criminal, Cyber Crime Org]

Page 25:

Agenda – Top Injection Vulnerabilities

"Top" is tough to define; it should be based on a risk assessment at your organization.

Page 27:

Injection is an attacker's attempt to send data to an application in a way that will change the meaning of commands being sent to an interpreter. The most common example is SQL injection, where an attacker sends "101 OR 1=1" instead of just "101". When included in a SQL query, this data changes the meaning to return ALL records instead of just one.

https://www.owasp.org/index.php/Injection_Theory
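The "101 OR 1=1" case above, worked through in Python against an in-memory SQLite table. This is an added example, not code from the slides: the accounts table and its three rows are constructed here, the vulnerable lookup concatenates the id into the query text, and the fixed lookup binds it as a parameter so the database only ever sees it as a value.

```python
import sqlite3

# Constructed sample rows for the demo (not from the original slides).
ACCOUNTS = [
    (101, "alice", "alice@example.com"),
    (102, "bob", "bob@example.com"),
    (103, "carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ACCOUNTS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, account_id: str) -> list:
    """Vulnerable: the user value is concatenated into the SQL text, so the
    interpreter cannot tell data from code. "101 OR 1=1" becomes part of the
    WHERE clause and matches every row."""
    query = "SELECT id, username, email FROM accounts WHERE id = " + account_id
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, account_id: str) -> list:
    """Fixed: a bound parameter is always treated as a value, never as SQL.
    The same payload is compared against the id column as the literal string
    "101 OR 1=1" and matches nothing."""
    query = "SELECT id, username, email FROM accounts WHERE id = ?"
    return conn.execute(query, (account_id,)).fetchall()


def demo() -> dict:
    """Run both lookups with a benign and a hostile input."""
    conn = make_db()
    benign, hostile = "101", "101 OR 1=1"
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_hostile": lookup_vulnerable(conn, hostile),
        "param_benign": lookup_parameterized(conn, benign),
        "param_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) {rows}")
```

The vulnerable lookup returns one row for "101" and all three rows for the payload; the parameterized lookup returns one row for "101" and no rows for the payload, because the payload never reaches the SQL parser as syntax.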

Page 28:

Injection Attacks

• Injection attacks

– How are they introduced

– How are they exploited

– What can the impact be

Page 29:

Injection Attacks

• Injection Attack Categories

– SQL Injection

– Command Injection

– Other examples: LDAP, file paths, HTTP headers

Page 30:

Injection Attack Mitigations

Page 33:

Context

Page 34:

Context
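The point of the "Context" slides is that the right mitigation depends on which interpreter the data reaches. The added Python below (not code from the slides) walks through the other injection categories listed earlier, command, file path, LDAP and HTTP header, and shows for each one the check or encoding that fits that interpreter. The host allowlist, the upload directory /srv/uploads and the sample inputs are assumptions constructed for the demo.

```python
import os
import re

# Host allowlist for the command context: letters, digits, dots and hyphens only.
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")

# RFC 4515 escapes for the characters that change an LDAP filter's structure.
LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ping_argv(host: str) -> list:
    """Command context. The unsafe form is a shell string such as
    "ping -c 1 " + host, where ';', '|' or '$(...)' in host starts a second
    command. Validate against an allowlist and hand subprocess.run() an argv
    list, so no shell ever parses the value."""
    if not HOST_RE.match(host):
        raise ValueError(f"rejected host: {host!r}")
    return ["ping", "-c", "1", host]


def resolve_under(base_dir: str, user_path: str) -> str:
    """File path context. Joining user input onto a base directory is not
    enough: '../' walks back out of it. Canonicalise the result and require
    that it still sits under the canonical base; commonpath (not startswith)
    also rejects a sibling directory such as base_dir + '-evil'."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes {base}: {user_path!r}")
    return target


def ldap_filter_value(value: str) -> str:
    """LDAP context. Filter metacharacters are replaced by their hex escape,
    so '*)(uid=*' is searched for as a literal string instead of closing the
    current filter clause and opening a new one."""
    return "".join(LDAP_ESCAPES.get(ch, ch) for ch in value)


def header_value(value: str) -> str:
    """HTTP header context. A CR or LF ends the header line, letting the
    attacker append further headers or a body (response splitting). There is
    no safe encoding for those bytes inside a header value, so reject them."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF not allowed in a header value")
    return value


def demo() -> dict:
    """Run each context with a benign and a hostile constructed input."""
    results = {}
    results["ping_ok"] = ping_argv("example.com")
    try:
        ping_argv("example.com; cat /etc/passwd")
    except ValueError:
        results["ping_blocked"] = True
    base = "/srv/uploads"  # assumed upload directory; it need not exist
    results["path_ok"] = resolve_under(base, "reports/q3.pdf")
    try:
        resolve_under(base, "../../etc/passwd")
    except ValueError:
        results["path_blocked"] = True
    results["ldap_ok"] = "(uid=" + ldap_filter_value("alice") + ")"
    results["ldap_hostile"] = "(uid=" + ldap_filter_value("*)(uid=*") + ")"
    results["header_ok"] = header_value("en-US")
    try:
        header_value("en-US\r\nSet-Cookie: session=attacker")
    except ValueError:
        results["header_blocked"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that only the LDAP case uses encoding; the other three reject or restructure the input, because a shell argument list, a canonical path check and a header value have no encoding that makes the hostile bytes harmless.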

Page 38:

Thank You

@leetsys

blog.leetsys.com

@tbwrightson

Email: [email protected]

Page 39:

SQLi and How to Prevent It

Xianlong Wang

ITS CISO Integrated Risk Management

[email protected]

Page 40:

SQL Injection Live Demo

Page 41:

Security Testing: How I Learned to Stop Worrying and Love Web Application Scanning

Kahn Krug

Information Security Analyst

CISO – ISE – Security Testing

[email protected]

518-242-5201

Page 42:

CISO Information Security and Engineering (ISE) Security Testing Team

Nicole Treacy

Patrick Kral

Kahn Krug

Contact Information:

E-mail: [email protected]

Phone: 518-242-5200

Page 43:

Testing

[Diagram of testing types: Functional, Usability, Interface, Compatibility, Performance, Security, Release]


Page 47:

What Security Testing Provides - Scan

Note: the URL zero.webappsecurity.com is a test site provided by Micro Focus to test the functionality of the application scanner.

Page 48:

What Security Testing Provides - Reporting


Page 52:

What's the difference between Static and Dynamic Testing?

Static Testing (SAST)
• Whitebox testing
• Developers' responsibility
+ Might be a cost-effective approach
x May not find all vulnerabilities

Dynamic Testing (DAST)
• Blackbox testing
• Security Testing team's responsibility
+ Can expose a vulnerability during runtime
x Only finds executed defects
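To make the two "x" caveats concrete, the added Python below (not from the slides, and not how Fortify or WebInspect work internally) runs a toy static rule and a toy dynamic probe over the same constructed sample source. The static rule walks the AST and flags every .execute() whose query text is assembled at runtime, so it sees the dead "legacy" branch but also flags a harmless constant concatenation; the dynamic probe calls the running code with a benign value and an injection payload and compares row counts, so it proves the live path but never reaches the branch that no input exercises. The sample functions, the table rows and the payloads are all assumptions.

```python
import ast
import sqlite3

# Constructed sample source that is both scanned statically and executed for
# the dynamic probe (assumed example code, not from the original slides).
SAMPLE_SOURCE = '''
def by_id(conn, account_id):
    return conn.execute("SELECT * FROM accounts WHERE id = " + account_id).fetchall()

def by_name(conn, name, legacy=False):
    if legacy:  # dead branch: no scanner input ever reaches it
        return conn.execute(f"SELECT * FROM accounts WHERE username = '{name}'").fetchall()
    return conn.execute("SELECT * FROM accounts WHERE username = ?", (name,)).fetchall()

def all_rows(conn):
    return conn.execute("SELECT * " + "FROM accounts").fetchall()
'''


def sast_scan(source: str) -> list:
    """Static (white-box) rule: report the line of every .execute(...) whose
    first argument is built at runtime (concatenation, %, f-string). It sees
    every code path, including the dead one, but judges shape rather than
    behaviour, so the constant concatenation in all_rows is a false positive."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args
                and isinstance(node.args[0], (ast.BinOp, ast.JoinedStr))):
            findings.append(node.lineno)
    return sorted(findings)


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed rows for the dynamic probe."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, username TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [(101, "alice"), (102, "bob"), (103, "carol")])
    return conn


def dast_probe(func, conn, benign: str, payload: str) -> str:
    """Dynamic (black-box) check: call the running code with a benign value
    and with a payload that should match nothing. Extra rows, or a SQL error,
    mean the input reached the interpreter as code. It can only judge the
    path it actually executed."""
    baseline = func(conn, benign)
    try:
        probed = func(conn, payload)
    except sqlite3.Error:
        return "injectable (query broke)"
    return "injectable" if len(probed) > len(baseline) else "not injectable"


def compare() -> dict:
    """Run both techniques over the same sample and collect their verdicts."""
    namespace = {}
    exec(SAMPLE_SOURCE, namespace)  # load the sample functions for the probe
    conn = make_db()
    return {
        "sast_lines": sast_scan(SAMPLE_SOURCE),
        "dast_by_id": dast_probe(namespace["by_id"], conn, "101", "101 OR 1=1"),
        "dast_by_name": dast_probe(namespace["by_name"], conn, "alice", "' OR '1'='1"),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The static scan reports three lines: the real defect in by_id, the real defect on the dead branch of by_name, and the harmless constant join in all_rows. The dynamic probe confirms by_id is injectable but reports by_name as clean, because the default call never enters the legacy branch. That is the trade-off the slide summarises: SAST over-reports on shape, DAST under-reports on coverage, and the two are complementary rather than interchangeable.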

Page 53:

What tools are available to Development Teams in NYS?

Static Testing (SAST): Fortify Static Code Analyzer, deployed to development teams.

Dynamic Testing (DAST): WebInspect Enterprise, used by the Security Testing Team.

Page 54:

Fortify / WebInspect Enterprise

Page 55:

Process to Request Scans

Page 56:

Summary

1) We’re from NYS ITS CISO ISE Security Testing. We’re here to help.

2) Easy to remember email address: [email protected]

3) Static analysis tools are out there for you to use.

4) Thank you

Page 57:

CISO Vulnerability and Threat Management (VTM)

Kevin Kingsley, CISSP, GWAPT, Security+, Network+, A+; Ricardo Nash, Security+; Zachery Schopfer; Steven Caraballo; Austin Crisafulli; Matthew JeanPierre; Mike Corrigan, CISSP, GCTI, GPEN, GMON, CCNA, A+

CISO VTM [email protected]

Automated, Client-Focused Vulnerability Management

Page 58:

The V in CISO VTM

What we want to do for you … and partnering with you:

1. Employ automated tools … to scan your Internet facing web sites and applications for vulnerabilities.

2. Verify scan results with manual tools and work hard to eliminate false positives.

3. Provide actionable reports to remediators and other stakeholders, as well as custom reports where required.

4. Work with development teams by providing assistance, tools, and training in order to help remediate the vulnerabilities found.

CISO [email protected]

Page 59:

CISO VTM Remediation Support

Last month

• Scanned 1,094 web sites and apps.

• Generated 275 reports using automated processes

• All findings analyzed before sending notifications and reporting to clients

• 8 security meetings with web development teams.

• Is your team doing a recurring security meeting?

CISO [email protected]

Page 60:

CISO VTM Remediation Support and Outreach

Chris Catalina - Drupal Architect, Developer for WebNY Platform Services

• Collaborative effort between the CISO VTM team and the WebNY team.

• WebNY supports 170+ public websites:
  o 70+ Drupal websites
  o 100+ HTML websites

Page 61:

CISO VTM Remediation Support and Outreach

Drupal Security Update Process

Page 62:

CISO VTM Remediation Support and Outreach

Public Website Security Scan Update Process

Page 63:

CISO VTM Remediation Support and Outreach

CISO VTM and WebNY team collaborative efforts to fine-tune our process:

Formatted security scan emails and vulnerability findings spreadsheet:

- Vulnerability Summary: vulnerability severity level, how many were discovered, and how old they are.

- Vulnerability Details: severity level, vulnerability name, finding URL, first time detected, and how many times it has been detected since the first scan.

- Recommended Remediation: lists the open vulnerability and provides a remediation solution for the developer.

Page 64:

CISO VTM Remediation Support and Outreach

CISO VTM team and WebNY team collaborative efforts to fine-tune our process:

Weekly security meeting – WebNY goes over the vulnerabilities emailed to our team every week to ensure every vulnerability has been discussed before we assign them to the appropriate developer.

Microsoft Teams – one place to provide all security information for the WebNY team: wiki page, vulnerability remediation solutions, and a walkthrough of what to do if you are assigned a detected vulnerability on a site that you support.

Page 65:

CISO VTM Remediation Support and Outreach

Security vulnerabilities remediated since we started our process working with the CISO VTM team:

Severity 5 (Urgent)
• Cross-Site Scripting (XSS): path-based, reflected and browser-specific
• SQL Injection

Severity 4 (Critical)
• DOM-based Cross-Site Scripting (XSS)
• HTTP Response Header Injection

Severity 3 (High)
• Use of JavaScript library with known vulnerability
• Clickjacking: framable page
• Information disclosure and impersonation vulnerabilities

Page 66:

CISO VTM Remediation Support and Outreach

What WebNY learned and our 4 simple rules:

1. Work with the CISO VTM team to fine-tune a process that works for you.

2. Perform weekly scans on the projects you support that are public facing.

3. Keep your internal teams and developers informed.

4. Keep your code updated.

Page 67:

Micro Focus Software Factory: Lessons Learned Building Enterprise Services for DevOps

David Wray, Public Sector Chief Technology Officer

Page 68:

Industry-leading NPS · 2,000+ dedicated resources · 3,000+ patents · 5,800+ software engineers

Challenge: Implement an "Enterprise" Software Factory (DevSecOps) capability across a multi-billion dollar international organization.

Build: Worldwide team of over 500 SAFe teams in 200 product groups; over 2,000 releases a year with both SaaS and standard consumption models.

Support: Industry-leading product support, 24/7 in 15 languages, multiple global delivery centers.

Page 69:

Software Factory – Guiding Principles

Objective: Provide cost-effective common engineering tools & services to build & deliver high-quality products faster

• Agile delivery with continuous feedback and evolution based on demand and learning

• Minimum Viable Platform (MVP)

• Deliver End to End value streams based on the IT4IT Reference Architecture

• Use our own solutions first and provide feedback for continuous improvement

• Service broker operating model with clear roles and responsibility for service owner and service delivery

Page 70:

The Micro Focus engineering environment

[Diagram] Platforms: in-house traditional, private cloud, SaaS, Azure, AWS, Google Cloud, Oracle Cloud. Delivery methods: Waterfall, Iterative, Agile, DevOps.

19K servers · 113 PB storage · 156K VMs · 41K devices · 8K engineering staff · 24x7 operations

10M-20M code lines scanned for security daily · ~100K builds annually · ~10M test runs annually · ~180K support tickets created annually · ~6K patches managed annually

Page 71:

Starting Point

Summary of where we started – Vertical Toolchains

• Tool redundancy and sprawl generates expensive and complex engineering toolchains

• Multiple providers add confusion and delays to product development (External Partners, Global Support, IT, Product Groups, etc.)

• Lack of visibility to data – can’t get consistent answers to basic questions

• Complex and conflicting product technologies – limited reuse, disparate tech stacks

• Inconsistent deployment results and rework required, security and testing capabilities were not enterprise based or early in the life-cycle

Page 72:

Journey to Value – We Started with Very Low Maturity

[Chart: capabilities plotted from Start to Finish by maturity (basic, advanced, mature; Aware, Committed, Proactive, Service-aligned, Business Partner) across the IT4IT value streams S2P, R2D, R2F and D2C, with benefit tiers Quick Value Benefits, Rapid ROI Benefits, Sustained Benefits and Strategic Outcomes. The bands run from ad-hoc PMO, ad-hoc demand, defect-oriented quality assurance, ad-hoc request management, incident management and domain-centric monitoring at the low end, through department and enterprise PMO, requirements, change, problem and service request management, service catalog, automated build and test, automated release and deploy, cross-domain and application monitoring, to investment portfolio management, best-practice PMO, service design, automated continuous delivery tool chain, agile project management and development, consistent QA management, release management, sourcing management, chargeback and usage, shopping cart, request rationalization, service level management, change control/CMS, auto remediation, continuous assessment, proposal management and predictive service operations at the high end.]

Page 73:

Starting Point Analysis

[Diagram: the product development process mapped over ALM, Portfolio/P2M, Test, SaaS Service, Service Support, Build Factory, Design, Release Mgmt., Service Portal, Defect Mgmt., Requirement Mgmt., Project Mgmt., Test Mgmt., SCM, Binary Repo, Hybrid Infrastructure, Service Catalog, Collaboration and Reports & KPIs, with per-area product counts of 12, 16, 86 and 31.]

Redundant, outdated and broken value streams. Well over 150 products and processes discovered.

Page 74:

Our Enterprise DevSecOps Goals

Summary of the criteria we defined for success

• Establish a Single enterprise DevSecOps capability for collaboration and sharing

• Extend our Agile development concepts (SAFe) out to the full loop of continuous exploration, development, integration, deployment and feedback

• Leverage existing open standards for IT Management and the Open Group Reference Architecture (IT4IT)

• Rationalize upwards of 100 tools within our DevSecOps Tool chain down to less than a dozen products that together form a functional tool chain for enterprise-scale SAFe

• Measure results and document improved governance, security, cost, quality, speed of innovation and team collaboration across the software supply chain.

• Improve predictability – Provide leadership with consistent measurable metrics across all R&D cost, quality and speed vectors for continuous improvement

Page 75:

Getting Started – Leverage Open Standards and select the best products available that align with standards

Page 76:

Vision: Leverage Open Standard Framework, Value Streams, Metrics and Measurements to Assure Value to our Customers

Driving alignment across the Four Focus Areas: Enterprise DevOps; Hybrid IT Mgmt; Security, Risk & Governance; Predictive Analytics & ML

[Diagram rows: Focus Area (customer centric); Products (innovation; product families ADM, ITOM, SEC, IMG, AMC, BDP); Delivery Strategy / Master Use Cases (shared architecture); Shared Services / Common Foundation (foundation tech stack); numbered 1, 2, 3 ... n]

Mission:

• Common technical point of view defined through use cases and high-level architecture with contribution from all PG, Field and customers

• Efficiently delivered across Product Groups through the use of:
  – a Common Reference Architecture that ensures every solution across all Focus Areas makes up a consistent IT landscape
  – shared technology & components across solutions, ensuring lower TCO, minimized cost and ease of reuse

• PoV and use cases are delivered by combining the best and most relevant products across our Product Families

• Common set of shared services for development and delivery of products to ensure efficiency and alignment

Page 77:

Enterprise DevOps use case

[Diagram: IT4IT value streams Plan (Strategy to Portfolio), Build (Requirement to Deliver), Deliver (Request to Fulfill) and Run (Detect to Correct), with the functions Portfolio, Development Lifecycle, Design, Build, Quality, Security & Compliance, Release, Fulfilment, Service Portal, Consumption, Operations and Support, running over in-house traditional, private cloud, SaaS, Azure, AWS, Google Cloud and Oracle Cloud. Numbered flow steps include "Continuous Release: Service System Deployment" and "Forward to Backlog".]

Page 78:

Many open source products augment the toolchain

[Diagram: the same IT4IT value-stream layout as page 77 (Plan, Build, Deliver, Run over in-house traditional, private cloud, SaaS, Azure, AWS, Google Cloud and Oracle Cloud) with the toolchain overlaid: a Micro Focus product at each function, augmented by open source products.]

Page 79:

How Did IT4IT Help Us with DevOps Tool Chain Rationalization? Drinking our own champagne

• We selected less than 12 products for the Enterprise DevSecOps tool chain. Several of our own products along with several open-source options. In all cases we have used IT4IT as the template for standardized integrations between functions

• The dominant software component is top-level project control and orchestration software, which we used to control sprints, user stories, defect management, backlogs, sprint plans, epics, test status, security scan results, and so on

• Around this core set of products we added other tools as needed and published a model office, which is a prescriptive implementation of enterprise DevSecOps

• The model office has been used with several large customers to help refine the target tool landscape as we look at what to transform and what to keep

Page 80:

Details on the Journey to Value

Page 81:

Software Factory – Phase 1

Objective: Set up cost-effective common engineering tools & services to deliver at high speed and quality at scale

• CLIP – Closed Loop Incident Process

• ALM

• SCM

• Binary Repository

[Diagram: Phase 1 scope over Plan (S2P), Build (R2D), D2C and R2F. Capabilities: ALM, Portfolio/P2M, Test, SaaS Service, Service Support, Build Factory, Design, Release Mgmt., Service Portal, Defect Mgmt., Requirement Mgmt., Project Mgmt., Test Mgmt., Security Testing, Performance Testing, Code Signing, CLIP, Hybrid Infrastructure, Service Catalog, Collaboration, Reports & KPIs. Interfacing systems: SCM = GitHub, Binary Repo = Artifactory. Legend: black text = capabilities, purple text = available, green text = planned, blue text = interfacing systems, dashed line = SW Factory scope.]

Page 82

Software Factory – Phase 2
Objective: Set up cost-effective common engineering tools & services to deliver at high speed and quality at scale

• P2M interlock

• Performance Testing

• Code Signing

• Collaboration – Wiki

[Diagram: Phase 2 tool landscape over the IT4IT value streams Plan (S2P), Build (R2D), D2C and R2F. Capabilities shown: Portfolio/P2M, Test, SaaS Service, Service Support, Build Factory, Design, Release Mgmt., Product Portfolio, Value Stream Governance & Management, E2E Life Cycle Management, E2E Release Measurements, Service Portal, Defect Mgmt., Requirement Mgmt., Project Mgmt., Test Mgmt., Security Testing (Dynamic and Static), Performance Testing (Testing as a Service), CLIP (Help Desk & Problem/Incident Management), Service Monitoring (Predictive Monitoring), Hybrid Infrastructure, Service Catalog, Collaboration (Wiki), Reports & KPIs, Code Signing (Aujas). Tools: SCM = GitHub, Binary Repo = Artifactory. Legend: black text = capabilities, purple text = available, green text = planned, blue text = interfacing systems, dashed line = SW Factory scope.]

Page 83

Software Factory – Phase 3
Objective: Set up cost-effective common engineering tools & services to deliver at high speed and quality at scale

• Service Portal / Catalog

• Reports / KPIs

• ChatOps

• Hybrid Infrastructure

[Diagram: Phase 3 tool landscape over the IT4IT value streams Plan (S2P), Build (R2D), D2C and R2F. Capabilities shown: ALM, Portfolio/P2M, Test, SaaS Service, Service Support, Build Factory, Design, Release Mgmt., Product Portfolio, Value Stream Governance & Management, E2E Life Cycle Management, E2E Measurements, Hybrid Cloud Management, Service Portal, Defect Mgmt., Requirement Mgmt., Project Mgmt., Test Mgmt., Security Testing (Dynamic and Static), Performance Testing (Testing as a Service), CLIP (Help Desk & Problem/Incident Management), Service Monitoring (Predictive Monitoring), Hybrid Infrastructure (HCM), Service Catalog, Collaboration (Wiki, MS Teams), Reports & KPIs (Tableau/Vertica), Code Signing (Aujas), Security Governance. Tools: SCM = GitHub, Binary Repo = Artifactory. Legend: black text = capabilities, purple text = available, green text = planned, blue text = interfacing systems, dashed line = SW Factory scope.]

Page 84

Security in Engineering Lifecycle Solution

[Diagram: Software Security Scanning Center. Repositories (GitHub, Artifactory, Dockerhub, …) are integrated with a set of scanners (IDE-specific scanner, OWASP Dependency Checker, web content scanning, static code analysis, repo scanners, container scanner, image scanner); their findings flow into the DevOps end-to-end toolchain. Capabilities of the center: Sec Tools Integration, Simple Service Consumption, Apply Sec Policy, Risks Normalized View, Sec Analytics, Knowledge Sharing, Precision Guided Alerts.]

Page 85

Success Metrics: continuing to improve over time

• It is quite possible that we are the world's largest global SAFe implementation

• Our standardized tool chain is now in use across all our 500+ global teams, and the architecture is delivering value for customers as well

• We are the largest worldwide customer of our own products, with an average of 10 million lines scanned per day, and have automated performance and functional testing

• 6 scanners in use, ~20,000 true findings and a 70% false-positive accuracy

• 2,000+ change requests and 2,000+ hot fixes delivered annually

• Goals of teams and the organizations are linked to the overall goals of the end-to-end DevSecOps value chain

• Consistent enterprise performance metrics and analytics have enabled us to find and resolve issues, improving quality and security and speeding up our innovation cycle.

Page 86

Lessons Learned: driving adoption with standards is all about providing value first

1. Automation across tools is essential for SAFe and DevSecOps to be efficient

2. IT4IT provides a best-practice tools architecture, including functionality and data flows, to guide and prescribe how to integrate and automate the tool chain

3. Successful adoption of an enterprise solution requires focusing on providing value, not enforcement and compliance

4. As we learned to implement SAFe at scale, we began to worry less about some tools (e.g. the IDE). As long as developers check in source to Git and follow their pipeline tasks in the Kanban, things work well.

5. Agile frameworks other than SAFe are OK; the tool chain still works very well. The real value is unifying reporting, metrics and portfolio management

Page 87

Lessons Learned for Security & Testing Automation
Security is not an island and must be centralized and automated to improve the velocity of innovation

• Agile – integration to build systems, quality management solution, AGM tools, DevOps tools and service layers

• Scalability – Make sure the solution is scalable to the size of your organization

• One-stop shop – Keep all scanners in one place

• Efficiency – Plan for major reductions to the cost to run security test automation throughout the Engineering Lifecycle

• Leverage smart analytics to reduce the number of false positives

• Must establish a supporting governance structure to monitor adoption and stop vulnerable code from going to production

• Consistent risk determination requires an enterprise risk management framework (NIST RMF for example)
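The scanning-center flow on page 84 (scanners, findings, normalized risk view, apply security policy) and the governance point above (stop vulnerable code from going to production) can be made concrete with a small pipeline gate. This is an added example, not code from the presentation or from any of the products it names; the scanner schemas, severity bands and sample findings are constructed, and the CVE ids are placeholders.

```python
# Added example (not from the slides): scanners -> findings -> normalized risk view
# -> policy gate. Scanner schemas and sample data are constructed, not real tool output.
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

@dataclass(frozen=True)
class Finding:
    scanner: str    # scanner family that reported it
    rule: str       # checker id or vulnerability id
    location: str   # file:line or package coordinates
    severity: str   # normalized lowercase key of SEVERITY_RANK

def from_sast(raw):
    """Constructed SAST schema: checker/file/line plus a severity label."""
    return Finding("sast", raw["checker"], f'{raw["file"]}:{raw["line"]}', raw["severity"].lower())

def from_dep_checker(raw):
    """Constructed dependency-checker schema: CVSS score mapped to a band (bands assumed)."""
    cvss = raw["cvss"]
    band = "critical" if cvss >= 9.0 else "high" if cvss >= 7.0 else "medium" if cvss >= 4.0 else "low"
    return Finding("dependency", raw["id"], raw["package"], band)

def normalize(sast_results, dep_results, suppressed):
    """Normalized view: one entry per (rule, location), highest severity wins, triaged false positives dropped."""
    view = {}
    for f in [from_sast(r) for r in sast_results] + [from_dep_checker(r) for r in dep_results]:
        key = (f.rule, f.location)
        if key in suppressed:
            continue
        if key not in view or SEVERITY_RANK[f.severity] > SEVERITY_RANK[view[key].severity]:
            view[key] = f
    return sorted(view.values(), key=lambda f: SEVERITY_RANK[f.severity], reverse=True)

def gate(findings, block_at="high"):
    """Policy: block the release if any finding is at or above block_at."""
    blocking = [f for f in findings if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[block_at]]
    return len(blocking) == 0, blocking

# Constructed sample output; the CVE ids are placeholders, not real identifiers.
SAST_SAMPLE = [
    {"checker": "SQL_INJECTION", "file": "app/db.py", "line": 42, "severity": "High"},
    {"checker": "SQL_INJECTION", "file": "app/db.py", "line": 42, "severity": "Medium"},
    {"checker": "HARDCODED_SECRET", "file": "app/config.py", "line": 7, "severity": "Medium"},
]
DEP_SAMPLE = [
    {"id": "CVE-PLACEHOLDER-1", "package": "example-lib@1.2.3", "cvss": 9.8},
    {"id": "CVE-PLACEHOLDER-2", "package": "other-lib@0.9.0", "cvss": 3.1},
]
SUPPRESSED = {("HARDCODED_SECRET", "app/config.py:7")}  # triaged as a false positive
```

Running `gate(normalize(SAST_SAMPLE, DEP_SAMPLE, SUPPRESSED))` blocks the release on the critical dependency finding and the high SAST finding, while the suppressed secret finding never reaches the gate.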

Page 88

Software Factory live on quarterly release cycles

Page 89

Summary of learnings …

• Technology is easy – Change is about people, mindsets and willingness to learn …

• Stay with it – Create a vision and an enduring strategy end to end …

• Spearhead the change – Leverage centers of excellence …

• Measure outcomes – Find the right partners (internal and external) …

• Fail fast – Deliver solutions and iterate as frequently as possible …

• Make bets – Have the courage to go against the grain …

• Celebrate success – You can never over-communicate …

Page 90

October 8, 2019

Any Questions?