Page 1
How trends in IT force Security to behave as an Immune System
RED TEAM, BLUE TEAM OR WHITE CELLS?
This work is licensed under a Creative Commons
Attribution-ShareAlike 4.0 International License.
Image: Yersinia pestis (bubonic plague) a CC NC ND image by Philip Moyer -
https://www.flickr.com/photos/59039691@N00/2539168777/
Page 2
Frank Breedijk
• Security Officer at Schuberg Philis
• (Official) Security dude since 2000
• Author of Seccubus
Coordinates:
• https://www.linkedin.com/in/seccubus
• @Seccubus on Twitter
• [email protected]
WHO AM I?
Page 3
Barriers – First line of defense
• Skin
• Stomach acid
• Acidic oil on skin
Sort of our firewalls, IPS, Anti-virus
IMMUNE SYSTEM 101 – NONSPECIFIC
Image: boom barrier a CC NC SA image by miez!
https://www.flickr.com/photos/41449558@N06/6941463985/
Page 4
Hard shell, soft center…
OLD STYLE SECURITY APPROACH
Image: Egg with glowing eyes a CC NC SA image by Keith Marshall
https://www.flickr.com/photos/69877992@N00/304559359/
Page 5
THE EGG HAS HATCHED…
SaaS
PaaS
Page 6
The ugly truth has been revealed
We still suck at making good eggshells…
THE EGG HAS HATCHED
Image: P1010649 a CC SA image by Rick Kimpel
https://www.flickr.com/photos/18606128@N00/201198827/ Image: @akaasjager’s top by Frank Breedijk
Page 7
No matter how well you secure an infrastructure, there is always somebody who can break into it.
JOIN THE RED TEAM, WE HAVE COOKIES…
Image: http://devopsreactions.tumblr.com/post/49168088989/backup-and-dr-testing
Page 8
Humans are not wrapped in bubble wrap (mostly)
Humans ingest parts of their environment
Humans interact in funny ways
While we do get sick, we don’t die often…
THE IMMUNE SYSTEM IS AWESOME!
Image: Bubble mummy a CC NC SA image by Katie Laird
https://www.flickr.com/photos/48889057845@N01/8583055777/
Page 9
Not just barriers
Inflammation
• Getting materials where they need to be
• Making life a bit harder for the attacker
Phagocytes
• Know what a bacterium/virus looks like
• Eat it
Comparable to incident response…
IMMUNE SYSTEM 101 – NONSPECIFIC
Video source: https://www.youtube.com/watch?v=aWItglvTiLc
Mist, schon Vormittags Brand! a CC NC SA image by André
https://www.flickr.com/photos/30982194@N05/3700447633/
Page 10
When a white cell eats an antigen it presents the antigen’s receptor on its outside
The immune system (the T and B lymphocytes) creates antibodies and effector T-cells
Antibodies fit the antigen receptors and kill antigens
Effector T-cells kill infected body cells
Antibodies make you immune
IMMUNE SYSTEM 102 – SPECIFIC / ADAPTIVE
Page 11
Preferably before they can do harm
ANTIBODIES KILL ANTIGENS
A CC NC SA image by Alex
https://www.flickr.com/photos/95222260@N00/5190067591/
Page 12
The body has several feedback loops like this
Fast
• Pain, bad taste
• ‘Must not continue’
• ‘Must not do that again’
Moderate
• Generation of antibodies
Slow
• Evolutionary
• ‘Survival isn’t mandatory’
FEEDBACK LOOPS
Image: Lightning Loop a CC image by Dakota Ray
https://www.flickr.com/photos/54782241@N05/5855339649/
Page 13
Sometimes the body cannot create enough antibodies
Sometimes it cannot do it fast enough
A treatment with antibiotics will help
Antibiotics just kill any bacteria
Good bacteria suffer as well
ANTIBIOTICS
Image: Radioactive Injection a CC NC SA image by Taran Rampersad
https://www.flickr.com/photos/35468158048@N01/2102121338/
Page 14
Firewalls
• What is not exposed cannot be attacked
Web Application Firewall
• OWASP Common Rule Set
Intrusion Prevention Systems
Minimize your exposure
Keep out people that are clearly up to no good
INFOSEC IMMUNITY – NONSPECIFIC IMMUNITY – BARRIERS
Source: http://devopsreactions.tumblr.com/post/46061575774/surviving-a-ddos-attack
Page 15
Current feedback loops are too slow
• Developer writes/tests code on own laptop
• Developer checks in code
• Code gets picked up by build system
• Is (maybe) unit tested
• Is manually tested for functionality
• Many changes are accumulated in a release
• Release is deployed in acceptance
• Pentest is conducted on acceptance
• Issues are discovered
The shorter the feedback loop, the greater the learning effect
INFOSEC IMMUNITY – FAST FEEDBACK LOOP
Source: http://www.gifbay.com/gif/description-141598
Page 16
Integrate security tools into your build street
Plenty of code quality tools out there:
• Commercial: HP, IBM, Veracode, WhiteHat Security, Qualys, Checkmarx, Trustwave, Apptherity, Contrast Security, Pradco, Acunetix, N-Stalker, Virtual Forge, Trend Micro, Burp Suite
• Open Source: Skipfish, Nikto, ZAP, Seccubus, Gauntlt
Include checking for vulnerable sub-components
INFOSEC IMMUNITY – FASTER FEEDBACK LOOPS
Page 17
Train developers
• Good patterns prevent injuries
• Teaches developers to spot potential security issues early
Do (peer) code review
• Don’t commit directly, use pull requests
Include security in your scrum
• Standups
• Sprint planning
• Backlog grooming
• Acceptance by product owner
INFOSEC IMMUNITY – LEARN FROM OTHERS
Source: http://devopsreactions.tumblr.com/post/48511362536/i-dont-need-to-test-that-what-can-possibly-go-wrong
Page 18
Having Security review all changes simply doesn’t scale
PEER REVIEW IS KEY
Source: http://securityreactions.tumblr.com/post/67562914945/java-source-code-review
Page 19
Learn from the failures of others
• Including ‘Darwin Award winners’
Learn from good examples
• Share your successes
INFOSEC IMMUNITY – FAST FEEDBACK LOOP
Source: http://testerreactions.tumblr.com/post/50489315537/new-implementation-first-verification
Page 20
Heartbleed affected 2/3 of all SSL servers
A small mistake implementing a ping
“We can’t even add Ping, how the heck are we going to fix everything else?” – Dan Kaminsky
Vulnerability introduced in code in December 2011
Vulnerability in production code since March 2012
Publicly known in August 2014
INFOSEC IMMUNITY – NONSPECIFIC IMMUNITY – INFLAMMATION
Page 21
Finding and fixing incidents
But, also representing these incidents to the feedback loops
INFOSEC IMMUNITY – NONSPECIFIC IMMUNITY – PHAGOCYTES
Source: http://securityreactions.tumblr.com/post/59198452899/crypto-implementation-in-whistle-im
Page 22
Feed back security findings
Feed back as WAF signatures
• Antibodies / band-aid
Feed back as unit tests
• Antibodies
• Shortens feedback loop to developers
Feed back all lessons learned
• Learn from those that have had (major) incidents
INFOSEC IMMUNITY – FASTER FEEDBACK LOOPS
Image: TV Vortex a CC image by Alexis O’Connor
https://www.flickr.com/photos/10088577@N00/707845930/
Page 23
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Volex - Possible CVE-2014-6271 bash Vulnerability Requested (header)"; flow:established,to_server; content:"() {"; http_header; threshold:type limit, track by_src, count 1, seconds 120; sid:2014092401;)
Page 24
Of course it is not a permanent solution
But, it makes life a little bit harder for the attacker
It buys your system some time to come up with a fix
WAF SIGNATURES FOR VULNERABILITIES
Bleeding Kitty a CC image by Daniel Lobo
https://www.flickr.com/photos/62518311@N00/13900006125/
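The rule on the previous slide matches the literal "() {" anywhere in the HTTP request headers and, through its threshold clause, reports a given source at most once per 120 seconds. The following Python is an added example, not code from the deck, that re-implements exactly that matching and per-source limiting over a few constructed requests (RFC 5737 documentation addresses), so the signature's behaviour can be inspected and unit tested: the request body is ignored, as the http_header modifier demands, and repeat hits from the same source inside the window are suppressed.

```python
"""Matching and thresholding logic of the CVE-2014-6271 rule on the slide, as a
plain Python detector: fire when any HTTP request header contains "() {", and
report at most one alert per source IP per 120 seconds (threshold type limit,
track by_src, count 1). Added example; the traffic below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PATTERN = b"() {"         # content:"() {"; http_header;
LIMIT_SECONDS = 120       # threshold:type limit, track by_src, count 1, seconds 120
SID = 2014092401          # sid from the rule on the slide


@dataclass
class Request:
    src_ip: str
    ts: float    # arrival time, epoch seconds
    raw: bytes   # request line + headers (+ optional body), CRLF-separated


def matching_header(raw: bytes) -> Optional[str]:
    """Return the name of the first request header whose value contains PATTERN.

    Only the header block is inspected (the rule's http_header modifier), so the
    request line and any body are deliberately ignored."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:            # [0] is the request line
        name, sep, value = line.partition(b":")
        if sep and PATTERN in value:
            return name.decode("latin-1").strip()
    return None


@dataclass
class Detector:
    """Per-source rate limit: remembers when each source last produced an alert."""
    last_alert: Dict[str, float] = field(default_factory=dict)

    def inspect(self, req: Request) -> Optional[Tuple[int, str, str]]:
        header = matching_header(req.raw)
        if header is None:
            return None
        last = self.last_alert.get(req.src_ip)
        if last is not None and req.ts - last < LIMIT_SECONDS:
            return None                              # suppressed: inside the 120 s window
        self.last_alert[req.src_ip] = req.ts
        return (SID, req.src_ip, header)


def run_detector(requests: List[Request]) -> List[Tuple[int, str, str]]:
    """Feed requests through one Detector and collect the alerts it raises."""
    det = Detector()
    return [a for a in (det.inspect(r) for r in requests) if a is not None]


def _http(*header_lines: bytes, body: bytes = b"") -> bytes:
    """Assemble a minimal GET request from header lines and an optional body."""
    return b"GET /cgi-bin/status HTTP/1.1\r\n" + b"\r\n".join(header_lines) + b"\r\n\r\n" + body


# Constructed sample traffic (not captured data); the marker strings are harmless echoes.
SAMPLE_TRAFFIC = [
    Request("203.0.113.7", 1000.0, _http(b"Host: www.example.test", b"User-Agent: () { x; }; echo sample")),
    Request("203.0.113.7", 1030.0, _http(b"Host: www.example.test", b"Referer: () { x; }; echo sample")),
    Request("198.51.100.9", 1040.0, _http(b"Host: www.example.test", b"User-Agent: Mozilla/5.0 (X11; Linux)")),
    Request("198.51.100.9", 1050.0, _http(b"Host: www.example.test", body=b"comment=() { not a header }")),
    Request("203.0.113.7", 1200.0, _http(b"Host: www.example.test", b"Accept-Language: () { x; }; echo sample")),
    Request("198.51.100.9", 1210.0, _http(b"Host: www.example.test", b"X-Probe: () { x; }; echo sample")),
]

if __name__ == "__main__":
    for alert in run_detector(SAMPLE_TRAFFIC):
        print("ALERT sid=%d src=%s header=%s" % alert)
```

Of the six requests only three produce alerts: the second hit from 203.0.113.7 is thirty seconds after the first and is swallowed by the threshold, the request that carries the pattern only in its body never matches, and the hit at 1200 s is outside the window and fires again. That silence inside the window is the caveat a defender should keep in mind when reading such a rule's alert counts as an indicator of attack volume.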
Page 25
If a security issue has been discovered
Or, if you are building a sensitive function
Make sure you write a security unit test
EXAMPLE 1
FEED BACK SECURITY UNIT TESTS
Page 27
If a security issue has been discovered
Or, if you are building a sensitive function
Make sure you write a security unit test
EXAMPLE 2
FEED BACK SECURITY UNIT TESTS
Page 28
# Django/tastypie API test from the author's code base. ResourceTestCaseWithHelpers,
# models, TeamGroupPermission and settings are project-specific imports not shown on the slide.
class ApiRbacTest(ResourceTestCaseWithHelpers):
    fixtures = (
        'auth_user',
        'team',
    )

    def test_candidate_resource(self):
        bundle = self.create_bundle_for_resource_test(models.Candidate)

        def test_list_endpoints(url):
            # As an anonymous user: no team permissions at all, not logged in.
            TeamGroupPermission.objects.all().delete()
            self.logout()

            self.assertHttpUnauthorized(self.api_client.get(url))
            self.assertHttpUnauthorized(self.api_client.put(url))
            self.assertHttpUnauthorized(self.api_client.post(url))
            self.assertHttpUnauthorized(self.api_client.patch(url, data=bundle.data_list))
            self.assertHttpUnauthorized(self.api_client.delete(url))

            # As a user with read-only permissions: GET works, every write is refused.
            self.add_permission_for_user('admin', 'comp_sbp', settings.PERMISSIONS.SHOW_ATS)
            self.logout()
            self.login('admin', 'admin')

            self.assertHttpOK(self.api_client.get(url))
            self.assertHttpUnauthorized(self.api_client.put(url, data=bundle.data_list))
            self.assertHttpUnauthorized(self.api_client.post(url, data=bundle.data_detail))
            self.assertHttpUnauthorized(self.api_client.patch(url, data=bundle.data_list))
            self.assertHttpUnauthorized(self.api_client.delete(url))

            # As a user with read-write permissions.
            self.add_permission_for_user('admin', 'comp_sbp', settings.PERMISSIONS.EDIT_ATS)
Page 29
If a security issue has been discovered
Or, if you are building a sensitive function
Make sure you write a security unit test
EXAMPLE 3
FEED BACK SECURITY UNIT TESTS
Page 32
The negative space is just as interesting
DON’T JUST TEST THE HAPPY FLOW
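The ApiRbacTest on the earlier slide walks one endpoint through three roles (anonymous, read-only, read-write); the slide above adds that the negative space matters as much. The following is an added example, not from the deck, that does both against a constructed stand-in for the resource: the permission names SHOW_ATS and EDIT_ATS, the team 'comp_sbp' and the user 'admin' are taken from the slide, while PermissionStore and authorize() are invented here so the test runs stand-alone. Unlike the tastypie defaults shown on the slide, the stand-in answers 401 to anonymous callers and 403 to authenticated callers that lack the permission, so the two failure modes are tested separately.

```python
"""Security unit test in the spirit of the slide's ApiRbacTest, including the
negative space: permissions granted on another team, revoked permissions and
unsupported methods must all stay refused. Added example; PermissionStore and
authorize() are a constructed stand-in for the Django/tastypie resource."""
import io
import unittest
from typing import Dict, Optional, Set, Tuple

SHOW_ATS = "show_ats"    # read-only permission (settings.PERMISSIONS.SHOW_ATS on the slide)
EDIT_ATS = "edit_ats"    # read-write permission (settings.PERMISSIONS.EDIT_ATS on the slide)

READ_METHODS = {"GET"}
WRITE_METHODS = {"PUT", "POST", "PATCH", "DELETE"}
ALL_METHODS = READ_METHODS | WRITE_METHODS


class PermissionStore:
    """Stand-in for TeamGroupPermission: (user, team) -> granted permission names."""

    def __init__(self) -> None:
        self._grants: Dict[Tuple[str, str], Set[str]] = {}

    def grant(self, user: str, team: str, perm: str) -> None:
        self._grants.setdefault((user, team), set()).add(perm)

    def revoke_all(self) -> None:
        self._grants.clear()

    def has(self, user: str, team: str, perm: str) -> bool:
        return perm in self._grants.get((user, team), set())


def authorize(store: PermissionStore, user: Optional[str], team: str, method: str) -> int:
    """HTTP status the resource should answer with. Deny by default: 401 for
    anonymous callers, 403 for authenticated callers lacking the permission,
    405 for methods the resource does not expose."""
    if user is None:
        return 401
    if method in WRITE_METHODS:
        return 200 if store.has(user, team, EDIT_ATS) else 403
    if method in READ_METHODS:
        can_read = store.has(user, team, SHOW_ATS) or store.has(user, team, EDIT_ATS)
        return 200 if can_read else 403
    return 405


class ApiRbacTest(unittest.TestCase):
    TEAM = "comp_sbp"

    def setUp(self) -> None:
        self.store = PermissionStore()

    # Happy flow, mirroring the three roles on the slide.
    def test_anonymous_is_refused_everything(self):
        for method in ALL_METHODS:
            self.assertEqual(authorize(self.store, None, self.TEAM, method), 401, method)

    def test_read_only_user_can_only_read(self):
        self.store.grant("admin", self.TEAM, SHOW_ATS)
        self.assertEqual(authorize(self.store, "admin", self.TEAM, "GET"), 200)
        for method in WRITE_METHODS:
            self.assertEqual(authorize(self.store, "admin", self.TEAM, method), 403, method)

    def test_read_write_user_can_do_everything(self):
        self.store.grant("admin", self.TEAM, EDIT_ATS)
        for method in ALL_METHODS:
            self.assertEqual(authorize(self.store, "admin", self.TEAM, method), 200, method)

    # Negative space: things that must stay refused.
    def test_permission_on_another_team_does_not_carry_over(self):
        self.store.grant("admin", "other_team", EDIT_ATS)
        for method in ALL_METHODS:
            self.assertEqual(authorize(self.store, "admin", self.TEAM, method), 403, method)

    def test_revocation_is_effective_immediately(self):
        self.store.grant("admin", self.TEAM, EDIT_ATS)
        self.assertEqual(authorize(self.store, "admin", self.TEAM, "DELETE"), 200)
        self.store.revoke_all()
        self.assertEqual(authorize(self.store, "admin", self.TEAM, "DELETE"), 403)

    def test_unknown_method_is_not_silently_allowed(self):
        self.store.grant("admin", self.TEAM, EDIT_ATS)
        self.assertEqual(authorize(self.store, "admin", self.TEAM, "TRACE"), 405)


def run_security_tests() -> Tuple[int, int]:
    """Run ApiRbacTest and return (tests run, failures + errors); (6, 0) when all pass."""
    suite = unittest.defaultTestLoader.loadTestsFromTestCase(ApiRbacTest)
    result = unittest.TextTestRunner(stream=io.StringIO(), verbosity=0).run(suite)
    return result.testsRun, len(result.failures) + len(result.errors)


if __name__ == "__main__":
    unittest.main()
```

The three negative-space tests are the ones that pay off later: a refactor that looks up permissions by user only, forgets to consult revocations, or falls through to "allow" for an unexpected method breaks a test instead of shipping, which is exactly the short feedback loop the deck argues for.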
Page 33
Sometimes you just have to say NO.
INFOSEC IMMUNITY – ANTIBIOTICS
Page 34
Sometimes you just have to say NO.
INFOSEC IMMUNITY – ANTIBIOTICS
Page 35
So parts of your code really need to be protected
CROWN JEWELS
Crown of King Christian IV a CC NC ND image by Ville Misaki
https://www.flickr.com/photos/75595126@N00/7432041286/
Page 36
INFOSEC IMMUNITY – SIGNATURES ON CRITICAL CODE
New/changed code is checked in
Critical code does NOT match signature
Build fails → Security team reviews critical code and signs it → Build ok!
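The flow on this slide, as an added example that is not the deck's own tooling: the security team signs a manifest of hashes of the files it has reviewed, and the build verifies that manifest before it may pass. The repository is an in-memory dict constructed here, and the "signature" is an HMAC-SHA256 over the canonical manifest under a placeholder key, standing in for a real asymmetric signature by the security team's private key. Everything else (the file names, the manifest layout, the function names) is invented for the example.

```python
"""Signature gate on critical code: reviewed files are hashed into a manifest
that the security team signs; the build refuses to pass when the manifest is
not authentic or a critical file no longer matches it. Added example with a
constructed in-memory repository; HMAC with a placeholder key stands in for a
real signature by the security team's key pair."""
import hashlib
import hmac
import json
from typing import Dict, Iterable, Tuple

SECURITY_TEAM_KEY = b"placeholder-security-team-key"  # placeholder; a real setup uses a key pair


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(hashes: Dict[str, str]) -> bytes:
    # Deterministic serialization so the same set of hashes always signs the same bytes.
    return json.dumps(hashes, sort_keys=True, separators=(",", ":")).encode()


def sign_critical_code(repo: Dict[str, bytes], critical_paths: Iterable[str], key: bytes) -> Dict:
    """Security-team step: hash every critical file and sign the set of hashes."""
    hashes = {path: _digest(repo[path]) for path in sorted(critical_paths)}
    return {"hashes": hashes, "signature": hmac.new(key, _canonical(hashes), hashlib.sha256).hexdigest()}


def verify_critical_code(repo: Dict[str, bytes], manifest: Dict, key: bytes) -> Tuple[bool, str]:
    """Build step: pass only if the manifest is authentic and every critical file still matches it."""
    expected = hmac.new(key, _canonical(manifest["hashes"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["signature"]):
        return False, "build fails: manifest signature invalid"
    for path, digest in manifest["hashes"].items():
        if path not in repo:
            return False, f"build fails: critical file missing: {path}"
        if not hmac.compare_digest(_digest(repo[path]), digest):
            return False, f"build fails: critical code changed without review: {path}"
    return True, "build ok"


# Constructed repository contents; only the two auth files are "crown jewels".
REPO = {
    "auth/login.py": b"def login(user, pw): return check_password(user, pw)\n",
    "auth/session.py": b"SESSION_TTL = 3600\n",
    "ui/banner.py": b"BANNER = 'welcome'\n",
}
CRITICAL = ["auth/login.py", "auth/session.py"]


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the cases from the slide's flow and return each build outcome."""
    manifest = sign_critical_code(REPO, CRITICAL, SECURITY_TEAM_KEY)
    as_signed = verify_critical_code(REPO, manifest, SECURITY_TEAM_KEY)

    # A change outside the critical set needs no new signature.
    ui_change = {**REPO, "ui/banner.py": b"BANNER = 'hello'\n"}
    non_critical = verify_critical_code(ui_change, manifest, SECURITY_TEAM_KEY)

    # A change to critical code without a fresh signature fails the build.
    auth_change = {**REPO, "auth/login.py": b"def login(user, pw): return True\n"}
    unreviewed = verify_critical_code(auth_change, manifest, SECURITY_TEAM_KEY)

    # Editing the manifest's hashes without re-signing is caught by the signature check.
    forged = {"hashes": {**manifest["hashes"], "auth/login.py": _digest(auth_change["auth/login.py"])},
              "signature": manifest["signature"]}
    forged_manifest = verify_critical_code(auth_change, forged, SECURITY_TEAM_KEY)

    return {"as_signed": as_signed, "non_critical_change": non_critical,
            "unreviewed_critical_change": unreviewed, "forged_manifest": forged_manifest}


if __name__ == "__main__":
    for case, (passed, reason) in demo().items():
        print(f"{case:28s} {'OK  ' if passed else 'FAIL'} {reason}")
```

Because HMAC is symmetric, anyone who can verify can also sign; in a real build street the security team signs with a private key and the build holds only the public key, so a developer cannot "review" their own change to the crown jewels. The properties the slide asks for are unchanged either way: ordinary code flows through untouched, critical code that drifts from the signed manifest fails the build, and a doctored manifest fails too.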
Page 37
Life (in Infosec) is full of little surprises
Attacks only get better, they never get worse
DON’T EXPECT TO BE PERFECT
Source: http://imgur.com/c9pCa18
Page 38
The days of InfoSec Island/Castle have ended
If you didn’t realize this, don’t worry: “Survival isn’t mandatory”
Security needs to align to the tools used by developers
Acting as immune system means
• Helping stop blatantly offensive elements
• Providing early feedback
• Cleaning up infections
• Helping build resistance against new vulnerabilities
• Providing a shot of antibiotics if needed
SUMMARY
Image: Fortress Lérins a CC SA image by Mark Fischer
https://www.flickr.com/photos/80854685@N08/8730781472/
Page 39
SECURITY IS PART OF ALL THE WAYS OF DEVOPS
System thinking
• Code not in production isn’t code
• Code that isn’t secure isn’t code
Stop treating security as a silo…
Image: 2010 a CC NC ND image by Annais Ferreira,
http://www.flickr.com/photos/79083322@N00/4453826217/
Page 40
ALLOW SECURITY TO PROVIDE A STRONG FEEDBACK SIGNAL
The shorter the feedback loops are, the better the learning effect
• Automated security testing
• Unit tests for security
• Signed code
• Allow security to pull the Andon cord
• Have Nagios tests for security?
Page 41
ALLOW FOR EXPERIMENTATION???
DevOps is THE chance
for security to finally get it right
Image: Rainbolt a CC NC ND image by Brian Auer,
http://www.flickr.com/photos/29814800@N00/1480408255/
Page 42
Doctor Jack
• Registered EDP auditor
• Licensed MD
• Good friend
• ‘Dirty mind is a joy forever…’
THANK YOU…
Page 43
Frank Breedijk
• Security Officer at Schuberg Philis
• (Official) Security dude since 2000
• Author of Seccubus
Coordinates:
• https://www.linkedin.com/in/seccubus
• @Seccubus on Twitter
• [email protected]
WHO AM I?