Security is too hard. It is time for automation!

A presentation at DevOpsDays Bogotá (Bogotá, Colombia) in September 2020 by Sasha Czarkowski (Rosenbaum)

Slide 1

Slide 2

Security is too hard. It’s time for automation! (Sasha Rosenbaum, @DivineOps)

Slide 3

DevOps Architect, Product Manager. Microsoft => GitHub. @DivineOps

Slide 4

And you?

Slide 5

State of security today

Slide 6

Slide 7

More code = more problems. (Source: GitHub Data Science team analysis)

Slide 8

Insecure code causes breaches: 53% of breaches are caused by weaknesses in applications. (Source: 2019 Data Breach Investigations Report, Verizon)

Slide 9

The earlier we remediate, the better!
Remediation cost by SDLC stage (Develop, Build, Test, Deploy, Breach):
• Development: $80
• Build: $240
• Test/QA: $960
• Production: $7,600
• Breach: $ Millions
Sources: NIST, Ponemon Institute

Slide 10

Security researchers are outnumbered! (Sources: NIST, Ponemon Institute)

Slide 11

Assume Breach. There are two types of companies: those that have been hacked, and those that don’t know they have been hacked.

Slide 12

Slide 13

Slide 14

The Two Widest Back Doors
• Credential Theft
• Exploiting Known Vulnerabilities

Slide 15

Attackers have changed their playbook… How do breaches occur?
• 46% of compromised systems had no malware on them
• 100% of victims have up-to-date anti-virus signatures
• 67% of victims were notified by an external entity
• 33% of victims discovered the breach internally
(Source: Mandiant 2014 Threat Report)
• 99% of the exploited vulnerabilities were compromised more than a year after the CVE was published.
• 23% of recipients open phishing messages (11% click on attachments).
• Nearly 50% open emails and click on phishing links within the first hour.

Slide 16

Phishing
• Total population of 524 people.
• 220 people clicked on the signup button.
• 37 people clicked on both phishing emails.
• Only 11 people (2%) reported it as a probable phish!

Slide 17

Employee awareness training is not very effective in preventing phishing attacks.

Slide 18

Slide 19

Email protection

Slide 20

Securing the software supply chain

Slide 21

How much do you rely on open source?

Slide 22

Open source software in the Enterprise
• 99% of organizations make extensive use of open source.
• 90% of new application development leverages open source software.
(Chart: New Application Code split into New Code, Inner Source and Open Source.)
Source: Forrester Wave Software Composition Analysis 2017

Slide 23

Slide 24

Slide 25

99% of the exploited vulnerabilities were compromised more than a year after the CVE was published.

Slide 26

Slide 27

90 percent of active applications use libraries with a known CVE; 30 percent used a library with a critical CVE. Patching a critical CVE took an average of 34 days. (Source: TCell Security Report, 2018)

Slide 28

Automatically upgrade vulnerable dependencies

Slide 29

Slide 30

Dependabot increases the resolve rate and the speed of resolution.

Slide 31

Package Management
• OSS dependencies are scanned for vulnerabilities and kept up to date
• Build artifacts are managed
• Binary artifacts are accessed via a trusted feed and scanned for vulnerabilities
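The "automatically upgrade vulnerable dependencies" and "Package Management" slides describe a loop: scan declared open source dependencies against an advisory feed, then raise the vulnerable pins to the first unaffected release and open a pull request. The block below is an added example written for this page, not Dependabot's or any GitHub tooling's code. The manifest, the advisory table and the advisory ids are constructed sample data, not real packages or CVEs; it also flags range specs, since without a lockfile a `>=` requirement does not say which release is actually installed.

```python
"""Dependency audit against an advisory feed, with proposed upgrade pins.

Added example for this deck (not Dependabot's or any GitHub tooling's code).
The manifest and the advisory table are constructed sample data; the
advisory ids are placeholders, not real CVEs.
"""
import re
from typing import NamedTuple

# Constructed requirements.txt-style manifest (sample input).
SAMPLE_MANIFEST = """\
# application dependencies (constructed sample)
webframework==2.1.0
yamlparser==5.3.1
crypto-lib>=1.4
jsontool==3.0.2
"""


class Advisory(NamedTuple):
    package: str
    vulnerable_below: str  # every release below this version is affected
    severity: str
    advisory_id: str       # placeholder id, not a real CVE


# Constructed advisory feed (sample data).
SAMPLE_ADVISORIES = [
    Advisory("webframework", "2.2.0", "critical", "ADV-EXAMPLE-0001"),
    Advisory("yamlparser", "5.4.0", "high", "ADV-EXAMPLE-0002"),
    Advisory("crypto-lib", "1.5.0", "moderate", "ADV-EXAMPLE-0003"),
]

REQ_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|>|<)\s*([0-9][0-9.]*)$"
)


def parse_version(text: str) -> tuple:
    """'5.3.1' -> (5, 3, 1); tuple comparison gives the usual ordering."""
    return tuple(int(part) for part in text.split("."))


def parse_manifest(text: str) -> dict:
    """Map package name -> (operator, version); comments and blanks ignored."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = REQ_RE.match(line)
        if not match:
            raise ValueError(f"unparsed requirement: {line!r}")
        name, operator, version = match.groups()
        deps[name.lower()] = (operator, version)
    return deps


def audit(manifest_text: str, advisories) -> list:
    """Return one finding per advisory that touches a declared dependency."""
    deps = parse_manifest(manifest_text)
    findings = []
    for adv in advisories:
        declared = deps.get(adv.package.lower())
        if declared is None:
            continue
        operator, version = declared
        if operator != "==":
            # A range spec does not tell us which release is installed; only a
            # lockfile would. Report it so the team pins it.
            findings.append({"package": adv.package, "status": "unpinned",
                             "advisory": adv.advisory_id})
        elif parse_version(version) < parse_version(adv.vulnerable_below):
            findings.append({"package": adv.package, "status": "vulnerable",
                             "current": version, "upgrade_to": adv.vulnerable_below,
                             "severity": adv.severity, "advisory": adv.advisory_id})
    return findings


def propose_upgrades(manifest_text: str, advisories) -> str:
    """Return the manifest with vulnerable '==' pins raised to the first
    unaffected release: the content of an automated upgrade pull request."""
    fixes = {f["package"].lower(): f["upgrade_to"]
             for f in audit(manifest_text, advisories) if f["status"] == "vulnerable"}
    out = []
    for raw in manifest_text.splitlines():
        match = REQ_RE.match(raw.split("#", 1)[0].strip())
        if match and match.group(2) == "==" and match.group(1).lower() in fixes:
            out.append(f"{match.group(1)}=={fixes[match.group(1).lower()]}")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit(SAMPLE_MANIFEST, SAMPLE_ADVISORIES):
        print(finding)
    print(propose_upgrades(SAMPLE_MANIFEST, SAMPLE_ADVISORIES))
```

Running the audit a second time over the proposed manifest is the check that the upgrade PR actually closes the findings; the only thing left is the unpinned range, which no automated bump can resolve until the team pins or locks it.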

Slide 32

Securing your Code

Slide 33

Secret scanning

Slide 34

Code scanning

Slide 35

Slide 36

Code scanning can help!

Slide 37

Code scanning is still an aspiration.
(Chart: share of applications using static analysis, ~weekly vs. ~daily. Source: Veracode SOSS Vol. 10)

Slide 38

Code scanning is automated code review!

Slide 39

Code scanning

Slide 40

Automation is not everything

Slide 41

Slide 42

Why Threat Model?
A way to identify security issues during design.
Developers think about how a product works; attackers think about how to abuse a product.
Shift the mindset: think like an attacker.

Slide 43

Threat Model: Pull Request Bypass

Slide 44

War Games

Slide 45

“Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win” — John Lambert (MSTIC)

Slide 46

Security Mindset - Assume Breach
• Started with war games to learn attacks and practice response
  • Initially a double-blind test
  • Over time, eliminated the blue team
• Our defenders need to be our defenders
• Shifted left to prevent top risks
  • Credential theft
  • Secret leakage
  • OSS vulnerabilities

Slide 47

Slide 48

Example: Red Team Attack
Open File Share → Plaintext Test Credentials → Dev box with Test Account as Local Admin → Dev’s Credentials → Mimikatz Credential Dump

Slide 49

Another Source of Leak: Credentials in a File
What do plaintext credentials look like? Every team seems to experience this one at the beginning.
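The "Secret scanning" slide and the question above ("what do plaintext credentials look like?") are the two halves of the same control: secrets that land in a file have recognisable shapes, so a scanner in the pipeline can catch them before a red team or an attacker finds the file share. The block below is an added example written for this page, not GitHub secret scanning's implementation. It combines fixed formats of well-known token types (AWS access key ids begin with "AKIA", GitHub personal access tokens with "ghp_", PEM private keys with a BEGIN line) with an entropy heuristic for values assigned to secret-looking variable names, and redacts what it reports. The sample settings file is constructed, every token value in it is made up (the AWS id is the one AWS uses in its own documentation examples), and the entropy threshold is a tuning knob, not a standard.

```python
"""Plaintext-credential detector run over constructed config lines.

Added example for this deck; not GitHub secret scanning's implementation.
Every token value below is made up; the AWS id is AWS's documentation example.
"""
import math
import re

TOKEN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# name = value / name: value, where the name ends in a secret-like word.
ASSIGNMENT_RE = re.compile(
    r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^'\"\s#]{6,})"
)
ENTROPY_THRESHOLD = 3.0  # bits per character; a tuning knob, not a standard
PLACEHOLDER_WORDS = {"changeme", "example", "placeholder", "redacted"}

# Constructed sample: a settings file checked in by mistake.
SAMPLE_CONFIG = """\
# constructed sample settings file
db_host = db.internal.example
db_password = "hunter2"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
github_token: ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8
api_key = "Xk9mP2vQ7wL4nR8tY1zB"
session_secret = "${SESSION_SECRET}"
-----BEGIN RSA PRIVATE KEY-----
"""


def shannon_entropy(value: str) -> float:
    """Bits per character; random-looking tokens score high, words score low."""
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_placeholder(value: str) -> bool:
    """Template references and obvious dummies are not leaks."""
    return (value.startswith("${") or value.startswith("<")
            or value.lower() in PLACEHOLDER_WORDS)


def redact(value: str) -> str:
    """Never echo the full secret into the scanner's own output or logs."""
    return value[:4] + "..." if len(value) > 4 else "..."


def scan_line(line: str) -> list:
    """Return [(finding_type, raw_value)] for one line."""
    findings = [(name, m.group(0)) for name, pat in TOKEN_PATTERNS.items()
                for m in pat.finditer(line)]
    if findings:
        return findings  # a fixed format already identified it; skip the heuristic
    m = ASSIGNMENT_RE.search(line)
    if m:
        keyword, value = m.group(1).lower(), m.group(2)
        if not is_placeholder(value) and shannon_entropy(value) >= ENTROPY_THRESHOLD:
            findings.append(("high_entropy_" + keyword, value))
    return findings


def scan_text(text: str) -> list:
    """Return [{'line': n, 'type': ..., 'preview': redacted}] for the input."""
    results = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, value in scan_line(line):
            results.append({"line": lineno, "type": kind, "preview": redact(value)})
    return results


if __name__ == "__main__":
    for hit in scan_text(SAMPLE_CONFIG):
        print(hit)
```

Note what the sample deliberately shows: the fixed-format patterns are precise, the template reference is skipped, but the short dictionary password on line 3 scores below the entropy threshold and is missed. That is the standard caveat for generic secret scanning: it is strong on machine-generated tokens and weak on human-chosen passwords, so it complements, rather than replaces, keeping credentials out of files in the first place.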

Slide 50

Prove it!

Slide 51

Every time someone viewed the dashboard…

Slide 52

Protect Against Lateral Movement
• Assume layers before yours will be breached
• Never assume an internal service is unimportant
• Never assume a service is secure because it is internal

Slide 53

No Standing Permissions
• No standing access to production
• JIT (just in time) tokens only
• Secure Workstations only
• Infrastructure refresh
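One concrete shape for "no standing access, JIT tokens only": a request for production access is approved by a second person, a token valid for a few minutes and a single scope is minted, and every use checks signature, expiry and scope, so there is nothing long-lived for a credential dump to harvest. The block below is an added example written for this page; it is not Microsoft's or GitHub's JIT system. The signing key is a constructed placeholder, and the token format (HMAC-SHA256 over base64url JSON claims) is a minimal stand-in for whatever a real deployment uses.

```python
"""Short-lived, scoped access tokens: one way to enforce "JIT tokens only".

Added example for this deck; not Microsoft's or GitHub's JIT implementation.
The signing key is a constructed sample value, never a real secret.
"""
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"constructed-sample-signing-key"  # placeholder, not a real key
DEFAULT_TTL_SECONDS = 15 * 60  # access expires on its own; nothing to revoke later


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str, key: bytes) -> str:
    return _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())


def issue_jit_token(subject, scope, approver, ttl=DEFAULT_TTL_SECONDS,
                    now=None, key=SIGNING_KEY) -> str:
    """Mint a token after an approval step. Self-approval is refused."""
    if approver == subject:
        raise PermissionError("JIT access needs a second person to approve")
    now = int(time.time() if now is None else now)
    claims = {"sub": subject, "scope": scope, "approver": approver,
              "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{_sign(body, key)}"


def verify_jit_token(token, required_scope, now=None, key=SIGNING_KEY) -> dict:
    """Return the claims if the token is genuine, unexpired and scoped for
    this operation; raise ValueError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    body, signature = parts
    # Check the signature before trusting anything inside the body.
    if not hmac.compare_digest(_sign(body, key), signature):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        raise ValueError("token expired")
    if claims["scope"] != required_scope:
        raise ValueError("token not valid for this scope")
    return claims


def is_valid(token, required_scope, now=None, key=SIGNING_KEY) -> bool:
    """Boolean wrapper for call sites that only need accept/reject."""
    try:
        verify_jit_token(token, required_scope, now=now, key=key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    t0 = 1_700_000_000
    token = issue_jit_token("alice", "prod:deploy", approver="bob", now=t0)
    print("valid one minute later:", is_valid(token, "prod:deploy", now=t0 + 60))
    print("valid after 20 minutes:", is_valid(token, "prod:deploy", now=t0 + 20 * 60))
    print("valid for another scope:", is_valid(token, "prod:admin", now=t0 + 60))
```

The design point is the expiry: because the token dies on its own within the TTL, a stolen copy is worth minutes rather than months, and the approver field leaves an audit trail of who granted the access and why.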

Slide 54

Internal CTFs (Capture the Flag events)

Slide 55

Slide 56

Thank you! @DivineOps

Slide 57

Thank you! @DivineOps