© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES
Maginot Line: Common AppSec Anti-Patterns
@PeteChestna
Who am I?
• 27+ Years Software Development Experience
• 12+ Years Application Security Experience
• Certified Agile Product Owner and Scrum Master
• At current employer since 2006
• From Waterfall to Agile to DevOps
• From Monolith to MicroService
• Consultant on DevSecOps best practices
• Fun Fact: I love whiskey!
• Tell me where to drink local whiskey
Agenda
• InfoSec vs. AppSec maturity
• Common anti-patterns
• Practical solutions
InfoSec vs. AppSec
InfoSec
AppSec
AppSec Anti-Patterns
AP: The Goal?
Diagram: the Find → Track → Fix → Re-test loop that interrupts development when a bug is found; with no bug, development simply continues (Develop → Develop → Develop).
Measurement is Key
Training and Awareness
Train Yourself on the Process
Help them fix what they find
AP: Security Mandate
Relationships
Mutual Accountability
AP: What Open Source?
Healthcare Provider
How: Targeted a flaw in OpenSSL, CVE-2014-0160, better known as Heartbleed
Result: The theft of Social Security Numbers and other personal data belonging to 4.5 million patients
Financial Institution
How: Hackers exploited a known vulnerability in an open source component
Result: Social Security Numbers and personal data for more than 143 million Americans stolen. Three executives lose their jobs.
Built Mostly from Components
80% to 95% of modern apps consist of assembled components.
Diagram: a single block of proprietary code surrounded by a dozen open source components.
Open Source – More or Less Secure?
• Defect rate in open source is no better or worse than first party code
• The difference is that developers never revisit
• Integrated and abandoned
• It’s not a problem until a vulnerability is discovered
Integrated and Abandoned Explicitly – Struts
Integrated and Abandoned Implicitly – Apache Commons Collections
Component Family Tree – Apache Commons Collections (ACC) 3.2.1
Apache Commons Collections 3.2.1 (1290)
• Apache Commons BeanUtils (1348), Spring Web (1779), Spring Framework (501), ...
• Core Hibernate ORM Functionality (1185), Spring TestContext Framework (3007), Spring Web MVC (1314), ...
• Apache Commons Configuration (803), Hadoop Core (399), SonarQube Plugin API (262), ...
• Apache Velocity (748), Spring Context Support (916), SnakeYAML (519), ...
Within 5 generations, 80,323 components contain ACC 3.2.1.
The components are then used in millions of software applications.
>26% of software applications had ACC 3.2.1
50.3% of software applications had some vulnerable version of ACC
AP: What Open Source? Strategy: Security Champions
AP: What Open Source? Strategy: Assess MTTR
• How quickly can you ship a code change?
• For each application:
– Methodology
– Test automation
– Time to deploy
– CI/CD?
– Minutes/Hours/Days/Weeks?
AP: What Open Source? Strategy: OSS Incident Response Plan
• Monitor for new CVEs
• Triage CVE based on:
– Database of applications
– CVSS score
– Known exploit
• Disseminate to champions
– Vulnerability assessment
– Remediation plan
– Notification of remediation or mitigation
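As an added example (not from the talk), the triage and dissemination steps above combined with the Commons Collections family-tree idea: a constructed inventory, in which applications depend on components and components on other components, is walked up to five generations for a vulnerable component, and the affected applications are grouped by security champion with a priority derived from CVSS score and known-exploit status. All component names, versions, the CVE id and the priority thresholds are assumptions, not data from the talk.

```python
from dataclasses import dataclass

# Constructed inventory (assumed names/versions): component -> direct dependencies.
COMPONENTS = {
    ("commons-beanutils", "1.9.2"): [("commons-collections", "3.2.1")],
    ("spring-web", "4.1.0"): [("commons-beanutils", "1.9.2")],
    ("spring-webmvc", "4.1.0"): [("spring-web", "4.1.0")],
    ("snakeyaml", "1.15"): [],
}
# Constructed database of applications: app -> (security champion, direct dependencies).
APPLICATIONS = {
    "billing-portal": ("alice", [("spring-webmvc", "4.1.0")]),
    "reporting-api": ("bob", [("commons-collections", "3.2.1")]),
    "config-service": ("alice", [("snakeyaml", "1.15")]),
}

@dataclass(frozen=True)
class Cve:
    cve_id: str            # placeholder id in this example, not a real advisory
    component: str
    vulnerable_versions: frozenset
    cvss: float
    known_exploit: bool

def contains_component(direct_deps, cve, max_generations):
    """Breadth-first walk of the dependency tree, one generation per pass,
    so an app is flagged when a vulnerable version sits anywhere within reach."""
    frontier, seen = list(direct_deps), set()
    for _ in range(max_generations):
        next_frontier = []
        for dep in frontier:
            if dep in seen:          # guards against dependency cycles
                continue
            seen.add(dep)
            if dep[0] == cve.component and dep[1] in cve.vulnerable_versions:
                return True
            next_frontier.extend(COMPONENTS.get(dep, []))
        frontier = next_frontier
    return False

def triage(cve, max_generations=5):
    """Return (priority, {champion: [affected apps]}) for dissemination.
    Priority thresholds are assumptions: a known exploit or CVSS >= 9 is P1."""
    level = "P1" if cve.known_exploit or cve.cvss >= 9.0 else "P2" if cve.cvss >= 7.0 else "P3"
    by_champion = {}
    for app, (champion, deps) in APPLICATIONS.items():
        if contains_component(deps, cve, max_generations):
            by_champion.setdefault(champion, []).append(app)
    return level, {c: sorted(apps) for c, apps in sorted(by_champion.items())}
```

Lowering max_generations shows why the depth matters: an application four generations away from the vulnerable component is missed by a shallow scan.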
Conclusions
Thank you