Over the years, AppSec has made progress but it has also made some mis-steps.  We focus almost solely on development practices and training as remediation.  This isn't sustainable and arguably does little good.  There is a better way, but we have to separate ourselves from the core assumptions we have made that got us here. Lets journey together to find old truths and better approaches to Application Security.

1. The Epistemological
Problem of
Application Security
- James wickett

2. @wickett #ruggeddevops
James Wickett
SR. ENGINEER, SIGNAL SCIENCES
AUSTIN, TX
HANDS-ON GAUNTLT BOOK
DEVOPS DAYS GLOBAL AND
AUSTIN ORGANIZER
LASCON ORGANIZER

3. Application Security Monitoring and Instrumentation
Application Security you can use!
An approach that integrates with devops organizations
Team from Etsy: Zane Lackey, Nick Galbreath

4. signalsciences.com

5. @wickett #ruggeddevops
Software development has been experimenting how we know
anything
Application Security abdicated runtime responsibility and
effectively abdicated development responsibility through
philosophical approaches and organizational silos
DevOps is here to stay, and security can actually be a part of it
Ops found a way to add value, security needs to find that same
path
There are three ways we can add value: at development, at
deploy, at runtime
Summary

6. @wickett #ruggeddevops
A study in how we
know anything in
Application Security

7. @wickett #ruggeddevops
Spoiler Alert:
We don’t !

8. @wickett #ruggeddevops
once upon a time…

9. @wickett #ruggeddevops
Epistemological
Problem of Software
Development

10. @wickett #ruggeddevops
Humans optimize
for the probable

11. @wickett #ruggeddevops
We optimize for the
probable

12. @wickett #ruggeddevops
Unit Testing

13. @wickett #ruggeddevops
Integration Testing

14. @wickett #ruggeddevops
Happy Path
Engineering

15. @wickett #ruggeddevops
We also optimize
for the possible

16. @wickett #ruggeddevops
Over Engineering

17. @wickett #ruggeddevops
The scaling algo
that never got used…

18. @wickett #ruggeddevops
There is too much to
choose from in the
realm of possible

19. @wickett #ruggeddevops
Actually, we optimize for
the perceived probable

20. @wickett #ruggeddevops
How do we know
what to create?

21. @wickett #ruggeddevops
This is the problem

22. @wickett #ruggeddevops
Epistemological
Problem of Software
Development

23. @wickett #ruggeddevops
We gather data and
rhetoric to support
our theories

24. @wickett #ruggeddevops
There are 3 major
arcs in the history of
Software Development

25. @wickett #ruggeddevops
First Arc:
Agile

26. @wickett #ruggeddevops
Agile avoids the
problem

27. @wickett #ruggeddevops
Agile reminds that
we dont know what
we are building

28. @wickett #ruggeddevops

29. @wickett #ruggeddevops
Behavior Driven
Development

30. @wickett #ruggeddevops
BDD = Agile +
feedback

31. @wickett #ruggeddevops
Behavior Driven Development is a
second-generation, outside–in, pull-
based, multiple-stakeholder, multiple-
scale, high-automation, agile
methodology. It describes a cycle of
interactions with well-defined
outputs, resulting in the delivery of
working, tested software that matters.
Dan North , 2009

32. @wickett #ruggeddevops
Amplify
Feedback
Loop

33. @wickett #ruggeddevops
Agile emphasizes
feedback to developers
from their overlords and
sometimes even customers

34. @wickett #ruggeddevops
TLDR;
Rapid Iterations Win

35. @wickett #ruggeddevops
Agile is
our guiding
Light

36. @wickett #ruggeddevops
The world has
changed since Agile

37. @wickett #ruggeddevops
We don’t sell
CD’s anymore

38. @wickett #ruggeddevops
Software as a
Service

39. @wickett #ruggeddevops
The last fifteen years have
brought a complete change in
our delivery cadence,
distribution mechanisms and
revenue models

40. @wickett #ruggeddevops
Second Arc: DevOps

41. @wickett #ruggeddevops
DEVOPS IS THE APPLICATION OF
AGILE METHODOLOGY TO SYSTEM
ADMINISTRATION
- THE PRACTICE OF CLOUD SYSTEM ADMINISTRATION BOOK

42. @wickett #ruggeddevops
DEVOPS

43. @wickett #ruggeddevops
Agile
Infrastructure

44. @wickett #ruggeddevops
http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr

45. @wickett #ruggeddevops
Less WIP
Less technical debt

46. @wickett #ruggeddevops
Customers actually using
the feature while the
developer is working on it

47. @wickett #ruggeddevops
Great side effect:
Produces Happy Developers

48. @wickett #ruggeddevops

49. @wickett #ruggeddevops

50. @wickett #ruggeddevops
Devops realized that ops
doesn’t know what devs
know and vice versa

51. @wickett #ruggeddevops
Dev : Ops
10 : 1

52. @wickett #ruggeddevops
DevOps is an Epistemological
breakthrough joining people
around a common problem

53. @wickett #ruggeddevops
Culture is the most
important aspect to devops
succeeding in the enterprise
- Patrick DeBois

54. @wickett #ruggeddevops
Culture is shaped in
part by values

55. @wickett #ruggeddevops

56. @wickett #ruggeddevops
Mutual Understanding
Shared Language
Shared Views
Collaborative Tooling

57. @wickett #ruggeddevops
DEVOPS IS THE INEVITABLE RESULT OF
NEEDING TO DO EFFICIENT OPERATIONS IN
A [DISTRIBUTED COMPUTING AND CLOUD]
ENVIRONMENT.
- TOM LIMONCELLI

58. @wickett #ruggeddevops
http://puppetlabs.com/sites/default/files/2014-state-of-devops-report.pdf

59. @wickett #ruggeddevops
TLDR;
Devops practices
improve IT performance

60. @wickett #ruggeddevops
Culture
Automation
Measurement
Sharing
- @damonedwards, @botchagalupe

61. @wickett #ruggeddevops
Devops gone wrong

62. @wickett #ruggeddevops
“THAT THE WORD #DEVOPS GETS REDUCED
TO TECHNOLOGY IS A MANIFESTATION OF
HOW BADLY WE NEED A CULTURAL SHIFT”
- @PATRICKDEBOIS
http://www.slideshare.net/cm6051/london-devops-31-5-years-of-devops

63. @wickett #ruggeddevops
Third Arc:
Continuous
Delivery

64. @wickett #ruggeddevops
Continuous Delivery is not
merely how often you
deliver but how little
you can deliver at a time

65. @wickett #ruggeddevops
Delivery
Pipelines
are rad!

66. @wickett #ruggeddevops
Batch Size of 1

67. @wickett #ruggeddevops
Give power to the
Developers

68. @wickett #ruggeddevops
Allocate time to
enhance the build,
test and deploy system

69. @wickett #ruggeddevops
Reduce Code Latency
Increase Code Velocity

70. @wickett #ruggeddevops
That compliance
necessitates Separation
of Duties is a myth

71. @wickett #ruggeddevops
3 Arcs:
Agile
DevOps
Continuous Delivery

72. @wickett #ruggeddevops
The next Arc:
Security
Rugged

73. @wickett #ruggeddevops
“…Those stupid developers”
- Security person

74. @wickett #ruggeddevops
“Security prefers a system
powered off and unplugged”
- Developer

75. @wickett #ruggeddevops
Cultural Unrest
with security in
most organizations

76. @wickett #ruggeddevops
Compliance Driven
Culture

77. @wickett #ruggeddevops
“[RISK ASSESSMENT] INTRODUCES A
DANGEROUS FALLACY: THAT STRUCTURED
INADEQUACY IS ALMOST AS GOOD AS
ADEQUACY AND THAT UNDERFUNDED
SECURITY EFFORTS PLUS RISK
MANAGEMENT ARE ABOUT AS GOOD AS
PROPERLY FUNDED SECURITY WORK”

78. @wickett #ruggeddevops
Security is where ops
was 5 years ago…

79. @wickett #ruggeddevops
In the beginning of
devops, we had the
#noops movement

80. @wickett #ruggeddevops
Let’s get ready for
#nosec

81. @wickett #ruggeddevops
Actually, it is
already here

82. @wickett #ruggeddevops
Dev : Ops : Sec
100 : 10 : 1

83. @wickett #ruggeddevops
Understaffing means
no one thinks security
helps the business win

84. @wickett #ruggeddevops
DevOps changed that
for Ops, security can
change too

85. @wickett #ruggeddevops
Netflix
demonstrated
that people
care about
resiliency

86. @wickett #ruggeddevops
Innately, we all care

87. @wickett #ruggeddevops
Rugged Software Movement

88. @wickett #ruggeddevops
I AM RUGGED AND, MORE IMPORTANTLY, MY CODE
IS RUGGED.
I RECOGNIZE THAT SOFTWARE HAS BECOME A
FOUNDATION OF OUR MODERN WORLD.
I RECOGNIZE THE AWESOME RESPONSIBILITY THAT
COMES WITH THIS FOUNDATIONAL ROLE.

89. @wickett #ruggeddevops
I AM RUGGED BECAUSE MY CODE CAN FACE
THESE CHALLENGES AND PERSIST IN SPITE
OF THEM.

90. @wickett #ruggeddevops
#ruggeddevops

91. @wickett #ruggeddevops
https://vimeo.com/54250716

92. @wickett #ruggeddevops
http://www.youtube.com/watch?v=jQblKuMuS0Y

93. @wickett #ruggeddevops
The best thing security can
do is help developers and
help operations

94. @wickett #ruggeddevops
Start there

95. @wickett #ruggeddevops
it’s going to take a
change on our part

96. @wickett #ruggeddevops

97. @wickett #ruggeddevops
#BadIdea 1
WAF’s suck, lets do
developer training

98. @wickett #ruggeddevops

99. @wickett #ruggeddevops

100. @wickett #ruggeddevops
Awareness campaign
OWASP Top Ten

101. @wickett #ruggeddevops
We abandoned knowing
anything useful about
the Runtime

102. @wickett #ruggeddevops
#BadIdea 2
Developers can’t figure it
out, lets do vuln scanning
instead

103. @wickett #ruggeddevops
“Developers are stoopid,
here is a 400 page PDF of
our findings to prove it”
- Pen tester

104. @wickett #ruggeddevops
Even with the emphasis
on appsec training, in
practice we made it a
dark art

105. @wickett #ruggeddevops
#BadIdea 3
Fix Low-Hanging Fruit

106. @wickett #ruggeddevops

107. @wickett #ruggeddevops
You probably still have
something the flies want

108. @wickett #ruggeddevops
we actually don't know
who is attacking us

109. @wickett #ruggeddevops
We don't actually know
what they are attacking

110. @wickett #ruggeddevops
Runtime knowledge is
silo’ed at best so devs
fix what they know

111. @wickett #ruggeddevops
#badidea 4
Put in tooling that no
one outside of security
can understand

112. @wickett #ruggeddevops
job security!

113. @wickett #ruggeddevops
usually in the name
of compliance

114. @wickett #ruggeddevops
“Get a WAF dude!”
- PCI-DSS 6.6

115. @wickett #ruggeddevops
Choose your own
adventure…

116. @wickett #ruggeddevops
smallest possible
solution you can
consider a WAF…

117. @wickett #ruggeddevops
CDN added
ModSecurity Ruleset
Huzzah!

118. @wickett #ruggeddevops
An appliance that
blocks all the things

119. @wickett #ruggeddevops
And now no one eats
lunch with you
anymore

120. @wickett #ruggeddevops
“every aspect of managing WAFs is an
ongoing process. This is the antithesis
of set it and forget it technology.
That is the real point of this research.
To maximize value from your WAF you
need to go in with everyone’s eyes open
to the effort required to get and keep
the WAF running productively.”
- a whitepaper from a WAF vendor

121. @wickett #ruggeddevops
Ok, we’re good
here…

122. @wickett #ruggeddevops
If everyone’s is running the
WAF, who is running the
business?

123. @wickett #ruggeddevops

124. @wickett #ruggeddevops
Ok, we are sorry…
How do we add value
already?

125. @wickett #ruggeddevops
Two ways!

126. @wickett #ruggeddevops
Add value to Devs
Add value to ops

127. @wickett #ruggeddevops
Pray the business
notices

128. @wickett #ruggeddevops

129. @wickett #ruggeddevops
Pro-Tip #1
Automate security tooling
to run in testing

130. @wickett #ruggeddevops
Start with Adding just one
test for XSS on a few pages
in your app

131. @wickett #ruggeddevops

132. @wickett #ruggeddevops
gauntlt automates
security tools

133. @wickett #ruggeddevops
GAUNTLT
Open source, MIT License
Gauntlt comes with pre-canned steps that hook
security testing tools
Gauntlt does not install tools
Gauntlt wants to be part of the CI/CD pipeline
Be a good citizen of exit status and stdout/stderr

134. @wickett #ruggeddevops

135. @wickett #ruggeddevops

136. @wickett #ruggeddevops

137. @wickett #ruggeddevops

138. @wickett #ruggeddevops

139. @wickett #ruggeddevops
here’s an XSS attack
you can use

140. @wickett #ruggeddevops
@slow @final
Feature: Look for cross site scripting (xss) using arachni
against a URL
Scenario: Using arachni, look for cross site scripting and
verify no issues are found
Given "arachni" is installed
And the following profile:
| name | value |
| url | http://localhost:8008 |
When I launch an "arachni" attack with:
"""
arachni --modules=xss --depth=1 --link-count=10 --auto-
redundant=2 <url>
"""
Then the output should contain "0 issues were detected."

141. @wickett #ruggeddevops
http://theagileadmin.com/2015/06/09/pragmatic-security-and-
rugged-devops/

142. @wickett #ruggeddevops
github.com/gauntlt/gauntlt-demo

143. @wickett #ruggeddevops
http://bit.ly/gauntlt-book-deal
50% off Hands-on
Gauntlt Book

144. @wickett #ruggeddevops
Pro-tip #2
Put that security testing
in your continuous
integration system

145. @wickett #ruggeddevops

146. @wickett #ruggeddevops

147. @wickett #ruggeddevops
https://speakerdeck.com/garethr/battle-tested-code-without-the-battle

148. @wickett #ruggeddevops
Pro-Tip #3
Add Application Security
telemetry to devs and ops

149. @wickett #ruggeddevops
Convert App Security
Logs into metrics in
the systems dev and
ops use

150. @wickett #ruggeddevops
Runtime
Instrumentation for
Application Security

151. @wickett #ruggeddevops
RunTime Correlation
between biz, ops, dev, sec

152. @wickett #ruggeddevops
SQLi + HTTP 500’s +
login spikes +
transaction decrease

153. @wickett #ruggeddevops
Pro-Tip #4
Add Security at OS and
config management level

154. @wickett #ruggeddevops

155. @wickett #ruggeddevops
Learn some
chef/puppet/ansible

156. @wickett #ruggeddevops
OS and Config
Management

157. @wickett #ruggeddevops
reverse the #nosec trend
Add Value to Devs
Add Value to Ops

158. @wickett #ruggeddevops
Software development has been experimenting how we know
anything
Application Security abdicated runtime responsibility and
effectively abdicated development responsibility through
philosophical approaches and organizational silos
DevOps is here to stay, and security can actually be a part of it
Ops found a way to add value, security needs to find that same
path
There are three ways we can add value: at development, at
deploy, at runtime
Summary