@jvehent on twitter
She's a Full Stack developer
She didn't like it much
Traditional ops where deployments take entire weeks
aren't acceptable anymore.
To compete, startups need fast release cycles.
15min from patch to prod is the new standard!
She gets to use all the cool stuff!
in the real world, we're not quite there yet, but you get the point
Both sides typically work against each other, actively harming both the roadmap and the security of the product
A walkthrough of the life-cycle of a project, from inception to retirement
CuteFox: a REST API that sends webpush notifications to Firefox users with photos of cute foxes.
A ~30min friendly discussion between the devs, ops, product managers and security team to go over the business risks of the project
A risk summary table from the RRA
We capture those recommendations into a "Risk Summary" bug. The bug stays open for the lifetime of the service and serves as a tracker for security discussions related to the project
test:
  override:
    - docker run mozilla/cutefox &
    # pull down the ZAP docker container
    - docker pull owasp/zap2docker-weekly
    # Run ZAP against the application
    - >
      docker run -t owasp/zap2docker-weekly zap-baseline.py
      -t http://172.17.0.2:8080/
    # Shut down the application container
    - >
      docker kill
      $(docker ps | grep mozilla/cutefox
      | awk '{print $1}')
PASS: Absence of Anti-CSRF Tokens [40014]
WARN: Web Browser XSS Protection Not Enabled [10016] x 3
    http://172.17.0.2:8080/
    http://172.17.0.2:8080//robots.txt
    http://172.17.0.2:8080//sitemap.xml
Similar to TDD: Write the security tests first, let them fail, implement the security control then verify the tests pass
We don't bolt it on top with WAFs and so on, we build security into the app directly
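What "security tests first" looks like for CuteFox, as an added example that is not the talk's own code: check_headers() is the test, written before the control, that fails against the bare API and passes once the hardening is built into the app itself as WSGI middleware. The header set and the CuteFox payload are assumptions; the X-XSS-Protection check corresponds to the ZAP rule 10016 warning in the scan output above.

```python
"""Security-tests-first for the CuteFox API (constructed example, not the
talk's code): check_headers() is the test written before the control."""
from wsgiref.util import setup_testing_defaults

# Assumed controls for CuteFox; ZAP rule 10016 from the scan output is the
# X-XSS-Protection check. Each entry: header name -> predicate on its value.
REQUIRED_HEADERS = {
    "X-XSS-Protection": lambda v: v.startswith("1"),             # ZAP 10016
    "X-Content-Type-Options": lambda v: v.lower() == "nosniff",
    "X-Frame-Options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "Content-Security-Policy": lambda v: "default-src" in v,
    "Strict-Transport-Security": lambda v: "max-age=" in v,
}

def check_headers(headers):
    """Return names of failing checks; an empty list means the test passes."""
    present = {k.lower(): v for k, v in headers}
    return [name for name, ok in REQUIRED_HEADERS.items()
            if name.lower() not in present or not ok(present[name.lower()])]

def cutefox_app(environ, start_response):
    """Bare API endpoint with no hardening: the test fails here first."""
    body = b'{"fox": "https://cutefox.example/fox1.jpg"}'  # constructed payload
    start_response("200 OK", [("Content-Type", "application/json"),
                              ("Content-Length", str(len(body)))])
    return [body]

def add_security_headers(app):
    """The control, built into the app as WSGI middleware rather than a WAF."""
    def wrapped(environ, start_response):
        def hardened_start(status, headers, exc_info=None):
            headers = headers + [("X-XSS-Protection", "1; mode=block"),
                                 ("X-Content-Type-Options", "nosniff"),
                                 ("X-Frame-Options", "DENY"),
                                 ("Content-Security-Policy", "default-src 'none'"),
                                 ("Strict-Transport-Security", "max-age=31536000")]
            return start_response(status, headers, exc_info)
        return app(environ, hardened_start)
    return wrapped

def scan(app, path="/"):
    """Drive the app in-process (no network) and return its response headers."""
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)
    captured = []
    def start_response(status, headers, exc_info=None):
        captured.extend(headers)
    list(app(environ, start_response))  # consume the body
    return captured
```

In CI this replaces nothing: the ZAP baseline scan still runs against the container, but the team's own test catches the regression before the image is even built.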
He's the Ops guy
etc...
Problem: secrets in cleartext files have a bad tendency to leak
Solution: SOPS - encrypt all credentials, decrypt at provisioning
# The secrets below are unreadable without access to one of the sops master keys
myapp1: ENC[AES256_GCM,data:QsGJGjvQOpoVCIlrYTcOQEfQzriw,iv:ShmgdRNV6UrOJ22Rgr7habB74Nd/YFxU4lDh6jy6n+8=,tag:8GT6U8lzrI27DcFc1+icgQ==,type:str]
app2:
    db:
        user: ENC[AES256_GCM,data:Arbb,iv:7bjm4ZaVFlxNk3O4M1P67TqfFtXTOHOe5x9rjF6/R9o=,tag:d4+O8BUj+02qaeJorev2ww==,type:str]
        password: ENC[AES256_GCM,data:9/jSxNCq0A==,iv:5mk+GS016hKGj6gVfQDMSyuuPy7/SVHLsqQXK3p1nds=,tag:AtK4nPFoSOOgdw6IZmiZmw==,type:str]
$ tlsobs addons.mozilla.org
[...]
--- Analyzers ---
* Mozilla evaluation: intermediate
- for modern level: remove ciphersuites ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, AES128-GCM-SHA256, AES128-SHA256, AES128-SHA, AES256-GCM-SHA384, AES256-SHA256, AES256-SHA, DES-CBC3-SHA
- for modern level: consider adding ciphers ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA256
- for modern level: remove protocols TLSv1, TLSv1.1
- for modern level: consider enabling OCSP stapling
- for modern level: use a certificate of type ecdsa, not RSA
- oldest clients: Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7
but they are great for
Not an afterthought built on top
It's not SecDevOps, it's just DevOps.
Security is a natural component of it.
jvehent.github.io/continuous-security-talk