my little webap - devopssec is magic
TRANSCRIPT
My Little Webapp – DevOpsSec is Magic
Apollo Clark
@apolloclark
apolloclark.com
slideshare.net/ApolloClark/my-little-webap-devopssec-is-magic
About Me• Originally from Maine• Lived in Milwaukee, Chicago, Atlanta• Web developer since 2001• PHP, Python, Java, C++, Perl, Visual Basic, etc.• MySQL, PostgreSQL, MongoDB, Redis• Kali Linux, Burpsuite, Gauntlt, SQLMap, XSSer, etc.• Got badly hacked in 2010, been learning since• I like making good software
What if we could fix anythingin 10 minutes?
With DevOpsSec, you can!
How does it feel?
Prepare for a meme filled ride.
How do we do things today?
We need to build QA and security in.
What can we do?
Dev vs. Ops
Dev vs. Ops
• Devs are paid to change code, high entropy
Dev vs. Ops
• Devs are paid to change code, high entropy
• Ops are paid to have stability, low entropy
Dev vs. Ops
• Devs are paid to change code, high entropy
• Ops are paid to have stability, low entropy
• Change != Stability
Dev vs. Ops
• Devs are paid to change code, high entropy
• Ops are paid to have stability, low entropy
• Change != Stability
• IE8 only supports loading 31 CSS files
"One line of code can break everything."
What do we do?
Climbing the Pyramid
"The worst thing that can happen to a system is that it doesn't run. The second worse thing is that it runs very slowly."
Performance
• stress testing: "how many concurrent users?"
Performance
• stress testing: "how many concurrent users?"
• server latency: "how long is the response wait?"
Performance
• stress testing: "how many concurrent users?"
• server latency: "how long is the response wait?"
• initial client-side load latency: "time to first tweet"
Performance
• stress testing: "how many concurrent users?"
• server latency: "how long is the response wait?"
• initial client-side load latency: "time to first tweet"
• client latency: "how long does action take?"
Performance
• stress testing: "how many concurrent users?"
• server latency: "how long is the response wait?"
• initial client-side load latency: "time to first tweet"
• client latency: "how long does action take?"
Don’t forget to DDoS yourself.
What we got:
What we want:
Code quality testing IS security testing.
Security Testing without Code Quality Checks:
Code Quality
• linting, correct formatting
Code Quality
• linting, correct formatting
• copy + paste, easily refactor
Code Quality
• linting, correct formatting
• copy + paste, easily refactor
• complexity, refactoring target
2^6 possible code pathways
64 possible outcomes from 1 function.
Code Quality
• linting, correct formatting
• copy + paste, easily refactor
• complexity, refactoring target
• unsafe calls, change implementation
Code Quality
• linting, correct formatting
• copy + paste, easily refactor
• complexity, refactoring target
• unsafe calls, change implementation
• e2e tests, detect regressions
Code Quality
• linting, correct formatting
• copy + paste, easily refactor
• complexity, refactoring target
• unsafe calls, change implementation
• e2e tests, detect regressions
• unit tests, detect integration issues
Code Quality
• linting, correct formatting
• copy + paste, easily refactor
• complexity, refactoring target
• unsafe calls, change implementation
• e2e tests, detect regressions
• unit tests, detect integration issues
• coverage, testing thoroughness
Code Quality
• linting, correct formatting
• copy + paste, easily refactor
• complexity, refactoring target
• unsafe calls, change implementation
• e2e tests, detect regressions
• unit tests, detect integration issues
• coverage, testing thoroughness
• mocks, speed up testing
Unit Testing
Ready to try some Unit Testing?
Unit Testing
GET /users/<account_name>
• happy path: "aclark"
• missing entry: "aclark2"
• lower bounds: "a"
• upper bounds: "aaaaaaaaa"
• empty: "account_name" : ""
• null: (null)
• fuzzing: "a2$@o9(@1"
"a2$@o9(@1" eventually becomes "a or 1=1; --"
Supported
Supported
• define supported devices, resolutions,
browsers, and versions
You can’t support everything:
Supported
• define supported devices, resolutions,
browsers, and versions
• use Selenium WebDriver
Supported
• define supported devices, resolutions,
browsers, and versions
• use Selenium WebDriver
• test locally in VM images
Supported
• define supported devices, resolutions,
browsers, and versions
• use Selenium WebDriver
• test locally in VM images
• test on the cloud
Supported
• define supported devices, resolutions,
browsers, and versions
• use Selenium WebDriver
• test locally in VM images
• test on the cloud
Try using unsupported systems. Hopefully fail gracefully. Might even find something…
Pro-tip: Try setting your browser User-Agent to iPhone 3.0 when visiting news websites :P
Deployable
• atomic base box VM
Deployable
• atomic base box VM
• provisioning scripts
Deployable
• atomic base box VM
• provisioning scripts
• deploy to local, AWS, Rackspace, etc.
Deployable
• atomic base box VM
• provisioning scripts
• deploy to local, AWS, Rackspace, etc.
• scan dependency list
Deployable
• atomic base box VM
• provisioning scripts
• deploy to local, AWS, Rackspace, etc.
• scan dependency list
• scan server setup
#!/bin/bash
HOST="192.168.1.4"
PATTERN="443/tcp\s+open"
if nmap -p 80,443 $HOST | grep $PATTERN > /dev/null
then
echo "ERROR: Port 443 open!"
exit 1
else
echo "SUCCESS: No unauthorized ports open."
exit 0
fi
Bash Test
Gauntlt Test
@slow
Feature: simple nmap attack (sanity check)
Background:
Given "nmap" is installed
And the following profile:
| name | value |
| hostname | 192.168.1.4 |
Scenario: Verify server is available on standard web ports
When I launch an "nmap" attack with:
"""
nmap -p 80,443 <hostname>
"""
Then the output should match /80.tcp\s+open/
And the output should not match:
"""
443/tcp\s+open
"""
Deployable
• atomic base box VM
• provisioning scripts
• deploy to local, AWS, Rackspace, etc.
• scan dependency list
• scan server setup
My personal websites:
Monitoring
• request origin
If you’re a ‘Murican only company, why are you letting your server talk
to Russia?
Monitoring
• request origin
• request scans
Monitoring
• request origin
• request scans
• invalid requests
Monitoring
• request origin
• request scans
• invalid requests
• request flood
Monitoring
• request origin
• request scans
• invalid requests
• request flood
• response flood
Monitoring
• request origin
• request scans
• invalid requests
• request flood
• response flood
• server uptime
Monitoring
• request origin
• request scans
• invalid requests
• request flood
• response flood
• server uptime
• latency
Monitoring
• request origin
• request scans
• invalid requests
• request flood
• response flood
• server uptime
• latency
• cpu load
Monitoring
• request origin
• request scans
• invalid requests
• request flood
• response flood
• server uptime
• latency
• cpu load
My startup has < 100 users. It gets scanned and attacked every day.
Your live servers are gettinghammered all the time.
Security
• what to test?
This is your attack surface:
You can't know where those red dots are, so protect everything.
Security
• what to test?
• how to test?
Security
• what to test?
• how to test?
• monitor issues
Security
• what to test?
• how to test?
• monitor issues
• aggregate reports
Security
• what to test?
• how to test?
• monitor issues
• aggregate reports
• prioritize issues
Security
• what to test?
• how to test?
• monitor issues
• aggregate reports
• prioritize issues
• automate tests
Security
• what to test?
• how to test?
• monitor issues
• aggregate reports
• prioritize issues
• automate tests
Give and request automated tests,not PDF docs.
Write "Malicious User Stories"
IF YOU SEE SOMETHING,
SAY SOMETHING.
... but, at least write a test.
Common Concerns:
DevOpsSec is free, you can do it today.
Automation does not replace people.Know why?
Automation is people.
Automation helps them focus on more difficult problems.
Repeat after me:
"I am DevOpsSec ..."
"... and so can you!"
Infosec Taylor Swift@SwiftOnSecurity
Apollo Clark@apolloclark
apolloclark.com
slideshare.net/ApolloClark/my-little-webap-devopssec-is-magicgithub.com/apolloclark/py-jenkins-ci