How to implement SDL and don t turn gray. Andrey Kovalev, Security Engineer

Similar documents
Introduction into browser hacking. Andrey Kovalev

Chat with a hacker. Increase attack surface for Pentest. A talk by Egor Karbutov and Alexey Pertsev

Fuzzing AOSP. AOSP for the Masses. Attack Android Right Out of the Box Dan Austin, Google. Dan Austin Google Android SDL Research Team

Application security : going quicker

Nick Coblentz, CISSP Senior Consultant, AT&T Consulting

CSE 127 Computer Security

Security Testing. John Slankas

Secure DevOps: A Puma s Tail

Black Hat Webcast Series. C/C++ AppSec in 2014

N different strategies to automate OWASP ZAP

OWASP Top 10 The Ten Most Critical Web Application Security Risks

It was a dark and stormy night. Seriously. There was a rain storm in Wisconsin, and the line noise dialing into the Unix machines was bad enough to

Copyright 2015 MathEmbedded Ltd.r. Finding security vulnerabilities by fuzzing and dynamic code analysis

Application Security at DevOps Speed and Portfolio Scale. Jeff Contrast Security

AppScan Deployment APPLICATION SECURITY SERVICES. Colin Bell. Applications Security Senior Practice Manager

End-to-End Agile Testing using Incremental Approach for a Leading EIM Solution Provider ATTENTION. ALWAYS.

TESTING IN PRODUCTION: ENHANCING DEVELOPMENT AND TEST AGILITY IN A SANDBOX ENVIRONMENT

Secure Development Processes

Rethinking Product Security: Cloud Demands a New Way

Fuzzing. compass-security.com 1

Suman Sourav Director DevSecOps, Vantage Point Security. OWASP Indonesia Day 2017

PEACHTECH PEACH API SECURITY AUTOMATING API SECURITY TESTING. Peach.tech

Data for LibreOffice developerss

The Way of the Bounty. by David Sopas

In collaborazione con

C/C++ toolchain. Static and dynamic code analysis. Karel Kubíček. Masaryk University. Brno, Czech Republic

CSE484/CSE584 BLACK BOX TESTING AND FUZZING. Dr. Benjamin Livshits

Presented by Alex Nicolaou

Maja Schreiner. 9th Lean, Agile & Scrum Conference 2017

Texas Regional Infrastructure Security Conference (TRISC) Dan Cornell

Getting the Most out of Access Manager

Honours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui

CIS 700/002 : Special Topics : OWASP ZED (ZAP)

Automated Security Scanning in Payment Industry

CS 155: Real-World Security

Identifying Memory Corruption Bugs with Compiler Instrumentations. 이병영 ( 조지아공과대학교

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Creating an AppSec Pipeline with containers in a week. How we failed and succeeded Jeroen Willemsen OWASP benelux days

INTERACTIVE APPLICATION SECURITY TESTING (IAST)

THE ART OF SECURING 100 PRODUCTS. Nir

The Need for Confluence

Overcoming Stagefright Integer Overflow Protections in Android

Web Applications (Part 2) The Hackers New Target

A Security Practice Evaluation Framework

Secure Agile How to make secure applications using Agile Methods Thomas Stiehm, CTO

Structure-aware fuzzing

RKN 2015 Application Layer Short Summary

ACCURATE STUDY GUIDES, HIGH PASSING RATE! Question & Answer. Dump Step. provides update free of charge in one year!

Low level security. Andrew Ruef

Integrated Functional and Non -Functional Testing for Agile

IEEE Sec Dev Conference

Strengthen and Scale security using DevSecOps

C1: Define Security Requirements

A Strategic Approach to Web Application Security

Agile Accessibility. Presenters: Ensuring accessibility throughout the Agile development process

Mobile Payment Application Security. Security steps to take while developing Mobile Application s. SISA Webinar.

Product Roadmap & Getting Started ITO LMS

Adopting Agile Practices

Man-In-The-Browser Attacks. Daniel Tomescu

18-642: Code Style for Compilers

Security Testing: Terminology, Concepts, Lifecycle

The Automated Exploitation Grand Challenge. A Five-Year Retrospective

Seminar report Software reuse

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

In-Memory Fuzzing in JAVA

What s New in LoadRunner/Performance Center Questions and Answers October 26, 2017

Ingredients Nokia 2

John Coggeshall Copyright 2006, Zend Technologies Inc.

CS 161 Computer Security

Story Refinement How to write and refine your stories so that your team can reach DONE by the end of your sprint!

The Fuzzing Project

shortcut Tap into learning NOW! Visit for a complete list of Short Cuts. Your Short Cut to Knowledge

HOW TO WRITE USER STORIES (AND WHAT YOU SHOULD NOT DO) Stuart Ashman, QA Director at Mio Global Bob Cook, Senior Product Development Manager, Sophos

DevOps A How To for Agility with Security

PENETRATION TEST REPORT

KLEE Workshop Feeding the Fuzzers. with KLEE. Marek Zmysłowski MOBILE SECURITY TEAM R&D INSTITUTE POLAND

Robots with Pentest Recipes:

Information Security CS 526 Topic 8

CSC 405 Introduction to Computer Security Fuzzing

Securing the continuous integration process

Framework for Application Security Testing. September 11th, 2018

Coverage-guided Fuzzing of Individual Functions Without Source Code

Application Security Use Cases. RASP, WAF, NGWAF, What The Hell is The Difference.

JAMES BENNETT DJANGOCON EUROPE 3RD JUNE 2015 THE NET IS DARK AND FULL OF TERRORS

Application Security at Scale

Test-driven development

CS 161 Computer Security

Azure DevOps. Randy Pagels Intelligent Cloud Technical Specialist Great Lakes Region

EasyCrypt passes an independent security audit

MBFuzzer - MITM Fuzzing for Mobile Applications

Automated Generation of Event-Oriented Exploits in Android Hybrid Apps

Continuous Integration & Code Quality MINDS-ON NUNO 11 APRIL 2017

Automated Testing of Tableau Dashboards

Welcome to the OWASP TOP 10

CS 161 Computer Security

tostatichtml() for Everyone!

Course 834 EC-Council Certified Secure Programmer Java (ECSP)

Outline. 1 Motivation. 2 Secure Software Development. 3 Enabling Developers: From (Mild) Pain to Success. 4 Lesson s Learned

Application Security Kung-Fu Competitive Advantage from Threat Modeling

Transcription:

How to implement SDL and don t turn gray Andrey Kovalev, Security Engineer

Agenda SDL 101 Yandex approach SAST, DAST, FSR: drawbacks and solutions Summary 3

How to implement SDL and don t turn gray SDL 101

Canonical waterfall SDL Invented and used in Microsoft since 2004, published in 2012 5

Agile SDL variant from Microsoft Controls: one-time, bucket and sprint Actionable points: threat modeling, fuzz testing, code analysis, final security review Flexible scope, exceptions are not forbidden 6

How to implement SDL and don t turn gray Yandex approach

Development lifecycle 8

Development paradigm Scrum-based agile paradigm Sprint lasts 2 weeks Story point - approximate 1 day Tasks type: product feature, technologic task, infrastructure Product feature team: product manager, project manager and development team 9

Codebase and CI One repository for Desktop and mobile versions Languages: C++ 14, JavaScript, Java, ObjectiveC (for mobile) Size of code : approximately 10 GB Our codebase is about 20% and Chromium is about 80% CI system: TeamCity with own modifications 10

Yandex SDL approach Education (developers, managers, testers) Guides CTFs Trainings Security design review Design Threat model Consulting Implementation analysis SAST DAST Response Final security review Bugbounty Fixcheck Pentesting 11

Main scope Security-related features New key and complicated features Yandex browser Web-API enhancements All features, that potentially could reduce security or privacy of our users 12

How to implement SDL and don t turn gray Examples, solutions and drawbacks

Security design review

Design & consulting Product requirements analysis Make architecture modification roadmap (if needed) Consulting in choosing right security solutions or algorithms (if needed) Provide special recommendations for testers 15

Threat modeling 2 types of models: general and feature-based General threat model is based on typical threats and created (and updated) by security team Feature based model is created for feature during security design review with managers and developers (one release control) Feature based model is the scope for final security review or for special fuzzers 16

General threat model of the Yandex Browser Attack vector Typical vulnerabilities Severity level Sandbox escape Sandbox policy flaws, lpe, etc P1 RCE Memory corruption, logic flaws P2 SOP bypass Uxss, cache issues, api issues, etc P2 HTTPS bypass Bugs in the TLS realization P3 CSP bypass Any except proxy- or extension-based P3 Protect bypass Secure wifi, safe browsing bypass P3 Built-in extensions flaws Xss, xsrf, xxe, sensetive info leakage P3 UI Redressing and evil manipulations Full screen imitation, browlocking, etc P4 DoS Local or remote hangs P4 17

Static analysis

Why do we need SAST? We have platform specific code (Windows, Android, etc), there are lack of modern DAST tools (sanitizers, fuzzers, etc.) We do not have special test cases (or any test at all) to use it It s easy to create own checkers, which could help to find potentially dangerous function calls High code coverage from scratch (particulary there are some exceptions) 19

Main SAST drawbacks Signal / Noise = 20 / 80 from scratch, developers don t like it SAST tools have issues with modern language techniques, e.g. shared / weak pointers You should build your code (at least for C++) with SAST tool and have to wait support for modern compilers / IDE Powerful tools and solutions are not free 20

Solution: tune your checkers Select checker (rule) Switch checker off Mark flaws as TP or FP Run analyzer No Yes Could be fixed Enhance it Send to dev dashboard Yes P > 0.7 Analyze FP nutshell 21

Results 80 Code coverage, % 70 All checkers precision, % 60 52,5 40 35 20 17,5 0 Iteration 1 Iteration 2 Iteration 4 Iteration 15 0 Iteration 1 Iteration 2 Iteration 4 Iteration 15 22

Dynamic analysis

Why do we need DAST? Best accuracy, if it finds something developers have to fix Finds memory corruption or undefined behavior issues automatically (almost) Lots of powerful tools are free and open source 24

Main DAST drawbacks Multiplatform infrastructure for testing is required Developers have to write unit tests or fuzz tests and it s hard to attain 80-100% coverage It s not easy to implement complex solution on some platforms (Windows, Android) Doesn t find issues, which were not executed during the test 25

Our dynamic security testing solution DAST Sanity testing Fuzz testing 26

Sanity testing Build your unit tests with sanitizers (Asan, Ubsan, Tsan, etc) Add additional testing step to your CI process Run sanitized tests regularly during this step on your testing infrastructure Collect crashes and analyze them using llvm-symbolizer 27

Unit fuzz testing Implement after sanity testing For baseline ask developers to create fuzz tests with afl + libfuzzer with some input corpuses Add additional steps to your CI process: corpus collector and tests runner 28

Special fuzz testing Strange or complex solution requires special fuzzers, which works like standalone program Security team creates and runs such solutions 29

Final security review

Main FSR drawbacks It could become bottleneck if you don t implement other steps of SDL In agile development it s lack of time to recheck threat model, results of security tools, and bug fixes, etc 31

Final security review solution Per feature review process Non blocking for non-security features For some small features it s just check, that all automation controls are passed If feature is key-feature security team focuses on feature-based threat model and performs additional pentesting 32

How to implement SDL and don t turn gray Summary

Process conclusions For huge products start SDL from their security related or most valuable features Work with all your team: managers are also your process s actors Actualize your threat model as often as you can, think out of the box, create separate models for special features Work with your developers: actual guides, trainings, special hackathons or ctfs helps to increase code quality Want to measure effect? Start from the response stage 34

Methods conclusions There is no silver bullet, you have to use different approaches to implement security controls If you have good test cases coverage start DAST from building tests with sanitizers else try to write fuzzy tests with afl+ libfuzzer Using SAST watch your checkers, switch off false positive checkers, create 2 different filters: for developers and for security team Enhance tools, SAST or DAST analyzers form scratch are not good enough for you 35

Thank you! Q &A Andrey Kovalev Security Engineer avkov@yandex-team.ru @L1kvID @L1kvID

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback