The Open Web Application Security Project (OWASP) Los Angeles Chapter has teamed up with the Orange County, Inland Empire, San Diego, and San Francisco Bay Area chapters to bring you another great AppSec California. Join us and your peers for amazing talks and networking on January 22-25, 2019!
Talk: Build It
Thursday, January 24
 

11:00am PST

A Seat at the Table
The DevOps Movement has won, and all too often, left security wondering what our role is in the new world. Effective collaboration requires new skills, new approaches, and a new speed. We’ll look at all three, how security can collaborate, how we can engage before a line of code has been written, and how we can benefit from the directions the world is going.

Speakers
Adam Shostack

President, Shostack & Associates
I'm an entrepreneur, technologist, author and game designer, focused on improving security outcomes for my customers and the industry as a whole. To solve these problems, I create a wide variety of companies and organizations, software, new analytic frameworks, as well as books, games...



Thursday January 24, 2019 11:00am - 11:50am PST
Sand and Sea Room

11:00am PST

Can Kubernetes Keep a Secret?
We’ve all experienced it: you’re working on a task, adding some code, and then you need to store a sensitive configuration value. It could be an API key, a client secret or an encryption key ― something that is highly sensitive and must be kept secret. And this is where things get messy. Usually, secret storage is tightly coupled to how the code is deployed, and different platforms have different solutions.

Kubernetes promises to simplify this with its native Secret object, which, as the name implies, can be used to store secrets or sensitive configuration. Unfortunately, Kubernetes secrets are fundamentally broken, and a developer who tries to use them will definitely run into issues.

But no need to worry ― there are solid alternatives for storing secrets securely on the Kubernetes platform. One solution is Kamus, an open-source, GitOps solution created by Soluto for managing secrets on Kubernetes. Kamus can encrypt a secret so that it can be decrypted only by your app at runtime, and not by anyone else.

The first part of this session will cover the challenges faced when using Kubernetes secrets, from both a usability and a security point of view. The second part will discuss some of the existing solutions (Sealed Secrets, Helm Secrets and others) and their pros and cons, and then feature Kamus: how it works, what problems it solves, how it differs from other solutions, and what threats it can help mitigate (and what threats it can’t).

The talk will cover everything you need to know to run Kamus on your own cluster and use it for secret management. Join me for this session to learn how you can build a Kubernetes cluster that can keep a secret ― for real.
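The security-relevant point behind the abstract above is that a Secret object's data field is only base64-encoded, not encrypted: anyone who can read the object, or read etcd where encryption at rest has not been configured, reads the value. Kamus's approach is to keep the value encrypted, in git and in the cluster, and let only the workload it was encrypted for decrypt it. The Go program below is an added example, not Kamus's code or anything from the talk. It decodes a constructed Secret value to show the first point, then binds a ciphertext to a workload identity by using that identity as AES-GCM associated data, so a decryptor that has verified a caller's service account can refuse the ciphertext to any other caller. The master key, the namespace/serviceaccount identity format and the sample values are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// secretKey stands in for the key a decryptor service keeps out of reach of
// application pods. Derived from a constant purely so the example runs
// offline; an assumption, not a production key-management scheme.
var secretKey = sha256.Sum256([]byte("example-master-key-not-for-production"))

// Encrypt seals plaintext for exactly one workload identity. The identity
// (assumed format "namespace/serviceaccount") is bound in as AES-GCM
// associated data, so a ciphertext produced for one service account will
// fail authentication when opened under any other.
func Encrypt(identity string, plaintext []byte) (string, error) {
	block, err := aes.NewCipher(secretKey[:])
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, plaintext, []byte(identity))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Decrypt is what the decryptor runs after verifying the caller's service
// account token. The identity passed here must be the verified one, never a
// value the caller supplies, or the binding is meaningless.
func Decrypt(identity string, encoded string) ([]byte, error) {
	sealed, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(secretKey[:])
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(identity))
}

// DecodeSecretValue shows the contrast: the data field of a plain Secret
// object is only base64, so reading the object is reading the secret.
func DecodeSecretValue(b64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	return string(raw), err
}

func main() {
	// "cGFzc3cwcmQ=" is a constructed data field from a plain Secret manifest.
	v, _ := DecodeSecretValue("cGFzc3cwcmQ=")
	fmt.Println("plain Secret decodes to:", v)

	ct, _ := Encrypt("team-a/payments-sa", []byte("sk_live_example"))
	fmt.Println("ciphertext for payments-sa:", ct)
	if _, err := Decrypt("team-a/billing-sa", ct); err != nil {
		fmt.Println("billing-sa cannot decrypt:", err)
	}
	pt, _ := Decrypt("team-a/payments-sa", ct)
	fmt.Println("payments-sa decrypts:", string(pt))
}
```

The ciphertext can sit in a ConfigMap or in git without exposing the value; what has to be protected is the decryptor's key and the path by which it establishes the caller's identity. Identity binding does not help against an attacker who can already run code as the intended service account, which is one of the threats the abstract says the talk will mark as out of scope.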

Speakers
Omer Levi Hevroni

DevSecOps Engineer, Soluto
I’ve been coding since 4th grade when my dad taught me BASIC and haven’t looked back since. AppSec/DevSecOps enthusiast, and always curious about integrating more hacking tools into the CI/CD pipeline. Always looking for new interesting ways to increase security awareness over...



Thursday January 24, 2019 11:00am - 11:50am PST
Terrace Lounge

11:00am PST

Netflix's Layered Approach to Reducing Risk of Credential Compromise
Building a secure system is like constructing a good pizza: each individual layer adds flavor that ultimately builds to the perfect bite. At Netflix we have hand-crafted ingredients that by themselves are scrumptious, but when placed together strategically on the crust (read: cloud) construct a pizza so large that any pizza lover (read: attacker) would be challenged to finish. Attendees will learn the secret to the sauce that is Netflix Infrastructure Security, be equipped to start baking pizza in their own kitchen, and leave satisfied.


Speakers
Will Bengtson

Senior Security Engineer, Netflix
Will Bengtson is a senior security engineer at Netflix focused on security operations and tooling. Prior to Netflix, Bengtson led security at a healthcare data analytics startup, consulted across various industries in the private sector, and spent many years in the Department of Defense...

Travis McPeak

Senior Security Engineer, Netflix
Travis works at Netflix on the Cloud Security team where he enjoys building automation that increases security while simultaneously boosting developer productivity. Travis is a core developer of the Bandit and Repokid open source projects and has presented at security conferences...



Thursday January 24, 2019 11:00am - 11:50am PST
Garden Terrace Room

12:00pm PST

Lightning Talk: Working with Developers for Fun and Progress
Forging a strong relationship with developers is an essential part of creating an impactful AppSec program. Without it, your team will have little idea what's going on and will have trouble getting bugs fixed and features shipped. Segment has built strong ties to developers using competition-based training featuring Burp Suite and OWASP Juice Shop, partnership during implementation of tooling, and contributions to the existing codebase. This presentation is chock full of practical examples and references that attendees can bring back to their organization.

Speakers
Leif Dreizler

Senior Engineering Manager, Semgrep
Leif Dreizler is an information security professional with over a decade of experience. He is currently leading two product engineering teams at Semgrep. Previously, Leif was a Senior Engineering Manager at Twilio Segment where his team was focused on building customer-facing security...



Thursday January 24, 2019 12:00pm - 12:25pm PST
Garden Terrace Room

2:00pm PST

It depends....
From the time we choose to rise each morning to the time we finally rest our heads, almost every decision made in our daily lives depends on something. When we understand these dependencies, we are better equipped to control our responses. Managing vulnerability response is no different. In fact, the quality of a response correlates closely with the degree to which dependencies are known and understood. This is especially clear when managing the response for third-party components. As developers incorporate more and more open source and commercial third-party components into their products, the complexity of these dependencies continues to increase, threatening the ability of a PSIRT to provide quality vulnerability response. A framework for managing dependencies (and their dependencies!) is critical to enabling developers to understand the downstream impact on a PSIRT of decisions made upstream. A framework opens the door for PSIRTs to shape the decisions made around third-party components much earlier in the product lifecycle. By driving a dialogue through dedicated PSIRT controls upstream, we lay the foundation for a PSIRT response that truly shifts from reactive to proactive. In this talk, come and learn about the framework that Dell EMC has used with good success!

Speakers
Kristen Pascale

Principal, Technical Program Manager, Dell EMC
Kristen Pascale has worked as part of the Dell Product Security Incident Response Team (Dell PSIRT) for over 6 and a half years. While Kristen’s time at Dell EMC has been primarily focused on handling and responding to vulnerabilities in third party software, she has also been involved...

Tania Ward

Consultant Program Manager, Dell
Tania Ward has worked as a program manager within Dell Product Security Incident Response Team for just under 6 years. In that time, she revamped the vulnerability response program, instituted company wide KPIs and participated in a number of FIRST initiatives. Tania is from Northern...



Thursday January 24, 2019 2:00pm - 2:50pm PST
Terrace Lounge

2:00pm PST

Startup security: Starting a security program at a startup
There's no blueprint for how to be successful at a small startup. Startups are quirky, ambiguous, and full of challenges and broken processes. Startups also have a high risk tolerance and rarely introduce security from the beginning. This talk will discuss different approaches to introducing security at a company, how to be successful as a security professional at a startup, and how to integrate your security team with the rest of the company.

Speakers
Evan Johnson

Senior Security Engineer, Cloudflare
Evan Johnson is a member of the Product Security team at Cloudflare. He loves Diet Pepsi, chicken nuggets, and golang. No relation to the prolific LinkedIn content producer, Mike Johnson.



Thursday January 24, 2019 2:00pm - 2:50pm PST
Sand and Sea Room

2:00pm PST

Threat Model Every Story: Practical Continuous Threat Modeling Work for Your Team
The good old days of waterfall! You had "The One Design To Bind Them All" and once it was agreed, the developers would happily implement it "per spec". But alas, we are not there anymore. Agile methodologies basically guarantee that the deployed system will change, and change fast, from inception. Design emerges as it develops. How do we cope with that in threat modeling? This talk explores the way Autodesk is moving to a team-based, collaborative and continuous threat modeling methodology, and how the dialog has moved the dependency away from security SMEs and into the team. PyTM, an open-source threat-modeling-as-code support system, is also presented.

Speakers
Izar Tarandach

Sr. Staff Engineer
Long-time security practitioner, currently a Sr. Staff Engineer, previously Principal Security Engineer at Squarespace, where he also acted as (Interim) Head Of Security. With experience ranging from Bridgewater Associates to DellEMC via RSA, Autodesk, startup founder, investor and...



Thursday January 24, 2019 2:00pm - 2:50pm PST
Garden Terrace Room

3:00pm PST

(in)Secure Development - Why some product teams are great and others … aren’t...
In this presentation, Koen will share his experiences with Product Teams at Riot Games and how those teams do or do not take security into consideration. Every product team is unique; but they all behave in similar security patterns, and care about security in predictable ways. Using metrics of our Bug Bounty program and security review process, we’ll dissect the impact that team culture and process have on the security posture of a product. The framework that we’ve created allows you to quickly see what makes a good team good, and how other teams can improve. Taking into account how agile organisations want to operate, we will look at some tools you can introduce into your product teams to help raise the security bar.

Speakers
Koen Hendrix

Development Manager - InfoSec, Riot Games
Koen has worked as a Development Manager at Riot Games for almost 5 years. During that time he has acted in that capacity with almost every security team at some point. Throughout his time at Riot, Koen has been closely involved with the Application Security team, and focused on integrating...


Thursday January 24, 2019 3:00pm - 3:50pm PST
Terrace Lounge

3:00pm PST

A Pragmatic Approach for Internal Security Partnerships
Why do we have such a hard time getting engineering teams to care about vulnerabilities? How is it that we are fixing lots of vulnerabilities, yet are still falling ever further behind on the actual risks? These questions both have the same answer, but getting to it requires empathy, trust, courage, and a giant step back from our day-to-day approach to security.

In this talk we will share our experiences about creating proactive partnerships with engineering and product teams. From the ways we have seen this fail to recent success stories, we will illustrate specific practices that help developers and security teams focus and align on a shared view of risk, rather than a laundry list of vulnerabilities: the leverage that comes from enabling rather than gating, automating for visibility and action to manage scale, threat modeling across organizations rather than individual applications, and the particulars of how we get big security features onto busy product teams' roadmaps.

Speakers
Scott Behrens

Senior Application Security Engineer, Netflix
Information security engineer with a focus on helping organizations enable their business's success. Extensive experience in application security, penetration testing, and security automation at scale. Researcher and publisher of multiple articles discussing social media, code obfuscation...

Esha Kanekar

Senior Technical Program Manager, Security, Netflix
Responsible for leading and delivering the full life cycle of projects, which includes conducting risk assessments, gap analysis based on security assessments and providing remediation road maps to organizations. Security professional with experience and background in manual penetration...



Thursday January 24, 2019 3:00pm - 3:50pm PST
Sand and Sea Room
 
Friday, January 25
 

10:45am PST

BoMs Away - Why Everyone Should Have a BoM
The benefits of using third-party and open source components are often negated by the inherent risks that come with them. Systematically reducing risk while allowing the benefits to prevail can be challenging. Organizations often rely on methods of identification that provide instant gratification but fall short of delivering a simple, coherent strategy for long-term risk identification and remediation. This session will cover current best practices, explore how they will evolve over time, and provide concrete examples attendees can put into practice with minimal effort. Demonstrations will cover the creation of software bill-of-materials (S-BoM) documents from a polyglot build environment, using OWASP Dependency-Track to automatically identify outdated and vulnerable components, and how organizations can automate their response to specific types of security events. Advanced topics of discussion will include current and emerging standards as well as government initiatives that may shape the view of the status quo.
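Both the Dell EMC dependency framework from the "It depends...." session above and Dependency-Track's component analysis rest on the same data: a bill of materials that records not just which components a product contains but which component pulls in which. The Go program below is an added example, not Dependency-Track's or Dell's tooling. It reads a small CycloneDX-style JSON BOM (constructed here; the dependencies array of ref/dependsOn entries is how CycloneDX expresses the graph), reverses the graph, and answers the PSIRT question "if this component is vulnerable, what ships it?" with the full chain, so that a transitive dependency three levels down is traced back to the product. The component names, versions and the flagged component are invented for the example; in practice the flagged ref would come from a vulnerability feed lookup.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Minimal slice of a CycloneDX JSON BOM: the metadata component (the product),
// its components, and the dependency graph. Constructed for this example.
const bomJSON = `{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "app", "name": "billing-service", "version": "3.1.0"}},
  "components": [
    {"bom-ref": "pkg:maven/org.example/web@2.0.1", "name": "web", "version": "2.0.1"},
    {"bom-ref": "pkg:maven/org.example/json@1.7.0", "name": "json", "version": "1.7.0"},
    {"bom-ref": "pkg:maven/org.example/logging@4.0.0", "name": "logging", "version": "4.0.0"},
    {"bom-ref": "pkg:maven/org.example/metrics@0.9.0", "name": "metrics", "version": "0.9.0"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:maven/org.example/web@2.0.1", "pkg:maven/org.example/metrics@0.9.0"]},
    {"ref": "pkg:maven/org.example/web@2.0.1", "dependsOn": ["pkg:maven/org.example/json@1.7.0"]},
    {"ref": "pkg:maven/org.example/json@1.7.0", "dependsOn": ["pkg:maven/org.example/logging@4.0.0"]},
    {"ref": "pkg:maven/org.example/metrics@0.9.0", "dependsOn": []}
  ]
}`

type bom struct {
	Dependencies []struct {
		Ref       string   `json:"ref"`
		DependsOn []string `json:"dependsOn"`
	} `json:"dependencies"`
}

// Graph maps each component ref to the refs that depend on it. The BOM lists
// forward edges; impact questions are asked against the reverse ones.
type Graph map[string][]string

func ParseBOM(data []byte) (Graph, error) {
	var b bom
	if err := json.Unmarshal(data, &b); err != nil {
		return nil, err
	}
	g := Graph{}
	for _, d := range b.Dependencies {
		for _, dep := range d.DependsOn {
			g[dep] = append(g[dep], d.Ref)
		}
	}
	return g, nil
}

// ImpactPaths returns every chain from the vulnerable component up to a root
// (a ref nothing depends on, such as the product). Each path reads
// vulnerable -> ... -> root, shortest first.
func (g Graph) ImpactPaths(vulnerable string) [][]string {
	var paths [][]string
	var walk func(ref string, path []string, seen map[string]bool)
	walk = func(ref string, path []string, seen map[string]bool) {
		if seen[ref] { // a malformed BOM may contain cycles; do not loop
			return
		}
		seen[ref] = true
		defer delete(seen, ref)
		path = append(path, ref)
		parents := g[ref]
		if len(parents) == 0 {
			paths = append(paths, append([]string(nil), path...))
			return
		}
		for _, p := range parents {
			walk(p, path, seen)
		}
	}
	walk(vulnerable, nil, map[string]bool{})
	sort.Slice(paths, func(i, j int) bool { return len(paths[i]) < len(paths[j]) })
	return paths
}

// Affected lists the distinct refs that ship the vulnerable component,
// directly or transitively, excluding the component itself.
func (g Graph) Affected(vulnerable string) []string {
	set := map[string]bool{}
	for _, p := range g.ImpactPaths(vulnerable) {
		for _, ref := range p[1:] {
			set[ref] = true
		}
	}
	out := make([]string, 0, len(set))
	for ref := range set {
		out = append(out, ref)
	}
	sort.Strings(out)
	return out
}

func main() {
	g, err := ParseBOM([]byte(bomJSON))
	if err != nil {
		panic(err)
	}
	vuln := "pkg:maven/org.example/logging@4.0.0" // constructed: flagged by a feed
	for _, p := range g.ImpactPaths(vuln) {
		fmt.Println(p)
	}
	fmt.Println("affected:", g.Affected(vuln))
}
```

The chain is the part a PSIRT needs: it names the direct dependency (json) whose upgrade actually removes the vulnerable component, rather than only the product that is exposed.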


Speakers
Steve Springett

Sr Manager, Secure Software Engineering, ServiceNow
Steve educates teams on the strategy and specifics of developing secure software. He practices security at every stage of the development lifecycle by leading sessions on threat modeling, secure architecture and design, static/dynamic/component analysis, offensive research, and defensive...



Friday January 25, 2019 10:45am - 11:35am PST
Terrace Lounge

10:45am PST

The Art of Vulnerability Management
“I am just going to ignore these tickets until they go away”
“These security tickets are ruining my product roadmap”
“This is the most obscure corner case of security, this can never happen in real life”
“Yes, I’ll fix this in……...2022”

We have all heard these things from engineering teams when it comes to vulnerability management (or mismanagement). And on the other hand, security teams continually feel that engineers don’t listen to them or don’t care about security.

How do we get away from this adversarial relationship and collaborate on vulnerabilities to make real progress?
How do we drive a sense of urgency and ownership of security so it becomes everyone’s responsibility?
How do we bring a great customer experience to everyone involved in the vulnerability management process?

This talk is our story of how we transformed our vulnerability management process from a nuisance or an invisible process to a collaborative process that drives accountability and transparency.

To shift the mindset of how vulnerability management was perceived, we sought to engage with the people who interact with the program the most. In the initial investigation we conducted interviews with Security Champions, Engineering Teams, Release Management, Engineering Leadership, Security Engineers and Compliance. It was important to understand our users’ perspective so that we could change the conversation around vulnerability management towards a more decentralized model. From the moment a vulnerability is opened (whether by an automated tool or a human), there are a lot of decisions to be made. In this talk, we will discuss the parameters we put in place for every hand-off in a bug’s life. Whether it’s using CVSS v3 scoring to help prioritize vulnerabilities, recommending due dates, allowing engineers to scope the work and propose a due date, or how tickets are even acknowledged, you will learn the practices that we have found successful in building out a strong, yet ever-maturing vulnerability management program. Furthermore, we will share screenshots and demo the life of a vulnerability managed in our Jira Kanban boards, from both the security team’s and the engineering team’s perspective, that support a self-service model. When you decentralize and empower engineers to make decisions in the workflow, you have enabled them to take ownership of security.

With decision-making authority comes accountability. This is one area we were really passionate about: ensuring accountability for the decisions made and visibility across the management chain. We defined key metrics that leadership cares about and that are also important to the success of the security strategy. While the metrics showed long-term trends, we found effective ways of tactically managing escalations and driving ownership through real-time dashboards. In the talk, we will share the specific metrics and charts that we reported on, and the various forums (meetings) that we set up with stakeholders up and down the hierarchy, which helped us drive day-to-day execution on vulnerability remediation.

To summarize, in this talk we will discuss the pain points that most organizations face in getting traction on vulnerability remediation, how we decided to tackle the challenge, the solution we built and how we drove accountability to improve metrics. We will talk about the key decisions we made, which the audience can relate to and use to improve their own vulnerability management program. Finally, we will show templates of the Jira boards, metrics and charts that helped in measuring the success of the program.

Speakers
Alexandra Nassar

Senior Technical Program Manager, Medallia
Alexandra works at Medallia - a customer experience management software company - as a Sr. Technical Program Manager supporting the security organization. She started her career as a project coordinator in the Dietary Supplement industry and made a big jump to software development...

Harshil Parikh

Director of Security, Medallia
Harshil Parikh leads the security team at Medallia, Inc. He is currently helping democratize security within Medallia for functions like Secure Product Development Lifecycle, DevSecOps, Monitoring & IR.



Friday January 25, 2019 10:45am - 11:35am PST
Sand and Sea Room

11:45am PST

Game On! Adding Privacy to Threat Modeling
The Elevation of Privilege card game was designed for threat modeling based on STRIDE threats and has since become a widely deployed tool for security and development teams. One of its many feats is to bridge the knowledge gap between development and security when analyzing a software system, allowing for a structured conversation with intensive knowledge sharing. This is achieved by leveraging elements of game design, allowing for reciprocity and better engagement. These feats make it an ideal candidate to help with other closely related areas where developers need to cooperate with departments like compliance, legal, or privacy. Looking specifically at privacy, given its obvious recent relevance, this presentation will show an extension of the Elevation of Privilege card game that LogMeIn has adopted to meet its privacy-by-design requirements. It will show the research that helped define the cards of the suit and give a quick overview of the individual cards. By the end of the talk, practitioners will have a new toolset to include in their security and privacy processes. Furthermore, interested listeners will learn how to design extensions to already available games, allowing them to incorporate topics they feel are necessary for their work into fun exercises.

Speakers
Adam Shostack

President, Shostack & Associates
I'm an entrepreneur, technologist, author and game designer, focused on improving security outcomes for my customers and the industry as a whole. To solve these problems, I create a wide variety of companies and organizations, software, new analytic frameworks, as well as books, games...

Mark Vinkovits

Manager, AppSec, LogMeIn
Mark studied computer science and information security and did his PhD on usable and secure computing. He worked as software, security, and privacy engineer over the past decade, his current position being Mgr. of AppSec at LogMeIn. Since his research in user centered computing, he...



Friday January 25, 2019 11:45am - 12:35pm PST
Sand and Sea Room

2:00pm PST

Authorization in the Micro Services world with Kubernetes, ISTIO and Open Policy Agent
Microservices let developers break a monolithic application down into smaller, manageable services, a shift accelerated by cloud-native platforms such as Kubernetes and Istio. The challenge of enforcing fine-grained authorization at the API, however, has become more complicated. Previously, a single monolithic API gateway could enforce authorization policy; now that services are built on different platforms and deployed at a faster pace, the single-gateway approach does not scale without architectural changes. Open Policy Agent (OPA) is one option that provides the programmatic flexibility to enforce authorization at the endpoint or at the data level while still maintaining interoperability through OAuth.

In this talk we will explore how Open Policy Agent can be used to enforce fine-grained authorization programmatically and how it integrates with Istio. We will also look at how Kubernetes as a platform has made it possible to enforce programmatic fine-grained authorization that is external to the Kubernetes infrastructure. Attendees will walk away with an understanding of the challenges of enforcing authorization in a microservices world and of how OPA can help achieve fine-grained authorization for microservices on Kubernetes and Istio. Attendees will also learn how to use OPA to enforce authorization policies for the Kubernetes API.

Speakers
Sitaraman Lakshminarayanan

Sr Security Architect, Pure Storage
Sitaraman Lakshminarayanan is a Sr Security Architect at Pure Storage focused on Cloud and Platform Security and Operations. He has over 20 years of experience in building security within applications and platforms. He is the author of Web Services Security using Oracle Web Services...



Friday January 25, 2019 2:00pm - 2:50pm PST
Club Room