All right, good afternoon everybody, and welcome to a talk on building more secure applications: harnessing the power of the OWASP Security Knowledge Framework and the Application Security Verification Standard on Kubernetes. So, lots of different things we're going to talk about. Two of them are from OWASP; Kubernetes obviously is not from OWASP. This presentation is prepared by myself and my colleague Kurt, who unfortunately can't be with us today, and I want to give him full credit for a lot of the heavy lifting that he's done to get this working. It's unfortunate that he can't be here.

A little bit about me: my name is Farshad Abbasi. I've been building application software
and systems for, say, 25 years, actually probably longer than that. Half of my time was spent as a software developer, so I built software professionally for large and small companies in town, Motorola, all kinds of different brand names you may be familiar with or not. But then, after building software, a lot of my software got hacked and I learned a lot of hard lessons, so I decided to shift to the other side and help software developers make software that hopefully doesn't get hacked. That's what I've been doing for the last 14 years. I spent a decade as a senior member of HSBC bank's IT security team. I was
fortunate enough to be a part of their movement in building an application security team in the late 2000s. We built an AppSec-focused team that worked with software developers to build more secure software, and then as the world went from waterfall to Agile to DevOps we got to adapt and learn how to do those things at the forefront of all that. So I'm quite grateful for the experiences that I learned and I'm out there.
I'm a CISSP, AWS Professional, Azure engineer, all that kind of stuff, so I won't bore you with it. Let's just do a quick poll. I know it's in the afternoon and this is the last talk, so you're all probably tired and everything else, but let's just find out how many people are developers and building stuff.
... ASVS is a set of about 283 requirements for building secure applications, and then underneath it all, SKF uses Kubernetes and Docker as the infrastructure and the foundation. SKF itself is an application; it's just a web application that uses Kubernetes and Docker containers to orchestrate labs, and it uses ASVS as the foundational knowledge material. So we're going to look at a bunch of all that kind of stuff. SKF is composed of labs, code examples, knowledge-based training and all the good stuff. What you will take away by the end of the presentation is understanding why and how to use SKF and ASVS, why you would
want to do all this stuff, and the tools to get SKF up and running. That was the challenge we solved and that's what I'm presenting on, because we tried to get it up and running for ourselves and for our clients and we ran into a lot of problems, so we decided to roll up our sleeves and make it work. Then we've made the source code available, so all of you can take this after the event and go and stand up your own Security Knowledge Framework stack on top of Kubernetes. And one more thing: you'll take away tools for getting SKF up and running on Kubernetes and getting
the most out of ASVS and SKF to build more secure applications, because you're developers, as a few of you mentioned, or you're helping developers, hopefully, so this could be a great tool to build more secure applications. The audience is security practitioners that are helping developers roll out training programs or supporting them in some shape or form, software developers who need to write more secure software themselves, and IT and Ops folks who are interested in Kubernetes and how these are deployed. So: why and how to use ASVS and SKF, and we'll do a bunch of demos.
So first of all, a lot of people come to me and say, hey, we're looking for a coding standard, and they're like, hey, we were told that OWASP ASVS can be used as a
... and so it provides developers with a list of requirements for secure development, not necessarily a coding standard. You can use it as a metric for your app's security. So if you're an application owner and
you want to have a certain level of assurance, ASVS groups requirements into three levels: level one, level two and level three. Level one is the baseline; in fact, the Government of Canada published a baseline of Level One controls. That's the minimum. Level two is for applications that have a bit more sensitive data; they may have a little bit higher assurance requirements. Level three is for applications that have medical data, process large financial transactions and things like that. So you can categorize your applications and use it as a metric to figure out how sensitive your application is and that kind of thing. You can also use it as guidance
for secure development, as we mentioned earlier, and you can use it during procurement of application security. If you're going to go buy a pen test, which I hate the word, because pen testing is not the only thing you should do for your application. In fact the OWASP Web Security Testing Guide says that pen testing is not effective for applications on its own; it's not going to give you a lot of feel for your actual issues. If you really want to test an application, you've got to do a design review, you've got to do threat modeling, you've got to do code review and pen testing. But the problem with pen testing is that pen testing requires you to have known
vulnerabilities and then chain them and penetrate the system, while if you just wrote brand new code there is no CVE, there's no vulnerability for that brand new code. So pen testing on applications that are just researched is not super effective. But you can use ASVS as a way to measure different pen test providers, right? So you can say, hey, you're a pen test provider and you're a test provider: are you using ASVS? If they're not, then it's going to be hard to compare them. So it's a great way to force your providers to be consistent and use it. You can see the categories of ASVS here; it's got 14 categories. Category
one focuses on architecture, design and threat modeling. The other categories are technical controls, things you build into your application. I'll spare you and let you go and have a look at them in depth, and hopefully you'll adopt them. But here's an example: this is category 7.1, which focuses on log content. It shows you, if you've determined that your application only requires assurance at level one, then those are the two controls that you verify, so "verify that XYZ happens". Developers can simply take that and say, well, if I'm going to get tested on that, I'd better build that control into my
application. It's akin to test-driven design, for those of you who are familiar with TDD. So SKF has all these features: it has projects, it has code examples, it has checklists, as you see. First of all, you can go to the Security Knowledge Framework webpage, it's on the owasp.org site,
and they've got a link here to do an online demo. All right, the Internet is slow, my apologies on behalf of the internet connection. What's going on here, connection fails. The internet connection that I'm connected to is not letting this go through, which is not good because I was going to show you a bunch of cool things. Okay, well, we'll just skip it and I'll just talk about it, that's fine. Definitely go play with it yourself and take a look. The project section allows you to take ASVS and
create groups of requirements that matter to you. The regular one has 283 controls; the web one also has quite a few controls. So what you can do is go through those controls, create a project, put in the subset that applies to you and then manage it. I'm not a fan of that project section because it's trying to mimic what Jira does, and a lot of developers already have Jira or a project management system, so that's not what I use it for. Mostly I would use it for the code examples, the checklists, the knowledge base and the labs. What's really beautiful is that because they use ASVS as a foundation, all these things
are traceable. So you can start by making a checklist of the ASVS items that matter to you, and then for each of those you can look at the knowledge base, where it provides further explanations way beyond what ASVS provides. ASVS, the actual standard, provides a really high-level definition of what the requirement is, but in the knowledge base in SKF they go deep into what it actually means, how you do it, how you remediate it. And if you want to see some code examples, they've got examples in at least four common languages; I believe they have Java, .NET, Python, JavaScript, and you can also add your own. Oftentimes we get asked by clients, hey, you know,
we're using language X and Y, can you come and do some training customized to that language for our developers? So we can use this platform, and if it doesn't have those code examples for the ASVS items you want to train the developers on, you can simply add them in. That's the beauty of this open source framework. And then of course you can do training with learning journeys as well, so you can leverage the labs.
For example, the Ingress API at the time when they built this was in beta, which has now moved on, so there were a lot of compatibility issues, which is what we resolved. I think I already asked who's using Kubernetes. The examples we've provided are AWS-specific; we also have a minikube example if you want to run it locally. It's available in the GitHub repository that I'll put on the slide at the end. This is the address of our GitHub repo where we released our code, and we've got two
different flavors of it. We've got one that can be deployed locally with minikube and Docker Compose on your machine, and there's one that you can use to deploy this on AWS with kops and Terraform. kops, not to be confused with the police, allows you to manage Kubernetes clusters. Those of you, which I think is a lot of you, who've used Kubernetes know that Kubernetes is not easy to deal with; just getting it working is hard, everything about Kubernetes can be hard. kops makes it easy to start, stop, create clusters and manage all that kind of stuff, and we also leverage [inaudible]. So the lessons that we learned were that using that branch of SKF,
SKF 4.0, and the Docker images is what you've got to do. Using kops and Terraform and AWS, it was not easy, but we made it work, and we ended up using Let's Encrypt certificates and AWS integrations; these were the enhancements that we made. We encourage you all to join the Security Knowledge Framework channel on the OWASP Slack if you have questions or want to participate in the project or help in any way or get any information. The current Security Knowledge Framework is maxed at version 1.21.14 and the deployment templates have issues, so you need a lot of patience to get it to work. But we've made that simple, so you can use our scripts to get
it up and running pretty quickly, and I'll do a quick demo of that as well. This is probably really small and you can't see, but there were a couple of pieces of code that we had to fix. It was mostly around the Ingress API. As I mentioned, the Ingress API for Kubernetes 1.21 was in beta and has since come out of beta, but because SKF itself hadn't updated certain parts of it, it would break, and so we've managed to address that and release that code. So I'm just going to show you a demo. Yes, please? Why?
Why? It was easier for us, and we want to make this portable to the local version and others, so if we stick to that it may be, obviously, for portability. So what we've rolled out is a shell script. When you source that, it will create a whole bunch of other shell scripts, as you can see here, and those other shell scripts are very nicely numbered, so this is a multi-step process. Once this is sourced and it runs, you basically end up with shell scripts that are provided to you and they're nicely numbered. You first start with the ones that
start with the number zero and you run them: 010 defines the labs, then 020 creates the labs, 030 validates them, 040 creates the Ingress routes, and then the fifth one gets it all up and running. You'll see that here; I'm going to run it. We start by using the definition one. One other thing I'm going to mention is that the Security Knowledge Framework requires two Kubernetes clusters. Why does it do that? Because the labs have vulnerabilities in them and the authors felt that it was not so secure to have the command and control, or what
they call the demo, the portal application, in the same place as these vulnerable apps. So if a particular vulnerable app has a vulnerability and someone can break out of the container, which is very theoretical and could be technically difficult, they could access the command and control of the Security Knowledge Framework. For that reason they've put them separately, but they are looking at re-architecting this right now. There's a lot of work going on; the project has kicked up again, and in fact the other day one of the project leads on LinkedIn was asking people to join and help with that. So we've decided to do that and I encourage those of you who are
interested as well. So this is going to build the labs cluster first, and then the second set would start with the main cluster, and at the end we tie it all together. You run the first script, and that'll define your Security Knowledge Framework labs. After that's done, I'm going to put it on double speed here, so it'll go through the motions and it will set everything up. The first step defined it, then it created it, and once the labs are created, you run the third script, so it would go through the motions
and create the tasks. Let's keep going, and when you've done that, you run the next script, which is the third one, which is the validate. So there's always a define, create, validate for both sides, and then you set up the CNAMEs and the routes. Right now you can see here the lab cluster is ready, so then we create the Ingress route. For those of you who are not familiar with Kubernetes, the Ingress API allows you to make Kubernetes services available to the outside. In this case our service is the labs, and we're going to use the Ingress to set it up so that you can access it from the outside.
In this case the outside would be the Kubernetes cluster of the Security Knowledge Framework command and control. So here we go: after creating it, then it'll go to the next step. There we go, the kubectl context is set to our lab environment, and then we run the final one here. There's a couple more; this one gets the Ingress for the labs. Sorry, I put it back on double speed. Now we're going to set up the demo, which is the actual Security Knowledge Framework command and control, and then the same similar steps: you define it, you create it, you validate it, set up the Ingress, and at the end we tie it all
together and we'll have a demo environment. So this one is now creating that based on the definitions,
and once that's created we're going to validate.
So now we have the demo cluster ready, so we're going to basically set up the requests for all of this, and at the end we just set up a CNAME for it, and then you can go to that URL and use your brand new Security Knowledge Framework cluster. This last step, where you apply it: the first few steps set up the Kubernetes clusters for you, but what the last step will do is actually deploy what's required, things like MySQL and Flask and a bunch of stuff for the actual application. So the first two steps set
up your infrastructure, and once your infrastructure is set up then you put in the moving parts, the code of the Security Knowledge Framework itself, and there it is, it's up and running. Because we don't have the Internet working on my laptop, we'll just show you the rest of the demo. I was hoping to actually play around with a couple of lab examples, but we'll just rely on the pre-recorded video here. I reconnected it to this one, but I'm having some TLS issues. It's streaming, I think, I'm hoping it's streaming. So here it is: now the cluster is up and running, and, ignore this, we're going to
copy and paste the URL of our brand new Security Knowledge Framework cluster, SKF, and it's coming up, there it is. This is the new splash screen of SKF, and they made it pretty fancy. If you're a developer you can jump into things that are helpful to you: the code examples, the knowledge base, the security requirements. If you're a tester they've got a bunch of things for you, like training and labs. If you want to look at the knowledge base, they've just made it easy to jump to the different sections. As you can see at the top, these are the key sections
of the Security Knowledge Framework: your projects, your code examples, your checklists, your knowledge base, lots of training, as I mentioned, but these big colorful buttons just make it easier to go into the section that's more relevant to your function, because any of these different folks can be leveraging the Security Knowledge Framework to do their job better. So let's look at the labs here; in particular we look at a lab that's related to LFI, or local file inclusion. Here we go, we're going to go to the lab section. The other nice thing, as I mentioned, is there's a lot of traceability. If you start with
a checklist, which is why I recommend it, it's got ASVS regular, the web one, it's got the ASVS mobile, and you can go through them and create your own checklist, or you can add entries if there's something missing. If you're like, hey, our environment is custom, we need to add a few things, you can add them in yourself as well. The labs all relate back to those particular ASVS levels, and they've got the different levels of difficulty listed here as well. The knowledge base is also connected, and it's all traceable from that perspective. If you want to know about a particular lab, they've got write-ups
on what that vulnerability, the
weakness, is about and how it works. I'm sure many of you are familiar with things like WebGoat, which has been around forever; Jeff Williams created that years ago. You're probably familiar with Juice Shop; if you're not, I highly recommend it. It's a modern application with a REST API, written in Angular, Node and Express, and we use that quite a bit to train folks. But the challenge with them is that they don't really trace to ASVS. So if you've got a company that has adopted ASVS as their requirements and you've tested based on ASVS, what you want is to go through the
weaknesses, right? You want to say, well, our developers failed on these particular ASVS items, so you want to take those and deliver custom training. Those other things like WebGoat or Juice Shop are just implementing the general OWASP Top 10.
As the earlier presenter, Brian, was speaking about, you should be able to say, well, these particular ASVS numbers failed, can I go and teach them? Then here are the relevant labs that are directly related. In this particular case, let's say your developers are not implementing things related to local file inclusion or path traversal properly, so then there's a lab where they can learn about it. Once the container launches, the URL is provided that you can go to.
So there's our lab. Unfortunately I can't interact with this because again the internet is not working on this laptop, but this is just a basic example of a drop-down menu. When you create the drop-down menu, you can either specify a specific value for each item in the drop-down list, or you can just use the display text. In this case, if you actually inspect this, the developer just used the display text; they didn't specify an actual value. So you, as a tester, can go in and put a value and
see what happens. Normally what happens in this example application is that you can select a chapter in a book: you can select intro, chapter one, chapter two, and depending on what you select it goes to the back end, grabs the file for the intro or for chapter one or chapter two and displays it to the user. Except that the person that developed this is just using the display text as the value to go and fetch that file; they're not explicitly specifying a value for that item. So you can go in and change that. Here we go, I'm going to show you.
You can go and add that in, add in a path of your choosing and see what you can get. In this case we're going to try to grab the classic passwd file and grab people's passwords. Here you can see that, as I was mentioning, there's no value explicitly provided; or actually, here they've got "text/intro.txt". It's funny, because in the live version that's currently on the SKF site it doesn't have a value, so this must have been a different version that we used previously for this video. But here you can see that there's
this file. As a tester I'm curious, what else can I do with this? So what I'm going to do is try to put a different path: I'm going to delete this and try "../etc/passwd" and see if it'll go and fetch that for me. Once I've done that, there's the drop-down, I select it, and there it is: it grabbed the password file, because this web application wasn't built properly. This is how you can demonstrate it to your developers, and they can go and learn about these topics very easily, and there's a write-up for each of these as well.
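Added example, not code from the talk or from SKF: the chapter loader below reproduces the shape of the lab's bug (the drop-down value is joined straight onto the document root) next to a hardened version that maps an opaque chapter key to a known file and checks that the resolved path stays inside the document root. The document root, the chapter files and the "outside" file standing in for /etc/passwd are all constructed in temporary directories so it runs offline.

```python
"""Chapter loader modelled on the SKF local file inclusion lab.

Added example, not SKF's own code. Two resolvers are shown:
  - read_vulnerable(): the drop-down value becomes part of the path,
    so a traversal value reads files outside the document root.
  - read_hardened():   the value is an opaque key looked up in an
    allow-list, and the resolved path is checked against the root.
"""
import os
import tempfile

# Constructed sample document root with three chapter files (the
# intro / chapter one / chapter two choices from the lab's drop-down).
DOC_ROOT = tempfile.mkdtemp(prefix="skf_lfi_demo_")
CHAPTERS = {
    "intro": "intro.txt",
    "chapter1": "chapter1.txt",
    "chapter2": "chapter2.txt",
}
for _name in CHAPTERS.values():
    with open(os.path.join(DOC_ROOT, _name), "w", encoding="utf-8") as _fh:
        _fh.write(f"Contents of {_name}\n")

# Constructed stand-in for a sensitive file outside the document root
# (the lab fetches /etc/passwd; this example never touches real files).
OUTSIDE_DIR = tempfile.mkdtemp(prefix="skf_outside_")
OUTSIDE_FILE = os.path.join(OUTSIDE_DIR, "passwd")
with open(OUTSIDE_FILE, "w", encoding="utf-8") as _fh:
    _fh.write("root:x:0:0:constructed sample, not a real passwd file\n")


def _inside_root(path):
    """True when the real path of `path` is under the real DOC_ROOT."""
    root = os.path.realpath(DOC_ROOT)
    real = os.path.realpath(path)
    return os.path.commonpath([root, real]) == root


def resolve_vulnerable(selection):
    """Mirror of the lab's defect: the drop-down value is used as a
    relative path, so '..' segments walk out of DOC_ROOT."""
    return os.path.normpath(os.path.join(DOC_ROOT, selection))


def read_vulnerable(selection):
    """Serve whatever the vulnerable resolver points at (no checks)."""
    with open(resolve_vulnerable(selection), encoding="utf-8") as fh:
        return fh.read()


def escapes_root(selection):
    """Report whether the vulnerable resolver lands outside DOC_ROOT."""
    return not _inside_root(resolve_vulnerable(selection))


def read_hardened(selection):
    """Fix in the spirit of the ASVS file-handling requirements: accept
    only known keys, and verify containment before opening the file."""
    filename = CHAPTERS.get(selection)
    if filename is None:
        raise ValueError("unknown chapter selection")
    path = os.path.join(DOC_ROOT, filename)
    if not _inside_root(path):
        raise ValueError("resolved path escapes the document root")
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def hardened_rejects(selection):
    """Convenience wrapper: True when read_hardened refuses the input."""
    try:
        read_hardened(selection)
    except ValueError:
        return True
    return False


def traversal_value():
    """The kind of drop-down value the lab demonstrates: a relative path
    from DOC_ROOT to the constructed outside file (e.g. ../x/passwd)."""
    return os.path.relpath(OUTSIDE_FILE, DOC_ROOT)


if __name__ == "__main__":
    bad = traversal_value()
    print("drop-down value:", bad)
    print("vulnerable handler escapes root:", escapes_root(bad))
    print("hardened handler rejects it:", hardened_rejects(bad))
```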
Once they've done the lab, as I was showing in the earlier slide, there's additional reading material or code examples. A particular use case is that you have the company Acme Corp. They have three developers and they're growing to be 10 people by the end of the year. The development team knows that it's important to be secure, but they're all looking at each other and they want to build security requirements into their app, and then they come and say, hey, we want a coding standard. So it's like, well, okay, there's no coding standard, but the Security Knowledge
Framework can be used as a platform to achieve your goals. Acme Corp, with about three developers and not a lot of money, can go and implement this for free and then get their three developers
the checklist that they've created, or the requirements that they think are applicable to them, and go and learn about it, go and read up on what each of those ASVS items means. Now, if they just go and take the ASVS standard on its own,
they look at each other and they're like, well, we don't quite understand this; ASVS is not enough definition. But the Security Knowledge Framework elaborates on it and gives you a lot more information, so that it makes it easier to really figure out what that requirement is about. So this Acme Corp team can do that. First of all, what they should do is a scoping exercise, where they go through all 283 controls and figure out which ones fit their application. They might be building an application that doesn't have a front end.
... to try to create their own standard, probably no one's maintaining it. Using a standard like this, it's crowdsourced, it's open source, they're maintaining it all the time, there are some really smart people contributing to the standard, including our team; we've contributed dozens and dozens of additions and corrections to the standard to make it better for everyone. So this team can adopt it and then use SKF not only to manage their requirements but also to train their developers and make them more successful. You can also add your own modules and add your own labs, so I'll just show you a quick demo on that. Let's go here.
So a bunch of you mentioned you've heard of Juice Shop, right? What you can do, since Juice Shop is containerized, is just plug that into SKF so that your team members can simply use it. Let's just do an example of that. Let's say you've got the Juice Shop container; you reconfigured Kubernetes to give you Juice Shop. Let me just move this out of the way.
Almost there. Juice Shop will be available to them as a lab, and then they can just go and look for it or scroll down and find it, but it's launched in the same manner. So there comes your container that you've made; in fact we've added things that are not present, or more difficult, more advanced examples, but in this case we've added Juice Shop as a container here, and there it is, it launched Juice Shop very easily. So again it becomes your centralized training platform for that, rather than telling your developers, oh, the Juice Shop is over here; it's all in SKF. And then you can also use the
training feature to create a training path, which you can investigate. So in this case there's our Juice Shop instance up and running; it gives you the IP address where you can access it, and of course it takes a bit of time for the container to come up, and after it's up, there it is, Juice Shop is ready to go. Then you can go and play with it. In this case let's take a quick look at a basic example where you go to this particular exercise and your goal is to find a particular
piece of hidden information in the legal.md. So you go and open that up, and then it shows you that it's coming from an FTP path, you'll see in a second, and then if I go to that path I see, okay, let me see if I can get this out.
By the way, oops, sorry about that. So here it is: you just remove that legal.md, go to their FTP folder, and there's a whole bunch of other goodies that you can grab. So let's go back to the slides here. You can learn with SKF, you can train, pen testers can use it, it's quite a great platform. So what are some of the takeaway considerations? You can use it for requirements, as I mentioned before, and you can use it for all the things, of course, but it can help you get more out of ASVS and you can use
it as part of your AppSec training platform. You can harness it for a more secure development life cycle, or SDLC. You can customize the code examples, checklists and knowledge base; you can add your own requirements in there; you can add your own code examples if you're using a language that is not there. We've had clients that have asked us, hey, I'm using Go, or I'm using Ruby, or whatever, can you do that? We have the expertise, we can simply go in and take some code and add it to the particular examples for those, and ideally, if you do that, release it back to the project so
others can benefit from it as well; that'd be a good thing. And you can set up customized training based on areas of weakness. I really emphasize that, because if you just provide general training to developers, and a lot of companies do the basic OWASP Top 10 type of training, it is useful and I 100% recommend that you do that, but training that's focused on areas of weakness is way more effective. A lot of platforms that are out there, say commercial scanning platforms, will scan your application and highlight weaknesses, and then they also say, well, your developers failed on XYZ, click on this particular link to go get some training
related to that. So this is the free version of that. It doesn't tie into your automated testing, of course, but you can do that yourself: you can say which ASVS controls are we failing on often, and you can even trace it, I believe; again, Brian was mentioning using your SIEM and all those kinds of results, or looking at your security operations results every year and trying to figure out what we have been failing on, what kind of threats there have been.
So feel free to contact myself and my colleague Kurt to be able to get the software running; it's on GitHub.

Okay, this is not using the AWS EKS service. What this is going to do is set up a machine and then deploy all the stuff in there, so it's not using the Kubernetes service per se, it's using kops. I could use EC2, so it's just deploying infrastructure. ECS, as you said, they also have EKS, which is the full-blown Kubernetes; it's not leveraging those services. It can, yeah, because we also launch it on a VM locally, so you can also use it if you don't want to use AWS. We've also made, let me just go back to the web page, I pre-loaded
it, luckily, before this internet connection issue. If you go to our repo, there it is, we've got both the minikube build for Ubuntu, so if you don't want to put it on AWS that's an option. You can just run a small instance of minikube; it's nice and portable, and just run it on Ubuntu on your machine locally, and there are the instructions on how to do that. If you want to build it out in AWS and do the full build, which is the demo that I was showing, which I recommend you do, then you just go with this. You just have to make sure that the user that you're using has the
permissions to be able to roll out all the services that are required. Any other questions? Who's going to run home and start using this? I hope all of you. Awesome. It's a great project; I'm quite grateful for the people that started this, they've done a lot of really good work. It needs more work, but we're hoping that we can all help and make it better and the whole community can benefit from it as a result. Cool, well, if there are no other questions I'd like to thank everybody for attending this presentation, as well as BSides, and thanks again.