
Purple is the New Black: Modern Approaches to Application Security

BSidesSF 2020 · 24:05 · 240 views · Published 2020-03
About this talk
Tanya Janca explores modern application security practices by combining defense, offense, automation, and continuous learning. The talk covers emerging patterns—zero trust, serverless, APIs, microservices, containers, and cloud-native security—alongside contemporary tooling and tactics for securing modern software delivery pipelines.
Tanya Janca - Purple is the New Black: Modern Approaches to Application Security This talk will explore how to combine defence, offence, automation, empathy and continuous learning in a MODERN approach to application security. All new types of applications will be covered as well as their corresponding security best practices.
Transcript [en]

So here we are with Tanya Janca, also known as SheHacksPurple. She is an independent security consultant specializing in software and cloud security. Her obsession with securing software runs deep, from starting her company to running her own OWASP chapter for four years and founding the OWASP DevSlop open source and education project. With her countless blog articles, workshops and talks, her focus is clear. Tanya is also an advocate for diversity and inclusion, co-founding the international women's organization WoSEC, starting the online #MentoringMonday initiative, and personally mentoring, advocating for and enabling countless other women in her field. As a professional computer geek of 20-plus years, she is a person who is truly fascinated by the science of computer science. Give it up for Tanya.

Thank you. Thank you for coming to my talk. There's a whole bunch of really good talks for this entire conference and some of them are at the same time as mine, so I appreciate you choosing mine. This is going to be the lightning version of this talk, because usually it's a full hour where I try to melt your brains out of your ears, so you're only going to get 25 minutes of that. Let's start. So this is called Purple is the New Black, and we're going to talk about purple teams, and by that I mean we're going to talk about modernizing application security, because essentially we can't have modern apps and then not change the way we do security, because then we're only going to be catching some of the problems and protecting them partially. So I'm going to talk about all new things, not old stuff. I'm skipping on purpose. All right, let's do this.

So we always do the mandatory about-me slide, because we want you to think that we're qualified to give our own talks. It's not like a bragging thing, it's just like, I need you to know I'm a person, I do lots of stuff, I hope you're going to stay the whole time. I'm obsessed with OWASP, I am a big part of WoSEC, and I train and do stuff. So that's me. Hi. Okay, on to the talk.

So I'm just going to talk about modern application security, and normally I would do definitions, but you already know that. I'm not going to explain what AppSec is and do all of that warm-up; we're just going to go right into it. All right. Okay, so again, I love OWASP and I have stickers of this after, in case you want it. Okay, what the purple team does is application security. So you have red teams that attack networks and attack software and attack systems. You have blue teams that defend systems; those are the people that fix your firewalls, that patch things and implement security tools. But in the middle, between the developers and the security team, is the AppSec team. That's where I live, that's my favorite topic, and that's what we're going to talk about today.

Okay, so the first thing I want to talk about that's a new thing is zero trust. Way back in the day when I started, a long time ago in tech, first of all there was no security, because I'm older than I look. But then eventually we're like, you know what we should do? We should put a big barrier and gate around everything. We'll build a wall, and then we'll keep everyone out, and everyone inside, I'm sure we trust them. We have learned that that doesn't actually work that well, because what hackers like to call opportunity, we as defenders call pivoting. And so we don't want them coming in, and if they do, we want it to be awful; we want them to not be able to get anywhere. So that's where zero trust came from. A lot of people just talk about zero trust as it relates specifically to networks, but I believe we can do this with apps, with APIs, anything that talks to anything: ask first. Ask first, make sure that you trust them, don't just blindly trust. This is a thing we used to do, I know because I did it, but now we're not doing that anymore and we're having better results.

And hand in hand with zero trust is assume breach. So let's practice as though we have been breached; let's assume that someone's been inside. So let's say you have a bug bounty where you work, or a responsible disclosure program. If someone reports something to you that's exploitable, act like maybe it was. Go investigate, check it out, right? Do all the things and act as though you might have been breached. You will unfortunately be right sometimes. I know, I know that sounds bad, but trust me, you will win if you act this way.

Okay, so other new things: serverless is new, logic apps are new. First I'm going to explain what they are, then I'm going to make fun of them, just kidding, not really, and then I'm going to explain what security things we need to worry about. So a logic app is a trigger, so it just calls a serverless app. So let's say if someone tries to log in 10 or more times in one second, that will trigger a logic app. A lot of cloud providers have this; they have different names for it, but essentially it's just a trigger. A serverless app is a script, a little tiny piece of software that usually just does one thing, and it does not live on a server; that's why it's called serverless. So basically when it gets triggered by a logic app or called directly from an application, it explodes a container, runs itself and then self-destructs, so you don't have to pay for server time the whole time. Guess what? We still have to secure them. I don't think everyone knows yet, though. Ask any pen tester; people seem to be thinking like it's 1990 again, security doesn't count. No, that's not true, it still counts. So we still need to do all the same AppSec stuff that we normally do. So we need to sanitize our inputs, right? I know that sounds really obvious. We need to authenticate and authorize people; we can't just let everyone in. I know this sounds really obvious; apparently it's not. But there's more. Okay, so with... so these are, yes, so we want to monitor and log our functions, but then we want it... actually, I'm getting ahead of myself. We want to do secure coding and we want to make sure we verify, or that we secure, our data in transit, and then if you put it in a database, obviously at rest. But there's new stuff, so this is the new stuff, modern improvements. So we want to do an API gateway. I know we talked about how gates are bad like four seconds ago, but what I mean by this is, no one is allowed to talk to the APIs unless they come in through the gateway, and then you still have secured your APIs within there, but it's one more layer of defense in depth. And then on top of that we want to not only monitor and log our functions, we want the information to go to the SIEM, because we want to pick up on when there are anomalies and problems, and if no one's actually looking at those logs we won't find them. And I have so many stories about logging things and then finding out years later, oh, that looks really bad in 2011. Anyway, next. We want to manage our secrets in a secret store. So way back in the day when we used to save our stuff directly into our code, that became bad. Then we put it in the database; that became bad. Now we use secret stores, and your APIs can too. And lastly... oh no, there's two more. We want our APIs, or our serverless apps, to generally just do one thing. We don't want one serverless app that does 500 things, because that's an app; just write an app, right? If you have each serverless app just do one tiny thing, if one of them is down or one of them's broken, the rest of your app and your functionality still works. So minimal granularity. And then lastly, we want to isolate our function perimeters, and by this I mean don't just automatically trust. So if you have an app, you log into it, you authenticate to it, it calls a serverless app, you authenticate to that serverless app, then that serverless app calls another one: you still need to authenticate there. For some reason everyone's like, oh, it's fine now. It's not. Okay, next.

Awesome: third-party component and library management, software supply chain security. There are a lot of tools right now on the market that do this, and then there's a free one from OWASP called OWASP Dependency-Check. A lot of people call this open source security, as in managing all of your third-party components, but it doesn't actually matter if it's open source or proprietary source. If there are vulnerabilities in it and you put it in your app and then you release your app, you took those vulnerabilities, put them right in, and then released them. So it doesn't matter if you're using something that's proprietary like .NET or if you're using something totally open source like Ruby; both of them are awesome, but I want you to use secure versions. So we usually do something called software composition analysis, or SCA. So I'm going to say something vendors don't like: I think you should use two tools, not one, if you can afford it, because each tool looks at things in a completely different way and they have different teams looking at different things. And whenever I used to be a pen tester and I would pen test somewhere, they'd say, okay, we'll call you next year, and I would tell them, stupidly (this is why I don't make enough money), I'd be like, you shouldn't hire me, you should hire another pen tester who will look at it with a different set of eyes, and they might find something that I've missed. Like, I like to think I'm perfect, but only me and my mom actually believe that. Okay. And so you also, in my opinion, want to scan your repository often, but then you also want to scan in your build pipeline. I know that this might sound weird, but sometimes you upgrade from a much older version to a newer version, so you've actually gone up a version, but that version is the one with the vulnerabilities. So that's why you want to check in your pipeline. And then you also want to check in your repository, specifically because you have lots of legacy apps that you probably don't release very often, but there are still researchers and malicious actors who are still looking at them, and the longer it's been out there, and the longer you haven't checked it, the more likely that there are actually vulnerabilities that have been documented, that are known, that you could be catching by scanning your repository regularly. I already said that. All right, next. I'm trying really hard to keep on time.

Okay, so online storage, crown jewels. When I first started going to security conferences, open S3 buckets were like this really big joke and everyone's like, hahahaha, because apparently we laugh at our victims; that's what we do. But I am really happy that all of the cloud providers have learned from that, and now all of them are by default making the settings quite secure. But we can do more. So on top of them not being open by default, there's a lot more now. So one, you can make templates with whoever your cloud provider is; all the major public clouds do this, so that every new container, their storage container, that's created underneath your organization or your subscription has a template that it must follow, and you can just lock that down. Really, you can harden the crap out of that. And then on top of that I suggest that everyone start classifying their data. Who thinks data classification is really fun and exciting? Just kidding. Who here does incident response, and when you find out that all the data that's been leaked is public, feels really relieved? Yeah. I totally have strands of hair that are all gray, and they're because people didn't label or classify their data. Not kidding. So please classify your data; it really, really, really helps your incident responders, and it helps everyone know what to do with it. Next, we should monitor these containers. What? I know, I'm wild. And we should alert on them. Most cloud providers will let you; they have all sorts of automatic monitoring and all of that you can do, but you could do some yourself, like we talked about earlier with triggers and serverless. You can create your own triggers and have serverless do things for you. That's what code is: it's computers doing your bidding. That's why I like it. So I strongly, strongly suggest monitoring all your containers and setting up alerts. If you have a public cloud provider, give it your phone number if you're on the security team. It might sound silly, but I had Azure call me once and I was so glad it had my phone number. Just once in two years, but gosh, it mattered. Anyway, next. You should also audit this and make sure that you're only accessing your containers, sorry, I shouldn't say containers, you should only access your online storage using a service account. So I used to, back in the day, because I started programming at the beginning of time, I would use Tanya's account. Tanya's account would access the database, and Tanya's account would do this, and Tanya's account would do that, and then I would go find a better job, and then all the things are broken. So instead we want to have service accounts doing things, so it's not Tanya at 4:00 a.m. who appears to think that she needs to log into blah blah blah. If you see a service account doing that, you're like, okay, I know what's going on. But if you see Tanya doing that, there's probably a problem, and if an incident hasn't already been called and started, you probably should start running. Mmm, okay, next.

Containers and orchestration. So I'm going to explain first. I know that a lot of you probably know this, and sometimes I over-explain. I do that because when I first went to a security conference I couldn't understand anything the whole two days, and I just walked around like this, and I really want to make sure everyone understands the whole talk. So I don't mean to patronize anyone; I know most of you know this, but for the few that don't. So we used to run servers on physical machines, and then eventually we started creating virtual machines, or VMs, so we would take an operating system, smush it, run it in a hypervisor on a server, so we could run a few on the same machine. But then a very smart person created containers. Containers are even smaller. So a virtual machine might need two gigs of space and two gigs of memory to run, so you could put maybe two or three or four on a server. A container you can run with sometimes two megs of memory and four megs of space, so you can put a whole bunch of containers and run them all at the same time. Makes things faster, smaller, and you only have the parts of the operating system you truly need. And then orchestration is the managing of all the containers: deleting, loading them up, taking them down, all the things that you do with containers is orchestration. Okay. Now, you're experts: please still do regular network security on these things. Please still make sure your configurations make sense. It sounds really silly, but sometimes we get new tech and we are so excited, IoT, and then we just forget all about the rules of security, and it's bad. People don't forget, unfortunately, so we have to be diligent right from the very beginning, and that includes with fun, fun, fun containers. Plus, basically it's kind of the same as previous, like with virtual machines, except there's new configurations, there's new security tools, there's new types of scanning, there's new types of vulnerabilities, but you still basically need to look out for vulnerabilities. And you still need to... a lot of people say you shouldn't patch, you should just create a new updated version and then release that and delete the old one, but the point is that you absolutely, absolutely need to make sure that they are secure. You can't just put a container out there for a year and then just let it go. I mean, you could, but it's going to be very bad. Also, specifically with containers, you really need to watch out for who has the rights to edit them, create them or delete them. This is a brand new area of interest for people who don't have your best interests at heart, so please watch that. And then lastly, just do all the same things you would normally do, like you still need to protect them in all the same way that you would protect anything on your network. Okay, next. Sorry, I'm going fast, but like I said, we have only a few minutes left.

Okay, so APIs and microservices. Am I going to explain what this is? Yes. So an API stands for application programming interface, but it's basically an app with no front end, and it can do whatever you want except for have a front end. So there's no GUI, but there's all those other things. And then a microservice is an API that just does one single thing. The idea of a microservice is that if you have an app that, then we call one giant API, if instead you have 20 microservices, if one of them's down the rest of your app still works, and that's pretty great. So guess what, we still have to do basic AppSec. We still need to make sure our inputs are good, we still want to use everything with TLS, we still want to do all the stuff that you already obviously have memorized and always do perfectly. You need to do that, but more; there's always more. A new thing, well, it's not really that new, but it seems it must be new because not everyone is using it yet: service mesh. A service mesh is a layer of infrastructure, and all of your APIs can go through it, and then it protects it end to end. You don't have to change any code. Yes, that sounds great. All the cloud providers offer it; there's also third-party ones, they're interoperable, and yeah, I like the idea of having an extra layer of security. Standardization or templating for your org: I have worked at a lot of places where a whole bunch of different teams were all making APIs and they're all excited, and everyone was a snowflake. Snowflakes are bad in security. Snowflakes make it hard for me to do my job. I mean, if you're a contractor pen tester, you're like, yeah, I'm awesome, look at all these snowflakes. But as someone who is quite often, or until recently used to always be, the employee, where it's like, I own that API, I sit next to those people, you want to have standardization and templating whenever you can. I'm also a big fan of linting. Linting is like the grammar police, but for your code. I remember the first time a developer showed me a new language and they're telling me, you don't even have to declare what type of variable it is, it'll just figure it out from the context. No, no, no. No poetic license anymore; the grammar police are here and we are linting. So you can lint your APIs and make sure that it's following the language or the standard to the code. It's really, it's really very helpful, even if at the time it's pointing out your bugs it might seem really annoying, but then when your app doesn't get breached, it feels good later. Throttling and resource quotas. Oh my gosh, I only have five minutes left. Okay, well, that's self-explanatory. Yeah, you should authenticate and then you should authorize. You should hide what you can and not share any extra information. And please whitelist the HTTP verbs or methods that you use. It's GET and POST, and then everything else, just block it unless you have a really good reason. Okay.

Modern tooling. So I'm going to go through this really quickly, because we have five minutes and I talk too much. These are new types of tools: IAST, interactive application security testing; RASP, this is like a WAF, only not crappy, way, way better. WAFs are slow. Okay, stop it, Tanya. No, I just mean that I'm talking too much, not that I always make fun of WAFs. Okay. File integrity monitoring, which goes hand in hand with application whitelisting; this is something that I strongly advise people should put on their servers, so that only the things that are supposed to run on your servers run, and nothing else. Cloud-native controls: each one of the public cloud providers has their own special things that they have made specifically only for their cloud. If you are paying for their service, take advantage and use all the free stuff you can. Adding security to your DevOps pipelines; I'm sure there's been a lot of talk about that, and there will be tomorrow at 3:00 in room 16. Customizing your alerts, automating responses using serverless and logic apps as triggers. And, I don't know what to call this new type of tool, but basically there's a whole bunch of systems out there right now which will inventory all of your public assets and watch them and tell you when scary stuff happens. No one's come up with a really cute acronym for it yet, but I'm sure someone will.

Okay, modern tactics, and then we're done. Adding security to your DevOps pipelines, creating negative unit tests instead of just positive ones, breaking security activities into sprints, turning pentest results into unit tests so you can have regression security testing, tuning tools via automation and efficiency, automating repository scans (it's just sitting there, right? Why not just take advantage?), et cetera, et cetera. This is basically all I ever talk about; my talks are like, I'm a broken record: application security. Okay, so, oh yeah, we can't talk about DevSecOps; there's not going to be time for that. But I'm trying to press the button and it's going okay, and I'm going to have to skip a few slides. Really sorry, I've definitely done this in 25 minutes before, but maybe we started late. Cloud security: some apps live in the cloud. If you're a software developer and you have an app that is living in the cloud, if the cloud is wildly insecure, you're still in trouble. Okay. And lastly, this is a summary. If you're going to take a photo of a slide, this is the slide you want, and after this I'm going to give you some resources, so keep your phones out. Do I have like two minutes left? Okay, so resources. All these resources are free. OWASP: who here is part of their local OWASP chapter? Awesome. I dream of the day where all your hands go up. WoSEC: cuddly, cuddly security, cuddly Care Bears, we really are. Women of Security, we're going to host the CTF tomorrow morning and we're going to crash [inaudible] Tuesday night, so Women of Security welcomes you. If you are a woman or you identify at all as a woman, please come and meet lots of other friends. And every Monday on Twitter I use this hashtag to try to pair mentors and mentees. Who here has worked in security for two years or more? Congratulations, all of you are qualified to be mentors, even if you didn't know that. You know enough to do your job, and there's someone who wishes they knew enough to do your job so they could apply. Please consider reaching out. And lastly, you can follow me; I'm biased, but I think I'm great. And now let's summarize what we have learned today. We learned some modern tools, some modern practices required so that we can secure our apps. We can't keep doing things the old way if we want to secure things. Developers and ops aren't going to wait for us; they're not. So we have to get with wherever they're going and follow as closely as we can. Thank you very much for your time today. [Applause]
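The talk's "isolate your function perimeters" point (app authenticates to serverless function A, A calls function B, and B must still authenticate A rather than trusting the chain) is illustrated below in an added example that is not code from the talk or from any product Tanya mentions. It assumes a single token issuer (for instance the API gateway) whose HMAC key is loaded from a secret store; the key, function names, caller allow-list and the `sub`/`aud`/`exp` claim names are assumptions for this example only. Each hop verifies the signature, the expiry, that the token's audience is itself, and that the caller is one it accepts, so a token for A is useless against B and the front-end app cannot reach B directly. The negative cases are the "negative unit tests" the talk asks for.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key for the token issuer (e.g. an API gateway or identity
# service). Assumption for this example only: in a real deployment each function
# reads its verification key from a secret store, never from source code.
ISSUER_KEY = b"example-issuer-key-not-for-production"

# Which caller each function accepts. fn-b may only be called by fn-a, never
# directly by the front-end app. (Assumed topology for this example.)
ALLOWED_CALLERS = {"fn-a": {"app"}, "fn-b": {"fn-a"}}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_claims(claims: dict) -> str:
    """Canonical (sorted-key) JSON, base64url encoded; this is what gets signed."""
    return _b64(json.dumps(claims, sort_keys=True).encode())


def mint_token(sub: str, aud: str, ttl: int = 60, now=None) -> str:
    """Issue a short-lived token bound to exactly one audience (one function)."""
    now = int(time.time()) if now is None else now
    body = encode_claims({"sub": sub, "aud": aud, "iat": now, "exp": now + ttl})
    sig = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token, expected_aud: str, now=None):
    """Return (status, reason, claims). Every hop calls this for itself.

    The signature is checked before the claims are parsed, so unauthenticated
    input never reaches the JSON parser or the authorization logic."""
    if not token or token.count(".") != 1:
        return 401, "missing or malformed token", None
    body, sig = token.split(".")
    try:
        expected = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return 401, "bad signature", None
        claims = json.loads(_unb64(body))
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return 401, "malformed token", None
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return 401, "expired", None
    if claims.get("aud") != expected_aud:
        return 403, "audience mismatch", None
    if claims.get("sub") not in ALLOWED_CALLERS[expected_aud]:
        return 403, "caller not allowed", None
    return 200, "ok", claims


def fn_b(event: dict) -> dict:
    """Second hop: does its one small thing, but still authenticates its caller."""
    status, reason, claims = verify_token(event.get("token"), "fn-b", event.get("now"))
    if status != 200:
        return {"status": status, "error": reason}
    return {"status": 200, "result": f"fn-b did its one thing for {claims['sub']}"}


def fn_a(event: dict) -> dict:
    """First hop: authenticates the app, then mints its own token for fn-b.

    It deliberately does not forward the app's token: that token's audience is
    fn-a, and fn-b would (correctly) reject it."""
    status, reason, claims = verify_token(event.get("token"), "fn-a", event.get("now"))
    if status != 200:
        return {"status": status, "error": reason}
    downstream = mint_token("fn-a", "fn-b", now=event.get("now"))
    return fn_b({"token": downstream, "now": event.get("now")})


if __name__ == "__main__":
    t0 = int(time.time())
    app_token = mint_token("app", "fn-a", now=t0)
    print(fn_a({"token": app_token, "now": t0}))                            # 200
    print(fn_b({"token": app_token, "now": t0}))                            # 403 audience mismatch
    print(fn_b({"token": mint_token("app", "fn-b", now=t0), "now": t0}))   # 403 caller not allowed
```

The `now` field in the event exists only so the expiry check is deterministic in tests; a deployed function would use the clock. The shape generalizes beyond two hops: every function in a chain owns its allow-list and its audience check, which is exactly the "ask first, every time" rule the talk applies to zero trust.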
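The talk's software-composition-analysis point has a specific failure mode worth seeing in code: a dependency "upgrade" can land in a vulnerable range that the old version was not in, which is why the scan has to run in the build pipeline and not only on a schedule against the repository. The following is an added example, not code from the talk or from OWASP Dependency-Check; the advisory feed, package names, advisory IDs and both requirements files are constructed for this example and correspond to no real library or CVE. It parses pinned `name==version` lines, matches each pin against a half-open `[introduced, fixed)` range, and exposes a pass/fail gate a pipeline could call.

```python
import re

# Constructed advisory feed for this example; the IDs and packages are invented
# and do not correspond to real CVEs or real libraries. A real pipeline would
# pull this from the scanner's vulnerability database.
ADVISORIES = [
    # widgetlib 2.0.0 .. 2.0.2 are affected; 1.x and 2.0.3+ are not
    {"id": "EXAMPLE-2020-0001", "package": "widgetlib", "introduced": "2.0.0", "fixed": "2.0.3"},
    # every oldparser release before 1.4.0 is affected
    {"id": "EXAMPLE-2019-0007", "package": "oldparser", "introduced": "0", "fixed": "1.4.0"},
]

_PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> tuple:
    """'2.0.10' -> (2, 0, 10). Tuples compare numerically, so 2.0.10 > 2.0.9,
    which a plain string comparison would get wrong. Dotted numeric versions only."""
    return tuple(int(part) for part in text.split("."))


def parse_pins(requirements: str) -> dict:
    """Parse 'name==x.y.z' lines (comments and blanks ignored) into {name: version}.

    Anything not exactly pinned is rejected: a range like 'name>=1.0' cannot be
    checked against an advisory, so the pipeline should refuse it rather than
    silently pass it."""
    pins = {}
    for raw in requirements.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = _PIN.match(line)
        if not match:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        pins[match.group(1).lower()] = match.group(2)
    return pins


def find_vulnerable(pins: dict, advisories=ADVISORIES) -> list:
    """Return the advisories whose [introduced, fixed) range contains a pinned version."""
    findings = []
    for adv in advisories:
        version = pins.get(adv["package"])
        if version is None:
            continue
        v = parse_version(version)
        if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
            findings.append({"package": adv["package"], "version": version,
                             "advisory": adv["id"], "fixed_in": adv["fixed"]})
    return findings


def pipeline_gate(requirements: str, advisories=ADVISORIES) -> bool:
    """Build-pipeline check: True means the build may proceed, False means block it."""
    return not find_vulnerable(parse_pins(requirements), advisories)


# Constructed requirements files: BEFORE is the legacy app nobody has rebuilt in
# a while; AFTER is the same file after a developer bumped widgetlib.
BEFORE = """
widgetlib==1.2.0
oldparser==1.3.2   # pinned years ago
"""
AFTER = """
widgetlib==2.0.1   # "upgraded" straight into the affected range
oldparser==1.3.2
"""

if __name__ == "__main__":
    for label, req in (("before", BEFORE), ("after", AFTER)):
        print(label, find_vulnerable(parse_pins(req)))
```

Run against `BEFORE`, the only finding is the old `oldparser` pin, which is the case the talk's scheduled repository scan exists to catch for legacy apps that rarely ship. Run against `AFTER`, the newly upgraded `widgetlib==2.0.1` is flagged too, which only a scan at build time would catch before release.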