AppSec in the Modern Era

I recently wrote an article for Signal Sciences discussing the top 5 application security defense needs in the modern era. It’s very DevOps in nature. You can see the full article in all of its original glory here > Top 5 AppSec Defense needs in the Modern Era

 

In the article, I covered what I thought was the most critical things needed for a plausible application security program in the modern era.

  1. OWASP Top Ten coverage is a must-have and is expected
  2. Have Defense against Bots and Scrapers
  3. Do Business Logic monitoring
  4. Achieve Operational Insight through Visualizations and Dashboards
  5. Distribute security information where people naturally are, a la ChatOps.

Thoughts, comments?  Hit me up on twitter (@wickett) or in the comments on the original article > Top 5 AppSec Defense needs in the Modern Era

This is a sample of putting visualizations behind your application security defense. These images are provided from Signal Sciences

 

 

Leave a comment

Filed under DevOps

CloudAustin Talks – April 2016

The CloudAustin user group that Karthik, James, and I run is in its fifth year and still going strong.  Our venue hosts at Rackspace now have the equipment to record the talks!  So I thought I’d share the videos and slides with our readers. Thanks to Derrick Wippler and Mike Schwartz, our speakers, and Rackspace and CenturyLink, our sponsors.

What Are Containers And Why Are They So Important, by Derrick Wippler

Struggling to understand all the hype around Docker? Don’t understand the difference between a VM and a container? Why are immutable operating systems cool? Why is everyone going crazy over Kubernetes/Swarm/Apache Mesos?

This talk will attempt to inform by pulling back the curtain on the container hype. We will dissect what a container is, why clustering containers and orchestration matters, immutable operating systems and finally where this is all going and how it will effect your future interaction with the cloud.

Derrick Wippler is: Tech Geek, Container evangelist, Software Developer, Entrepreneur and Rackspace Cloud Block Storage Imagineer. Creator of a SuperNES emulator (http://www.superretro16.com). And you can read my musings on technology on my blog (http://thrawn01.org)

Who Are You?  From Meat To Electrons And Back Again, by Mike Schwartz

Conventional wisdom tells us to use two-factor authentication—and it does help to improve security. But the best way to reduce user-friction is to never require a person to authenticate. This talk will provide a modern solution to reconcile these two divergent imperatives by leveraging standard profiles of OAuth2 for trust elevation. Its not just the front door that needs protection!

Mike Schwartz is the Founder of Gluu, a security software company serving companies, governments and universities around the world. Schwartz is a domain expert in application security, authentication and API access management. The Gluu Server is one of the leading implementations of OpenID Connect. Schwartz has participated in the development of standards like the User Managed Access (UMA) profile of OAuth2, a new standard for API access management. He is also Co-chair of the Open Trust Taxonomy for OAuth2 (OTTO) working group at Kantara to create new standards for multiparty federation. Before starting Gluu, Schwartz was a security integrator for many large enterprises. He also was the Founder of an ISP in the ’90s. He now resides with his family (and pigeons) in Austin, TX.

Does this make you want to speak at CloudAustin, or sponsor it?  Well please do!  Come email us at austin-cug-admin at googlegroups dot com and sign up.  And of course come attend, we meet the third Tuesday night of every month at Rackspace’s Austin facility on I-35 at 183.

Leave a comment

Filed under Cloud

Lean Security

James and I have been talking lately about the conjunction of Lean and Security.  The InfoSec world is changing rapidly, and just as DevOps has incorporated Lean techniques into the systems world, we feel that security has a lot to gain from doing the same.

We did a 20 minute talk on the subject at RSA, you can check out the slides and/or watch the video:

While we were there we were interviewed by Derek Weeks.  Read his blog post with a transcript of the interview, and/or watch the interview video!

Back here in Austin, I did an hour-long extended version of the talk for the local OWASP chapter.  Here’s a blog writeup from Kate Brew, and the slides and video:

We’ll be writing more about it here, but we wanted to get a content dump out to those who want it!

1 Comment

Filed under DevOps, Security

Classy up your curl with curl-trace

 

Let’s say you are debugging some simple web requests and trying to discern where things are slowing down.  Curl is perfect for that.  Well, sort of perfect. I don’t know about you but I forget all the switches for curl to make it work like I want.  Especially in a situation where you need to do something quickly.

Let me introduce you to curl-trace.

It’s not a new thing to install, its just an opinionated way to run curl.  To give you a feel for what it does, lets start with the output from curl-trace.

Screenshot 2016-03-11 10.15.35

As you can see, this breaks up the request details like response code, redirects and IP in the Request Details section and then breaks down the timing of the request in the Timing Analysis section.  This uses curl’s --write-out option and was inspired by this post, this post, and my co-worker Marcus Barczak.

The goal of curl-trace is to quickly expose details for troubleshooting web performance.

How to setup curl-trace

Step 1

Download .curl-format from github (or copy from below)

\n
 Request Details:\n
 url: %{url_effective}\n
 num_redirects: %{num_redirects}\n
 content_type: %{content_type}\n
 response_code: %{response_code}\n
 remote_ip: %{remote_ip}\n
 \n
 Timing Analysis:\n
 time_namelookup: %{time_namelookup}\n
 time_connect: %{time_connect}\n
 time_appconnect: %{time_appconnect}\n
 time_pretransfer: %{time_pretransfer}\n
 time_redirect: %{time_redirect}\n
 time_starttransfer: %{time_starttransfer}\n
 ----------\n
 time_total: %{time_total}\n
 \n

And put that in your home directory as .curl-format or wherever you find convenient.

Step 2

Add an alias to your .bash_profile (and source .bash_profile) for curl-trace like this:


alias curl-trace='curl -w "@/path/to/.curl-format" -o /dev/null -s'

Be sure to change the /path/to/.curl-format to the location you saved .curl-format. Once you do that and source your .bash_profile you are ready to go.

Usage

Now you can run this:

$ curl-trace https://google.com

Or follow redirects with -L

$ curl-trace -L https://google.com

Thats it…

Now you are ready to use curl-trace. If you have anything to add to it, just send me an issue on github or a PR or ping me on twitter: https://twitter.com/wickett.

Enjoy!

UPDATE: 3/17/2016

There was a lot of good feedback on curl-trace so it has now been moved to its own repo: https://github.com/wickett/curl-trace

 

1 Comment

Filed under DevOps

RSAC gets down with the Rugged DevOps!

This year at RSAC—you know RSA, its the really big InfoSec conference that isn’t BlackHat/DefCon—there was a mini-conference on Rugged DevOps. For the last few years they have been featuring this mini-conference as a way to bring DevOps into the InfoSec community.

I did a writeup of the event over on Medium and I hope you find it interesting. One of my favorite parts of the event is summed up from that article:

To give you a feel for how well it went, I think it is easily summed up with what happened at the closing. To a mostly full room of about 500 people the question was asked, “How many of you have been here all day?” Over 80% of the hands went up. For being a conference within a conference that number is surprising, for doing that with the InfoSec crowd, it is proof that the industry culture is truly shifting.

Security is ready to join the DevOps tribe.  It’s our duty as stewards of DevOps to do this right.

In the article on Medium I link to all the talks and speakers at the event. Check out the presos on SlideShare, follow the speakers on Twitter and most importantly be part of the joining of the tribes.

Leave a comment

Filed under DevOps

Links on Bridging Security and DevOps

If you remember, I (@wickett) said I would be doing more blogging for Signal Sciences in the new year. We still are in January, but I am glad to say that so far so good. Here are a couple highlights from recent posts:

That’s all for now.  Happy Friday everyone!

Leave a comment

Filed under Conferences, DevOps, Security

In the New Year, resolve to bring Security to the DevOps party

Happy New Year!  May this be your year of much successful DevOps.

Last year I wasn’t too vocal about my work over at Signal Sciences. Mostly because I was too busy helping to rapidly build a NextGen Web Application Firewall as a SaaS from the ground up. This year you will be hearing a bit more as I am regularly contributing to the Signal Sciences blog (Signal Sciences Labs) over at Medium (sorry WordPress!).

I will try and occasionally link into some of my posts over there to The Agile Admin, around topics like:

  • The challenges we faced building a modern security product
  • Bridging the gap with Security and DevOps
  • Attack Driven Operations
  • and other Rugged DevOps topics…

Which brings me to the point of this post…

Bring Security to the DevOps party!

I am making a personal goal this year to bring security engineers, auditors, penetration testers and even those forensics folks to the devops party.  I have my sights mostly set on DevOps Days Austin as the event to physically bring people to (watch out Austin Security people!) but I am already crafting blog posts and many cunning tweets to also bring them over as well.  This year can you join me in trying to bridge this gap?

Last month I had the opportunity to do Sec Casts panel with these fine folks (all of which you should follow) on topics around devops and security:

 

If you don’t want to hear us go on for about an hour, you can read the write-up here. I mention this panel specifically because I think the topics brought up in it are directly impactful to the goal of bridging security and devops.  Maybe it will give you some ideas on how to bridge the gap in your own organization.

Happy New Year and lets make this the year that Security is finally brought into the DevOps fold.

Leave a comment

Filed under DevOps