steering a bullet train: owasp latam tour ba 2015

Steering a Bullet Train. Santiago Kantorowicz, Security Technical Leader at MercadoLibre. bnbsec.blogspot.com

Upload: skantos

Post on 15-Jul-2015


TRANSCRIPT

Steering a Bullet Train

Santiago Kantorowicz

Security Technical Leader at MercadoLibre

bnbsec.blogspot.com

About Me?

Information Security Technical Leader at MercadoLibre

Software Security + Infrastructure Assessment

Pen Testing & Development Background

Agenda

Traditional SDLC

MercadoLibre’s Context

MercadoLibre goes DevOps

Security at MercadoLibre 5 years ago

Our SDL approach


Traditional SDLC

Design → Code → Test → Security → Deploy

1 big release at a time

Traditional SDLC

Not always

Design → Code → Test → Security → Deploy

Traditional SDLC Matured

Design → Code → Test → Deploy

QA

Security

Still: 1 big release at a time

Traditional Development Cycle

Developers ≠ Ops

Developers access to production

Agenda

Traditional SDLC

MercadoLibre’s Context

MercadoLibre goes DevOps

Security at MercadoLibre 5 years ago

Our SDL approach

#1 e-commerce platform in Latin America

#8 in the World

> 2600 employees

Who we are

Who we are

http://es.slideshare.net/DanielRabinovich/daniel-rabinovich-velocity-2014-santa-clara

http://es.slideshare.net/DanielRabinovich/daniel-rabinovich-php-conference

MercadoLibre 2010

http://es.slideshare.net/DanielRabinovich/daniel-rabinovich-velocity-2014-santa-clara

Agenda

Traditional SDLC

MercadoLibre’s Context

MercadoLibre goes DevOps

Security at MercadoLibre 5 years ago

Our SDL approach

MercadoLibre Evolution: DevOps

http://es.slideshare.net/DanielRabinovich/daniel-rabinovich-velocity-2014-santa-clara

Today’s Picture

>100 deploys a day

Developers ~ Operations (24/7)

Developers Access to production

Technology Diversity

Developers >> AppSec

Today’s Picture

“We develop at almost hackathon speed”

Today’s Picture

Agenda

Traditional SDLC

MercadoLibre’s Context

MercadoLibre goes DevOps

Security at MercadoLibre 5 years ago

Our SDL approach

How InfoSec was 5 years ago at MercadoLibre

Operational tasks

Security Feature?

Not involved in product development

How does DevOps affect InfoSec

No formal security stage

Security unaware of deploys

No formal kick-off of every initiative

Agenda

Traditional SDLC

MercadoLibre’s Context

MercadoLibre goes DevOps

Security at MercadoLibre 5 years ago

Our SDL approach

Analysis

Design

Coding

Testing

How we envision AppSec in DevOps


Premises

Security follows the business

Explain impact in their words

Be open and friendly!

Choose your battles: Tradeoffs!

Get feedback & iterate to be more effective

Security Training

Threat Modeling

Security Code Review

Secure Coding

Culture Development

Security Features

Static Code Analysis

Security Testing (Internal)

Security Testing (External)

Vulnerability Fixing

Vulnerability Tracking

WAF

How we envision AppSec

Security Training / Culture Development

Train every developer! (Mandatory)

8-hour theory/practical training

Developer oriented

Examples in dev language they use

Security Training / Culture Development

Workshops

Threat Modeling

Hacking Infrastructure

Browser Exploitation

Dynamic Security Testing

Whatever devs need to know, or whatever may spark their interest!

e-learnings: Short!

Security Training / Culture Development

Games!


Security Training / Culture Development

Communicate

Security News

Vulnerabilities

Breaches

Invite key developers to security events & conferences.

How we envision AppSec


http://www.microsoft.com/en-us/download/details.aspx?id=12379

http://www.microsoft.com/sdl/

Design stage

Prevent vulnerabilities

Adapt Threat Modeling to your organization

Teach how to do it and ask for invites

Threat Modeling

Security

DevOps Teams

Threat Modeling

Security

Security Focal Points

Threat Modeling

Security Focal Points

Threat Modeling

Volunteers

Ask managers

Start with devs you know

Next: critical Projects

Threat Modeling

AppSec can’t be everywhere

Define criteria for critical projects

Set an SFP (Security Focal Point) in each of those

AppSec participates in threat models of critical projects

Secure Coding / Security Features

Training!

Security Checklists (Pre/Post), OWASP Top 10

Security Advisor position

How we envision AppSec


Internal

Manual tests!

Abuse Cases (informal Brainstorm)

CI security integration

Security Testing

Internal

Security Code Review

Agile Guidelines:

Adapt to your organization

Give alternatives

Checklists of what to look for

Listener

Static Code Review

Static Code Analysis

Centralized

+ InfoSec view

+ All Source code

- Another tool developers need to add to their routine.

Decentralized

+ Integrated with CI

+ Developers don’t have to look at another tool; it’s part of their every day.

- Different CI solutions, sometimes not available.

- Non centralized view of InfoSec

Static Code Analysis


How we envision AppSec

Security Testing

External

Pen Test all you can!!

White box (even if outsourced)

Educate developers to ask for them

Prioritize!

Deploy → Web Scanner

Security Testing

External

Use existing tools

Classify!

Type

Manager/Director/etc.

Team

Communicate: an approach for getting help

Vulnerability Fixing / Vulnerability Tracking


How we envision AppSec

WAF

WAF

First Last Line of Defense

Gain Visibility

Quick reaction

Metrics, Metrics, Metrics

Open vs Closed in Q

Average fix time

Aging

Distribution (type, manager, project)
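One way to compute these four metrics from a vulnerability tracker export, as an added example that is not code from the talk; the findings list, the reporting date and the field names (type, manager, project, opened, closed) are constructed assumptions.

```python
from collections import Counter
from datetime import date

# Constructed sample findings (not from the talk): one record per vulnerability.
FINDINGS = [
    {"id": 1, "type": "XSS",  "manager": "Ana",  "project": "checkout", "opened": date(2015, 1, 12), "closed": date(2015, 1, 20)},
    {"id": 2, "type": "SQLi", "manager": "Ana",  "project": "search",   "opened": date(2015, 2, 3),  "closed": date(2015, 4, 10)},
    {"id": 3, "type": "XSS",  "manager": "Luis", "project": "checkout", "opened": date(2015, 4, 1),  "closed": None},
    {"id": 4, "type": "CSRF", "manager": "Luis", "project": "api",      "opened": date(2015, 5, 15), "closed": date(2015, 5, 30)},
    {"id": 5, "type": "XSS",  "manager": "Ana",  "project": "api",      "opened": date(2015, 6, 2),  "closed": None},
]
AS_OF = date(2015, 7, 15)  # constructed reporting date used for aging

def quarter(d):
    """Label a date by calendar quarter, e.g. '2015-Q2'."""
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"

def open_vs_closed_by_quarter(findings):
    """Count findings opened and closed in each quarter ('Open vs Closed in Q')."""
    stats = {}
    for f in findings:
        stats.setdefault(quarter(f["opened"]), {"opened": 0, "closed": 0})["opened"] += 1
        if f["closed"]:
            stats.setdefault(quarter(f["closed"]), {"opened": 0, "closed": 0})["closed"] += 1
    return stats

def average_fix_days(findings):
    """Mean days from open to close over fixed findings; None if nothing is fixed yet."""
    fixed = [(f["closed"] - f["opened"]).days for f in findings if f["closed"]]
    return sum(fixed) / len(fixed) if fixed else None

def aging(findings, today):
    """Days each still-open finding has been waiting, keyed by id, oldest first."""
    ages = {f["id"]: (today - f["opened"]).days for f in findings if not f["closed"]}
    return dict(sorted(ages.items(), key=lambda kv: -kv[1]))

def distribution(findings, key):
    """How open findings spread across one dimension: 'type', 'manager' or 'project'."""
    return dict(Counter(f[key] for f in findings if not f["closed"]))

if __name__ == "__main__":
    print(open_vs_closed_by_quarter(FINDINGS))
    print(average_fix_days(FINDINGS))
    print(aging(FINDINGS, AS_OF))
    print(distribution(FINDINGS, "type"))
```

Aging is the list to walk through with each manager, since the oldest open items are the ones a deploy-a-hundred-times-a-day shop forgets about.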

Conclusions

Adapt to organization

Evangelize Games

Start with the less disruptive (time-consuming) practices

Measure

Blog: bnbsec.blogspot.com

Thank you