@jnaulty
Last active January 16, 2020 18:17
Notes from the OWASP SF meetup Jan 15, 2020

OWASP SF Meetup

Jan 15, 2020

URL: Meetup

Talk 2

Dear Security, You're Wasting the Company's Money (Daniel Davis)

Unless you work for a government agency or a non-profit, you probably are employed by a for-profit company. In other words, you exist to make someone money (even better if it's you). Oh, I know what you're thinking, "but I work in security!" Yeah...about that. Your job is still to make the company money. Ever had to fight to the bloody end for support for your security efforts? Ever had to endlessly explain why what you're doing is important? Don't! Instead, show your company how what you're doing makes them money. Spoiler alert: people like money.

Bio:

From researching photonic crystals to military aerospace to military aerial networks and then autonomous vehicles, Daniel is now at Lyft championing risk science to enable efficient security decisions. Despite the eclectic background, Daniel's focus has always been on making timely, defensible, and data-driven decisions. Whether it's for the safety of a joint USAF/NATO program or prioritizing security efforts at a rideshare company, quantifying risk is the common enabler for success.

Notes:

The talk ran without interruptions: a dramatic, comedic, theatrical description of how to get better estimates of return on security investment (ROSI).

FAIR INSTITUTE

URL: FAIR

pyfair

Factor Analysis of Information Risk (FAIR) model written in Python.

github.com/theonaunheim/pyfair

How to Measure Anything in Cybersecurity Risk (Douglas Hubbard and Richard Seiersen; foreword by Dan Geer)

Referenced this book as the solution for quantifying risk.

Risk Analysis Presentation from Authors
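The FAIR approach the talk pointed to (pyfair, Hubbard and Seiersen) boils down to: get calibrated 90% confidence intervals for loss event frequency and loss magnitude, run a Monte Carlo, read off annualized loss exposure (ALE), then compare ALE with and without a control to get a defensible ROSI. The Go program below is an added example written for these notes; it is not pyfair's code and not anything from the talk. The lognormal-from-90%-CI conversion and the ROSI formula are standard; the scenario numbers (0.5-5 events/year, $1k-$100k per event, a control costing $20k/year) are made up for illustration.

```go
// Added example: a minimal FAIR-style Monte Carlo for ALE and ROSI.
// Not pyfair and not code from the talk; scenario numbers are hypothetical.
package main

import (
	"fmt"
	"math"
	"math/rand"
	"sort"
)

// CI90 is a calibrated 90% confidence interval: the estimator believes the
// true value lies between Lo and Hi with 90% probability (Hubbard's method).
type CI90 struct{ Lo, Hi float64 }

// z90 is the standard-normal quantile that bounds a two-sided 90% interval.
const z90 = 1.6449

// LognormalParams maps a 90% CI onto a lognormal distribution whose 5th and
// 95th percentiles are Lo and Hi. FAIR uses skewed, long-tailed distributions
// for both frequency and magnitude, which is exactly what a lognormal gives.
func LognormalParams(ci CI90) (mu, sigma float64) {
	mu = (math.Log(ci.Lo) + math.Log(ci.Hi)) / 2
	sigma = (math.Log(ci.Hi) - math.Log(ci.Lo)) / (2 * z90)
	return mu, sigma
}

func sampleLognormal(rng *rand.Rand, ci CI90) float64 {
	mu, sigma := LognormalParams(ci)
	return math.Exp(mu + sigma*rng.NormFloat64())
}

// samplePoisson draws an event count for one year at the given rate
// (Knuth's multiplication method; adequate for the small rates used here).
func samplePoisson(rng *rand.Rand, lambda float64) int {
	limit := math.Exp(-lambda)
	k, p := 0, 1.0
	for {
		p *= rng.Float64()
		if p <= limit {
			return k
		}
		k++
	}
}

// Scenario carries the two FAIR inputs modelled directly here:
// Loss Event Frequency (events per year) and Loss Magnitude (dollars per event).
type Scenario struct {
	LEF CI90
	LM  CI90
}

// SimulateALE returns n simulated annual losses: each simulated year draws a
// rate, then an event count at that rate, then a magnitude for every event.
func SimulateALE(s Scenario, n int, seed int64) []float64 {
	rng := rand.New(rand.NewSource(seed))
	years := make([]float64, n)
	for i := range years {
		events := samplePoisson(rng, sampleLognormal(rng, s.LEF))
		for j := 0; j < events; j++ {
			years[i] += sampleLognormal(rng, s.LM)
		}
	}
	return years
}

// Summary is what a decision-maker reads: expected annual loss plus a tail value.
type Summary struct{ Mean, P90 float64 }

func Summarize(annual []float64) Summary {
	sorted := append([]float64(nil), annual...)
	sort.Float64s(sorted)
	total := 0.0
	for _, v := range sorted {
		total += v
	}
	return Summary{Mean: total / float64(len(sorted)), P90: sorted[int(0.9*float64(len(sorted)-1))]}
}

// ROSI is return on security investment: loss avoided by the control, net of
// its cost, relative to its cost. Below zero the control costs more than it saves.
func ROSI(aleBefore, aleAfter, controlCost float64) float64 {
	return (aleBefore - aleAfter - controlCost) / controlCost
}

func main() {
	// Hypothetical inputs: an exposed service suffers 0.5-5 loss events a year
	// at $1k-$100k each; a $20k/year control is estimated to cut frequency to 0.1-1.
	before := Scenario{LEF: CI90{0.5, 5}, LM: CI90{1000, 100000}}
	after := Scenario{LEF: CI90{0.1, 1}, LM: before.LM}
	b := Summarize(SimulateALE(before, 20000, 1))
	a := Summarize(SimulateALE(after, 20000, 1))
	fmt.Printf("ALE before: mean $%.0f, p90 $%.0f\n", b.Mean, b.P90)
	fmt.Printf("ALE after:  mean $%.0f, p90 $%.0f\n", a.Mean, a.P90)
	fmt.Printf("ROSI at $20k/year: %.2f\n", ROSI(b.Mean, a.Mean, 20000))
}
```

The point of the exercise is the argument it lets you make: "this control turns a mean loss of X into Y at a cost of Z" is a money statement, which is what the talk says security should be presenting. The weak spot is always the interval estimates, which is why the book spends so long on calibrating estimators before it gets to the math.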

Talk 3

How Coinbase Scales Security Automation (Nishil Shah)

At Coinbase, we use a combination of human-driven code reviews and automated scans to mitigate developer errors. One of those automated tools that we maintain is Salus, a Docker container that decides which FOSS security scanners to run, coordinates their configuration, and compiles the output into a single report. We'll even go over some of our success and failure stories from running Salus in production for two years.

Bio: Nishil currently works on the Application Security team at Coinbase where he works on securing payments infrastructure along with maintaining Salus, Coinbase's security scanning orchestration tool.

Notes:

Nishil Shah

Project URL: github.com/coinbase/Salus

Random mentions

  • Need a good CVE database for Go to search (or maybe there just aren't many people looking for Go vulns?).
  • Coinbase uses CircleCI.

Heimdall

2FA on code reviews (built on something they're too embarrassed to open-source the way Salus was).

When should companies opensource infra + security tooling?

Developer Interactions

Forcing functions if Salus fails:

  • If Salus returns bad results in prod, prod engineers turn off the service, which forces devs to fix it fast.
  • Engineers patch CVEs regularly (without much interaction with the security team).

special note on coinbase engineering mentality

We're a big pot of gold, and who doesn't like gold?

Salus Rollout Procedure

  • repo-by-repo

Onboarding includes AppSec Training from third-party vendor.

Dependency Problem

Answer to how they verify and vet 3rd party dependencies:

  • run salus on dependencies
  • code audit from AppSec team
  • Artifactory with versioning of third-party artifacts
  • controlling egress, aggressively

Takeaways

  • audit Salus and test it out
  • Go needs a good CVE database
  • BSidesSF

AppSec Conference

Jan 21-24

Protecting the Bridge from Dollars to Bitcoin: Securing Coinbase’s Edge Payments Infrastructure

The presentation/talk will be on:

Integrating with fiat payments systems globally challenges the maturity of an entire security program. A security issue leads to identity theft and direct money loss, but integration is often a critical business priority. These payment systems span many types of architectures introducing more complexity and bugs. We’ll go over the typical API patterns and follow the lifecycle of an entire payment from pre-payment to reconciliation and map common payments vulnerabilities and remediation to their application security equivalents. We’ll go over how Coinbase has adapted traditional AppSec tools like 3rd party vendor reviews, threat modelling, static analysis, security champions, and bug bounties to the payments world to find and eliminate money loss and personal data loss bugs. We’ll even go through some of the privacy conundrums involved with interacting with the current financial system.

Kubernetes Security From The Trenches

Sample Salus v2.7.2 output from a test run against a Go repo: the required Gosec scanner reports package-loading errors and 20 findings (one HIGH, an InsecureSkipVerify: true), so the overall scan fails.

```text
==== Salus Scan v2.7.2
Overall scan status: FAILED in 184.87s
┌───────────────┬──────────────┬──────────┬────────┐
│ Scanner       │ Running Time │ Required │ Passed │
├───────────────┼──────────────┼──────────┼────────┤
│ Gosec         │ 184.26s      │ yes      │ no     │
│ PatternSearch │ 0.0s         │ yes      │ yes    │
│ RepoNotEmpty  │ 0.0s         │ yes      │ yes    │
│ ReportGoDep   │ 0.61s        │ no       │ yes    │
└───────────────┴──────────────┴──────────┴────────┘
==== Gosec: FAILED in 184.26s
~~ Scanner Logs:
{
  "Golang errors": {
    "pkg/cmd/cli/restore": [
      {
        "line": 0,
        "column": 0,
        "error": "loading files from package \"pkg/cmd/cli/restore\": -: go: downloading k8s.io/cli-runtime v0.17.0\ngo: downloading github.com/gofrs/uuid v3.2.0+incompatible\ngo: downloading github.com/gobwas/glob v0.2.3\ngo: downloading google.golang.org/grpc v1.23.1\ngo: downloading github.com/evanphx/json-patch v4.2.0+incompatible\ngo: downloading github.com/aws/aws-sdk-go v1.13.12\ngo: downloading github.com/hashicorp/go-plugin v0.0.0-20190610192547-a1bc61569a26\ngo: downloading github.com/Azure/azure-sdk-for-go v21.4.0+incompatible\ngo: extracting github.com/evanphx/json-patch v4.2.0+incompatible\ngo: downloading github.com/sirupsen/logrus v1.4.2\ngo: extracting github.com/gofrs/uuid v3.2.0+incompatible\ngo: downloading github.com/joho/godotenv v1.3.0\ngo: extracting github.com/gobwas/glob v0.2.3\ngo: extracting github.com/hashicorp/go-plugin v0.0.0-20190610192547-a1bc61569a26\ngo: extracting github.com/joho/godotenv v1.3.0\ngo: downloading github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb\ngo: downloading github.com/oklog/run v1.0.0\ngo: extracting github.com/sirupsen/logrus v1.4.2\ngo: extracting github.com/oklog/run v1.0.0\ngo: extracting github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb\ngo: downloading github.com/hashicorp/go-hclog v0.0.0-20180709165350-ff2cf002a8dd\ngo: extracting github.com/hashicorp/go-hclog v0.0.0-20180709165350-ff2cf002a8dd\ngo: downloading github.com/mitchellh/go-testing-interface v0.0.0-20171004221916-a61a99592b77\ngo: extracting github.com/mitchellh/go-testing-interface v0.0.0-20171004221916-a61a99592b77\ngo: extracting k8s.io/cli-runtime v0.17.0\ngo: downloading github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de\ngo: extracting github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de\ngo: extracting google.golang.org/grpc v1.23.1\ngo: downloading google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51\ngo: extracting google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51\ngo: extracting github.com/aws/aws-sdk-go v1.13.12\ngo: downloading github.com/go-ini/ini v1.28.2\ngo: downloading github.com/jmespath/go-jmespath v0.0.0-20160202185014-0b12d6b521d8\ngo: extracting github.com/go-ini/ini v1.28.2\ngo: extracting github.com/jmespath/go-jmespath v0.0.0-20160202185014-0b12d6b521d8\ngo: extracting github.com/Azure/azure-sdk-for-go v21.4.0+incompatible\ngo: downloading github.com/Azure/go-autorest/autorest/date v0.1.0\ngo: extracting github.com/Azure/go-autorest/autorest/date v0.1.0\ngo build github.com/Azure/go-autorest/autorest: no Go files in \ngo build github.com/Azure/go-autorest/autorest/adal: no Go files in \ngo build github.com/Azure/go-autorest/autorest/azure: no Go files in \ngo build github.com/Azure/go-autorest/autorest/date: no Go files in "
      }
    ],
    "pkg/install": [
      {
        "line": 0,
        "column": 0,
        "error": "loading files from package \"pkg/install\": -: go: downloading k8s.io/apiextensions-apiserver v0.17.0\ngo: downloading github.com/imdario/mergo v0.3.5\ngo: downloading cloud.google.com/go v0.46.2\ngo: downloading github.com/Azure/go-autorest v11.1.2+incompatible\ngo: extracting github.com/imdario/mergo v0.3.5\ngo: extracting github.com/Azure/go-autorest v11.1.2+incompatible\ngo: downloading github.com/Azure/go-autorest/autorest v0.9.0\ngo: extracting github.com/Azure/go-autorest/autorest v0.9.0\ngo: downloading github.com/Azure/go-autorest/autorest/adal v0.5.0\ngo: extracting github.com/Azure/go-autorest/autorest/adal v0.5.0\ngo: extracting k8s.io/apiextensions-apiserver v0.17.0\ngo: extracting cloud.google.com/go v0.46.2\ngo build github.com/Azure/go-autorest/autorest: no Go files in \ngo build github.com/Azure/go-autorest/autorest/adal: no Go files in \ngo build github.com/Azure/go-autorest/autorest/azure: no Go files in "
      }
    ],
    "pkg/restic/mocks": [
      {
        "line": 0,
        "column": 0,
        "error": "loading files from package \"pkg/restic/mocks\": -: go: downloading github.com/stretchr/testify v1.4.0\ngo: extracting github.com/stretchr/testify v1.4.0\ngo: downloading github.com/pmezard/go-difflib v1.0.0\ngo: downloading github.com/stretchr/objx v0.2.0\ngo: extracting github.com/pmezard/go-difflib v1.0.0\ngo: extracting github.com/stretchr/objx v0.2.0\ngo build github.com/Azure/go-autorest/autorest: no Go files in \ngo build github.com/Azure/go-autorest/autorest/azure: no Go files in \ngo build github.com/Azure/go-autorest/autorest/date: no Go files in \ngo build github.com/Azure/go-autorest/autorest/adal: no Go files in "
      }
    ],
    "pkg/test": [
      {
        "line": 0,
        "column": 0,
        "error": "loading files from package \"pkg/test\": -: go: downloading github.com/spf13/afero v1.2.2\ngo: downloading k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a\ngo: extracting github.com/spf13/afero v1.2.2\ngo: extracting k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a\ngo build github.com/Azure/go-autorest/autorest: no Go files in \ngo build github.com/Azure/go-autorest/autorest/adal: no Go files in \ngo build github.com/Azure/go-autorest/autorest/azure: no Go files in "
      }
    ]
  },
  "Issues": [
    {
      "severity": "HIGH",
      "confidence": "HIGH",
      "rule_id": "G402",
      "details": "TLS InsecureSkipVerify set true.",
      "file": "/home/repo/pkg/cmd/util/downloadrequest/downloadrequest.go",
      "code": "InsecureSkipVerify: true",
      "line": "105"
    },
    {
      "severity": "MEDIUM",
      "confidence": "HIGH",
      "rule_id": "G204",
      "details": "Subprocess launched with variable",
      "file": "/home/repo/pkg/cmd/cli/bug/bug.go",
      "code": "exec.Command(\"open\", url)",
      "line": "196"
    },
    {
      "severity": "MEDIUM",
      "confidence": "HIGH",
      "rule_id": "G204",
      "details": "Subprocess launched with function call as argument or cmd arguments",
      "file": "/home/repo/pkg/plugin/clientmgmt/client_builder.go",
      "code": "exec.Command(b.commandName, b.commandArgs...)",
      "line": "77"
    },
    {
      "severity": "MEDIUM",
      "confidence": "HIGH",
      "rule_id": "G302",
      "details": "Expect file permissions to be 0600 or less",
      "file": "/home/repo/hack/issue-template-gen/main.go",
      "code": "os.OpenFile(outTemplateFilename, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0644)",
      "line": "32"
    },
    {
      "severity": "MEDIUM",
      "confidence": "HIGH",
      "rule_id": "G304",
      "details": "Potential file inclusion via variable",
      "file": "/home/repo/pkg/util/filesystem/file_system.go",
      "code": "ioutil.ReadFile(filename)",
      "line": "72"
    },
    {
      "severity": "MEDIUM",
      "confidence": "HIGH",
      "rule_id": "G204",
      "details": "Subprocess launched with variable",
      "file": "/home/repo/pkg/cmd/cli/bug/bug.go",
      "code": "exec.Command(\"rundll32\", \"url.dll,FileProtocolHandler\", url)",
      "line": "203"
    },
    {
      "severity": "MEDIUM",
      "confidence": "HIGH",
      "rule_id": "G204",
      "details": "Subprocess launched with variable",
      "file": "/home/repo/pkg/cmd/cli/bug/bug.go",
      "code": "exec.Command(\"xdg-open\", url)",
      "line": "199"
    },
    {
      "severity": "LOW",
      "confidence": "HIGH",
      "rule_id": "G104",
      "details": "Errors unhandled.",
      "file": "/home/repo/pkg/cmd/util/downloadrequest/downloadrequest.go",
      "code": "errors.New(\"download request was unexpectedly deleted\")",
      "line": "88"
    },
    {
      "severity": "LOW",
      "confidence": "HIGH",
      "rule_id": "G104",
      "details": "Errors unhandled.",
      "file": "/home/repo/pkg/cmd/cli/bug/bug.go",
      "code": "kubectlCmd.Process.Kill()",
      "line": "151"
    },
    {
      "severity": "LOW",
      "confidence": "HIGH",
      "rule_id": "G104",
      "details": "Errors unhandled.",
      "file": "/home/repo/hack/crd-gen/main.go",
      "code": "gzw.Close()",
      "line": "118"
    },
    {
      "severity": "LOW",
      "confidence": "HIGH",
      "rule_id": "G104",
      "details": "Errors unhandled.",
      "file": "/home/repo/hack/crd-gen/main.go",
      "code": "file.Close()",
      "line": "117"
    },
    {
      "severity": "LOW",
      "confidence": "HIGH",
      "rule_id": "G104",
      "details": "Errors unhandled.",
      "file": "/home/repo/pkg/cmd/cli/completion/completion.go",
      "code": "cmd.Root().GenBashCompletion(os.Stdout)",
      "line": "48"
    },
    {
      "severity": "LOW",
      "confidence": "HIGH",
      "rule_id": "G104",
      "details": "Errors unhandled.",
      "file": "/home/repo/third_party/kubernetes/pkg/kubectl/cmd/completion.go",
      "code": "out.Write([]byte(zshHead))",
      "line": "33"
    },
    {
      "severity": "LOW",
      "confidence": "HIGH",
      "rule_id": "G104",
      "details": "Errors unhandled.",
      "file": "/home/repo/third_party/kubernetes/pkg/kubectl/cmd/completion.go",
      "code": "out.Write([]byte(zshInitialization))",
      "line": "160"
    },
    {
      "severity": "LOW",
      "confidence": "HIGH",
      "rule_id": "G104",
      "details": "Errors unhandled.",
      "file": "/home/repo/third_party/kubernetes/pkg/kubectl/cmd/completion.go",
      "code": "velero.GenBashCompletion(buf)",
      "line": "163"
    },
    {
      "severity": "LOW",
      "confidence": "HIGH",
      "rule_id": "G104",
      "details": "Errors unhandled.",
      "file": "/home/repo/third_party/kubernetes/pkg/kubectl/cmd/completion.go",
      "code": "out.Write(buf.Bytes())",
      "line": "164"
    },
    {
      "severity": "LOW",
      "confidence": "HIGH",
      "rule_id": "G104",
      "details": "Errors unhandled.",
      "file": "/home/repo/third_party/kubernetes/pkg/kubectl/cmd/completion.go",
      "code": "out.Write([]byte(zshTail))",
      "line": "172"
    },
    {
      "severity": "LOW",
      "confidence": "HIGH",
      "rule_id": "G104",
      "details": "Errors unhandled.",
      "file": "/home/repo/pkg/plugin/framework/object_store_client.go",
      "code": "stream.CloseSend()",
      "line": "89"
    },
    {
      "severity": "LOW",
      "confidence": "HIGH",
      "rule_id": "G104",
      "details": "Errors unhandled.",
      "file": "/home/repo/pkg/plugin/framework/server.go",
      "code": "s.flagSet.Parse(os.Args[1:])",
      "line": "168"
    },
    {
      "severity": "LOW",
      "confidence": "HIGH",
      "rule_id": "G104",
      "details": "Errors unhandled.",
      "file": "/home/repo/pkg/generated/crds/crds.go",
      "code": "gzr.Close()",
      "line": "60"
    }
  ],
  "Stats": {
    "files": 206,
    "lines": 24946,
    "nosec": 0,
    "found": 20
  }
}
==== PatternSearch: PASSED in 0.0s
==== RepoNotEmpty: PASSED in 0.0s
==== ReportGoDep: PASSED in 0.61s
```
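Most of the MEDIUM findings in that report are three gosec rules: G204 (subprocess launched with a variable, here the `exec.Command("open"|"xdg-open"|"rundll32", url)` trio), G304 (file read through a variable path) and G302 (file created 0644), plus a run of G104 ignored errors. The Go below is an added example written for these notes, not code from the scanned repository, from Salus or from gosec: each flagged pattern is shown in a form a reviewer could accept, so a "Salus failed, prod turned the service off" fire drill has a concrete fix to reach for. The function names and the `/srv/data` style paths are hypothetical; the `#nosec` markers are gosec's own suppression comment and should only ever sit next to a justification like the ones here.

```go
// Added example: hardened forms of the gosec G204 / G304 / G302 / G104
// patterns flagged above. Not from the scanned repo, Salus or gosec.
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os"
	"os/exec"
	"path/filepath"
	"runtime"
	"strings"
)

// G204: no shell is involved in exec.Command, so the risk is what the helper
// does with an attacker-chosen string: a file:// or custom-scheme URL, or a
// value starting with "-" that the helper parses as an option.
var browserCmd = map[string][]string{
	"darwin":  {"open"},
	"windows": {"rundll32", "url.dll,FileProtocolHandler"},
	"linux":   {"xdg-open"},
}

// ValidateBrowserURL accepts only absolute http(s) URLs with a host.
func ValidateBrowserURL(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return "", fmt.Errorf("refusing to open %q: only absolute http(s) URLs allowed", raw)
	}
	return u.String(), nil
}

// OpenBrowser keeps program name and fixed arguments constant and appends
// only a validated URL; that is the shape a reviewer can sign off for G204.
func OpenBrowser(raw string) (*exec.Cmd, error) {
	safe, err := ValidateBrowserURL(raw)
	if err != nil {
		return nil, err
	}
	argv, ok := browserCmd[runtime.GOOS]
	if !ok {
		return nil, fmt.Errorf("no browser opener for %s", runtime.GOOS)
	}
	return exec.Command(argv[0], append(argv[1:], safe)...), nil // #nosec G204
}

// G304: confine a caller-supplied path to a base directory.
var ErrPathEscapes = errors.New("path escapes base directory")

// SafeJoin rejects absolute paths, lets Join clean ".." segments, then checks
// the result still lies under base. Caveat: a symlink inside base can still
// point outside; run filepath.EvalSymlinks first if base holds untrusted content.
func SafeJoin(baseDir, userPath string) (string, error) {
	if filepath.IsAbs(userPath) {
		return "", ErrPathEscapes
	}
	base, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	full := filepath.Join(base, userPath)
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathEscapes
	}
	return full, nil
}

func ReadFileUnder(baseDir, userPath string) ([]byte, error) {
	p, err := SafeJoin(baseDir, userPath)
	if err != nil {
		return nil, err
	}
	return os.ReadFile(p) // #nosec G304 (path confined by SafeJoin)
}

// G302 + G104: for a generated public template 0644 may be right; for anything
// sensitive create 0600, fix up a pre-existing wider mode (OpenFile never
// changes the mode of an existing file) and check Close, where some
// filesystems first report write errors.
func WriteSecretFile(name string, data []byte) (err error) {
	f, err := os.OpenFile(name, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0o600)
	if err != nil {
		return err
	}
	defer func() {
		if cerr := f.Close(); err == nil {
			err = cerr
		}
	}()
	if cerr := f.Chmod(0o600); cerr != nil {
		return cerr
	}
	_, err = f.Write(data)
	return err
}

// FilePerm returns the permission bits of name, for checks and tests.
func FilePerm(name string) (os.FileMode, error) {
	fi, err := os.Stat(name)
	if err != nil {
		return 0, err
	}
	return fi.Mode().Perm(), nil
}

func main() {
	for _, u := range []string{"https://github.com/coinbase/salus", "file:///etc/passwd", "-remote"} {
		_, err := OpenBrowser(u)
		fmt.Printf("%-40q -> %v\n", u, err)
	}
	_, err := SafeJoin("/srv/data", "../etc/passwd")
	fmt.Println("SafeJoin traversal:", err)
}
```

The G402 finding (`InsecureSkipVerify: true`) has no safe "hardened" variant of the same line: the fix is to delete it and, if the server uses a private CA, load that CA into `tls.Config.RootCAs` instead of turning verification off. The `client_builder.go` G204 hit (`exec.Command(b.commandName, b.commandArgs...)`) is a plugin launcher, so the reviewer question there is where `commandName` comes from and whether it is pinned to a known binary, not the call itself.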