Do you know that 90% of all vulnerabilities can be prevented by introducing security in every step of your software development lifecycle (SDLC)? Get ready to join Wouter on his journey on how he introduced security into the SDLC at a company. During his talk, Wouter will introduce you to how development, operations and security can be fitted together into “SecDevOps”. The talk uses practical examples so that you will be able to experiment with “SecDevOps” yourself and know what you should pay attention to when implementing this into your own SDLC.

1. Baking security into DevOps
a tale of hunting down bugs before breakfast
JSCONF.BE 2018

2. 2
Wouter Bloeyaert
Security Consultant @NVISO
Penetration Testing, Software Security,
NVISO labs
@someniak

3. 3
Today’s topic
Goal of today’s presentation
SEC

4. The struggle of integrating security into DevOps
SecDevOps cycles
Security
Requirements Design Development Testing Deployment
4

5. 5
Why security matters?
Some horror stories of what can happen.

6. Why security matters?
Some horror stories of what can happen.
6

7. Investigate the incident
Wake up your developers
Information disclosure (GDPR)
Financial loss & Data loss & Reputational Damage
7
Why security matters?
Some horror stories of what can happen.

8. 8
Why security matters?
How could it have been prevented?
Using a secure
development
framework
Penetration
test report
Writing secure
Code
Detecting
vulnerabilities
using automated
testing
Creating security
requirements
Security
Requirements Design Development Testing Deployment

9. What do we want
Searching for quick wins 
Highly automatable Easily implemented
Decent Output
9

10. Integrating security into DevOps
Vulnerabilities fixable using tools
OWASP TOP 10 2017
A01 – Injection
A02 – Broken Authentication
A03 – Sensitive Data Exposure
A04 – XML External Entities (XXE)
A05 – Broken Access Control
A06 – Security Misconfiguration
A07 – Cross-Site Scripting (XSS)
A08 – Insecure Deserialization
A09 – Using Components with Known Vulnerabilities
A10 – Insufficient Logging & Monitoring
10

11. Integrating security into DevOps
Quick Wins – Search for vulnerable code
Code analysis using
NodeJsScan
11

12. Integrating security into DevOps
Demo
12

13. Integrating security into DevOps
Quick Wins – Keep your packages up to date
Dependency analysis
using NPM audit
13

14. Integrating security into DevOps
Demo
14

15. Integrating security into DevOps
Quick Wins – Keep your packages up to date
Dependency analysis
using GitHub
15

16. Integrating security into DevOps
Demo
16

17. Integrating security into DevOps
Quick Wins – Search for smelly code
Detect smelly code using
JSLint
17

18. Integrating security into DevOps
Quick Wins – Search for vulnerabilities in containers
Use Dagda to find
vulnerabilities in
containers
Application Content
Application Code
Application Server
Bins & Libs
Base Image
Docker Engine
Host OS
Dagda scans your base image and
installed libraries and base
images.
18

19. Integrating security into DevOps
Quick wins, but 1 issue
19

20. NVISO’s Use Case
Our technology stack
Code is
developed
On push
Private Docker
Registry
Test/Production
20

21. NVISO’s Use Case
Our technology stack (SoftSnitch)
Webhook
Pull source code
Initiate scan
Scan source code /
application
Log to GitHub
issues/comments
Push,
Pull Request
21

22. NVISO’s Use Case
Demo
22

23. NVISO’s Use Case
What did we find?
23

24. Conclusions
24
“Security isn’t always
that difficult”

25. Conclusions
25
“Help developers fix bugs,
not frustrate them”

26. Conclusions
26
“Always look further”

27. 27
Wouter Bloeyaert
Security Consultant @NVISO
Penetration Testing, Software Security,
NVISO labs
@someniak