Successfully reported this slideshow.

Automated Security Testing in Continuous Integration

0

Share

Upcoming SlideShare
Security as Code
Security as Code
Loading in …3
×
1 of 36
1 of 36

More Related Content

Related Books

Free with a 14 day trial from Scribd

See all

Related Audiobooks

Free with a 14 day trial from Scribd

See all

Automated Security Testing in Continuous Integration

  1. 1. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de Automated Security Testing 
 In Continuous Integration
  2. 2. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de 1) English 2)Deutsch Language Menu
  3. 3. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de Agenda why? how? what? whoami?
  4. 4. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de whoami? Christian Kühn
 system developer
 #java #kubernetes #devops @DevOpsKA Meetup Organizer synyx GmbH Karlsruhe code with attitude! sw development
 consulting
  5. 5. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de questions ?!
  6. 6. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de - leakage of business data - leakage of user/customer data - service interruption - industry malfunction - death (😱) soſtware security issues:
 what could possibly go wrong?
  7. 7. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de equifax - “Credit Monitoring” examples: https://krebsonsecurity.com/2017/09/the-equifax-breach-what-you-should-know/ hacked 2017
 vulnerability in Apache Struts dependency 
 143,000,000 SSN 209,000 credit card numbers 182,000 “consumers” with PII
  8. 8. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de Mossack Fonseca - “Law Firm and coprorate service provider” examples: https://en.wikipedia.org/wiki/Panama_Papers hacked 2015
 vulnerability in Drupal 
 11.5 million leaked documents about money laundering tax avoidance corruption
  9. 9. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de what stops developers from patching? negligence priorities / lack of time skills / training insight “security - not my department” (or is it?)
  10. 10. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
  11. 11. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de vulnerability /vʌln(ə)rəˈbɪlɪti/ noun 1. the quality or state of being exposed to the possibility of being attacked or harmed, either physically or emotionally.
 
 … CVE "reference for publicly known information-security vulnerabilities and exposures" public CVE Database - sponsored by NIST 
 (National Institute of Standards and Technology)
  12. 12. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
  13. 13. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de automate the sh!t out of it solution search for known vulnerabilities implement a process to fix ASAP (or whitelist 😇 ) treat security issues like technical debt
  14. 14. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de let's automatically find KNOWN vulnerabilities in dependencies / 3rd party libs components in docker images ( let's also scan our app dynamically )
  15. 15. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de continuous delivery today
  16. 16. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de continuous delivery ++
  17. 17. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de continuous delivery++
  18. 18. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de dependencies | components | 3rdparty libraries example: little maven/springboot demo-project: 
 6 maven dependencies 71 transitive dependencies
 github.com/cy4n/broken
  19. 19. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
  20. 20. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de find vulnerable dependencies
  21. 21. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
  22. 22. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
  23. 23. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de DEMO!
  24. 24. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
  25. 25. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de What is wrong with using containers? docker pull cy4n/broken FROM cy4n/broken:latest
  26. 26. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
  27. 27. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de https://github.com/arminc/clair-local-scan docker run -d --name db arminc/clair-db:latest docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan
  28. 28. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
  29. 29. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de alternative: 
 trivy CLI-binary only
 no need for server
 local database
 https://github.com/aquasecurity/trivy
  30. 30. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de DEMO!
  31. 31. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
  32. 32. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de API / Webserver ZAProxy burp
  33. 33. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de API / Webserver - dynamic testing OWASP ZAProxy url spider passive (and active) modes ajax supported
  34. 34. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
  35. 35. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de DEMO!
  36. 36. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de let's discuss 
 how to react?

×