Uploaded byChristianKhn8
119 views

Automated Security Testing in Continuous Integration

talk slides or my 2019 Talk W-JAX Continous Lifecycle Mannheim Heise DevSec

Embed presentation

Download to read offline
Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de Automated Security Testing 
 In Continuous Integration
Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de 1) English 2)Deutsch Language Menu
Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de Agenda why? how? what? whoami?
Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de whoami? Christian Kühn
 system developer
 #java #kubernetes #devops @DevOpsKA Meetup Organizer synyx GmbH Karlsruhe code with attitude! sw development
 consulting
Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de questions ?!
Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de - leakage of business data - leakage of user/customer data - service interruption - industry malfunction - death (😱) soſtware security issues:
 what could possibly go wrong?
Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de equifax - “Credit Monitoring” examples: https://krebsonsecurity.com/2017/09/the-equifax-breach-what-you-should-know/ hacked 2017
 vulnerability in Apache Struts dependency 
 143,000,000 SSN 209,000 credit card numbers 182,000 “consumers” with PII
Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de Mossack Fonseca - “Law Firm and coprorate service provider” examples: https://en.wikipedia.org/wiki/Panama_Papers hacked 2015
 vulnerability in Drupal 
 11.5 million leaked documents about money laundering tax avoidance corruption
Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de what stops developers from patching? negligence priorities / lack of time skills / training insight “security - not my department” (or is it?)
Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de vulnerability /vʌln(ə)rəˈbɪlɪti/ noun 1. the quality or state of being exposed to the possibility of being attacked or harmed, either physically or emotionally.
 
 … CVE "reference for publicly known information-security vulnerabilities and exposures" public CVE Database - sponsored by NIST 
 (National Institute of Standards and Technology)
Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de automate the sh!t out of it solution search for known vulnerabilities implement a process to fix ASAP (or whitelist 😇 ) treat security issues like technical debt
Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de let's automatically find KNOWN vulnerabilities in dependencies / 3rd party libs components in docker images ( let's also scan our app dynamically )
Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de continuous delivery today
Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de continuous delivery ++
Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de continuous delivery++
Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de dependencies | components | 3rdparty libraries example: little maven/springboot demo-project: 
 6 maven dependencies 71 transitive dependencies
 github.com/cy4n/broken
Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de find vulnerable dependencies
Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de DEMO!
Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de What is wrong with using containers? docker pull cy4n/broken FROM cy4n/broken:latest
Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de https://github.com/arminc/clair-local-scan docker run -d --name db arminc/clair-db:latest docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan
Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de alternative: 
 trivy CLI-binary only
 no need for server
 local database
 https://github.com/aquasecurity/trivy
Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de DEMO!
Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de API / Webserver ZAProxy burp
Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de API / Webserver - dynamic testing OWASP ZAProxy url spider passive (and active) modes ajax supported
Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de DEMO!
Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de let's discuss 
 how to react?

More Related Content

PDF
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
byOECD Directorate for Financial and Enterprise Affairs
 
PDF
How to Leverage AI to Boost Employee Wellness - Lydia Di Francesco - SocialHR...
bySocialHRCamp
 
PDF
Storytelling For The Web: Integrate Storytelling in your Design Process
byChiara Aliotta
 
PDF
2024 State of Marketing Report – by Hubspot
byMarius Sescu
 
PDF
Everything You Need To Know About ChatGPT
byExpeed Software
 
PDF
2024 Trend Updates: What Really Works In SEO & Content Marketing
bySearch Engine Journal
 
PDF
Product Design Trends in 2024 | Teenage Engineerings
byPixeldarts
 
PDF
How Race, Age and Gender Shape Attitudes Towards Mental Health
byThinkNow
 
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
byOECD Directorate for Financial and Enterprise Affairs
 
How to Leverage AI to Boost Employee Wellness - Lydia Di Francesco - SocialHR...
bySocialHRCamp
 
Storytelling For The Web: Integrate Storytelling in your Design Process
byChiara Aliotta
 
2024 State of Marketing Report – by Hubspot
byMarius Sescu
 
Everything You Need To Know About ChatGPT
byExpeed Software
 
2024 Trend Updates: What Really Works In SEO & Content Marketing
bySearch Engine Journal
 
Product Design Trends in 2024 | Teenage Engineerings
byPixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
byThinkNow
 

Recently uploaded

PPTX
Feasibility Analysis in System Development Using Data Flow Diagrams
byM Munim
 
PDF
From Sound Workflow Nets to LTLf Declarative Specifications
byLucaBarbaro3
 
PDF
Prasenjit Bhaumik Plano - Specializing In Web Applications
byPrasenjit Bhaumik Plano
 
PDF
Cloud Engineering Services | Infysion Technologies
bysolutioninginfysion
 
PPTX
Google Trips Data Scraping for Tourism & Demand Analysis.pptx
byWeb Data Crawler
 
PDF
Driving Finance Growth with Business Central ERP
byNavision India
 
PDF
our environment ppt made by many people name rarang yadav
byrarang180
 
PPTX
Dreamforce ‘25 Tour: Boost Productivity with AI-Assisted API Development
byPriya Shaw
 
PDF
CatoCoin (CATO) – Smart Contract Security Audit Report by EtherAuthority
byEtherAuthority
 
PPTX
Architectural Styles in Software Engineering
byM Munim
 
PPTX
Testing Strategies for Agile Teams in 2026
byMatt Calder
 
PPTX
Free AI Paraphrasing Tool to Rewrite Sentences – SENTENCIFY
bySENTENCIFY
 
PDF
Salesforce Agentforce Service Agent​.pdf
byRobert Mark
 
PDF
DSD-INT 2025 iMOD Parallel coupler development plan - Verkaik
byDeltares
 
PPTX
Inside An AI Powered ERP System for Process Manufacturers
byBatchMaster Software Pvt. Ltd.
 
PPTX
ManageIQ - Sprint 278 Review - Slide Deck
byManageIQ
 
PDF
DSD-INT 2025 Large scale unsaturated zone modelling - Sequential Steady State...
byDeltares
 
PPTX
Build Smarter with Google: A Workshop on MediaPipe, Firebase, Gemini and Anti...
byvanshikaprakash05
 
PPTX
How MathCo Solved Enterprise AI Validation Challenges
byIT IDOL Technologies
 
PDF
Problem Solving_20241203_220045_0000.pdf
bythakurayush00991
 
Feasibility Analysis in System Development Using Data Flow Diagrams
byM Munim
 
From Sound Workflow Nets to LTLf Declarative Specifications
byLucaBarbaro3
 
Prasenjit Bhaumik Plano - Specializing In Web Applications
byPrasenjit Bhaumik Plano
 
Cloud Engineering Services | Infysion Technologies
bysolutioninginfysion
 
Google Trips Data Scraping for Tourism & Demand Analysis.pptx
byWeb Data Crawler
 
Driving Finance Growth with Business Central ERP
byNavision India
 
our environment ppt made by many people name rarang yadav
byrarang180
 
Dreamforce ‘25 Tour: Boost Productivity with AI-Assisted API Development
byPriya Shaw
 
CatoCoin (CATO) – Smart Contract Security Audit Report by EtherAuthority
byEtherAuthority
 
Architectural Styles in Software Engineering
byM Munim
 
Testing Strategies for Agile Teams in 2026
byMatt Calder
 
Free AI Paraphrasing Tool to Rewrite Sentences – SENTENCIFY
bySENTENCIFY
 
Salesforce Agentforce Service Agent​.pdf
byRobert Mark
 
DSD-INT 2025 iMOD Parallel coupler development plan - Verkaik
byDeltares
 
Inside An AI Powered ERP System for Process Manufacturers
byBatchMaster Software Pvt. Ltd.
 
ManageIQ - Sprint 278 Review - Slide Deck
byManageIQ
 
DSD-INT 2025 Large scale unsaturated zone modelling - Sequential Steady State...
byDeltares
 
Build Smarter with Google: A Workshop on MediaPipe, Firebase, Gemini and Anti...
byvanshikaprakash05
 
How MathCo Solved Enterprise AI Validation Challenges
byIT IDOL Technologies
 
Problem Solving_20241203_220045_0000.pdf
bythakurayush00991
 

Featured

PDF
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
bymarketingartwork
 
PDF
Skeleton Culture Code
bySkeleton Technologies
 
PDF
PEPSICO Presentation to CAGNY Conference Feb 2024
byNeil Kimberley
 
PDF
Content Methodology: A Best Practices Report (Webinar)
bycontently
 
PPTX
How to Prepare For a Successful Job Search for 2024
byAlbert Qian
 
PDF
Social Media Marketing Trends 2024 // The Global Indie Insights
byKurio // The Social Media Age(ncy)
 
PDF
Trends In Paid Search: Navigating The Digital Landscape In 2024
bySearch Engine Journal
 
PDF
5 Public speaking tips from TED - Visualized summary
bySpeakerHub
 
PDF
ChatGPT and the Future of Work - Clark Boyd
byClark Boyd
 
PDF
Getting into the tech field. what next
byTessa Mero
 
PDF
Google's Just Not That Into You: Understanding Core Updates & Search Intent
byLily Ray
 
PDF
How to have difficult conversations
byRajiv Jayarajah, MAppComm, ACC
 
PDF
Introduction to Data Science
byChristy Abraham Joy
 
PDF
Time Management & Productivity - Best Practices
byVit Horky
 
PDF
The six step guide to practical project management
byMindGenius
 
PDF
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
byRachelPearson36
 
PDF
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
byApplitools
 
PDF
12 Ways to Increase Your Influence at Work
byGetSmarter
 
PDF
ChatGPT webinar slides
byAlireza Esmikhani
 
PDF
More than Just Lines on a Map: Best Practices for U.S Bike Routes
byProject for Public Spaces & National Center for Biking and Walking
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
bymarketingartwork
 
Skeleton Culture Code
bySkeleton Technologies
 
PEPSICO Presentation to CAGNY Conference Feb 2024
byNeil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
bycontently
 
How to Prepare For a Successful Job Search for 2024
byAlbert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
byKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
bySearch Engine Journal
 
5 Public speaking tips from TED - Visualized summary
bySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
byClark Boyd
 
Getting into the tech field. what next
byTessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
byLily Ray
 
How to have difficult conversations
byRajiv Jayarajah, MAppComm, ACC
 
Introduction to Data Science
byChristy Abraham Joy
 
Time Management & Productivity - Best Practices
byVit Horky
 
The six step guide to practical project management
byMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
byRachelPearson36
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
byApplitools
 
12 Ways to Increase Your Influence at Work
byGetSmarter
 
ChatGPT webinar slides
byAlireza Esmikhani
 
More than Just Lines on a Map: Best Practices for U.S Bike Routes
byProject for Public Spaces & National Center for Biking and Walking
 

Automated Security Testing in Continuous Integration

  • 1.
    Automated Security TestingIn Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de Automated Security Testing 
 In Continuous Integration
  • 2.
    Automated Security TestingIn Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de 1) English 2)Deutsch Language Menu
  • 3.
    Automated Security TestingIn Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de Agenda why? how? what? whoami?
  • 4.
    Automated Security TestingIn Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de whoami? Christian Kühn
 system developer
 #java #kubernetes #devops @DevOpsKA Meetup Organizer synyx GmbH Karlsruhe code with attitude! sw development
 consulting
  • 5.
    Automated Security TestingIn Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de questions ?!
  • 6.
    Automated Security TestingIn Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de - leakage of business data - leakage of user/customer data - service interruption - industry malfunction - death (😱) soſtware security issues:
 what could possibly go wrong?
  • 7.
    Automated Security TestingIn Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de equifax - “Credit Monitoring” examples: https://krebsonsecurity.com/2017/09/the-equifax-breach-what-you-should-know/ hacked 2017
 vulnerability in Apache Struts dependency 
 143,000,000 SSN 209,000 credit card numbers 182,000 “consumers” with PII
  • 8.
    Automated Security TestingIn Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de Mossack Fonseca - “Law Firm and coprorate service provider” examples: https://en.wikipedia.org/wiki/Panama_Papers hacked 2015
 vulnerability in Drupal 
 11.5 million leaked documents about money laundering tax avoidance corruption
  • 9.
    Automated Security TestingIn Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de what stops developers from patching? negligence priorities / lack of time skills / training insight “security - not my department” (or is it?)
  • 10.
    Automated Security TestingIn Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
  • 11.
    Automated Security TestingIn Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de vulnerability /vʌln(ə)rəˈbɪlɪti/ noun 1. the quality or state of being exposed to the possibility of being attacked or harmed, either physically or emotionally.
 
 … CVE "reference for publicly known information-security vulnerabilities and exposures" public CVE Database - sponsored by NIST 
 (National Institute of Standards and Technology)
  • 12.
    Automated Security TestingIn Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
  • 13.
    Automated Security TestingIn Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de automate the sh!t out of it solution search for known vulnerabilities implement a process to fix ASAP (or whitelist 😇 ) treat security issues like technical debt
  • 14.
    Automated Security TestingIn Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de let's automatically find KNOWN vulnerabilities in dependencies / 3rd party libs components in docker images ( let's also scan our app dynamically )
  • 15.
    Automated Security TestingIn Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de continuous delivery today
  • 16.
    Automated Security TestingIn Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de continuous delivery ++
  • 17.
    Automated Security TestingIn Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de continuous delivery++
  • 18.
    Automated Security TestingIn Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de dependencies | components | 3rdparty libraries example: little maven/springboot demo-project: 
 6 maven dependencies 71 transitive dependencies
 github.com/cy4n/broken
  • 19.
    Automated Security TestingIn Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
  • 20.
    Automated Security TestingIn Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de find vulnerable dependencies
  • 21.
    Automated Security TestingIn Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
  • 22.
    Automated Security TestingIn Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
  • 23.
    Automated Security TestingIn Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de DEMO!
  • 24.
    Automated Security TestingIn Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
  • 25.
    Automated Security TestingIn Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de What is wrong with using containers? docker pull cy4n/broken FROM cy4n/broken:latest
  • 26.
    Automated Security TestingIn Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
  • 27.
    Automated Security TestingIn Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de https://github.com/arminc/clair-local-scan docker run -d --name db arminc/clair-db:latest docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan
  • 28.
    Automated Security TestingIn Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
  • 29.
    Automated Security TestingIn Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de alternative: 
 trivy CLI-binary only
 no need for server
 local database
 https://github.com/aquasecurity/trivy
  • 30.
    Automated Security TestingIn Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de DEMO!
  • 31.
    Automated Security TestingIn Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
  • 32.
    Automated Security TestingIn Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de API / Webserver ZAProxy burp
  • 33.
    Automated Security TestingIn Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de API / Webserver - dynamic testing OWASP ZAProxy url spider passive (and active) modes ajax supported
  • 34.
    Automated Security TestingIn Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
  • 35.
    Automated Security TestingIn Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de DEMO!
  • 36.
    Automated Security TestingIn Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de let's discuss 
 how to react?