Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Automated Security Testing in Continuous Integration

talk slides or my 2019 Talk
W-JAX
Continous Lifecycle Mannheim
Heise DevSec

  • Be the first to comment

  • Be the first to like this

Automated Security Testing in Continuous Integration

  1. 1. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de Automated Security Testing 
 In Continuous Integration
  2. 2. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de 1) English 2)Deutsch Language Menu
  3. 3. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de Agenda why? how? what? whoami?
  4. 4. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de whoami? Christian Kühn
 system developer
 #java #kubernetes #devops @DevOpsKA Meetup Organizer synyx GmbH Karlsruhe code with attitude! sw development
 consulting
  5. 5. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de questions ?!
  6. 6. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de - leakage of business data - leakage of user/customer data - service interruption - industry malfunction - death (😱) soſtware security issues:
 what could possibly go wrong?
  7. 7. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de equifax - “Credit Monitoring” examples: https://krebsonsecurity.com/2017/09/the-equifax-breach-what-you-should-know/ hacked 2017
 vulnerability in Apache Struts dependency 
 143,000,000 SSN 209,000 credit card numbers 182,000 “consumers” with PII
  8. 8. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de Mossack Fonseca - “Law Firm and coprorate service provider” examples: https://en.wikipedia.org/wiki/Panama_Papers hacked 2015
 vulnerability in Drupal 
 11.5 million leaked documents about money laundering tax avoidance corruption
  9. 9. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de what stops developers from patching? negligence priorities / lack of time skills / training insight “security - not my department” (or is it?)
  10. 10. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
  11. 11. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de vulnerability /vʌln(ə)rəˈbɪlɪti/ noun 1. the quality or state of being exposed to the possibility of being attacked or harmed, either physically or emotionally.
 
 … CVE "reference for publicly known information-security vulnerabilities and exposures" public CVE Database - sponsored by NIST 
 (National Institute of Standards and Technology)
  12. 12. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
  13. 13. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de automate the sh!t out of it solution search for known vulnerabilities implement a process to fix ASAP (or whitelist 😇 ) treat security issues like technical debt
  14. 14. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de let's automatically find KNOWN vulnerabilities in dependencies / 3rd party libs components in docker images ( let's also scan our app dynamically )
  15. 15. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de continuous delivery today
  16. 16. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de continuous delivery ++
  17. 17. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de continuous delivery++
  18. 18. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de dependencies | components | 3rdparty libraries example: little maven/springboot demo-project: 
 6 maven dependencies 71 transitive dependencies
 github.com/cy4n/broken
  19. 19. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
  20. 20. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de find vulnerable dependencies
  21. 21. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
  22. 22. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
  23. 23. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de DEMO!
  24. 24. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
  25. 25. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de What is wrong with using containers? docker pull cy4n/broken FROM cy4n/broken:latest
  26. 26. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
  27. 27. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de https://github.com/arminc/clair-local-scan docker run -d --name db arminc/clair-db:latest docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan
  28. 28. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
  29. 29. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de alternative: 
 trivy CLI-binary only
 no need for server
 local database
 https://github.com/aquasecurity/trivy
  30. 30. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de DEMO!
  31. 31. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
  32. 32. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de API / Webserver ZAProxy burp
  33. 33. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de API / Webserver - dynamic testing OWASP ZAProxy url spider passive (and active) modes ajax supported
  34. 34. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de
  35. 35. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de DEMO!
  36. 36. Automated Security Testing In Continuous Integration Christian Kühn - @CYxChris - kuehn@synyx.de let's discuss 
 how to react?

×