All you need is Zap - Omer Levi Hevroni & Yshay Yaacobi - DevOpsDays Tel Aviv 2017

Published on

DevOpsDays Tel Aviv 2017

  1. Dynamic Security Testing, November 2017, @omerlh @yshayy
  2. http://www.align.com/wp-content/uploads/2017/09/Equifax_Infographic.png
  3. And it affects the stock price... disclosed
  4. http://www.zdnet.com/article/equifax-confirms-apache-struts-flaw-it-failed-to-patch-was-to-blame-for-data-breach/
  5. https://nvd.nist.gov/vuln/detail/CVE-2017-5638
  6. Will you be the next Equifax?
  7. What can we do?
     ● Threat modeling
     ● Design/code review
     ● Bug bounties
     ● Security tests
     ● And many more…
  8. Security Tests in CI
  9. What's a feature management solution?
  10. Example 1 - A/B Testing. Demo e-commerce app: let's try to change the design a bit to increase engagement.
  11. Feature flags
  12. Tweek is mission critical
  13. Tweek is open source...
  14. GitHub Flow (Source: GitHub Checks - Quality Feedback)
  15. PR Quality Feedback
  16. Security Department (Source: IT Crowd)
  17. Can we add security checks?
  18. The best defense is a good offense (Source: http://community-sitcom.wikia.com/wiki/File:Dual_wielding_Chang.jpg)
  19. Let's take a hacking tool and run it in CI
  20. OWASP Zap
  21. OWASP Zaproxy, https://www.openhub.net/p/zaproxy: a free and open source hacking tool
  22. Zap has two modes: Passive, Active
  23. Let's Hack Tweek!
  24. Tweek's Architecture
  25. Passive Mode
  26. What does Zap do?
     ● Inspects requests and responses
     ● Runs passive scan rules:
       ○ Cookie misconfiguration
       ○ Security HTTP headers
       ○ Mixed content
       ○ And many more
  27. Setup Proxy
  28. Browse Editor
  29. Many findings
  30. Potential issue
  31. Why?
  32. Zap does not only find the issues, it will also help you fix them!
  33. Active Mode
  34. What does Zap do?
     ● Finds all URLs/paths
     ● Runs active scan rules:
       ○ SQL injection
       ○ XSS
       ○ Directory browsing
       ○ Remote file inclusion
       ○ And many more
  35. Zap can parse the spec
  36. And now we can attack it…
  37. Let's push the red button
  38. Now relax and drink some coffee
  39. Massive attack
  40. Many findings
  41. Potential issue
  42. Why?
  43. Security Report - 2017
  44. Questions so far?
  45. Let's take a hacking tool and run it in CI
  46. Zap has two modes: Passive, Active
  47. Passive Mode
  48. Tweek's Security Testing (diagram): Integration Tests → REST → ZAP Proxy → REST → Tweek API; UI Automation Tests → Selenium → ZAP Proxy → Selenium → Tweek Editor
  49. Let's use Docker
     ● Tweek is designed as a multi-container app
     ● Every microservice has an official Docker image
     ● Tweek uses Docker-native CI (Codefresh)
     ● Test suites also run as Docker containers
     ● Zap has an official Docker image
  50. Containerized them all! (diagram, every box a container): Smoke Tests → REST → ZAP Proxy → REST → Tweek API; UI Automation Tests → Selenium → ZAP Proxy → Selenium → Tweek Editor
  51. docker-compose up
  52. docker-compose is widely supported
  53. Running it in CI
  54. Zap API
  55. Curl/CLI/SDK
  56. So we have Security Tests...
  57. But it's not perfect…
  58. OWASP Glue
  59. OWASP Glue: Security Tool → Filtering → Reporting. A free and open source CI tool.
  60. Let's add some glue to our CI
  61. Using Glue:
     ruby /usr/bin/glue/bin/glue -t zap --zap-host http://zap-e2e --zap-port 8090 --zap-passive-mode -f text --exit-on-warn 0 http://editor --finding-file-path /usr/src/wrk/glue.json
  62. Let's look at the findings…
  63. Zap's findings for the API
     ● Insecure cookies: FIXED
     ● Missing security headers: FIXED
     ● Insecure hash: IGNORE
  64. Active Mode
  65. Simply docker:
     docker run -t --net=host -v $(pwd):/zap/wrk owasp/zap2docker-weekly zap-api-scan.py -t http://localhost:4003/api/swagger.json -f openapi -r report.html
     Find out more on Zap's wiki...
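Glue's role on slides 59-63 is to take the scanner's raw findings, drop the ones the team has reviewed and accepted (the "IGNORE" on slide 63), and turn the rest into a pass/fail verdict for the pull request; the report written by the active scan on slide 65 is the kind of input such a step consumes. The following is an added example of that triage, not code from Zap, Glue or Tweek: it assumes the layout of Zap's JSON report (`site[].alerts[]` entries with a `pluginid` and a string `riskcode`, 0 = Info up to 3 = High) and runs over a constructed sample report rather than a real scan.

```python
"""Glue-style triage of a ZAP scan report: filter accepted findings, then gate CI."""
import json

# Constructed sample in the shape of ZAP's JSON report (-J): two sites, four alerts.
SAMPLE_REPORT = json.dumps({
    "site": [{
        "@name": "http://editor",
        "alerts": [
            {"pluginid": "10010", "alert": "Cookie No HttpOnly Flag", "riskcode": "1",
             "instances": [{"uri": "http://editor/", "method": "GET"}]},
            {"pluginid": "10038", "alert": "CSP Header Not Set", "riskcode": "2",
             "instances": [{"uri": "http://editor/", "method": "GET"}]},
        ]}, {
        "@name": "http://localhost:4003",
        "alerts": [
            {"pluginid": "10096", "alert": "Timestamp Disclosure", "riskcode": "0",
             "instances": [{"uri": "http://localhost:4003/api/values", "method": "GET"}]},
            {"pluginid": "40018", "alert": "SQL Injection", "riskcode": "3",
             "instances": [{"uri": "http://localhost:4003/api/keys", "method": "GET"}]},
        ]}]})

# Reviewed-and-accepted findings (the slide's "IGNORE"), keyed by ZAP plugin id.
# Every entry carries a reason so the acceptance can be re-examined later.
IGNORED = {"10096": "constructed example: timestamp is a build id, not a secret"}


def triage(report_json, ignored=IGNORED, fail_at=2):
    """Split alerts into (blocking, accepted).

    blocking: alerts with riskcode >= fail_at that are not on the ignore list.
    accepted: alerts suppressed by the ignore list, kept so the report still shows them.
    Alerts below the threshold are neither; they stay visible in the scanner output.
    """
    blocking, accepted = [], []
    for site in json.loads(report_json).get("site", []):
        for alert in site.get("alerts", []):
            entry = (site["@name"], alert["pluginid"], alert["alert"], int(alert["riskcode"]))
            if alert["pluginid"] in ignored:
                accepted.append(entry)
            elif entry[3] >= fail_at:
                blocking.append(entry)
    return blocking, accepted


def exit_code(report_json, strict=False):
    """CI verdict: 0 passes, 1 fails the build. strict=True also fails on Low findings."""
    blocking, _ = triage(report_json, fail_at=1 if strict else 2)
    return 1 if blocking else 0
```

Feeding the scanner's report through the ignore list rather than editing the scanner's rules keeps the accepted findings visible in every run, so a later fix or a regression is still noticed.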
  66. And the results...
  67. Questions so far?
  68. So we have dynamic security tests...
  69. Let's see if it works…
  70. Should I approve this pull request?
  71. Let's review it...
  72. That looks good...
  73. But the tests are failing...
  74. Let's see why...
  75. Source: https://giphy.com/gifs/thisisgiphy-reaction-audience-l4HodBpDmoMA5p9bG
  76. Conclusion
  77. Security Testing Options
      Passive (Proxy)       | Active (OpenAPI)
      Simple to integrate   | Simple to integrate
      Wide coverage         | Wide coverage
      Fast                  | Slow
      Mixing test types     | Dedicated test types
  78. GitHub Only?
  79. How can you use it?
  80. Useful links
     ● Pull Request – adding security tests to Tweek
     ● Malicious Pull Request
     ● Demo repo – adding security tests to a vulnerable app (Juice Shop)
     ● Blog Post – how I added security tests to Tweek
     @omerlh @yshayy
  81. One tool in the toolbox
  82. Open Source is all about Community
  83. @omerlh @yshayy Thank You!