
Continuous Integration and Security Testing with .NET


Assessment of automated security testing tools for .NET. How to integrate security testing to CI builds with .NET? Presented at Need 4 Speed 2015 Q4 review at Rovaniemi.


  1. CI SECURITY CONTROLS IN .NET
     Joona Immonen, Software architect, joona.immonen@solita.fi
  2. PROBLEM DOMAIN
  3. CI SECURITY CONTROLS
     › Static code analysis
       • FxCop, VisualCodeGrepper, SonarQube, ReSharper command line tools
     › Code quality metrics
       • SonarQube, Code Metrics
     › Configuration and deployment analysis
       • Microsoft Baseline Security Analyzer (MBSA), Attack Surface Analyzer (ASA)
     › Vulnerability scanning
       • OWASP ZAP, Nessus
     › Performance testing
       • jMeter
  4. TOOLS IN SECURE DEVELOPMENT LIFECYCLE
     Lifecycle phases (columns): Before development, Definition and design, Development, Deployment, Maintenance.
     Tool coverage (X = applies in a phase): FxCop X; VisualCodeGrepper X; SonarQube X; Code Metrics X; OWASP ZAP X X X; MBSA X X; ASA X; Nessus X X; jMeter X X X
  5. TOOLS IN DEFENCE IN DEPTH
     Layers (columns): Network, Host, App server, Application, Web.config, Source code.
     Tool coverage (X = applies at a layer): FxCop X X; VisualCodeGrepper X X; SonarQube X X; Code Metrics X; OWASP ZAP X X; MBSA X X; ASA X X; Nessus X X X X; jMeter X X
  6. HOW TOOLS MITIGATE "OWASP TOP 10"
     Categories (columns): Injection, Broken authentication, XSS, Direct object references, Misconfiguration, Data exposure, Function level authorization, CSRF, Known vulnerabilities, Unvalidated redirects.
     Legend: empty = no, 1 = maybe, 2 = meant for that.
     Tool ratings: FxCop 1 1 1 1; VCG 1 1 1; SonarQube 1 1 1 1; Code Metrics (none); OWASP ZAP 2 2 2 2 2 1 2 1 2; MBSA 2 2; ASA 1; Nessus 1 1 1 1 2 1 1 2 1; jMeter (none)
  7. HOW TOOLS MITIGATE CSA "NOTORIOUS NINE"
     Categories (columns): Data Breaches, Data Loss, Account or Service Traffic Hijacking, Insecure interfaces and APIs, Denial of Service, Malicious Insiders, Abuse of cloud services, Insufficient Due Diligence, Shared Technology Vulnerabilities.
     Legend: empty = no, 1 = maybe, 2 = meant for that.
     Tool ratings: FxCop 1 1; VisualCodeGrepper 1 1; SonarQube 1 1; Code Metrics 1; OWASP ZAP 1 1 1; MBSA 1 1; ASA 1 1; Nessus 1 1 1; jMeter 1 1
  8. HOW USEFUL TOOLS WERE FROM PROJECT PERSPECTIVE
     [Bar chart: "Usefulness of tools", scale 0 to 5; series: Average, Project 1, Project 2]
  9. SONARQUBE: WHAT IS AN ISSUE?
