Security Testing with Zap

Running security tests as a part of your CI pipeline allows you to provide better and more relevant feedback to developers as quickly as possible (also known as the “Shift Left” paradigm or the “DevSecOps” methodology).
These slides are from a session at DevOpsDays TLV 2017 on how to use OWASP Zap to create valuable dynamic security tests. In these slides, I show how we added those tests to one of our open source projects - Tweek (https://github.com/soluto/tweek).

1. Dynamic Security Testing, November 2017, @omerlh @yshayy
2. http://www.align.com/wp-content/uploads/2017/09/Equifax_Infographic.png
3. And it affects the stock price... (chart label: disclosed)
4. http://www.zdnet.com/article/equifax-confirms-apache-struts-flaw-it-failed-to-patch-was-to-blame-for-data-breach/
5. https://nvd.nist.gov/vuln/detail/CVE-2017-5638
6. Will you be the next Equifax?
7. What can we do?
   ● Threat Modeling
   ● Design/Code review
   ● Bug bounties
   ● Security tests
   ● And many more…
8. Security Tests in CI
9. What's a feature management solution?
10. Let’s try to change the design a bit to increase engagement (Demo e-commerce app, Example 1 - A/B Testing)
11. Feature flags
12. Tweek is mission critical
13. Tweek is open source...
14. GitHub Flow (Source: GitHub). Checks - Quality Feedback
15. PR Quality Feedback
16. Security Department (Source: IT Crowd)
17. Can we add security checks?
18. The best defense is a good offense (Source: http://community-sitcom.wikia.com/wiki/File:Dual_wielding_Chang.jpg)
19. And run it in CI. Let’s take a hacking tool
20. OWASP Zap
21. OWASP Zaproxy, https://www.openhub.net/p/zaproxy - a free and open source hacking tool
22. Zap has two modes: Passive and Active
23. Let’s Hack Tweek!
24. Tweek’s Architecture
25. Passive Mode
26. What does Zap do?
   ● Inspects requests and responses
   ● Runs passive scan rules:
     ○ Cookie misconfiguration
     ○ Security HTTP headers
     ○ Mixed content
     ○ And many more
27. Setup Proxy
28. Browse Editor
29. Many findings
30. Potential issue
31. Why?
32. Zap does not only find the issues, it will also help you fix them!
33. Active Mode
34. What does Zap do?
   ● Finds all URLs/paths
   ● Runs active scan rules:
     ○ SQL injection
     ○ XSS
     ○ Directory browsing
     ○ Remote file inclusion
     ○ And many more
35. Zap can parse the spec
36. And now we can attack it…
37. Let’s push the red button
38. Now relax and drink some coffee
39. Massive attack
40. Many findings
41. Potential issue
42. Why?
43. Security Report - 2017
44. Questions so far?
45. And run it in CI. Let’s take a hacking tool
46. Zap has two modes: Passive and Active
47. Passive Mode
48. Tweek’s Security Testing (architecture diagram): Integration Tests (REST) and UI Automation Tests (Selenium) each go through a ZAP Proxy on their way to the Tweek API and the Tweek Editor
49. Let’s use Docker
   ● Tweek is designed as a multi-container app
   ● Every microservice has an official Docker image
   ● Tweek uses Docker-native CI (Codefresh)
   ● Test suites also run as Docker containers
   ● Zap has an official Docker image
50. Containerized them all! (architecture diagram): Smoke Tests (REST) and UI Automation Tests (Selenium) each go through a ZAP Proxy on their way to the Tweek API and the Tweek Editor, all as containers
51. docker-compose up
52. docker-compose is widely supported
53. Running it in CI
54. Zap API
55. Curl/CLI/SDK
56. So we have security tests...
57. But it’s not perfect…
58. OWASP Glue
59. OWASP Glue: Security Tool, Filtering, Reporting - a free and open source CI tool
60. Let’s add some glue to our CI
61. Using Glue:
    ruby /usr/bin/glue/bin/glue -t zap --zap-host http://zap-e2e --zap-port 8090 --zap-passive-mode -f text --exit-on-warn 0 http://editor --finding-file-path /usr/src/wrk/glue.json
62. Let’s look at the findings…
63. Zap’s findings for the API
   ● Insecure cookies - FIXED
   ● Missing security headers - FIXED
   ● Insecure hash - IGNORE
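The triage step the slides describe (Glue's filtering and reporting, the FIXED/FIXED/IGNORE decision, and failing the build like Glue's --exit-on-warn) as an added example; this is not code from the slides or from the Tweek project. It reads an alert list shaped like the JSON returned by ZAP's core/view/alerts API view, groups per-URL alerts by alert type, drops types on an explicit ignore list, and returns a CI exit code. The plugin ids and URLs in the embedded sample are constructed placeholders, not real ZAP identifiers.

```python
import json

RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample shaped like ZAP's core/view/alerts JSON view
# (fields: pluginId, alert, risk, url). Plugin ids and URLs are placeholders.
SAMPLE = json.dumps({"alerts": [
    {"pluginId": "A1", "alert": "Cookie Without Secure Flag", "risk": "Low", "url": "http://editor/"},
    {"pluginId": "A2", "alert": "X-Frame-Options Header Not Set", "risk": "Medium", "url": "http://editor/"},
    {"pluginId": "A2", "alert": "X-Frame-Options Header Not Set", "risk": "Medium", "url": "http://editor/login"},
    {"pluginId": "A3", "alert": "Hash Disclosure - MD5", "risk": "Low", "url": "http://editor/app.js"},
]})


def group_alerts(raw_json):
    """Collapse ZAP's per-URL alerts into one entry per (pluginId, alert type)."""
    grouped = {}
    for a in json.loads(raw_json)["alerts"]:
        entry = grouped.setdefault((a["pluginId"], a["alert"]), {"risk": a["risk"], "urls": []})
        entry["urls"].append(a["url"])
        # keep the highest risk reported for this alert type
        if RISK_ORDER[a["risk"]] > RISK_ORDER[entry["risk"]]:
            entry["risk"] = a["risk"]
    return grouped


def triage(raw_json, ignore_ids, fail_on="Medium"):
    """Sort grouped alerts into block / warn / ignore buckets.

    ignore_ids: plugin ids the team has reviewed and accepted (the IGNORE case).
    fail_on: lowest risk level that should fail the build.
    """
    buckets = {"block": [], "warn": [], "ignore": []}
    for (plugin_id, name), entry in group_alerts(raw_json).items():
        item = {"pluginId": plugin_id, "alert": name, "risk": entry["risk"], "urls": entry["urls"]}
        if plugin_id in ignore_ids:
            buckets["ignore"].append(item)
        elif RISK_ORDER[entry["risk"]] >= RISK_ORDER[fail_on]:
            buckets["block"].append(item)
        else:
            buckets["warn"].append(item)
    return buckets


def ci_exit_code(raw_json, ignore_ids, fail_on="Medium"):
    """0 lets the pull request check pass, 1 fails it (like Glue's --exit-on-warn)."""
    return 1 if triage(raw_json, ignore_ids, fail_on)["block"] else 0


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE, {"A3"}).items():
        for it in items:
            print(f"{bucket:6} {it['risk']:<7} {it['alert']} ({len(it['urls'])} url(s))")
    raise SystemExit(ci_exit_code(SAMPLE, {"A3"}))
```

In a real pipeline the alert JSON would come from the ZAP container's API after the smoke and Selenium suites have run through the proxy, and the ignore list would live in the repository next to the tests so accepted findings are reviewed in pull requests.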
64. Active Mode
65. Simply docker:
    docker run -t --net=host -v $(pwd):/zap/wrk owasp/zap2docker-weekly zap-api-scan.py -t http://localhost:4003/api/swagger.json -f openapi -r report.html
    Find out more on Zap’s wiki...
66. And the results...
67. Questions so far?
68. So we have dynamic security tests...
69. Let’s see if it works…
70. Should I approve this pull request?
71. Let's review it...
72. That looks good...
73. But the tests are failing...
74. Let's see why...
75. Source: https://giphy.com/gifs/thisisgiphy-reaction-audience-l4HodBpDmoMA5p9bG
76. Conclusion
77. Security Testing Options
    Passive (Proxy)       | Active (OpenAPI)
    Simple to integrate   | Simple to integrate
    Wide coverage         | Wide coverage
    Fast                  | Slow
    Mixed test types      | Dedicated test types
78. GitHub Only?
79. How can you use it?
80. Useful links
   ● Pull Request – adding security tests to Tweek
   ● Malicious Pull Request – the one shown a few slides above
   ● Demo repo – adding security tests to a vulnerable app - Juice Shop
   ● Blog Post – how I added security tests to Tweek
   @omerlh @yshayy
81. @omerlh @yshayy Thank You!
