Automating Security Tests for Continuous Integration
Stephen de Vries
@stephendv
www.continuumsecurity.net
Two models for running automated security tests in a CI/CD pipeline: either blocking or parallel security tests
Integration depends on the level of cultural integration of security into DevOps.
3 Models of test ownership:
1. Owned by Security team - least desirable
2. Owned by DevOps, overseen by security - better
3. Owned by SecDevOps, look Ma, no silos.

Overview of BDD-Security
Configuring Jenkins with BDD-Security as inline tests

Published in: Software


1. Automating Security Tests for Continuous Integration
Stephen de Vries, @stephendv, www.continuumsecurity.net

2. About Continuum Security
• Founded 2012
• Services: Security Testing, BDD-Security jump start
• Products: Securing the SDLC
  – Open Source: BDD-Security Testing Framework; OWASP ZAP integration with JUnit; Nessus Java client API
  – Commercial: IriusRisk Risk Management for Application Security, www.iriusrisk.com

3. Security Testing vs. Unit/Integration/Functional Testing
Security Testing:
• Performed after build
• Uses external testers
• Process is opaque to dev/ops
Unit/Integration/Functional Testing:
• Performed during build
• Owned by dev/test
• Tests visible to the team

4. Agile
[Pipeline diagram: Design → Build → Unit Tests → Integration Tests → Acceptance Tests → Deploy, spanning Development / Pre-prod / Production; labels: Security Testing, Waterfall]
• Short iterative cycles
• Extensive automated testing
• Low/zero cost to test
• Tests can replace documentation

5. Continuous Delivery with DevOps
[Pipeline diagram as above]
• Automated delivery into pre-prod
• Automated acceptance tests

6. Continuous Deployment with DevOps
[Pipeline diagram as above; label: Security Testing]
• Etsy: 50+ deploys per day
• Amazon: 300+ per hour
• Gov.uk: 10+ deploys per day

7. (untitled)
• Everyone is responsible for quality → security
• Move testing closer to the code
• Continuous automated testing
• Tests are visible to the team
(On the slide, "quality" is struck through and replaced with "security".)

8. Continuous Deployment with SecDevOps: Blocking tests
[Pipeline diagram as above]

9. Continuous Deployment with Semi-SecDevOps: Parallel tests
[Pipeline diagram as above]

10. Who owns the security tests? A) Security team
• Benefits of automation
• Fast feedback
• Poor collaboration
• Lack of ownership by DevOps

11. Who owns the security tests? B) DevOps team with oversight by Security
• Better collaboration
• More sense of ownership of security
• Good stepping stone to…

12. Who owns the security tests? C) Sec + Dev + Ops in a cross-functional team
• Security testing is our problem
• We have the tools and skills to manage it

13. Automated Security Tests should:
• return either a pass or fail result
• execute quickly (similar to acceptance tests)
• test infrastructure and application tiers
• test functional security features, e.g. Login, Password Reset
• capture manual testing processes and automate them, i.e. security regression tests
• be checked into version control along with the code
• be understandable by the whole team

14. BDD-Security Testing Framework
https://github.com/continuumsecurity/bdd-security
BDD-Security = JBehave + Selenium + OWASP ZAP + Nessus + Internal security tools + Pre-written baseline security specifications

15. Infrastructure Security Testing

16. Application Security Testing

17. Manual Application Security Testing with OWASP ZAP (HTTP/S Proxy)

18. Manual → BDD-Security Application Security Testing with OWASP ZAP (HTTP/S Proxy)
(On the slide, "Manual" is replaced with "BDD-Security".)

19. Functional Security Tests

20. Integrating with Jenkins
• Configuration
• Test run

21. Summary
• Security testing is just another form of software testing
• Automate as much as possible for faster feedback
• Security Tests can be treated as security requirements
• Self Verifying Requirements!
• Tests written in a BDD language foster collaboration between sec, dev and ops
• Automated Security tests should include more than just scanning

22. Other related tools
• Mittn (Python + Burp Intruder) https://github.com/F-Secure/mittn
• ZAP-JUnit (Java) https://github.com/continuumsecurity/zap-webdriver
• Gauntlt (Ruby) http://gauntlt.org/
• OWASP ZAP Jenkins plugin https://wiki.jenkins-ci.org/display/JENKINS/Zapper+Plugin

23. Thank you
www.continuumsecurity.net
@stephendv
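Slides 8 and 13 ask that a security test in the pipeline return only pass or fail and act as a regression check rather than a raw scan report. The following is an added example, not code from BDD-Security or the talk: it takes a list of scanner alerts in a constructed ZAP-like shape, subtracts a baseline of findings the team has already accepted, and turns what remains into a blocking CI verdict. The alert records, URLs and baseline are made up for the example.

```python
"""Added example (not part of BDD-Security): turn scanner findings into a
pass/fail verdict for a blocking CI stage, ignoring already-accepted issues."""
import json
import sys

# Risk levels ordered so a threshold can be compared numerically
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample input. The field names mimic a ZAP alert export, but
# the plugin ids, URLs and findings are sample data for this example only.
SAMPLE_ALERTS = json.dumps([
    {"pluginId": "10038", "alert": "Content Security Policy Header Not Set",
     "risk": "Medium", "url": "http://app.example/login"},
    {"pluginId": "10021", "alert": "X-Content-Type-Options Header Missing",
     "risk": "Low", "url": "http://app.example/"},
    {"pluginId": "40012", "alert": "Cross Site Scripting (Reflected)",
     "risk": "High", "url": "http://app.example/search?q=x"},
])

# Baseline of findings already reviewed and accepted (constructed). A finding
# is identified by (pluginId, url); anything here must not fail the build
# again, so the test behaves as a regression test rather than a full rescan.
BASELINE = {("10038", "http://app.example/login")}


def new_findings(alerts_json, baseline, fail_at="Medium"):
    """Return alerts at or above the fail_at risk that are not baselined."""
    threshold = RISK_ORDER[fail_at]
    return [a for a in json.loads(alerts_json)
            if RISK_ORDER.get(a["risk"], 0) >= threshold
            and (a["pluginId"], a["url"]) not in baseline]


def verdict(alerts_json, baseline, fail_at="Medium"):
    """'PASS' or 'FAIL': the only two outcomes a blocking pipeline stage needs."""
    return "FAIL" if new_findings(alerts_json, baseline, fail_at) else "PASS"


if __name__ == "__main__":
    findings = new_findings(SAMPLE_ALERTS, BASELINE)
    for f in findings:
        print(f"{f['risk']:<7} {f['pluginId']} {f['alert']} at {f['url']}")
    print(verdict(SAMPLE_ALERTS, BASELINE))
    # A non-zero exit status is what marks the Jenkins build as failed
    sys.exit(1 if findings else 0)
```

Raising `fail_at` to "High" or extending the baseline is how the same script is tuned for the parallel (non-blocking) model from slide 9 without changing the test itself.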