Continuous Security Testing with Devops - OWASP EU 2014

Integrating security into devops approach using BDD-Security in a CI environment.
1. Continuous Security Testing In a DevOps World

2. About Me
   • Stephen de Vries
     – CTO ContinuumSecurity
     – 60% Security consultant 40% Developer
     – Author: BDD-Security project

3. About Me
   DevOps is a means
   Continuous Delivery / Continuous Deployment is the end
   • Don’t wait for a release before deploy
   • Deploy individual features
   • Get business value to production as fast as possible

4. Plan/Code/Build/Test
   Continuous Delivery
   Continuous Integration
   Agile
   Int. Test QA Testing
   Continuous Deployment
   Deploy
   DevOps

5. DevOps is a tool to operate a continuous delivery pipeline

6. The DevOps challenge to security
   • Our project requirements are visible to dev and ops
   • Our build, test and deploy process is entirely automated
   • Developers can deploy to prod directly
   • We deploy to prod multiple times per day
     • Amazon: deploy every 11.6 seconds
     • Etsy: deploys 25+ times/day
     • Gov.uk: deploys 30 times/day
   How can we do this securely?

7. Traditional Security approach
   • Dead documents
   • Reliance on manual processes
   • Tools don’t fit the deployment pipeline
   • Tool results don’t translate to business requirements

8. What can security learn from DevOps?
   • Security Testing is quality testing
   • Continuous monitoring (See OWASP AppSensor)
   • Automate all the things

9. Security Testing > Security Scanning
   • Scanners don’t test functional security
   • Tests have an expected outcome
   • Comprehensive tests ARE the requirements
   • Tests are code: stored by SCM
10. First attempt: a plain JUnit and Selenium test

        import static org.hamcrest.MatcherAssert.assertThat;
        import static org.hamcrest.Matchers.not;
        import org.junit.Test;
        import org.openqa.selenium.By;
        import org.openqa.selenium.Cookie;
        import org.openqa.selenium.WebDriver;

        // driver is the test class's WebDriver field
        @Test
        public void change_session_ID_after_login() {
            driver.get("http://localhost:9110/ropeytasks/user/login");
            Cookie preLoginSessionId = getSessionId("JSESSIONID");
            login("bob", "password");
            Cookie afterLoginSessionId = getSessionId("JSESSIONID");
            // Expected outcome: the session id is regenerated on login
            assertThat(afterLoginSessionId.getValue(), not(preLoginSessionId.getValue()));
        }

        public void login(String u, String p) {
            driver.findElement(By.id("username")).clear();
            driver.findElement(By.id("username")).sendKeys(u);
            driver.findElement(By.id("password")).clear();
            driver.findElement(By.id("password")).sendKeys(p);
            driver.findElement(By.name("_action_login")).click();
        }

        // Reads the named cookie from the browser's current cookie jar
        private Cookie getSessionId(String name) {
            return driver.manage().getCookieNamed(name);
        }

    • Navigation logic is embedded in the test
    • Selenium does not expose HTTP
    • Excludes non-developers
11. BDD-Security Testing Framework
    https://github.com/continuumsecurity/bdd-security
    • Tests written in JBehave
    • Automated Functional Security Testing
    • Non-functional security testing
    • Wraps security tools in tests:
      • OWASP ZAP
      • Nessus
      • Port scanner (built in)
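Wrapping a scanner in a test means giving its output an expected outcome, so the pipeline can fail on a broken requirement rather than on a tool message (the point of slides 7 and 9). The Python below is an added example, not code from the slides or from the BDD-Security project: the alert list is constructed and only loosely modelled on the fields of a ZAP alert (alert name, risk, url), and the risk ordering, the accepted-risk list and the alert-to-requirement mapping are assumptions made for the example.

```python
import json

# Constructed scan output, loosely modelled on ZAP alert fields; not real scanner output.
SCAN_REPORT = json.dumps({"alerts": [
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "url": "http://localhost:9110/ropeytasks/"},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "url": "http://localhost:9110/ropeytasks/"},
    {"alert": "Cookie No HttpOnly Flag", "risk": "Low", "url": "http://localhost:9110/ropeytasks/user/login"},
    {"alert": "SQL Injection", "risk": "High", "url": "http://localhost:9110/ropeytasks/task/search"},
]})

RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed mapping from scanner alert names to the requirement each one violates,
# so a failing test reads as a broken requirement instead of a tool message.
REQUIREMENT_FOR = {
    "SQL Injection": "The application must not be vulnerable to injection",
    "X-Frame-Options Header Not Set": "Pages must not be framed by other sites",
    "Cookie No HttpOnly Flag": "Session cookies must not be readable by script",
}


def unique_alerts(report_json):
    """Collapse the duplicate (alert, url) pairs a spider-plus-scan run produces."""
    seen, out = set(), []
    for alert in json.loads(report_json)["alerts"]:
        key = (alert["alert"], alert["url"])
        if key not in seen:
            seen.add(key)
            out.append(alert)
    return out


def findings(report_json, threshold="Medium", accepted=()):
    """Alerts at or above the risk threshold that have not been formally accepted."""
    accepted = set(accepted)  # (alert name, url) pairs signed off as accepted risk
    return [a for a in unique_alerts(report_json)
            if RISK_ORDER[a["risk"]] >= RISK_ORDER[threshold]
            and (a["alert"], a["url"]) not in accepted]


def violated_requirements(report_json, threshold="Medium", accepted=()):
    """Expected outcome of the wrapped scan: an empty list. Anything else names a requirement."""
    return sorted({REQUIREMENT_FOR.get(a["alert"], a["alert"])
                   for a in findings(report_json, threshold, accepted)})


def scan_passes(report_json, threshold="Medium", accepted=()):
    return not violated_requirements(report_json, threshold, accepted)
```

The accepted-risk list is the part that keeps such a test maintainable: a finding the business has signed off on is recorded as a (alert, url) pair in the test data, so the pipeline stays green without lowering the threshold for everything else.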
12. BDD-Security example

13. BDD-Security Testing Framework
    • Must be able to automate manual security testing
      • Selenium + OWASP ZAP API
    • Tests must be understandable by all stakeholders
      • Behaviour Driven Development (BDD) with JBehave
    • Must fit into dev workflow and continuous integration pipelines
      • Runs in IDE, cmd line
      • Runs in Jenkins
      • Test results in JUnit wrapper + HTML in Jenkins
    • The logic of the security tests should be independent from navigation code
    • Provide a baseline of ready-to-use security tests

14. Demo
    • Ropey Tasks
    • Initial configuration
    • BDD wrappers around scanning tools
    • BDD tests of functional app security
    • Automated access control tests
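The two kinds of functional security test the slides describe, the session-id check from slide 10 (rewritten so that navigation code stays out of the test, as slide 13 asks) and the automated access control tests of slide 14, as one added Python example that runs offline. This is not code from the slides or from BDD-Security: the in-process toy web app, its JSON login, the accounts bob and admin and the /admin resource are constructed assumptions standing in for Ropey Tasks, and the Browser class stands in for the Selenium driver; only the /user/login path and the JSESSIONID cookie name come from the slides.

```python
# Constructed toy app and client; assumptions standing in for Ropey Tasks and Selenium.
import http.client
import json
import secrets
import threading
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

USERS = {"bob": "password", "admin": "admin-secret"}  # constructed accounts
ROLES = {"bob": "user", "admin": "admin"}
SESSIONS = {}  # session id -> username (None while anonymous)

class ToyApp(BaseHTTPRequestHandler):
    rotate_on_login = True  # False models the session-fixation defect
    def log_message(self, *args):  # silence per-request logging
        pass
    def _session(self):
        jar = SimpleCookie(self.headers.get("Cookie", ""))
        return jar["JSESSIONID"].value if "JSESSIONID" in jar else None
    def _reply(self, status, body, sid=None):
        self.send_response(status)
        if sid is not None:
            self.send_header("Set-Cookie", f"JSESSIONID={sid}; HttpOnly")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def do_GET(self):
        sid = self._session()
        if self.path == "/user/login":  # an anonymous visit gets a pre-login id
            if sid not in SESSIONS:
                sid = secrets.token_hex(8)
                SESSIONS[sid] = None
            self._reply(200, b"login form", sid)
        elif self.path == "/admin":  # role-restricted resource
            user = SESSIONS.get(sid)
            status = 401 if user is None else 403 if ROLES[user] != "admin" else 200
            self._reply(status, b"admin")
        else:
            self._reply(404, b"")
    def do_POST(self):
        form = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))) or b"{}")
        sid = self._session()
        if self.path == "/user/login" and USERS.get(form.get("username")) == form.get("password"):
            if self.rotate_on_login or sid not in SESSIONS:
                SESSIONS.pop(sid, None)  # drop the pre-login id and issue a fresh one
                sid = secrets.token_hex(8)
            SESSIONS[sid] = form["username"]
            self._reply(200, b"welcome", sid)
        else:
            self._reply(401, b"bad credentials")

def start_app(rotate_on_login=True):
    ToyApp.rotate_on_login = rotate_on_login
    server = HTTPServer(("127.0.0.1", 0), ToyApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

class Browser:  # navigation logic lives here, not in the tests, as the slides recommend
    def __init__(self, port):
        self.conn = http.client.HTTPConnection("127.0.0.1", port)
        self.session_id = None
    def request(self, method, path, body=None):
        headers = {"Cookie": f"JSESSIONID={self.session_id}"} if self.session_id else {}
        self.conn.request(method, path, body=body, headers=headers)
        resp = self.conn.getresponse()
        resp.read()
        if resp.getheader("Set-Cookie"):
            self.session_id = SimpleCookie(resp.getheader("Set-Cookie"))["JSESSIONID"].value
        return resp.status
    def login(self, username, password):
        return self.request("POST", "/user/login", json.dumps({"username": username, "password": password}))

def session_id_changes_after_login(rotate_on_login=True):
    """Expected outcome: the id issued before login differs from the id after it."""
    server = start_app(rotate_on_login)
    try:
        browser = Browser(server.server_port)
        browser.request("GET", "/user/login")
        before = browser.session_id
        browser.login("bob", "password")
        return before is not None and browser.session_id != before
    finally:
        server.shutdown()

def access_control_matrix():
    """Expected outcomes for /admin: anonymous 401, plain user 403, admin 200."""
    expected = {None: 401, "bob": 403, "admin": 200}
    server = start_app()
    try:
        observed = {}
        for user in expected:
            browser = Browser(server.server_port)
            if user:
                browser.login(user, USERS[user])
            observed[user] = browser.request("GET", "/admin")
        return observed == expected
    finally:
        server.shutdown()
```

Running session_id_changes_after_login() returns True against the app as written and False with rotate_on_login=False, which is what a scanner cannot tell you: the test knows what the application is supposed to do. The access control matrix is the table-driven form of the same idea, with one expected status per (user, resource) pair.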
15. Integration with Jenkins

16. Limitations
    • Email: Not implemented yet
      • Needed for self-reg
      • Account Lockout
    • Access control not Anti-CSRF aware
    • Test Maintenance
      • Use error checking wherever possible
      • When extending try to find generic solution
        • E.g.: ISomeBehaviour

17. Traditional Security approach

18. • Self verifying requirements
    • Automated testing
    • Testing inserted into CD pipeline

19. Resources:
    • https://github.com/continuumsecurity
      • OWASP ZAP Pure Java client API
      • Resty-Burp RESTful API into Burp Suite
      • Nessus Java Client
      • SSLTest Java SSL analyser
    • Related projects:
      • Gauntlt BDD wrapper for sec tools: https://github.com/gauntlt/gauntlt (Ruby)
      • Mittn Burp Integration: https://github.com/F-Secure/mittn (Python)

20. Questions? @stephendv