
Implementing an Application Security Pipeline in Jenkins


Performing continuous security testing in a DevOps environment with short release cycles and a continuous delivery pipeline is a big challenge, and the traditional secure SDLC model fails to deliver the desired results. DevOps teams understand the build, test and deploy process: they have largely automated it in a delivery pipeline and deploy to production multiple times per day. The big challenge is how to do this securely.

This session focuses on a strategy for building an application security pipeline in Jenkins, the challenges involved and possible solutions, and how existing application security solutions (SAST, DAST, IAST, open-source library analysis) play a key role in growing the relationship between security and DevOps.

Published in: Software


  1. Implementing an Application Security Pipeline in Jenkins
     • Introduction
     • Continuous Integration
     • Application Security Pipelines
     • Approaches in Jenkins
     • Demo
  2. About me
     • Software security professional with 10+ years of experience
     • Specializes in Secure SDLC implementation: threat modeling, secure code review, penetration testing, continuous security testing
     • Secure coding trainer, security QA testing trainer
     • Speaker at DevSecOps Singapore and Null Singapore
     • What next for me? IoT security
  3. Continuous Integration (diagram): a commit to the master branch on GitHub triggers a Jenkins build that runs Compile, Test, Publish and Deploy; open-source libraries are pulled in during the build, and the result is deployed to the dev environment.
  4. Application Security Pipeline (diagram, stages left to right):
     • Requirements
     • Design: threat modeling
     • Development: repository and SCM tools, SCA tools / IDE plugins, external repositories, common components
     • Build and Deploy: security test automation
     • Staging: VS/PT/IAST, components monitoring
     • Production: monitoring
  5. What do we need?
     • People: training, roles
     • Process: compliance, certifications
     • Technology: security tools, dev tools
  6. Education
     • Traditional training
     • Shorter training duration
     • Modular
     • Hands-on
     • Challenges
     • Scoring
  7. Software-security-centric processes, standards and approaches
     • Rugged Software: “Rugged” describes software development organizations which have a culture of rapidly evolving their ability to create available, survivable, defensible, secure, and resilient software.
     • BSIMM: The Building Security In Maturity Model (BSIMM, pronounced “bee simm”) is a study of existing software security initiatives. By quantifying the practices of many different organizations, we can describe the common ground shared by many as well as the variation that makes each unique.
     • OWASP SAMM:
       – Evaluate an organization’s existing software security practices
       – Build a balanced software security assurance program in well-defined iterations
       – Demonstrate concrete improvements to a security assurance program
       – Define and measure security-related activities throughout an organization
  8. Choose the right tools
     • IDE plugins
     • SAST / dependency check: CI/CD support, scalability, scan time, incremental reports, false positives, custom rule sets, language support, plugins
     • DAST: API calls, scalability, scan policies, plugins
     • Security unit test cases
     • IAST: fewer false positives, monitors traffic, runs alongside QA testing, immediate feedback
     • Threat modelling
     • Secure coding training
  9. Jenkins Application Security Pipeline
     • Configuration as code
     • Jenkins plugins
  10. Plugins
     • GitHub
     • Delivery Pipeline
     • Build Pipeline
     • OWASP Dependency-Check Plugin
     • HP Fortify Jenkins Plugin
     • OWASP ZAP Plugin
     • Sonatype CLM for CI plugin
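The slides list the plugins and the tool categories but do not show a pipeline definition. The following declarative Jenkinsfile is an added example, not code from the original deck or its author: it expresses the "configuration as code" approach of slide 9 by chaining the CI stages of slide 3 with the dependency check, SAST and DAST gates of slides 8 and 10. Everything environment-specific is an assumption: a Maven project that builds a runnable jar, a Dependency-Check tool installation named `dependency-check`, Fortify SCA's `sourceanalyzer` on the agent PATH, Docker on the agent for the ZAP baseline scan, a hypothetical `deploy.sh`, the `dev-team@example.com` address, and a multibranch job (needed for `when { branch 'master' }`). The Sonatype CLM and Delivery/Build Pipeline plugins from the slide are not used here.

```groovy
// Added example, not from the original slides: one declarative Jenkinsfile that
// chains the CI stages of slide 3 with the security tools of slides 8 and 10.
// Assumptions (hypothetical, adjust to your environment):
//  - a Maven project that builds a runnable jar under target/;
//  - the OWASP Dependency-Check plugin with a tool installation named
//    'dependency-check' in Global Tool Configuration;
//  - Fortify SCA's sourceanalyzer on the agent PATH (RUN_SAST=false skips it);
//  - Docker on the agent, to run the ZAP baseline scan against the app;
//  - a deploy.sh script that takes the target environment as its argument.
pipeline {
    agent any

    options {
        timestamps()
        // Fast feedback: a hung scanner aborts the build instead of blocking the queue.
        timeout(time: 45, unit: 'MINUTES')
    }

    parameters {
        // Full SAST scans are slow; let a nightly job run them and commits skip them.
        booleanParam(name: 'RUN_SAST', defaultValue: true, description: 'Run Fortify SCA')
    }

    environment {
        APP_URL = 'http://localhost:8080'
    }

    stages {
        stage('Compile and unit test') {
            steps {
                sh 'mvn -B -q clean verify'
                // Copy third-party jars to target/dependency for the scanners below.
                sh 'mvn -B -q dependency:copy-dependencies'
            }
        }

        stage('Dependency check') {
            steps {
                // Open-source library analysis. --failOnCVSS 7 makes the scan exit
                // non-zero (and so fail the stage) on any dependency with a known
                // vulnerability scoring 7.0 or higher; lower scores are reported only.
                dependencyCheck additionalArguments: '--scan . --format XML --format HTML --failOnCVSS 7',
                                odcInstallation: 'dependency-check'
            }
            post {
                always {
                    // Publish the report even when the gate failed, so the
                    // developer sees what tripped it.
                    dependencyCheckPublisher pattern: '**/dependency-check-report.xml'
                    archiveArtifacts artifacts: '**/dependency-check-report.html', allowEmptyArchive: true
                }
            }
        }

        stage('SAST') {
            when { expression { return params.RUN_SAST } }
            steps {
                // Fortify SCA: translate the sources into a build session named after
                // the build, then scan it. BUILD_TAG has no slashes, unlike JOB_NAME.
                sh '''
                  sourceanalyzer -b "$BUILD_TAG" -clean
                  sourceanalyzer -b "$BUILD_TAG" -cp "target/dependency/*" "src/main/java/**/*.java"
                  sourceanalyzer -b "$BUILD_TAG" -scan -f results.fpr
                '''
                archiveArtifacts artifacts: 'results.fpr'
            }
        }

        stage('DAST') {
            steps {
                // Start the artifact that was just built, wait for it to answer, and
                // run ZAP's baseline scan against it. -I: WARN-level alerts are
                // reported but do not fail the build; FAIL-level alerts do.
                sh '''
                  java -jar target/*.jar > app.log 2>&1 &
                  echo $! > app.pid
                  for i in $(seq 1 30); do curl -sf "$APP_URL" > /dev/null && break; sleep 2; done
                  docker run --rm --network host -v "$PWD":/zap/wrk:rw \\
                    owasp/zap2docker-stable zap-baseline.py -t "$APP_URL" -I -r zap-report.html
                '''
            }
            post {
                always {
                    sh 'kill "$(cat app.pid)" 2>/dev/null || true'
                    archiveArtifacts artifacts: 'zap-report.html', allowEmptyArchive: true
                }
            }
        }

        stage('Deploy to staging') {
            when { branch 'master' }
            steps {
                // Only reached when every gate above passed.
                sh './deploy.sh staging'
            }
        }
    }

    post {
        failure {
            // Close the feedback loop: tell the committers which build failed and where.
            mail to: 'dev-team@example.com',
                 subject: "Security gate failed: ${env.JOB_NAME} #${env.BUILD_NUMBER}",
                 body: "See ${env.BUILD_URL}"
        }
    }
}
```

Two design choices matter more than the tool names. First, each gate has a numeric threshold (CVSS 7 for dependencies, FAIL-level alerts for ZAP) rather than "any finding fails the build"; a pipeline that fails on every low-severity item is switched off within a week. Second, reports are archived in `post { always }` blocks, so a failed gate still leaves the developer with the evidence needed to fix it rather than just a red build.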
  11. Feedback loop (chart; only the axis ticks 0, 5, 10 survived extraction)
  12. References
     • Jenkins Continuous Integration Cookbook, Alan Mark Berg
     • https://www.ruggedsoftware.org
     • https://www.bsimm.com
     • https://www.owasp.org/index.php/OWASP_SAMM_Project
     • http://www.opensamm.org/
     • https://wiki.jenkins-ci.org/display/JENKINS/Delivery+Pipeline+Plugin
     • https://wiki.jenkins-ci.org/display/JENKINS/Build+Pipeline+Plugin
     • https://wiki.jenkins-ci.org/display/JENKINS/Zapper+Plugin
  13. Thank you. http://www.sumansourav.com
