
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD


At the Synopsys Security Event - Israel, Ofer Maor, Director of Solutions Management, reviews how to make application security testing work in a CI/CD environment. For more information, please visit us at www.synopsys.com/software

  1. Making AppSec Testing Work in CI/CD!
     © 2017 Synopsys, Inc.
     Ofer Maor, Director, Solutions Management
     @OferMaor | linkedin.com/in/ofermaor | Ofer @ synopsys.com
  2. Speaker
     • Solutions Mgmt @ Synopsys
     • Over 20 years in cyber security
     • Hacker at heart
     • Longtime OWASPer
     • Pioneer of IAST
     • DevSecOps/DevOpsSec fan!
     • Avid photographer
     (Photo: Marina Bay Gardens, Singapore, February 2018)
  3. CI/CD, DevOps, DevSecOps—WHAT?!
  4. CD extreme
     • Multiple production updates per day
     • Multiple CI streams
     • A/B UAT
     • Parallel testing and deployment
     • No place for outsiders
     Source: Wikipedia
  5. CI/CD AST Needs
     • Speed
     • Integration
     • Ease of use
     • Relevance (accuracy)
     • Actionability
  6. The *AST landscape
  7. SAST – Static Application Security Testing (AKA: Static Code Analysis for Security)
     • Analyzes code to identify vulnerabilities
     • Most prevalent AST solution today
     • Challenges
       – Potential FPs
       – May require tuning and configuration
       – Hard to use for security professionals
     • Offered in various flavors:
       – Analysis of (uncompiled) source code
       – Analysis of code & build
       – Analysis of binary code
       – Managed Service / Tool / IDE Plugin
     [Diagram: control-flow graph of a small code sample (a = malloc(10); b = 10; cond1; cond2; *a = b; free(a)) whose paths a static analyzer explores]
  8. SAST – Static Application Security Testing (AKA: Static Code Analysis for Security)
     • Speed: Instant to Hours (by flavor)
     • Integration: IDE, Build, Binary
     • Ease of Use: Varies. Can be complex
     • Relevance: Can be overwhelming
     • Actionability: Right on. Points to line of code
  9. SAST Flavors
     • IDE “Spellchecker”: Lightweight, Instant
     • In-IDE Incremental: Pre-checkin, Minutes
     • Integration/Build: CI, Minutes to Hours
     • Binary Analysis: Post Build, Hours
     • Managed Service: External, Days
  10. DAST – Dynamic Application Security Testing (AKA: Web Application Scanner (Black Box))
     • Sends HTTP tests to test the running application
     • Longest used AST technology
     • Challenges
       – Accuracy of results
       – Not suited for dev – no code guidance
       – Performance (long testing times)
     • Offered in various delivery forms:
       – On Premise
       – Cloud
       – Managed Services
       – Included in Professional Services
     [Diagram: black-box view: tests sent into the application with no visibility of its internals]
  11. DAST – Dynamic Application Security Testing (AKA: Web Application Scanner (Black Box))
     • Speed: Hours to Days
     • Integration: Not really…
     • Ease of Use: Requires some security skills
     • Relevance: Focus on front end (but some FPs)
     • Actionability: Difficult
  12. IAST – Interactive Application Security Testing (AKA: Runtime Code Analysis)
     • Runtime code analysis through instrumentation
     • Youngest AST technology
     • Challenges
       – Deployment of agents on tested servers
       – Requires integration into dev/devops environments
       – Coverage influenced by what’s executed
     • Comes with various “interpretations”
       – Inline/Passive IAST (based on existing traffic)
       – Active IAST (including HTTP inducer)
       – DAST add-on only
       – RASP add-on
     [Diagram: IAST instrumenting the application: Front End ↔ HTTP/s ↔ Back End (WS, data) ↔ SQL/ODBC ↔ Database]
  13. IAST – Interactive Application Security Testing (AKA: Runtime Code Analysis)
     • Speed: Instant to Hours (by flavor)
     • Integration: Test automation
     • Ease of Use: Easy (once deployed)
     • Relevance: Very relevant. Actual executed LoC
     • Actionability: Right on. Points to line of code
  14. IAST Flavors
     • Inline/Passive: Lightweight, Instant. Integrates with existing tests
     • Active: Minutes (incremental) – Hours. Requires dedicated testing
  15. SCA – Software Composition Analysis (AKA: Open Source Library Scanning)
     • Searches known open source (and closed source) components in applications
     • Rapidly growing testing segment
     • Challenges
       – Additional technology on top of other *AST
       – Very broad scope
     • Offered in different flavors
       – Binary analysis for supply chain and 3rd parties
       – Source analysis for home-grown security and licensing
       – On-premise / Cloud options
  16. SCA – Software Composition Analysis (AKA: Open Source Library Scanning)
     • Speed: Minutes to Hours
     • Integration: IDE, Build, Binary
     • Ease of Use: Fairly easy
     • Relevance: Hard to determine actual impact
     • Actionability: Not always straightforward
  17. The Right Mix – How to Make it Work!
  18. Key Principles
     • If you can’t beat them, join them!
     • Automation, automation, automation
     • Alt-Ctrl, Shift-Left (but not just…)
     • Multiple technologies, multiple flavors, multiple times!
     • Parallel processes at parallel speeds
     • You’re going to have to live with some risk
  19. Making it All Work!
     • Use instant/passive solutions as much as possible
       – In-IDE “spell-checker” static analysis
       – Inline IAST
     • Define practical policies for hard and soft gates
       – Hard gates: stop the process
       – Soft gates: put in motion a correction process
     • Use layers of testing at different stages
  20. [Diagram: layers of testing at different stages: IDE “spell-checker”, Incremental IDE SAST, Inline IAST, In-IDE SCA; Verification: DAST, Active IAST, Full scan SAST, Full scan SCA; RASP/WAF]
  21. Fast vs. Slow
     • Rely heavily on integrated/fast technologies
     • Key criteria: “does not get in the way”
     • Define practical blocking criteria: be realistic
     • All the rest: in the backlog
  22. Accept A/B testing
     • Gradual A/B testing is replacing test environments
     • Manage A/B testing exposure as part of risk management
     • Use it! A/B testing gives you the best test environment
     • Create the right “Retro” gates by risk
       – High: block propagation and roll back
       – Medium: block propagation until fix is delivered (but don’t roll back)
       – Low: continue propagation but with a fix following right up
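The hard/soft CI gates from slide 19 and the risk-based "retro" gates from slide 22, as an added policy sketch in Python (not from the deck or from Synopsys; the tool tags, the three-level severity scale and the hard-gate thresholds are assumptions):

```python
from dataclasses import dataclass

SEVERITY_ORDER = ("low", "medium", "high")  # assumed scale, lowest first


@dataclass(frozen=True)
class Finding:
    tool: str       # constructed tool tags, e.g. "inline-iast", "dast"
    severity: str   # one of SEVERITY_ORDER


# Hard gate (slide 19): only fast, integrated tools ("does not get in the way")
# may stop the pipeline, and only at high severity. Both sets are assumptions.
HARD_GATE_TOOLS = frozenset({"ide-sast", "inline-iast", "in-ide-sca"})
HARD_GATE_MIN_SEVERITY = "high"

# Retro gate (slide 22): action chosen by risk once a release propagates via A/B.
RETRO_ACTIONS = {
    "high": "block_and_rollback",    # block propagation and roll back
    "medium": "block_until_fixed",   # block propagation, keep what is live
    "low": "continue_with_fix",      # keep propagating, fix follows right up
}


def _rank(severity):
    if severity not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity: {severity!r}")
    return SEVERITY_ORDER.index(severity)


def ci_gate(findings):
    """Return ("block", blockers) if a hard gate fires, else ("continue", backlog)."""
    blockers = [f for f in findings
                if f.tool in HARD_GATE_TOOLS
                and _rank(f.severity) >= _rank(HARD_GATE_MIN_SEVERITY)]
    if blockers:
        return "block", blockers
    # Soft gate: nothing stops the build; every finding becomes a correction task.
    return "continue", list(findings)


def retro_gate(findings):
    """Pick the retro action for the worst finding seen during A/B propagation."""
    if not findings:
        return "continue"
    worst = max(findings, key=lambda f: _rank(f.severity))
    return RETRO_ACTIONS[worst.severity]


if __name__ == "__main__":
    # Constructed sample findings from the fast (commit) and slow (A/B) tracks.
    commit_stage = [Finding("ide-sast", "medium"), Finding("inline-iast", "high")]
    ab_stage = [Finding("dast", "low"), Finding("active-iast", "medium")]
    print(ci_gate(commit_stage)[0])   # block
    print(retro_gate(ab_stage))       # block_until_fixed
```

A slow-track tool (DAST, full-scan SAST) never blocks the commit-stage gate here; its findings land in the backlog and are only acted on by the retro gate, which is the fast-versus-slow split the deck argues for.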
  23. Summary
     • Software security testing is complex, even more so in CI/CD
     • Unfortunately, there’s no “one ring to rule them all”
     • You have to build your *AST workflow and pipeline
       – Work closely with R&D and DevOps
       – Use multiple tools and multiple technologies
       – Work in parallel tracks at parallel speeds
       – Manage your risk!
  24. Thank you! Questions?
     @OferMaor | linkedin.com/in/ofermaor | Ofer @ synopsys.com
     (Photo: Water Mill, Napa Valley, May 2018)
