The document discusses the integration of security practices within DevOps, emphasizing the need for continuous security testing in agile development environments. It highlights the limitations of traditional penetration testing and promotes automated security measures using tools like OWASP ZAP within CI/CD pipelines. The session covers various strategies for implementing automated security testing, including the use of custom scripts and active scanning techniques to enhance application security.

1. Merging Security and DevOps - A
Tactical and Practical View
Abhay Bhargav - CTO, we45

2. abhaybhargav abhaybhargavwe45
Yours Truly
• Co-author of Secure Java For Web Application
Development
• Author of PCI Compliance: A Definitive Guide
• Speaker at OWASP Conferences worldwide
• Avid Pythonista and AppSec Automation
Junkie
• Specialization in Web Application Security and
Security Testing
• Lead Trainer - DevSecOps Workshop

3. abhaybhargav abhaybhargavwe45
Today's Session
• Setting the Context for AppSec and DevOps
• Approaches to Automating OWASP ZAP for DevOps Goodness
• Conclusions

4. A Gentle Introduction to DevOps
• What is DevOps?
• Where does Security fit in?

5. What is DevOps?
• Key Objective - Harmonize IT Operations by
working with Developers and Ops
seamlessly
• Rely on processes and automation to
achieve higher throughput - Continuous
Delivery

6. Without DevOps
Requirements Design Develop Test Deploy

7. With DevOps (hopefully…)
Requirements Design Develop Test Deploy

8. Continuous Delivery Pipeline
Developer Orchestration engine
Coding -
Modify and commit
Git:
Checkout for build
Jenkins:
Continuous
Integration
Docker:
Publish to
repo
success
Docker:
Deploy to
QA
Selenium:
Run tests
QA
success
Docker:
Deploy to
Prod

9. But….
Requirements Design Develop Test Deploy

10. Let’s do a security test
just before we go live….
The line that has ruined
Application Security for all of us.

11. In Short….

12. abhaybhargav abhaybhargavwe45
Why?
• Penetration Testing - Annual/Bi-annual/Quarterly
- Does not quite catch up with Application changes
• Manual Penetration Testing does not scale
• You never seem to fix security issues
• Vulnerability Scanners only find 30% of the actual
security issues with your application
• Static Code Analysis finds only 40% of the actual
vulnerabilities in your application

13. abhaybhargav abhaybhargavwe45
In Short….

14. abhaybhargav abhaybhargavwe45
We need to
continuously
test for security?

15. abhaybhargav abhaybhargavwe45

16. abhaybhargav abhaybhargavwe45
The Need of the Hour….
To Find and Fix
Security Bugs early
and often
Security to
integrate with your
Agile Development
Security to seamlessly
work with your
Continuous Delivery
Pipeline

17. abhaybhargav abhaybhargavwe45
CI/CD Pipeline
Trigger ARA
Trigger manual code review
Email notifications
Configuration review
Trigger threat modelling
Run SAST tools
Automatic security testing
Gather metrics
Break the build
Compile and build code
SCA
Risk based security testing
Gather metrics
Break the build
Comprehensive SAST
Pre-commit checks
Commit-time checks
Build-time checks

18. abhaybhargav abhaybhargavwe45
CI/CD Pipeline
DAST/AST
Malicious code detection
Gather metrics
Break the build
Broader SAST
Pre-deployment checks
Post-deployment checks
Test-time checks
Commit-time checks
Continuous management
Provisioning runtime environment
Security scanning
Vulnerability scanning
Bug bounty program
Threat intelligence

19. abhaybhargav abhaybhargavwe45
Security in DevOps
Plan
Code
Build
Test
Release
Deploy
Operate
Monitor
Threat
modeling
SAST
Security - Composition
DAST
IAST
Security in
IaC
Security monitoring
& attack detection

20. Our Approach Today
• A View of DAST in the Pipeline
• Tool of Choice: OWASP ZAP
• with:
• Jenkins
• Customized Python Scripts
• ElasticSearch/Redis
• Objective: Explore Automated DAST Testing
Approaches with OWASP ZAP and its Python
API

21. Why OWASP ZAP?
• Free and Open Source Web Application
Vulnerability Scanner
• Feature-Rich, well supported, with several
contributors
• Community Support - Plugins, Add-ons, etc.
• Documentation - Better than most scanners
out there
• Great API and Scriptable Scanner

22. Security in DevOps
Plan
Code
Build
Test
Release
Deploy
Operate
Monitor
Threat
modeling
SAST
Security - Composition
DAST
IAST
Security in
IaC
Security monitoring
& attack detection

23. Introduction to the OWASP ZAP API
• OWASP ZAP - Automation
• Concept Overview
• Useful Concepts and API

24. Concept Overview - OWASP ZAP
• Context
• Session
• Active Scan
• Passive Scan
• Scan Policy
• Alert

25. Running Authenticated Scans in OWASP ZAP
• Approaches:
• Selenium-driven Scan Process
• Leveraging canned ZAP Sessions
• Zest Scripting

26. Selenium-Authenticated Scan
Run Selenium and ZAP in Headless Mode
Leverage Functional Scripts
Beats Spidering the app! :)

27. ZAP Session-Authenticated Scan
Programmatically invoked with ZAP API
Maintains state with Sessions/Tokens, etc

28. ZestScript Authenticated Scan
Programmatically invoked with ZAP API
Easily Customizable

29. DEMO: Authenticated ZAP Scan
Demo Gods! Please let this work!!

30. ZAP in the Continuous Delivery Pipeline

31. abhaybhargav abhaybhargav
Cool!
Solves the problem right??

32. abhaybhargav abhaybhargav

33. abhaybhargav abhaybhargav
What about??
AUTHORIZATION FLAWS
BUSINESS LOGIC FLAWS
COMPLEX INJECTION FLAWS
AUTHENTICATION FLAWS
DOM-BASED FLAWS

34. abhaybhargav abhaybhargav
Custom Scripting Framework
• Great Results from:
• External Pentests
• Bug Bounties
• Internal Pentests and Reviews
• Created as Custom Scripts
• Loaded and run as part of the pipeline

35. OWASP ZAP - Scripting Framework
• Python (Jython)
• Ruby
• Oracle Nashorn ECMAScript
• Zest Scripts

36. OWASP ZAP - Scripting Framework
• Active Rules => Scripts invoked during Active Scan
• Authentication Scripts => Scripts invoked to facilitate
authentication for a Context
• Fuzzer Processors => Scripts invoked after Fuzzers are run
with ZAP
• HTTPSender => Scripts invoked against every request/
response received by ZAP
• Proxy => Runs inline and acts on all requests and responses
• Targeted Rules => Invoked on specific urls or on manual
start only
• Standalone => Invoked manually
• Passive Rules => Passive Scanning Rules

37. DEMO: Custom ZAP Script
Demo Gods! Please let this work!!