
Tools to create a secure pipeline


What are the families of tools used to secure your application? Where are they placed in the SDLC process? What tools are available in the Java ecosystem? We will try to answer these questions through some basic explanation and a few live workshops!

Please note that this was a workshop and these are only the guiding slides: for detailed information about the session please visit https://bbossola.wordpress..

Published in: Software


  1. Tools to create a secure build pipeline. Bruno Bossola
  2. @bbossola. About me
     ● Developer 1988+
     ● XP coach 2000+
     ● Co-founder Jug Torino
  3. Agenda
     ● Why do we need a security pipeline?
     ● Security tools: SAST, DAST, RASP, IAST
     ● Workshops: a closer look at the tools
     ● Q&A
  4. Why should we build a security pipeline?
  5. Fixing problems early
     ● a security problem is a bug
     ● the later we fix a bug, the more costly it is
     ● the cost of a bug found in production is 30 times more expensive!
     ● Recalling cars anyone?
     Minimizing Code Defects to Improve Software Quality and Lower Development Costs. IBM, 2008
  6. Isn't this just an insurance policy?
     ● Well, in a sense. What about... yup, sometimes it is more expensive than 30 times!
  7. If cars were built like applications...
     “Cars would have no airbags, mirrors, seat belts, doors, roll-bars, side-impact bars, or locks, because no-one had asked for them. But they would all have at least six cup holders.”
     The OWASP foundation - “Integration into the SDLC”
  8. If cars were built like applications...
     “Many safety features originally included might be removed before the car was completed, because they might adversely impact performance.”
     The OWASP foundation - “Integration into the SDLC”
  9. If cars were built like applications...
     “A MOT inspection would consist of counting the wheels and making recommendations on wheel quantity.”
     The OWASP foundation - “Integration into the SDLC”
  10. The SDLC process: Requirements, Design, Coding, Testing, Evaluation, LIVE, Planning
  11. Security tools
  12. The families of security tools, mapped onto the SDLC stages (Requirements, Design, Coding, Testing, Evaluation, LIVE, Planning): SAST, IAST, DAST, RASP. Security, please!
  13. SAST tools
     ● Static Application Security Testing
     ● Tools that statically analyse the code base to find security flaws
     ● Either source code or compiled code
     ● Three families:
       – Static Code Analysis
       – Static Dependency Analysis (or Static Component Analysis)
       – Sensitive Information Scanners
  14. SAST sub-families
     ● Static Code Analysis
       – Analysis of the sources or the binaries
  15. SAST sub-families
     ● Static Code Analysis
       – Analysis of the sources or the binaries
     ● Static Dependency Analysis (or Static Component Analysis)
       – 20% of the code is your code
       – 80% of the code comes from external libraries
       ● better check it, yeah?
     WARNING!!! SHAMELESS PLUG HERE!
  16. SAST sub-families
     ● Static Code Analysis
       – Analysis of the sources or the binaries
     ● Static Dependency Analysis (or Static Component Analysis)
       – 20% of the code is your code
       – 80% of the code comes from external libraries
     ● Sensitive Information Scanners
       – Any AWS key committed in your repo?
       – What about the commit comments?
  17. DAST tools
     ● Dynamic Application Security Testing
     ● Testing an application in an operating state
       – uses fault injection techniques
       – automated black box testing
     ● Interacts with exposed interfaces
       – HTML
       – APIs
       – Other specific protocols
  18. RASP tools
     ● Run-time Application Self-Protection
     ● an agent is embedded into the application
       – usually “melted” in through code instrumentation
     ● it analyses the application behaviour
     ● a RASP can:
       – shut down a user session
       – stop executing the application
       – deploy code fixes at runtime
       – provide detailed reports and runtime monitoring
  19. IAST tools
     ● Interactive Application Security Testing
     ● Like RASP, they embed an agent in the application
     ● However, they are not used in production
     ● It's a testing tool, not a security tool
  20. Anything else?
     ● WAF – Web Application Firewalls
       – a perimeter control solution
       – basically a reverse proxy
       – applies a set of rules to an HTTP conversation
       – covers common attacks such as cross-site scripting (XSS) and SQL injection
  21. Commercial options
  22. Workshop time!
     ● Get your computer
     ● Make sure your internet connection works :)
  23. A closer look at SAST tools
     ● Static Code Analysis
       – PMD
       – Spotbugs
       – Errorprone
  24. A closer look at SAST tools
     ● Static Dependency Analysis (or Static Component Analysis)
       – dependency-check
       – meterian
     WARNING!!! SHAMELESS PLUG HERE!
  25. A closer look at SAST tools
     ● Sensitive Information Scanners
       – gitleaks
       – trufflehog
     ● Mentioned:
       – git-secrets
       – gitrob
  26. A closer look at a RASP tool
     ● An open source RASP tool
       – OpenRASP
  27. Q&A
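Slides 15 and 24 make the case for static dependency analysis: most of the shipped code comes from external libraries, so the build should check them against known advisories. The following Python example is added here and is not from the talk, dependency-check or meterian; it reads a constructed pom.xml fragment, compares each dependency's version numerically against a constructed advisory list (placeholder ids, not real advisories) and returns the exit code a pipeline gate would use.

```python
import xml.etree.ElementTree as ET

# Constructed pom.xml fragment for the demo (not from the talk).
POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.example</groupId><artifactId>json-util</artifactId><version>2.3.1</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId><artifactId>http-client</artifactId><version>4.10.0</version>
    </dependency>
  </dependencies>
</project>"""

# Constructed advisory feed: (group, artifact, first affected, first fixed, id).
# A real tool pulls this from a vulnerability database; these ids are placeholders.
ADVISORIES = [
    ("org.example", "json-util", "2.0.0", "2.3.2", "ADVISORY-PLACEHOLDER-1"),
    ("org.example", "http-client", "4.0.0", "4.9.0", "ADVISORY-PLACEHOLDER-2"),
]
NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def version_key(version: str) -> tuple:
    """Numeric tuple so that 4.10.0 > 4.9.0, which string comparison gets wrong.
    Simplification: non-numeric parts such as 0-SNAPSHOT count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def dependencies(pom_text: str) -> list:
    """Return (groupId, artifactId, version) for every declared dependency."""
    root = ET.fromstring(pom_text)
    return [tuple(dep.find(f"m:{tag}", NS).text.strip()
                  for tag in ("groupId", "artifactId", "version"))
            for dep in root.findall(".//m:dependency", NS)]


def vulnerable_dependencies(pom_text: str) -> list:
    """Flag a dependency when first_affected <= version < first_fixed."""
    hits = []
    for group, artifact, version in dependencies(pom_text):
        for g, a, affected, fixed, adv_id in ADVISORIES:
            in_range = version_key(affected) <= version_key(version) < version_key(fixed)
            if (g, a) == (group, artifact) and in_range:
                hits.append((f"{group}:{artifact}:{version}", adv_id, fixed))
    return hits


def build_exit_code(pom_text: str) -> int:
    """Non-zero fails the build: the gate a dependency scanner adds to a pipeline."""
    return 1 if vulnerable_dependencies(pom_text) else 0
```

http-client 4.10.0 is deliberately above its fixed version 4.9.0: a scanner that compared version strings lexically would wrongly flag it.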

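Slides 16 and 25 ask whether an AWS key or another secret has ever been committed, in the code or in a commit message. As an added example (not code from the talk, gitleaks or trufflehog), here is a minimal sensitive-information scanner in Python: it walks a constructed `git log -p`-style dump, applies a fixed-shape rule for AWS access key ids and a keyword-plus-entropy rule for other secrets, and masks what it reports. The sample values are AWS's published example credentials, not live keys, and the entropy threshold is a tuning assumption.

```python
import math
import re
from collections import Counter

# Constructed `git log -p`-style dump: the commit message and the diff both leak
# AWS credentials. Values are AWS's documented example credentials, not real keys.
SAMPLE_GIT_LOG = """\
commit 1a2b3c
Author: dev <dev@example.test>

    Fix S3 upload, use key AKIAIOSFODNN7EXAMPLE for now

diff --git a/src/main/resources/app.properties b/src/main/resources/app.properties
+aws.accessKeyId=AKIAIOSFODNN7EXAMPLE
+aws.secretKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+app.name=orders-service
"""

# Rule 1: AWS access key ids have a fixed, well-known shape.
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Rule 2: a secret-looking property name followed by a long opaque value; the
# value is reported only if it is high-entropy, so "changeme" style values are skipped.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)(secret|token|password|passwd|api[_-]?key)[a-z_.-]*\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=_-]{20,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; a tuning assumption, not a standard


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random-looking secrets score high."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def mask(value: str) -> str:
    """Never echo the whole secret in a report; keep a prefix for triage."""
    return value[:4] + "*" * (len(value) - 4)


def scan_git_log(text: str) -> list:
    """Scan commit messages and diff lines alike: both end up on the remote."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append({"line": line_no, "rule": "aws-access-key-id", "value": mask(m.group(0))})
        for m in SECRET_ASSIGNMENT.finditer(line):
            if shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
                findings.append({"line": line_no, "rule": "high-entropy-secret", "value": mask(m.group(2))})
    return findings
```

Running `scan_git_log(SAMPLE_GIT_LOG)` flags the commit message (line 4) as well as the two property lines in the diff, which is the point of slide 16's question about commit comments.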