Developing a delivery pipeline means more than just adding automated deploys to the development cycle. To be successful, quality testing of all types must be incorporated throughout the process in order to be sure that problems aren’t slipping through. Those checks must include security, or else you risk quickly and efficiently developing insecure software. Fortunately, the delivery pipeline opens up opportunities to add more security testing to the delivery process.
Continuous integration builds can add static analysis tools to test for simple security errors and to check whether components with known vulnerabilities are being used. Automated deploys open the door to automated application scans and to scans of the entire system as it will be configured in production. I will introduce several types of open-source and free security testing tools that can be quickly (and, if needed, quietly) added to a delivery pipeline, without waiting for or spending money on expensive security tools. That reduces the initial investment in both time and money, and may remove some of the barriers to adding security testing to the process.
This session is aimed at people who are trying to build more security into their continuous delivery pipeline. I’ll walk through lessons learned building Continuous Delivery pipelines in different environments and experiences using specific open-source tools to supplement our security testing even when security wasn’t technically our responsibility.
5. @CoverosGene #STPCon
Information Security
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
The key concepts of information security include:
• Confidentiality
• Integrity
• Availability
• + Authenticity
• + Non-Repudiation
6. Security Testing
Often put off until late or ignored completely.
Fix security issues and delay the release? Or release on time and accept the security risks?
7. Return on Investment
“Security is not an investment that provides a return, like a new factory or a financial instrument. It's an expense that, hopefully, pays for itself in cost savings. Security is about loss prevention, not about earnings. The term just doesn't make sense in this context.”
-- Bruce Schneier, Schneier on Security
https://www.schneier.com/blog/archives/2008/09/security_roi_1.html
9. Security Testing Process
1. Use tools to help detect the obvious security problems
2. Remediate
3. Search for less obvious security problems
4. Repeat
[Diagram: a cycle of better security process → fewer obvious security issues → better security → time to find less obvious security issues]
10. Security Tools
“If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.”
-- Bruce Schneier, Secrets & Lies
11. Incorporate Security Testing
Do just enough of each type of testing early in the pipeline to determine if further testing is justified.
13. It is easier to protect less
mvn dependency:tree        # show the full transitive dependency tree the build actually resolves
mvn dependency:analyze     # report used-but-undeclared and declared-but-unused dependencies
mvn com.ning.maven.plugins:maven-dependency-versions-check-plugin   # check the resolved dependency versions for conflicts
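One way to turn `mvn dependency:analyze` from a report into a pipeline gate, as an added example that is not part of the original slides and is not Maven's own tooling: the script below parses the analyze goal's console output for its "Used undeclared dependencies found:" and "Unused declared dependencies found:" sections and fails the stage when either is non-empty. The build log is a constructed sample embedded in the script, and the function names `list_section` and `dependency_gate` and the sample coordinates are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the slides): a pipeline gate built around the console
# output of `mvn dependency:analyze`. Assumption: the goal reports findings under
# "[WARNING] Used undeclared dependencies found:" and
# "[WARNING] Unused declared dependencies found:" headers, each followed by
# indented "[WARNING]   groupId:artifactId:type:version:scope" lines.

# Constructed sample build log, standing in for `mvn dependency:analyze | tee build.log`.
SAMPLE_LOG='[INFO] Scanning for projects...
[WARNING] Used undeclared dependencies found:
[WARNING]    org.apache.commons:commons-lang3:jar:3.12.0:compile
[WARNING] Unused declared dependencies found:
[WARNING]    com.google.guava:guava:jar:31.1-jre:compile
[WARNING]    junit:junit:jar:4.12:test
[INFO] BUILD SUCCESS'

# Print the coordinates listed under the section whose header contains $1
# ("Used undeclared" or "Unused declared"); the build log is read from stdin.
list_section() {
  awk -v header="$1" '
    /^\[WARNING\] .*dependencies found:/ { in_section = (index($0, header) > 0); next }
    in_section && /^\[WARNING\] +[^ ]+:[^ ]+/ { print $2; next }
    { in_section = 0 }
  '
}

# Count the findings in the build log at $1 and print a one-line summary; succeed
# only when both sections are empty, so a CI stage can fail on the exit status.
dependency_gate() {
  undeclared=$(list_section "Used undeclared" < "$1" | wc -l | tr -d ' ')
  unused=$(list_section "Unused declared" < "$1" | wc -l | tr -d ' ')
  echo "used-but-undeclared: $undeclared, declared-but-unused: $unused"
  [ "$undeclared" -eq 0 ] && [ "$unused" -eq 0 ]
}

# Stand-alone run against the constructed log.
LOG_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$LOG_FILE"
if dependency_gate "$LOG_FILE"; then
  echo "dependency gate passed"
else
  echo "dependency gate failed: declare what you use and drop what you do not"
  list_section "Unused declared" < "$LOG_FILE" | sed 's/^/  unused: /'
fi
rm -f "$LOG_FILE"
```

In a real pipeline the stage would be `mvn dependency:analyze | tee build.log` followed by `dependency_gate build.log`, with the gate first run in report-only mode and switched to failing the build once the backlog of unused dependencies has been trimmed; that matches the slide's advice to watch trends before enforcing. The plugin's own `failOnWarning` parameter can enforce the same rule in one step once you are ready for hard failures.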
30. Do just enough of each type of testing early in the pipeline to determine if further testing is justified.
Find easy-to-fix problems as early as possible.
Less, cleaner code is safer. Reduce your footprint and increase your quality.
Audit yourself to avoid any late surprises. It won’t replace an official audit (at first), but it will help build confidence.
Some testing is better than no testing. Even just watching the trends of a few token tests can be valuable.
#Coveros5