Uploaded byrkadayam
PDF, PPTX6,862 views

Automating OWASP Tests in your CI/CD

This document discusses automating OWASP security tests within a continuous integration/continuous delivery (CICD) pipeline to find and fix vulnerabilities earlier. It recommends using open source tools like Gauntlt and OWASP Zap to run security scans on each build and integrate the results into the CICD process to give developers visibility into issues to address. An example using these tools and a sample vulnerable app called BodgeIt-Plus is demonstrated.

Embed presentation

Download as PDF, PPTX
Automating OWASP tests within your CICD Process © 2016 eGlobalTech. All rights reserved. Rajiv Kadayam Tech Strategy
2 I’VE GOT A FEVER AND THE ONLY PRESCRIPTION IS MORE SECURE SOFTWARE !!
3 86% of websites contain at least one serious vulnerability Make vulnerability remediation process faster and easier Visibility, Accountability and Empowerment
4 OWASP ? Make software security visible, so that individuals and organizations are able to make informed decisions https://www.owasp.org Popular Project - OWASP Top 10 security flaws
5 Source Control Release Candidate Build Automated Testing • Unit • Functional • Integration Staging / Production Web App Penetration Testing Backlog Multiple daily/weekly iterations Web App Penetration testing is conducted very late in the process Disconnected Agile Development & OWASP Testing
6 Source Control Release Candidate Build Automated Testing • Unit • Functional • Integration • Static Code Scan Staging / Production Web App Penetration Testing Backlog Static code scanning is helpful but not sufficient Disconnected Agile Development & OWASP Testing Less time to fix – Unhappy Teams
7 Source Control Release Candidate Build Automated Testing • Unit • Functional • Integration Staging / Production Web App Penetration Testing Backlog Vulnerabilities leak through into production How do we fix this ? Remediation Cost = Number of FTEs x Time Managers Agile Teams Operations Cybersecurity
8 Source Control Release Candidate Build Automated Testing • Unit • Functional • Integration Staging / Production Iterative / Agile Development Security Penetration Testing Backlog Visible and actionable details on failures and errors Build Quality Report Push to the left of the process Integrate & Automate
9 Source Control Release Candidate Build Automated Testing • Unit • Functional • Integration • Security Penetration Testing Staging / Production Backlog Build Quality Report - Test Execution Results - Security Vulnerabilities Enables developers to remediate issues faster Dev/Test Env Espial – Integrate OWASP Testing in CI/CD Gauntlt
10 Source Control Release Candidate Build Automated Testing • Unit • Functional • Integration • Security Penetration Testing Staging / Production Backlog Build Quality Report - Test Execution Results - Security Vulnerabilities  Security By Design - True DevSecOps !  Enables automated FISMA/NIST Security Compliance Dev/Test Env Espial – Integrate OWASP Testing in CI/CD Gauntlt
11 BodgeIt-Plus Store front app with some vulnerabilities • Cross Site Scripting • SQL injection Espial Demo – Sample App and Code
12 - Build and Deploy to Test env - OWASP Zap runs penetration tests - Produce vulnerability report and integrate within Jenkins Espial Demo – Continuous Integration Kicks-in
13 Espial Demo – Security Vulnerabilities Report
14 Espial Demo – Security Vulnerabilities Report Drill Down
15  Developer fixes the code  Fixed code checked-in  Continuous Integration Kicks-In Espial Demo – Remediation of SQL Injection Source Control
16 Espial Demo – SQL Injection Vulnerability Remediated
17 Based on 100% open source tools - Core Tools - Gauntlt - OWASP Zap - Supporting Tools - Jenkins (can adapt to Bamboo, TeamForge, etc) - Vagrant, Docker (Puppet/Cloud-Forms, Chef, or Ansible) Espial Demo – Tools and Technologies
18 • Clear and continuous visibility of security vulnerabilities • Eliminates risk of vulnerabilities creeping in • Save time, money and resource utilization Espial – Key Features and Benefits
19 • Implementation at federal DevOps projects • Richer integration with Jenkins2, SonarQube • Automate Issue tracking with Git, JIRA, and similar Comments / Suggestions - egtlabs@eglobaltech.com Espial – What’s Next ?
20

More Related Content

PPTX
Succeeding-Marriage-Cybersecurity-DevOps final
byrkadayam
 
PPTX
Simplify Dev with Complicated Security Tools
byKevin Fealey
 
PDF
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
byDenim Group
 
PDF
SecDevOps Risk Workflow - v0.6
byDinis Cruz
 
PPTX
DevSecOps-OWASP Indonesia Day 2017
bySuman Sourav
 
PPTX
SecDevOps: The New Black of IT
byCloudPassage
 
PDF
[DevSecOps Live] DevSecOps: Challenges and Opportunities
byMohammed A. Imran
 
PPTX
DevSecOps - It can change your life (cycle)
byQualitest
 
Succeeding-Marriage-Cybersecurity-DevOps final
byrkadayam
 
Simplify Dev with Complicated Security Tools
byKevin Fealey
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
byDenim Group
 
SecDevOps Risk Workflow - v0.6
byDinis Cruz
 
DevSecOps-OWASP Indonesia Day 2017
bySuman Sourav
 
SecDevOps: The New Black of IT
byCloudPassage
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
byMohammed A. Imran
 
DevSecOps - It can change your life (cycle)
byQualitest
 

What's hot

PPTX
we45 SecDevOps Presentation - ISACA Chennai
byAbhay Bhargav
 
PDF
we45 - SecDevOps Concept Presentation
byAbhay Bhargav
 
ODP
Making security-agile matt-tesauro
byMatt Tesauro
 
PPTX
SecDevOps 2.0 - Managing Your Robot Army
byconjur_inc
 
PPTX
Building an AppSec Pipeline: Keeping your program, and your life, sane
byweaveraaaron
 
PDF
A Secure DevOps Journey
byVeracode
 
PDF
Taking AppSec to 11 - BSides Austin 2016
byMatt Tesauro
 
PDF
DevSecOps - Building Rugged Software
bySeniorStoryteller
 
PPTX
2018 07-24 network security at the speed of dev ops - webinar
byAlgoSec
 
ODP
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
byMatt Tesauro
 
PDF
Embracing the Rise of SecDevOps
byTom Cappetta
 
PPTX
HouSecCon 2019: Offensive Security - Starting from Scratch
bySpencer Koch
 
PDF
DevSecOps Fundamentals and the Scars to Prove it.
byMatt Tesauro
 
PPTX
DevOps AppSec Pipeline Velcocity NY 2015
byAaron Weaver
 
ODP
Lessons from DevOps: Taking DevOps practices into your AppSec Life
byMatt Tesauro
 
PDF
Your Framework for Success: introduction to JavaScript Testing at Scale
bySauce Labs
 
PDF
Barriers to Container Security and How to Overcome Them
byWhiteSource
 
PPTX
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
bySuman Sourav
 
PDF
Ast in CI/CD by Ofer Maor
byDevSecCon
 
PDF
Efficient Security Development and Testing Using Dynamic and Static Code Anal...
byPerforce
 
we45 SecDevOps Presentation - ISACA Chennai
byAbhay Bhargav
 
we45 - SecDevOps Concept Presentation
byAbhay Bhargav
 
Making security-agile matt-tesauro
byMatt Tesauro
 
SecDevOps 2.0 - Managing Your Robot Army
byconjur_inc
 
Building an AppSec Pipeline: Keeping your program, and your life, sane
byweaveraaaron
 
A Secure DevOps Journey
byVeracode
 
Taking AppSec to 11 - BSides Austin 2016
byMatt Tesauro
 
DevSecOps - Building Rugged Software
bySeniorStoryteller
 
2018 07-24 network security at the speed of dev ops - webinar
byAlgoSec
 
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
byMatt Tesauro
 
Embracing the Rise of SecDevOps
byTom Cappetta
 
HouSecCon 2019: Offensive Security - Starting from Scratch
bySpencer Koch
 
DevSecOps Fundamentals and the Scars to Prove it.
byMatt Tesauro
 
DevOps AppSec Pipeline Velcocity NY 2015
byAaron Weaver
 
Lessons from DevOps: Taking DevOps practices into your AppSec Life
byMatt Tesauro
 
Your Framework for Success: introduction to JavaScript Testing at Scale
bySauce Labs
 
Barriers to Container Security and How to Overcome Them
byWhiteSource
 
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
bySuman Sourav
 
Ast in CI/CD by Ofer Maor
byDevSecCon
 
Efficient Security Development and Testing Using Dynamic and Static Code Anal...
byPerforce
 

Similar to Automating OWASP Tests in your CI/CD

PDF
[Poland] SecOps live cooking with OWASP appsec tools
byOWASP EEE
 
PDF
Create code confidence for better application security
byRogue Wave Software
 
PPTX
Cybersecurity overview - Open source compliance seminar
byRogue Wave Software
 
PPTX
How to achieve security, reliability, and productivity in less time
byRogue Wave Software
 
PPTX
[Wroclaw #5] OWASP Projects: beyond Top 10
byOWASP
 
PPTX
Continuous security: Bringing agility to the secure development lifecycle
byRogue Wave Software
 
PPTX
Perforce on Tour 2015 - Grab Testing By the Horns and Move
byPerforce
 
PPTX
The road towards better automotive cybersecurity
byRogue Wave Software
 
PDF
Including security in devops
byJérémy Matos
 
PPTX
Introduction to security testing raj
byRajakrishnan S, MCA,MBA,MA Phil,PMP,CSM,ISTQB-Test Mgr,ITIL
 
PDF
How Perceptual Analysis Helps Bug Hunters
byBishop Fox
 
PDF
DevSecOps 101
byNarudom Roongsiriwong, CISSP
 
PPTX
Bringing CD to the DoD
byGene Gotimer
 
PDF
Web Security... Level Up
byIzzet Mustafaiev
 
ODP
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
byMatt Tesauro
 
PDF
Web hackingtools 2015
byColdFusionConference
 
PDF
Web hackingtools 2015
bydevObjective
 
PPTX
Shifting the conversation from active interception to proactive neutralization
byRogue Wave Software
 
PDF
Web-Exploit-Hunting-and-Bug-Bounty-Virtual-Internship.pdf
bygarvitcs2023
 
PPTX
Securing the continuous integration
byIrene Michlin
 
[Poland] SecOps live cooking with OWASP appsec tools
byOWASP EEE
 
Create code confidence for better application security
byRogue Wave Software
 
Cybersecurity overview - Open source compliance seminar
byRogue Wave Software
 
How to achieve security, reliability, and productivity in less time
byRogue Wave Software
 
[Wroclaw #5] OWASP Projects: beyond Top 10
byOWASP
 
Continuous security: Bringing agility to the secure development lifecycle
byRogue Wave Software
 
Perforce on Tour 2015 - Grab Testing By the Horns and Move
byPerforce
 
The road towards better automotive cybersecurity
byRogue Wave Software
 
Including security in devops
byJérémy Matos
 
Introduction to security testing raj
byRajakrishnan S, MCA,MBA,MA Phil,PMP,CSM,ISTQB-Test Mgr,ITIL
 
How Perceptual Analysis Helps Bug Hunters
byBishop Fox
 
DevSecOps 101
byNarudom Roongsiriwong, CISSP
 
Bringing CD to the DoD
byGene Gotimer
 
Web Security... Level Up
byIzzet Mustafaiev
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
byMatt Tesauro
 
Web hackingtools 2015
byColdFusionConference
 
Web hackingtools 2015
bydevObjective
 
Shifting the conversation from active interception to proactive neutralization
byRogue Wave Software
 
Web-Exploit-Hunting-and-Bug-Bounty-Virtual-Internship.pdf
bygarvitcs2023
 
Securing the continuous integration
byIrene Michlin
 

Recently uploaded

PDF
Powering Spring AI with Model Context Protocol Integration
byJuarez Junior
 
PPTX
Pitch Deck for MEVIA OS - No Apps, Infinite, Decentralized Operating System
byDr. Edwin Hernandez
 
PPTX
Topic: Introduction to Storage Elements Flip-Flops.pptx
byhn486916
 
PDF
MySQL Routing Guidelines: Designing Smarter Query Routing Together
byMiguel Araújo
 
PPTX
Data Skills for Business Analysts: What You Need to Succeed
byScott W. Ambler
 
PDF
The Ultimate Guide to Real Estate Tokenization Platforms
byDaniel Smith
 
PDF
Jira, Powered by Enterprise-Grade Intelligence from NeoroTalks.pdf
byNeoro Talks
 
PDF
On Demand Massage Therapist Booking App Development
byV3CUBE TECHNOLABS
 
PDF
eresource Xcel ERP for Maunfacturing - Best Manufacturing ERP for SME
byeresource Infotech Pvt.Ltd
 
PDF
Build Modern Applications with Amazon Aurora DSQL- AWS User Group Bonn 2026
byVadym Kazulkin
 
PPTX
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
PDF
Doctor On Call App Development for Digital Healthcare.
byV3CUBE TECHNOLABS
 
PDF
Mastering Zero-Allocation Parsers: A Deep Dive into High-Performance C#
byVineet Sharma
 
PDF
Clean Architecture with Vertical Slice Architecture in .NET 8
byVineet Sharma
 
PPTX
‘Analyzing Application Logs Using AI’ Webinar
byTier1 app
 
PDF
Prompt Engineering vs Content Engineering vs RAG.pdf
byVineet Sharma
 
PDF
Versnel innovatie met GitHub Enterprise - Rick Smit GitHub
byDelta-N
 
PDF
Ready, Set, REST! Introducing MySQL's Built-In REST Service
byMiguel Araújo
 
PPTX
How CFD Simulations Support Sustainable Data Center Design Optimization
byWeb Synergies
 
PPTX
Connecting to MCP Servers in OutSystems Platform
byOzanCali
 
Powering Spring AI with Model Context Protocol Integration
byJuarez Junior
 
Pitch Deck for MEVIA OS - No Apps, Infinite, Decentralized Operating System
byDr. Edwin Hernandez
 
Topic: Introduction to Storage Elements Flip-Flops.pptx
byhn486916
 
MySQL Routing Guidelines: Designing Smarter Query Routing Together
byMiguel Araújo
 
Data Skills for Business Analysts: What You Need to Succeed
byScott W. Ambler
 
The Ultimate Guide to Real Estate Tokenization Platforms
byDaniel Smith
 
Jira, Powered by Enterprise-Grade Intelligence from NeoroTalks.pdf
byNeoro Talks
 
On Demand Massage Therapist Booking App Development
byV3CUBE TECHNOLABS
 
eresource Xcel ERP for Maunfacturing - Best Manufacturing ERP for SME
byeresource Infotech Pvt.Ltd
 
Build Modern Applications with Amazon Aurora DSQL- AWS User Group Bonn 2026
byVadym Kazulkin
 
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
Doctor On Call App Development for Digital Healthcare.
byV3CUBE TECHNOLABS
 
Mastering Zero-Allocation Parsers: A Deep Dive into High-Performance C#
byVineet Sharma
 
Clean Architecture with Vertical Slice Architecture in .NET 8
byVineet Sharma
 
‘Analyzing Application Logs Using AI’ Webinar
byTier1 app
 
Prompt Engineering vs Content Engineering vs RAG.pdf
byVineet Sharma
 
Versnel innovatie met GitHub Enterprise - Rick Smit GitHub
byDelta-N
 
Ready, Set, REST! Introducing MySQL's Built-In REST Service
byMiguel Araújo
 
How CFD Simulations Support Sustainable Data Center Design Optimization
byWeb Synergies
 
Connecting to MCP Servers in OutSystems Platform
byOzanCali
 

Automating OWASP Tests in your CI/CD

  • 1.
    Automating OWASP testswithin your CICD Process © 2016 eGlobalTech. All rights reserved. Rajiv Kadayam Tech Strategy
  • 2.
    2 I’VE GOT AFEVER AND THE ONLY PRESCRIPTION IS MORE SECURE SOFTWARE !!
  • 3.
    3 86% of websitescontain at least one serious vulnerability Make vulnerability remediation process faster and easier Visibility, Accountability and Empowerment
  • 4.
    4 OWASP ? Make softwaresecurity visible, so that individuals and organizations are able to make informed decisions https://www.owasp.org Popular Project - OWASP Top 10 security flaws
  • 5.
    5 Source Control Release Candidate Build Automated Testing • Unit •Functional • Integration Staging / Production Web App Penetration Testing Backlog Multiple daily/weekly iterations Web App Penetration testing is conducted very late in the process Disconnected Agile Development & OWASP Testing
  • 6.
    6 Source Control Release Candidate Build Automated Testing • Unit •Functional • Integration • Static Code Scan Staging / Production Web App Penetration Testing Backlog Static code scanning is helpful but not sufficient Disconnected Agile Development & OWASP Testing Less time to fix – Unhappy Teams
  • 7.
    7 Source Control Release Candidate Build Automated Testing • Unit •Functional • Integration Staging / Production Web App Penetration Testing Backlog Vulnerabilities leak through into production How do we fix this ? Remediation Cost = Number of FTEs x Time Managers Agile Teams Operations Cybersecurity
  • 8.
    8 Source Control Release Candidate Build Automated Testing • Unit •Functional • Integration Staging / Production Iterative / Agile Development Security Penetration Testing Backlog Visible and actionable details on failures and errors Build Quality Report Push to the left of the process Integrate & Automate
  • 9.
    9 Source Control Release Candidate Build Automated Testing • Unit •Functional • Integration • Security Penetration Testing Staging / Production Backlog Build Quality Report - Test Execution Results - Security Vulnerabilities Enables developers to remediate issues faster Dev/Test Env Espial – Integrate OWASP Testing in CI/CD Gauntlt
  • 10.
    10 Source Control Release Candidate Build Automated Testing • Unit •Functional • Integration • Security Penetration Testing Staging / Production Backlog Build Quality Report - Test Execution Results - Security Vulnerabilities  Security By Design - True DevSecOps !  Enables automated FISMA/NIST Security Compliance Dev/Test Env Espial – Integrate OWASP Testing in CI/CD Gauntlt
  • 11.
    11 BodgeIt-Plus Store front appwith some vulnerabilities • Cross Site Scripting • SQL injection Espial Demo – Sample App and Code
  • 12.
    12 - Build andDeploy to Test env - OWASP Zap runs penetration tests - Produce vulnerability report and integrate within Jenkins Espial Demo – Continuous Integration Kicks-in
  • 13.
    13 Espial Demo –Security Vulnerabilities Report
  • 14.
    14 Espial Demo –Security Vulnerabilities Report Drill Down
  • 15.
    15  Developer fixesthe code  Fixed code checked-in  Continuous Integration Kicks-In Espial Demo – Remediation of SQL Injection Source Control
  • 16.
    16 Espial Demo –SQL Injection Vulnerability Remediated
  • 17.
    17 Based on 100%open source tools - Core Tools - Gauntlt - OWASP Zap - Supporting Tools - Jenkins (can adapt to Bamboo, TeamForge, etc) - Vagrant, Docker (Puppet/Cloud-Forms, Chef, or Ansible) Espial Demo – Tools and Technologies
  • 18.
    18 • Clear andcontinuous visibility of security vulnerabilities • Eliminates risk of vulnerabilities creeping in • Save time, money and resource utilization Espial – Key Features and Benefits
  • 19.
    19 • Implementation atfederal DevOps projects • Richer integration with Jenkins2, SonarQube • Automate Issue tracking with Git, JIRA, and similar Comments / Suggestions - egtlabs@eglobaltech.com Espial – What’s Next ?
  • 20.