Recommended
More Related Content
What's hot
What's hot (20)
Similar to Automating OWASP Tests in your CI/CD
Similar to Automating OWASP Tests in your CI/CD (20)
Recently uploaded
Recently uploaded (20)
Automating OWASP Tests in your CI/CD
- 1. Automating OWASP tests within your CICD Process © 2016 eGlobalTech. All rights reserved. Rajiv Kadayam Tech Strategy
- 2. 2 I’VE GOT A FEVER AND THE ONLY PRESCRIPTION IS MORE SECURE SOFTWARE !!
- 3. 3 86% of websites contain at least one serious vulnerability Make vulnerability remediation process faster and easier Visibility, Accountability and Empowerment
- 4. 4 OWASP ? Make software security visible, so that individuals and organizations are able to make informed decisions https://www.owasp.org Popular Project - OWASP Top 10 security flaws
- 5. 5 Source Control Release Candidate Build Automated Testing • Unit • Functional • Integration Staging / Production Web App Penetration Testing Backlog Multiple daily/weekly iterations Web App Penetration testing is conducted very late in the process Disconnected Agile Development & OWASP Testing
- 6. 6 Source Control Release Candidate Build Automated Testing • Unit • Functional • Integration • Static Code Scan Staging / Production Web App Penetration Testing Backlog Static code scanning is helpful but not sufficient Disconnected Agile Development & OWASP Testing Less time to fix – Unhappy Teams
- 7. 7 Source Control Release Candidate Build Automated Testing • Unit • Functional • Integration Staging / Production Web App Penetration Testing Backlog Vulnerabilities leak through into production How do we fix this ? Remediation Cost = Number of FTEs x Time Managers Agile Teams Operations Cybersecurity
- 8. 8 Source Control Release Candidate Build Automated Testing • Unit • Functional • Integration Staging / Production Iterative / Agile Development Security Penetration Testing Backlog Visible and actionable details on failures and errors Build Quality Report Push to the left of the process Integrate & Automate
- 9. 9 Source Control Release Candidate Build Automated Testing • Unit • Functional • Integration • Security Penetration Testing Staging / Production Backlog Build Quality Report - Test Execution Results - Security Vulnerabilities Enables developers to remediate issues faster Dev/Test Env Espial – Integrate OWASP Testing in CI/CD Gauntlt
- 10. 10 Source Control Release Candidate Build Automated Testing • Unit • Functional • Integration • Security Penetration Testing Staging / Production Backlog Build Quality Report - Test Execution Results - Security Vulnerabilities Security By Design - True DevSecOps ! Enables automated FISMA/NIST Security Compliance Dev/Test Env Espial – Integrate OWASP Testing in CI/CD Gauntlt
- 11. 11 BodgeIt-Plus Store front app with some vulnerabilities • Cross Site Scripting • SQL injection Espial Demo – Sample App and Code
- 12. 12 - Build and Deploy to Test env - OWASP Zap runs penetration tests - Produce vulnerability report and integrate within Jenkins Espial Demo – Continuous Integration Kicks-in
- 13. 13 Espial Demo – Security Vulnerabilities Report
- 14. 14 Espial Demo – Security Vulnerabilities Report Drill Down
- 15. 15 Developer fixes the code Fixed code checked-in Continuous Integration Kicks-In Espial Demo – Remediation of SQL Injection Source Control
- 16. 16 Espial Demo – SQL Injection Vulnerability Remediated
- 17. 17 Based on 100% open source tools - Core Tools - Gauntlt - OWASP Zap - Supporting Tools - Jenkins (can adapt to Bamboo, TeamForge, etc) - Vagrant, Docker (Puppet/Cloud-Forms, Chef, or Ansible) Espial Demo – Tools and Technologies
- 18. 18 • Clear and continuous visibility of security vulnerabilities • Eliminates risk of vulnerabilities creeping in • Save time, money and resource utilization Espial – Key Features and Benefits
- 19. 19 • Implementation at federal DevOps projects • Richer integration with Jenkins2, SonarQube • Automate Issue tracking with Git, JIRA, and similar Comments / Suggestions - egtlabs@eglobaltech.com Espial – What’s Next ?
- 20. 20