Automating security tests for Continuous Integration

•Download as PPTX, PDF•

15 likes•10,899 views

Two models for running automated security tests in a CI/CD pipeline: either blocking or parallel security tests Integration depends on the level of cultural integration of security into DevOps. 3 Models of test ownership: 1. Owned by Security team - least desirable 2. Owned by DevOps, overseen by security - better 3. Owned by SecDevOps, look Ma, no silos. Overview of BDD-Security Configuring Jenkins with BDD-Security as inline tests

Software

Automating Security Tests for
Continuous Integration
Stephen de Vries
@stephendv
www.continuumsecurity.net

About Continuum Security
• Founded 2012
• Services: Security Testing, BDD-Security jump start
• Products: Securing the SDLC
– Open Source
• BDD-Security Testing Framework
• OWASP ZAP integration with JUnit
• Nessus Java client API
– Commercial
• IriusRisk Risk Management for Application Security: www.iriusrisk.com

Security Testing
• Performed after build
• Uses external testers
• Process is opaque to
dev/opts
Unit/Integration/Functiona
l Testing
• Performed during build
• Owned by dev/test
• Tests visible to the team

Design Build
Unit
Tests
Integration
Tests
Acceptance
Tests
Deploy
Development Pre-prod Production
Agile
• Short iterative cycles
• Extensive automated testing
• Low/zero cost to test
• Tests can replace documentation
Security
Testing
Waterfall

Design Build
Unit
Tests
Integration
Tests
Acceptance
Tests
Deploy
Development Pre-prod Production
Continuous Delivery with DevOps
• Automated delivery
into pre-prod
• Automated
acceptance tests

Design Build
Unit
Tests
Integration
Tests
Acceptance
Tests
Deploy
Development Pre-prod Production
Continuous Deployment with DevOps
Security
Testing
• Etsy: 50+ deploys per day
• Amazon: 300+ per hour
• Gov.uk: 10+ deploys per day

• Everyone is responsible for
• Move testing closer to the code
• Continuous automated testing
• Tests are visible to the team
quality
quality
security
security
^

Design Build
Integration TestsUnit
Tests
Acceptance
Tests
Deploy
Development Pre-prod Production
Continuous Deployment with SecDevOps: Blocking tests

Design Build Integration Tests
Unit
Tests
Acceptance
Tests
Deploy
Development Pre-prod Production
Continuous Deployment with Semi-SecDevOps: Parallel tests

Who owns the security tests?
A) Security team
• Benefits of automation
• Fast feedback
• Poor collaboration
• Lack of ownership by DevOps

Who owns the security tests?
B) DevOps team with oversight by Security
• Better collaboration
• More sense of ownership of security
• Good stepping stone to…

Who owns the security tests?
C) Sec + Dev + Ops in a cross-functional
team
• Security testing is our problem
• We have the tools and skills to manage it

Automated Security Tests should:
• return either a pass or fail result
• execute quickly (similar to acceptance tests)
• test infrastructure and application tiers
• test functional security features, e.g. Login, Password Reset
• capture manual testing processes and automate them,
i.e. security regression tests
• be checked into version control along with the code
• be understandable by the whole team

BDD-Security Testing Framework
https://github.com/continuumsecurity/bdd-security
BDD-Security = JBehave +
OWASP ZAP +
Nessus +
Internal security tools +
Pre-written baseline security specifications
Selenium +

HTTP/S Proxy
Manual Application Security Testing with OWASP ZAP

HTTP/S Proxy
Manual Application Security Testing with OWASP ZAP
^
BDD-Security

Integrating with Jenkins
• Configuration
• Test run

Summary
• Security testing is just another form of software testing
• Automate as much as possible for faster feedback
• Security Tests can be treated as security requirements
• Self Verifying Requirements!
• Tests written in a BDD language foster collaboration between
sec, dev and ops
• Automated Security tests should include more than just
scanning

Other related tools
• Mittn (Python + Burp Intruder) https://github.com/F-Secure/mittn
• ZAP-JUnit (Java) https://github.com/continuumsecurity/zap-webdriver
• Guantlet (Ruby) http://gauntlt.org/
• OWASP ZAP Jenkins plugin https://wiki.jenkins-
ci.org/display/JENKINS/Zapper+Plugin

Thank you
www.continuumsecurity.net
@stephendv

What's hot

Just when you thought DevOps was the new black, along comes SecDevOps. In this webinar, Andrew Storms, Sr. Director of DevOps at CloudPassage and Alan Shimel Co-Founder of DevOps.com will discuss the emerging hybrid role of DevOps and Security. Tune in to hear them cover the following topics and why DevOps should want to play a bigger part in security: Go beyond the traditional using DevOps tools, practices, methods to create a force multiplier of SecDevOps Orchestrate and Automate - Deputize everyone to incorporate security into their day to day responsibilities Examples of security automation, case situations minimizing risk and driving flexibility for DevOps See how SaaS provider CloudPassage integrates security into its own development and operations workflows

SecDevOps: The New Black of IT

CloudPassage

DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012

Nick Galbreath

How do you integrate security within a Continuous Deployment (CD) environment - where every 5 minutes a feature, an enhancement, or a bug fix needs to be released? Traditional application security tools which require lengthy periods of configuration, tuning and application learning have become irrelevant in these fast-pace environments. Yet, falling back only on the secure coding practices of the developer cannot be tolerated. Secure coding requires a new approach where security tools become part of the development environment – and eliminate any unnecessary overhead. By collaborating with development teams, understanding their needs and requirements, you can pave the way to a secure deployment in minutes.

DevOps & Security: Here & Now

Checkmarx

Integrating security into Continuous Delivery

Tom Stiehm

SecDevOps - The Operationalisation of Security

Dinis Cruz

Automated Security Testing

seleniumconf

SecDevOps

Peter Lamar

s its biggest bottleneck and security is becoming the most pervasive bottleneck in most DevOps practices. Teams are unable to come up with security practices that integrate into the DevOps lifecycle and ensure continuous and smooth delivery of applications to customers. In fact, security failures in DevOps amplify security flaws in production as they are delivered at scale. If DevOps should not be at odds with security, then we must find ways to achieve the following on priority: - Integrate effective threat modeling into Agile development practices - Introduce Security Automation into Continuous Integration - Integrate Security Automation into Continuous Deployment While there are other elements like SAST and Monitoring that are important to SecDevOps, my talk will essentially focus on these three elements with a higher level of focus on Security Automation. In my talk, I will explore the following, with reference to the topic: - The talk will be replete with anecdotes from personal consulting and penetration testing experiences. - I will briefly discuss Threat Modeling and its impact on DevOps. I will use examples to demonstrate practical ways that one can use threat modeling effectively to break down obstacles and create security automation that reduces the security bottleneck in the later stages of the DevOps cycle. - I firmly believe that Automated Web Vulnerability Assessment (using scanners) no matter how tuned, can only produce 30-40% of the actual results as opposed to a manual application penetration test. I find that scanning tools fail to identify most vulnerabilities with modern Web Services (REST. I will discuss examples and demonstrate how one can leverage automated vulnerability scanners (like ZAP, through its Python API) and simulate manual testing using a custom security automation suite. In Application Penetration Testing, its impossible to have a one size-fits all, but there’s no reason why we can’t deliver custom security automation to simulate most of the manual penetration testing to combine them into a custom security automation suite that integrates with CI tools like Jenkins and Travis. I intend to demonstrate the use a custom security test suite (written in Python that integrates with Jenkins), against an intentionally vulnerable e-commerce app. - My talk will also detail automation to identify vulnerabilities in software libraries and components, integrated with CI tools. - Finally, I will (with the use of examples and demos) explain how one can use “Infrastructure as Code” practice to perform pre and post deployment security checks, using tools like Chef, Puppet and Ansible.

OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav

Abhay Bhargav

Devops security-An Insight into Secure-SDLC

Suman Sourav

Proactive Security AppSec Case Study

Andy Hoernecke

Hacker Proof web app using Functional tests

Ankita Gupta

DevSecCon London 2017: when good containers go bad by Tim Mackey

DevSecCon

In this session I will present best practices of how open source tools (used in the DevOps and security communities) can be properly chained together to form a framework that can - as part of an agile software development CI chain - perform automated checking of certain security aspects. This does not remove the requirement for manual pentests, but tries to automate early security feedback to developers. Ultimately the aim is to free pentesters’ time by continuously reducing the amount of recurring (easy to find) default findings, so that pentesters can use that time to focus on the really high-hanging fruits. Based on my experience of applying SecDevOps techniques to projects, I will present the glue steps required on every commit and at nightly builds to achieve different levels of depth in automated security testing during the CI workflow. I will conclude with a "SecDevOps Maturity Model" of different stages of automated security testing and present concrete examples of how to achieve each stage with open source security tools.

Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...

Christian Schneider

Dev seccon london 2016 intelliment security

DevSecCon

we45 SecDevOps Presentation - ISACA Chennai

Abhay Bhargav

Integrating Security into DevOps

CloudPassage

DevSecOps: What Why and How : Blackhat 2019

NotSoSecure Global Services

we45’s SecDevOps and Security Automation Framework (2SAF) aims at decreasing mean time to product deployment with reduced operational resources – with the inclusion of relevant custom product security controls. The 2SAF enables engineering teams to implement a customized automated and threat modeled penetration testing model for every release of the produce lifecycle. Our powerful Review – Train – Study model has enabled engineering and DevOps teams to implement 2SAF within weeks to a fully operational and measurable working framework.

we45 - SecDevOps Concept Presentation

Abhay Bhargav

Code Quality - Security

sedukull

DevSecCon London 2017: Hands-on secure software development from design to de...

DevSecCon

What's hot (20)

SecDevOps: The New Black of IT

DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012

DevOps & Security: Here & Now

Integrating security into Continuous Delivery

SecDevOps - The Operationalisation of Security

Automated Security Testing

SecDevOps

OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav

Devops security-An Insight into Secure-SDLC

Proactive Security AppSec Case Study

Hacker Proof web app using Functional tests

DevSecCon London 2017: when good containers go bad by Tim Mackey

Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...

Dev seccon london 2016 intelliment security

we45 SecDevOps Presentation - ISACA Chennai

Integrating Security into DevOps

DevSecOps: What Why and How : Blackhat 2019

we45 - SecDevOps Concept Presentation

Code Quality - Security

DevSecCon London 2017: Hands-on secure software development from design to de...

Similar to Automating security tests for Continuous Integration

DevSecOps Basics with Azure Pipelines

Abdul_Mujeeb

This session is designed to teach security engineers, developers, solutions architects, and other technical security practitioners how to use a DevSecOps approach to design and build robust security controls at cloud-scale. This session walks through the design considerations of operating high-assurance workloads on top of the AWS platform and provides examples of how to automate configuration management and generate audit evidence for your own workloads. We’ll discuss practical examples using real code for automating security tasks, then dive deeper to map the configurations against various industry frameworks. This advanced session showcases how continuous integration and deployment pipelines can accelerate the speed of security teams and improve collaboration with software development teams.

Automating Security in Cloud Workloads with DevSecOps

Amazon Web Services

AWS serverless architecture components such as Amazon S3, Amazon SQS, Amazon SNS, CloudWatch Logs, DynamoDB, Amazon Kinesis, and Lambda can be tightly constrained in their operation. However, it may still be possible to use some of them to propagate payloads that could be used to exploit vulnerabilities in some consuming endpoints or user-generated code. This session explores techniques for enhancing the security of these services, from assessing and tightening permissions in IAM to integrating further tools and mechanisms for inline and out-of-band payload analysis that are more typically applied to traditional server-based architectures, and generalising these techniques to APIs for all AWS services.

Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017

Amazon Web Services

Performing continuous security testing in a DevOps environment with short release cycles and a continuous delivery pipeline is a big challenge and the traditional secure SDLC model fails to deliver the desired results. DevOps understand the process of built, test and deploy. They have largely automated this process in a delivery pipeline, they deploy to production multiple times per day but the big challenge is how can they do this securely? This session will focus on a strategy to build an application security pipeline in Jenkins, challenges and possible solutions, also how existing application security solutions (SAST, DAST, IAST, OpenSource Libraries Analysis) are playing a key role in growing the relationship between security and DevOps.

Implementing an Application Security Pipeline in Jenkins

Suman Sourav

Security testing is an important part of any security development life-cycle (SDLC) and, thus, should be a part of any software development life-cycle. We will present SAP's Security Testing Strategy that enables developers to find security vulnerabilities early by applying a variety of different security testing methods and tools. We explain the motivation behind it, how we enable global development teams to implement the strategy, across different SDLCs and report on our experiences.

Bringing Security Testing to Development: How to Enable Developers to Act as ...

Achim D. Brucker

Overcoming Security Challenges in DevOps

Alert Logic

DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程

Duran Hsieh

Devops architecture

Ojasvi Jagtap

The AWS platform offers a rich set of capabilities that can be leveraged by the customer to better control applications state, configuration, and supporting infrastructure throughout the service lifecycle – all while operating with security best practices such as audit and accountability, access control, change review and governance, and systems integrity. We will showcase and discuss design patterns for using these capabilities in synergy with fast-paced and agile application development methodologies – such as DevOps – to achieve an integrated security operations program.

Securing Systems at Cloud Scale with DevSecOps

Amazon Web Services

Putting it All Together: Securing Systems at Cloud Scale

Amazon Web Services

Continuous Delivery With Selenium Grid And Docker

Barbara Gonzalez

DevOps

Jeremiah Tillman

In this presentation we explain the CD mindset of the MyHeritage QA and how we use Watir, Appium, Ruby, Cumcumber and other supporting technologies to allow end to end testing. These are the link mentioned in the presentation: Continuous Deployment Applied at MyHeritage - http://www.slideshare.net/RanLevy/continuous-deployment-applied-at-myheritage Appium - http://appium.io/ Ruby - https://www.ruby-lang.org/en/ Watir - http://watirwebdriver.com/ page-object - https://github.com/cheezy/page-object Selenium Grid - https://github.com/SeleniumHQ/selenium/wiki/Grid2 Selenium-Grid-Extras - https://github.com/groupon/Selenium-Grid-Extras Jenkins - https://jenkins-ci.org/

MyHeritage - QA Automations in a Continuous Deployment environment

MatanGoren

Alexey Sintsov- SDLC - try me to implement

DefconRussia

Whether you're a huge enterprise or a small start-up, you can't escape global digitalization. As digital technologies like machine-2-machine communication, device-2-device telematics, connected cars, and the Internet of Things become more integral in today’s world, more threats will appear as hackers use new ways to exploit weaknesses in your organization and products. During SoftServe’s free security webinar, Nazar Tymoshyk will explore the reasons why recent victims of digital attacks couldn’t withstand a threat to their security and share how you can build secure and compliant software with the help of security experts. A real-life case study will demonstrate how SoftServe assessed and mitigated security threats for a top organization.

Digital Product Security

SoftServe

If your organization is undergoing a DevOps transformation, you’re probably thinking about where security fits in. All too often, we tack on security testing at the end of the delivery process, which means significant problems go undetected until development is complete. As we adopt DevOps principles and practices, we enable a natural solution to this problem: ensure that security experts are involved throughout the delivery process. In this webinar, DevOps.com and Puppet defined a reference implementation of DevOps from the ground up, by illustrating how the software delivery process evolves at a hypothetical startup. Once we've laid a technical foundation for DevOps, we discussed the implications for security. We also discussed: Benefits for and challenges to security during a DevOps transformation How to craft a DevOps-ready security practice Refinements of a standard DevOps workflow to address security needs

Security Implications for a DevOps Transformation

Deborah Schalm

Security Implications for a DevOps Transformation

DevOps.com

Strengthen and Scale Security for a dollar or less

Mohammed A. Imran

CI/CD on AWS

Bhargav Amin

Application Security from the Inside Out

Ulisses Albuquerque

Similar to Automating security tests for Continuous Integration (20)

DevSecOps Basics with Azure Pipelines

Automating Security in Cloud Workloads with DevSecOps

Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017

Implementing an Application Security Pipeline in Jenkins

Bringing Security Testing to Development: How to Enable Developers to Act as ...

Overcoming Security Challenges in DevOps

DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程

Devops architecture

Securing Systems at Cloud Scale with DevSecOps

Putting it All Together: Securing Systems at Cloud Scale

Continuous Delivery With Selenium Grid And Docker

DevOps

MyHeritage - QA Automations in a Continuous Deployment environment

Alexey Sintsov- SDLC - try me to implement

Digital Product Security

Security Implications for a DevOps Transformation

Strengthen and Scale Security for a dollar or less

CI/CD on AWS

Application Security from the Inside Out

Recently uploaded

WSO2Con2024 - Facilitating Broadband Switching Services for UK Telecoms Provi...

WSO2

Azure Native Qumulo scales elastically for common High Performance Compute (HPC) workloads based on application requirements for: Financial Services, Automotive, Genomics / Life Sciences, Media and Entertainment, Energy, Oil and Gas, and more. Performance can be increased (and elastically decreased) much higher than the examples shown here. These slides offer a glimpse into ANQ's HPC capabilities, although at a smaller scale. We invite YOU to do your own testing (with a free ANQ trial) and work with us to test your HPC workloads in Azure.

AzureNativeQumulo_HPC_Cloud_Native_Benchmarks.pdf

ryanfarris8

WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...

WSO2

Modeling languages are generally applied for developing systems and software – both internally, with domain-specific languages, and with standardized languages targeting a general purpose and a wide audience. Way too often these languages are weakly created and defined leading to poor quality: Language definitions tend to contain errors and inconsistencies; notations do not recognize the communication and problem-solving needs of humans; standardization organizations push exchange formats that do not fully work and offer certificates that do not measure mastery of the language. We describe common problems in language development and point them out with examples from known cases. To overcome these problems, we suggest several solutions to improve language development, including using modeling languages specifically designed to define modeling languages, continuous testing and prototyping, and keeping language users in the loop.

What Goes Wrong with Language Definitions and How to Improve the Situation

Juha-Pekka Tolvanen

WSO2CON 2024 - Not Just Microservices: Rightsize Your Services!

WSO2

WSO2Con2024 - Simplified Integration: Unveiling the Latest Features in WSO2 L...

WSO2

Evolving Data Governance for the Real-time Streaming and AI Era

confluent

Driving Innovation: Scania's API Revolution with WSO2

WSO2

WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...

WSO2

ADR, or Architecture Decision Record, is a valuable tool in software development for several reasons. It provides a centralized location for documenting and tracking architectural decisions, aiding both current and future team members. ADRs enhance communication among team members by documenting the rationale behind architectural decisions, especially beneficial during onboarding of new team members or when revisiting decisions. They serve as a knowledge base, enabling teams to learn from past decisions and refine their decision-making process. Additionally, ADRs contribute to transparency by helping stakeholders understand the reasons behind specific architectural choices. As with any other tool or process, introducing them into an organization can face several obstacles, and overcoming these challenges is crucial for successful implementation. In this talk I go through some common problems and our way of solving them.

Architecture decision records - How not to get lost in the past

Papp Krisztián

WSO2CON 2024 Slides - Open Source to SaaS

WSO2

WSO2CON 2024 - Architecting AI in the Enterprise: APIs and Applications

WSO2

WSO2Con2024 - Low-Code Integration Tooling

WSO2

WSO2Con2024 - From Blueprint to Brilliance: WSO2's Guide to API-First Enginee...

WSO2

Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in Tembisa ● Abortion Pills For Sale in Tembisa ● Tembisa 🏥🚑!! Abortion Clinic Near Me Cost, Price, Women's Clinic Near Me, Abortion Clinic Near, Abortion Doctors Near me, Abortion Services Near Me, Abortion Pills Over The Counter, Abortion Pill Doctors' Offices, Abortion Clinics, Abortion Places Near Me, Cheap Abortion Places Near Me, Medical Abortion & Surgical Abortion, approved cyctotec pills and womb cleaning pills too plus all the instructions needed This Discrete women’s Termination Clinic offers same day services that are safe and pain free, we use approved pills and we clean the womb so that no side effects are present. Our main goal is that of preventing unintended pregnancies and unwanted births every day to enable more women to have children by choice, not chance. We offer Terminations by Pill and The Morning After Pill.” Our Private VIP Abortion Service offers the ultimate in privacy, efficiency and discretion. we do safe and same day termination and we do also womb cleaning as well its done from 1 week up to 28 weeks. We do delivery of our services world wide SAFE ABORTION CLINICS/PILLS ON SALE WE DO DELIVERY OF PILLS ALSO Abortion clinic at very low costs, 100% Guaranteed and it’s safe, pain free and a same day service. It Is A 45 Minutes Procedure, we use tested abortion pills and we do womb cleaning as well. Alternatively the medical abortion pill and womb cleansing !!!

Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...

Medical / Health Care (+971588192166) Mifepristone and Misoprostol tablets 200mg

WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...

WSO2

WSO2CON 2024 - Does Open Source Still Matter?

WSO2

WSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & Innovation

WSO2

WSO2CON 2024 - Building a Digital Government in Uganda

WSO2

WSO2Con204 - Hard Rock Presentation - Keynote

WSO2

Recently uploaded (20)

WSO2Con2024 - Facilitating Broadband Switching Services for UK Telecoms Provi...

AzureNativeQumulo_HPC_Cloud_Native_Benchmarks.pdf

WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...

What Goes Wrong with Language Definitions and How to Improve the Situation

WSO2CON 2024 - Not Just Microservices: Rightsize Your Services!

WSO2Con2024 - Simplified Integration: Unveiling the Latest Features in WSO2 L...

Evolving Data Governance for the Real-time Streaming and AI Era

Driving Innovation: Scania's API Revolution with WSO2

WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...

Architecture decision records - How not to get lost in the past

WSO2CON 2024 Slides - Open Source to SaaS

WSO2CON 2024 - Architecting AI in the Enterprise: APIs and Applications

WSO2Con2024 - Low-Code Integration Tooling

WSO2Con2024 - From Blueprint to Brilliance: WSO2's Guide to API-First Enginee...

Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...

WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...

WSO2CON 2024 - Does Open Source Still Matter?

WSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & Innovation

WSO2CON 2024 - Building a Digital Government in Uganda

WSO2Con204 - Hard Rock Presentation - Keynote

Automating security tests for Continuous Integration

1. Automating Security Tests for Continuous Integration Stephen de Vries @stephendv www.continuumsecurity.net

2. About Continuum Security • Founded 2012 • Services: Security Testing, BDD-Security jump start • Products: Securing the SDLC – Open Source • BDD-Security Testing Framework • OWASP ZAP integration with JUnit • Nessus Java client API – Commercial • IriusRisk Risk Management for Application Security: www.iriusrisk.com

3. Security Testing • Performed after build • Uses external testers • Process is opaque to dev/opts Unit/Integration/Functiona l Testing • Performed during build • Owned by dev/test • Tests visible to the team

4. Design Build Unit Tests Integration Tests Acceptance Tests Deploy Development Pre-prod Production Agile • Short iterative cycles • Extensive automated testing • Low/zero cost to test • Tests can replace documentation Security Testing Waterfall

5. Design Build Unit Tests Integration Tests Acceptance Tests Deploy Development Pre-prod Production Continuous Delivery with DevOps • Automated delivery into pre-prod • Automated acceptance tests

6. Design Build Unit Tests Integration Tests Acceptance Tests Deploy Development Pre-prod Production Continuous Deployment with DevOps Security Testing • Etsy: 50+ deploys per day • Amazon: 300+ per hour • Gov.uk: 10+ deploys per day

7. • Everyone is responsible for • Move testing closer to the code • Continuous automated testing • Tests are visible to the team quality quality security security ^

8. Design Build Integration TestsUnit Tests Acceptance Tests Deploy Development Pre-prod Production Continuous Deployment with SecDevOps: Blocking tests

9. Design Build Integration Tests Unit Tests Acceptance Tests Deploy Development Pre-prod Production Continuous Deployment with Semi-SecDevOps: Parallel tests

10. Who owns the security tests? A) Security team • Benefits of automation • Fast feedback • Poor collaboration • Lack of ownership by DevOps

11. Who owns the security tests? B) DevOps team with oversight by Security • Better collaboration • More sense of ownership of security • Good stepping stone to…

12. Who owns the security tests? C) Sec + Dev + Ops in a cross-functional team • Security testing is our problem • We have the tools and skills to manage it

13. Automated Security Tests should: • return either a pass or fail result • execute quickly (similar to acceptance tests) • test infrastructure and application tiers • test functional security features, e.g. Login, Password Reset • capture manual testing processes and automate them, i.e. security regression tests • be checked into version control along with the code • be understandable by the whole team

14. BDD-Security Testing Framework https://github.com/continuumsecurity/bdd-security BDD-Security = JBehave + OWASP ZAP + Nessus + Internal security tools + Pre-written baseline security specifications Selenium +

15. Infrastructure Security Testing

16.

17.

18. Application Security Testing

19. HTTP/S Proxy Manual Application Security Testing with OWASP ZAP

20. HTTP/S Proxy Manual Application Security Testing with OWASP ZAP ^ BDD-Security

21.

22.

23. Functional Security Tests

24. Integrating with Jenkins • Configuration • Test run

25. Summary • Security testing is just another form of software testing • Automate as much as possible for faster feedback • Security Tests can be treated as security requirements • Self Verifying Requirements! • Tests written in a BDD language foster collaboration between sec, dev and ops • Automated Security tests should include more than just scanning

26. Other related tools • Mittn (Python + Burp Intruder) https://github.com/F-Secure/mittn • ZAP-JUnit (Java) https://github.com/continuumsecurity/zap-webdriver • Guantlet (Ruby) http://gauntlt.org/ • OWASP ZAP Jenkins plugin https://wiki.jenkins- ci.org/display/JENKINS/Zapper+Plugin

27. Thank you www.continuumsecurity.net @stephendv

Editor's Notes

Story: There is a gap between sec testing and every other type of software testing Sec is still stuck in waterfall model History of testing and sec testing Benefits of agile, fast feedback, low cost tests = run them more often TDD and BDD: Tests as communication mechanism DevOps is Agile for the rest of the organisation Don’t need to look far to find answers to integrating security into dev: quality Sec testing is subset Security testing > automated scanning Security testing > Penetration Testing BDD-Sec intro: objectives. Default set of security tests + allows building more specific tests
There is a considerable gap between how we use security testing and how we use almost every other type of software test.
The first great leap forward for software testing was Agile But even though we had this benefit of fast feedback, it was constrained to the dev environment.
…there’s a manual step before deploying into production.
All security testing, automated scans and manual penetration testing.
And looking at how testing has evolved over time two things stand out: we’re doing more automation, and we’re doing that automated testing closer to the code. Our unit and integration tests are a key part to making continuous delivery possible. And I claim that that we can and should take the same approach with security testing: automated as much as possible, so that we can run them continuously and get feedback as quick as possible. Not to replace manual security testing, but to complement it.
The primary control is the automated security tests, the secondary control is the manual tests.
Automated tests can run in parallel, but at same pace as integration tests.
The first activity that springs to mind when talking about automated security testing is probably scanning.
BDD Behaviour Driven Development
False positives
From
From
From

Automating security tests for Continuous Integration

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Automating security tests for Continuous Integration

Similar to Automating security tests for Continuous Integration (20)

Recently uploaded

Recently uploaded (20)

Automating security tests for Continuous Integration

Editor's Notes