Better Security Testing: Using the Cloud and Continuous Delivery
© Copyright 2013 Coveros, Inc. All rights reserved.
Gene Gotimer, Senior Architect
gene.gotimer@coveros.com
About Coveros
• Coveros helps organizations accelerate the delivery of business value through secure, reliable software
Security Testing
• Usually done late in the cycle
• Issues found that late are often not remediated
• Needs ROI: lower cost, better results, or both
• Consider open-source and free tools
• Opportunities in Continuous Delivery and Cloud
Identify low-effort opportunities using free and open-source tools
Continuous Integration
• Merge work frequently
• Code commits to source control
• Unit tests run automatically
• No long integration cycle at the end
• Fix code when we find problems
• Build-Test-Commit cycle = rapid feedback
Continuous Delivery
• Every build potentially releasable
• Release is a business decision
• Extrapolation of Continuous Integration
  – Deploys
  – Functional tests
  – Load and performance tests
  – Security tests
• Build-Test-Commit-Deploy-Test-Release cycle
Cloud Computing
• Can't wait for long procurement
• Public or private clouds
• Works well with Continuous Delivery
  – Easy to deploy
  – New environments whenever they are needed
Maturity Model for Security Testing
• Level 0: No Security Testing
• Level 1: Unit Testing and Static Analysis
• Level 2: Automated Deploys and Functional Testing
• Level 3: Automated Configuration Management
• Level 4: Cloud Deployments
• Level 5: Continuous Delivery
Level 1: Unit Testing and Static Analysis
• Unit Tests:
  – Confidence to make changes
  – Error handling
  – General logic errors
  – Bounds checking
  – Edge conditions
• Static Analysis:
  – Common errors
  – Unused variables
  – SQL injection
  – Cross-Site Scripting (XSS)
  – Hard-coded passwords
• Unit testing tools:
  – JUnit for Java
  – NUnit for .NET
  – PyUnit (the unittest module) for Python
  – PHPUnit for PHP
• Static analysis tools:
  – Sonar (SonarQube) for many languages
  – PMD for Java
  – FindBugs for Java
  – PHPMD for PHP
  – FxCop for .NET
  – PyChecker for Python
  – pylint for Python
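What a Level 1 static-analysis rule actually does, as an added example (not code from the deck or from any of the tools listed): a small AST walker that flags two of the findings named above, hard-coded passwords and SQL built by string formatting, over a constructed sample module. Rule names, the secret-name list and the sample source are all assumptions for illustration.

```python
"""Minimal static checks of the kind Level 1 tools automate: hard-coded
secrets and SQL built by string formatting. Added example; the sample
module below is constructed, not real project code."""
import ast

# Constructed sample: one hard-coded secret, one formatted query, one bound query.
SAMPLE_SOURCE = '''
import sqlite3
DB_PASSWORD = "hunter2"
def find_user(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '%s'" % name)
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
    return cur.fetchall()
'''

SECRET_NAMES = ("password", "passwd", "pwd", "secret", "api_key", "token")
SQL_KEYWORDS = ("select ", "insert ", "update ", "delete ")


def _looks_like_sql(node):
    """True if node is a string constant that starts with a SQL keyword."""
    return (isinstance(node, ast.Constant) and isinstance(node.value, str)
            and node.value.lstrip().lower().startswith(SQL_KEYWORDS))


def _is_dynamic_sql(node):
    """SQL text combined with runtime data: % formatting, + concatenation,
    str.format() or an f-string with interpolated values."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return _looks_like_sql(node.left) or _is_dynamic_sql(node.left)
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format" and _looks_like_sql(node.func.value)
    if isinstance(node, ast.JoinedStr):
        first = node.values[0] if node.values else None
        return _looks_like_sql(first) and any(
            isinstance(v, ast.FormattedValue) for v in node.values)
    return False


def check_source(source):
    """Return sorted (line, rule, message) findings for Python source text."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # Rule 1: a secret-looking name assigned a non-empty string literal.
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if (isinstance(target, ast.Name)
                        and any(k in target.id.lower() for k in SECRET_NAMES)
                        and isinstance(node.value, ast.Constant)
                        and isinstance(node.value.value, str)
                        and node.value.value):
                    findings.append((node.lineno, "hardcoded-secret",
                                     f"{target.id} assigned a string literal"))
        # Rule 2: execute()/executemany() whose query is built dynamically.
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany")
                and node.args and _is_dynamic_sql(node.args[0])):
            findings.append((node.lineno, "sql-injection",
                             "SQL built with string formatting; use bound parameters"))
    return sorted(findings)


if __name__ == "__main__":
    for line, rule, msg in check_source(SAMPLE_SOURCE):
        print(f"line {line}: {rule}: {msg}")
```

The bound-parameter query on the last `execute` line produces no finding, which is the point of the rule: the tool distinguishes how the query was built, not what it says. Wiring a checker like this into the CI build and failing on any finding is the Level 1 step the deck describes.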
Level 2: Automated Deploys and Functional Testing
• Automated Deploys:
  – Every deploy is a chance to scan: frequent security scans
  – Rapid feedback
  – Web application scanners:
    · w3af
    · wapiti
    · Skipfish
  – Start with basic scans, then add tuning
• Functional Testing:
  – Access control
  – Data protection
  – Web application testing:
    · Selenium
• Proxies:
  – Better coverage: run the functional tests through the proxy so it sees every request the application handles
  – XSS and Cross-Site Request Forgery (CSRF, also written XSRF)
  – Log the URLs exercised to augment the scanner's spidering
  – Data leakage
  – Web application proxies:
    · OWASP Zed Attack Proxy (ZAP) Project
    · OWASP WebScarab
    · Ratproxy
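A Level 2 access-control check as an added example (not from the deck): a role-by-path matrix run against a constructed in-process WSGI application, so that a missing authorization check fails the build after every automated deploy. The application, its bearer tokens and the expected statuses are all assumptions; a real suite would drive the deployed application (for instance with Selenium, optionally through a proxy such as ZAP) instead of calling the app object directly.

```python
"""Functional access-control tests of the kind a Level 2 pipeline runs after
every deploy. Added example: the tiny WSGI app, tokens and expected statuses
are constructed for illustration."""
from io import BytesIO

# Constructed test credentials: bearer token -> role. /admin requires "admin".
TOKENS = {"tok-alice": "admin", "tok-bob": "user"}


def app(environ, start_response):
    """Constructed sample application with one public and two protected paths."""
    path = environ.get("PATH_INFO", "/")
    auth = environ.get("HTTP_AUTHORIZATION", "")
    role = TOKENS.get(auth[len("Bearer "):]) if auth.startswith("Bearer ") else None
    if path == "/health":
        status, body = "200 OK", b"ok"
    elif role is None:
        status, body = "401 Unauthorized", b"login required"
    elif path == "/admin" and role != "admin":
        status, body = "403 Forbidden", b"admin only"
    elif path in ("/admin", "/profile"):
        status, body = "200 OK", f"hello {role}".encode()
    else:
        status, body = "404 Not Found", b""
    start_response(status, [("Content-Type", "text/plain")])
    return [body]


def request(wsgi_app, path, token=None):
    """Call a WSGI app in-process and return (status_code, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "SERVER_NAME": "test",
               "SERVER_PORT": "80", "wsgi.input": BytesIO(b""),
               "wsgi.url_scheme": "http"}
    if token:
        environ["HTTP_AUTHORIZATION"] = "Bearer " + token
    captured = {}

    def start_response(status, headers):
        captured["status"] = int(status.split()[0])

    body = b"".join(wsgi_app(environ, start_response))
    return captured["status"], body


# Access-control matrix: (path, token) -> expected status. Every protected
# path is listed for every role, including no token and a forged token, so a
# missing check fails the build rather than waiting for an audit.
ACCESS_MATRIX = {
    ("/health", None): 200,
    ("/profile", None): 401,
    ("/admin", None): 401,
    ("/profile", "tok-bob"): 200,
    ("/admin", "tok-bob"): 403,
    ("/admin", "tok-alice"): 200,
    ("/profile", "tok-alice"): 200,
    ("/admin", "tok-forged"): 401,   # unknown token must not map to any role
}


def run_access_checks(wsgi_app, matrix=ACCESS_MATRIX):
    """Return (path, token, expected, actual) mismatches; an empty list passes."""
    failures = []
    for (path, token), expected in matrix.items():
        actual, _ = request(wsgi_app, path, token)
        if actual != expected:
            failures.append((path, token, expected, actual))
    return failures


if __name__ == "__main__":
    problems = run_access_checks(app)
    print("access-control checks:", "PASS" if not problems else problems)
```

The matrix is the deliverable: it states the access policy in a form that both developers and the security team can read, and every deploy re-verifies it.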
Level 3: Automated Configuration Management
• Deployment/Configuration:
  – Puppet
  – Chef
• Provisioning:
  – Cobbler
  – Kickstart
  – Windows Deployment Services
• Completely new systems, or built on templates
• Repeatable configuration management
• Complete system scans of the deployed environment, not just the application:
  – OpenVAS
  – Nmap
  – Nikto2
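Turning a complete system scan into a build gate, as an added example (not code from the deck or from Nmap): parse Nmap's XML output and fail the build when a rebuilt system exposes a port outside its allowed list. The XML below is constructed in the `-oX` format, not real scan output, and the allowed-ports policy is an assumption for illustration.

```python
"""Gate a Level 3 build on a whole-system port scan. Added example; the XML
is constructed in nmap's -oX format and the allow-list is assumed."""
import xml.etree.ElementTree as ET

# Constructed nmap -oX output: sshd and nginx are expected, mysqld is not.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.5" version="6.40">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="6.2"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/>
        <service name="mysql" product="MySQL"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Assumed policy: the (protocol, port) pairs each host is allowed to expose.
ALLOWED_PORTS = {"10.0.0.5": {("tcp", 22), ("tcp", 80)}}


def open_ports(nmap_xml):
    """Return {addr: [(proto, port, service_name), ...]} for every open port."""
    result = {}
    root = ET.fromstring(nmap_xml)
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        found = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue            # closed/filtered ports are not findings
            svc = port.find("service")
            found.append((port.get("protocol"), int(port.get("portid")),
                          svc.get("name") if svc is not None else "unknown"))
        result[addr_el.get("addr")] = found
    return result


def policy_violations(nmap_xml, allowed=ALLOWED_PORTS):
    """Open ports absent from the allow-list, as (addr, proto, port, service)."""
    violations = []
    for addr, ports in open_ports(nmap_xml).items():
        permitted = allowed.get(addr, set())   # unknown host: nothing allowed
        for proto, port, name in ports:
            if (proto, port) not in permitted:
                violations.append((addr, proto, port, name))
    return violations


if __name__ == "__main__":
    import sys
    bad = policy_violations(SAMPLE_NMAP_XML)
    for addr, proto, port, name in bad:
        print(f"UNEXPECTED {addr} {port}/{proto} ({name})")
    sys.exit(1 if bad else 0)
```

In a pipeline the XML would come from `nmap -sV -oX scan.xml <host>` run against the freshly provisioned machine; because Level 3 rebuilds systems from the same recipes every time, a new open port is a configuration change somebody made, not noise.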
Level 4: Cloud Deployments
• On-demand environments
  – Long-running scans in parallel
  – Production-sized machines, even if only temporarily
  – Failover and high-availability testing
• Multiple client systems in parallel
  – Race conditions
  – Multi-user interactions
• Web performance testing frameworks:
  – Apache JMeter: Java-based UI; HTTP, HTTPS, SOAP, JDBC, LDAP, JMS, SMTP, POP, IMAP
  – ab (ApacheBench): command-line
  – The Grinder: Jython and Clojure
  – Gatling: Scala
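Why parallel clients matter for security, as an added example (not from the deck): a constructed single-use coupon service with a check-then-act race, hammered by many simultaneous clients, beside the locked version that fixes it. Threads in one process stand in for the multiple cloud client systems the slide describes; the service, coupon code and client count are assumptions.

```python
"""Level 4: parallel clients turn a check-then-act bug into a reproducible
finding. Added example; the coupon service is constructed for illustration."""
import threading
import time


class CouponService:
    """Constructed sample: each coupon code may be redeemed exactly once."""

    def __init__(self, codes, safe):
        self._unused = set(codes)
        self._lock = threading.Lock()
        self._safe = safe
        self.redeemed = 0

    def redeem(self, code):
        if self._safe:
            with self._lock:              # check and act as one atomic step
                if code not in self._unused:
                    return False
                self._unused.discard(code)
                self.redeemed += 1
                return True
        # Vulnerable path: the check and the act are separate, so another
        # client can pass the check in the window. sleep(0) yields the GIL to
        # widen that window, as a database round trip would in production.
        if code not in self._unused:
            return False
        time.sleep(0)
        self._unused.discard(code)
        self.redeemed += 1
        return True


def hammer(service, code, clients=50):
    """Release `clients` threads at once against the same code; return how
    many redemptions succeeded (a correct service returns 1)."""
    start = threading.Barrier(clients)
    successes = []                        # list.append is atomic under the GIL

    def client():
        start.wait()                      # all clients fire together
        if service.redeem(code):
            successes.append(1)

    threads = [threading.Thread(target=client) for _ in range(clients)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(successes)


if __name__ == "__main__":
    print("vulnerable:", hammer(CouponService(["SAVE10"], safe=False), "SAVE10"), "redemptions")
    print("fixed:     ", hammer(CouponService(["SAVE10"], safe=True), "SAVE10"), "redemptions")
```

A single functional test cannot find this bug because one client always sees consistent state; the finding only appears when many clients act in the same instant, which is exactly what on-demand cloud client machines make cheap to arrange. The vulnerable count varies from run to run, so a build gate should assert on the fixed service's count of exactly one.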
Level 5: Continuous Delivery
• Release ready for production
• Continuous deployment
• High levels of automation
• Dashboards
  – Custom development
Personal Experience
• Agile development grew into Continuous Delivery
• Automated deploys with Puppet
• Selenium functional tests
• JMeter performance tests
• Security testing lagged
• Excuses:
  – The “official” tool is expensive.
  – It would take a lot of time to acquire and then to configure it.
  – We don’t have time.
  – It isn’t our responsibility.
  – The security team wouldn’t accept our scans anyway.
• Open-source tools
• Focus on security, not compliance
• Limited time
• Web application scans with w3af
• Vulnerability assessments with OpenVAS
• Security standards checks with OpenSCAP
• Initial implementation ~ a day each
• No more freebies
Conclusion
• Earlier security testing
  – Less likely to be skipped
  – More likely to be remediated
• Open-source tools
• Other testing as foundation
• Gradually add more security tests
• Continuous Delivery and Cloud Computing give security testing opportunities
Questions?
Gene Gotimer
Email: gene.gotimer@coveros.com
Twitter: @CoverosGene

Better Security Testing: Using the Cloud and Continuous Delivery
