As the industry embraces a culture of automation and continuous delivery, the rate of change is faster than ever. Security testing traditionally happens just before deploying to production: can this scale when deployments happen more frequently? This talk will discuss how the same automation tooling that enables continuous change can be leveraged to enable continuous security too.

1. Continuous Security
in Pipelines
Foo Meden

4. 2008

5. 2015

6. Breaches caused by mistakes
2017 20192016 2018
21%14% 17%9%
Source: Verizon’s Data Breach Investigation Report (DBIR) 2016, 2017, 2018 and 2019.

7. Hello Equifax 👋
Source: https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html

8. Fast → Insecure?

9. Can be fast & secure
Go read this book!

10. 2019

11. Acceleration Tooling

12. Simple security tools

13. Continuous Security?
+

14. Case study

15. ConcourseCI
● “Continuous thing-doer”
● Externalize all state
● All tasks are docker containers

16. Concept

17. In detail
We’ll now see
● Snyk
● Gitleaks
● Spotbugs

18. Supply chain risks
● What is this package doing?
● Does it have known vulnerabilities?
● Has the package been tampered with?
● Do we trust the authors?
● Is the package available?

19. Snyk
● Scanner for vulnerable dependencies
● Started with npm, now multi-lang
● And Docker images support

20. Will it pipeline?
● `snyk test` exits with error on findings
● `--severity-threshold` can limit findings
● Get sauce, run scan, profit!

21. Red fatigue

22. Challenges (Java & React)

23. Challenges (Docker)
● Snyk needs a Docker daemon to scan
● Running Docker in Docker has a number of problems...

24. FindSecBugs
● Spotbugs plugin
● Detection of bugs related to security issues
● Bytecode analysis
● Pattern-based

25. Will it pipeline?
● `-exitcode` option exits with error on findings
● Can limit findings with `-onlyAnalyze` and `-bugCategories`
● Get jar, analyze, profit!

26. Challenges
● Need bytecode out of Docker image
○ Image filesystem available in Concourse
● “Missing classes for analysis” error
○ Optional dependencies, it’s ok.
● What’s SECSPRCSRFURM ?
○ References to docs

27. Credentials leak
Source: Verizon’s DBIR 2018

28. Gitleaks
“Gitleaks provides a way for you to find unencrypted secrets and other unwanted data types in
git source code repositories.” -- official README.md

29. Will it pipeline?
● exits with error when secrets found
● Can mark commits and/or patterns as safe via config file
● Scan repo history, find secrets, rotate, profit!

30. Challenges
● “Mark as safe”?
○ whitelist commits
○ -c: safe “up to a commit”
● Must re-add all default rules to config file
● Red fatigue: no incremental approach

31. Remediation challenges
● Credentials reuse
○ Across environments
○ Across apps/services
○ Across teams
● Re-leak rotated keys
○ Low-friction secrets management

32. Not only scanning
● Prevention: pre-commit, pre-push
○ Talisman
● Detection: in-repo
○ Gitleaks
● Assurance: beyond immediate scope
○ GitGuardian

33. Conclusions
● Introducing (some) security tooling in pipelines is easy
○ Automate repetitive checks
● Be mindful of red fatigue
○ Incremental approach
● Ensure adoption of tooling
○ Share, document, showcase

34. Foo Meden
Thank you