Continuous Security Testing
Ray Lai
Dec 7, 2016 (Version 0.2)
© 2016 by RayLai, Confidential and Proprietary
Synopsis
This session addresses the technology challenges of continuous security testing to “deliver securely,” and discusses best practices and tooling based on first-hand experience in both enterprise and startup environments.
The Problem
How to complete security testing whenever a build is initiated
Develop -> Security test -> Deploy
Impact
• US$10,000 / bug fixed
• US$4M data breach (2016)
• Damage to brand
Security Testing: Now and Then
Before/Now
People
• Professional/consultants
Technology
• Commercial tools
Process
• Central governance
• Testing before SW release
Desired State
People
• Engineering community
Technology
• Open source tools
• UI and API security testing
Process
• Self-serve
• Continuous: at build/deploy time
How
What is “Continuous Security Testing”?
Continuous Security Testing = New Tools?
Continuous Security Testing: Point of View
Input: app source code
Build pipeline: Automated Security Testing, Web App Vulnerability Scanning, Threat Modeling, Secure Build
Output: security metrics
Objectives
• Efficiency
• Feedback loop for developers
Stakeholders
• DevOps
• Developers
• Quality engineers
• Security
Activities
• Static code analysis
• Vuln scanning
• App assessment
• Pen test
• Risk assessment
• Compliance
• Operations review
• Defect reports
• Threat modeling
Challenges: false positives/noise, long build time
Continuous Security Testing: Paradigm Shift
Old
Testing approach
• Network vs app security
• Front-end vs backend; integrated test
Tools
• Enterprise (integrated), on-premise
Execution
• Testing separated from build pipeline
New
Testing approach
• Testing how apps and systems are connected
Tools
• Cloud-based, pay per use
• Single-purpose, open source
Execution
• DevOps: test in build phase
How to Deliver Securely?
Exercise 1
You have just completed functional and security testing for your flagship app and platform. However, a security researcher informs you that they can reset a user’s password via SMS and take over the user’s account.
Options
1. Extend test coverage (resources)
2. Enforce pen test before release (professionals)
3. Educate engineers (training)
What would you do differently to deliver securely?
How to Deliver Securely?
Exercise 2
A security researcher reports a Cross-site Scripting (XSS) issue in your portal, with XSS examples in existing static Web pages. Your dev team argues that XSS on static Web pages is not harmful, and that any fix will take them at least 1 month.
Options
1. Validate whether this is a fire drill (risk management, education)
2. Fix any XSS defect (resources)
3. Enforce pen test before release (professionals)
What would you do differently to deliver securely?
How to Deliver Securely?
Exercise 3
Amazon AWS notifies your security team that your standalone test VM (AMI) has been compromised. While your app team argues that it is an isolated instance, AWS finds traces that it was used to access other AMI instances without permission and that it also became a DDoS agent.
Options
1. Introduce security controls and security testing for cloud apps (technology, resources)
2. Enforce pen test before release (professionals)
3. Raise awareness (education)
What would you do differently to deliver securely?
How to Deliver Securely?
This is what I would do differently...

| Exercise | Recommendation (Past) | Continuous Security Testing |
|---|---|---|
| Exercise 1 (password reset) | Threat modeling; test for trust boundaries (connected security) | In the build pipeline, spin up an app instance to test the end-to-end flow. |
| Exercise 2 (XSS) | Resolve any XSS defects; raise awareness | Include UI testing for XSS in the automated test suite (build process). |
| Exercise 3 (compromised AMI) | Cloud security testing (production pen test); cloud security controls | In the build pipeline, spin up an AMI instance to test AWS security policies and controls. |
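The Exercise 2 recommendation above puts a UI test for XSS into the automated suite. The following is an added example of such a test, not code from the slides: a harmless marker containing HTML metacharacters is submitted to each page renderer, and the check passes only when the marker comes back HTML-encoded. The two renderers (`render_unsafe`, the defect, and `render_safe`, the fix) stand in for the portal’s templates and are assumptions.

```python
"""Automated UI check for reflected XSS (added example; renderers are assumptions)."""
import html
from typing import Callable, Dict, List

# Constructed marker: ordinary markup with a distinctive id, used only to see
# whether a page echoes input verbatim or HTML-encoded.
PROBE = '<b id="xss-probe">x</b>'


def render_unsafe(query: str) -> str:
    """Defective page: user input is interpolated straight into HTML."""
    return f"<p>Results for {query}</p>"


def render_safe(query: str) -> str:
    """Fixed page: user input is HTML-encoded before interpolation."""
    return f"<p>Results for {html.escape(query, quote=True)}</p>"


def reflects_unescaped(render: Callable[[str], str], probe: str = PROBE) -> bool:
    """True when the raw probe appears in the rendered page, i.e. an XSS defect."""
    return probe in render(probe)


def xss_findings(pages: Dict[str, Callable[[str], str]]) -> List[str]:
    """Names of pages that reflect input unencoded; an empty list means the suite passes."""
    return sorted(name for name, render in pages.items() if reflects_unescaped(render))


if __name__ == "__main__":
    # In a build this dict would map every user-input-bearing page to its renderer.
    print(xss_findings({"search": render_unsafe, "profile": render_safe}))
```

In a real pipeline the renderers would be replaced by HTTP requests against the temporary app container, with the same assertion on the response body; a non-empty finding list fails the build.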
Recommendation
• Continuous security testing is a journey (various maturity levels)
– Identify your low-hanging fruit and priorities
– Building community is an art (e.g. content, outcomes and appropriate engagement)
• Be open-minded about changes in execution approach
– DevOps -> build pipeline for security
– Gradual shift from commercial, integrated tools to open source tools
• Be prepared for the next big wave
– Emerging security challenges in IoT and blockchain technologies
Appendix: Best Practices
What to Prioritize
https://techcrunch.com/2015/01/22/security-for-startups-in-10-steps/
Prioritize
• Security culture
• Secure platform
• Your website is the front door
• Secure coding
• Security controls
• Plan for failure
• Physical security
• Be open with the public
• Email with multi-factor auth
• Threats
Which Tools to Use
Categories
• Static Code Analysis / Vulnerability Scanners
• Cloud / Infrastructure Security
• Data Security
• Connected Systems
Tools
• Brakeman
• WhatWeb Web Scanner
• w3af
• OSSEC
• Arachni
• FindBugs
• Flawfinder
• PMD
What to Test

| Major Security Vulnerabilities | Static Code Analysis | Web App Scan | Pen Test |
|---|---|---|---|
| OWASP Top 10 | Partial | Partial | Partial |
| Heartbleed-type SSL issues | No | No | Partial |
| DoS, e.g. due to memory leakage | Partial (memory leakage) | Partial | Partial |
| DDoS, e.g. bot attack | No | No | Partial |
| Cloud hosting security issues | No | Limited | Yes |
| NoSQL database security issues | No | No | Partial |
| IoT security issues | No | Varies | Varies |
| Blockchain security issues | No | No | Varies |
What to Test (cont’d)
Coverage of the OWASP Top 10 across Static Code Analysis, Web App Scan and Pen Test:
A1 Injection: X X X
A2 Broken Auth and Session Management: X X
A3 Cross-site Scripting (XSS): Partial X X
A4 Insecure Direct Object References: Partial X
A5 Security Misconfiguration: X X
A6 Sensitive Data Exposure: Partial X
A7 Missing Function Level Access Control: X Partial
A8 Cross-Site Request Forgery (CSRF): X X
A9 Using Components with Known Vulnerabilities: Partial
A10 Unvalidated Redirects and Forwards: Partial X
How to Execute (Build Pipeline for Security)
Before: separate, serial events
• Web App Scan
• Security Assessment
• Penetration Test
• Deploy to Production
New: continuous integration process to create temporary containers for security testing
• Build Pipeline
• Runtime Container
• Security Test Client (Web App Scan)
• Deploy to Production
Security Build Pipeline (Example)
Components: Jenkins Server; Docker Swarm running App Containers; Security Scanner (Docker); Shared Data Container / Data Volume (apps and data)
Pre-requisites
• Apps deployed in Docker containers
• App data (synthetic or scrubbed production data) in shared data containers
• Parallelize testing tasks in Jenkins
Jenkins Setup
• Create Docker swarm (apps and data)
• Launch Docker swarm
• Create security test client (security scanner)
• Launch security test client
• Post test results in shared data container or data volume
• Shut down all Docker containers
Tools: Gauntlt, ClamAV, Brakeman, OWASP ZAP
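The Jenkins setup steps above read as one procedure: bring up the app containers and the shared data volume, launch the scanner against the app, post the results, and shut everything down. The following is an added Python orchestrator for that sequence, not code from the slides or from any of the tools named. Its one design point is that teardown sits in a `finally` block, so a crashed or failing scanner never leaves test containers running, and a gate over the scanner’s findings decides whether the build passes. The `run` callable is injected: `docker_runner` executes real `docker` commands, `RecordingRunner` dry-runs offline. Image names, the scanner’s command line, the findings format (a JSON list of `{"risk": ..., "name": ...}`) and the gate thresholds are assumptions.

```python
"""Security build pipeline orchestrator (added example; images, scanner CLI,
findings format and gate thresholds are assumptions, not the slides' own)."""
import json
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

Runner = Callable[[List[str]], str]   # executes one command, returns its stdout

# Assumed gate: fail the build when findings at a level exceed the limit.
SEVERITY_GATE = {"High": 0, "Medium": 5}


def docker_runner(cmd: List[str]) -> str:
    """Real runner: execute a docker command; raises CalledProcessError on failure."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


class RecordingRunner:
    """Dry-run runner: records commands, returns canned stdout, optionally fails."""

    def __init__(self, outputs: Optional[Dict[str, str]] = None,
                 fail_on: Optional[str] = None):
        self.commands: List[List[str]] = []
        self.outputs = outputs or {}      # command-line prefix -> stdout to return
        self.fail_on = fail_on            # substring that makes a command fail

    def __call__(self, cmd: List[str]) -> str:
        self.commands.append(cmd)
        line = " ".join(cmd)
        if self.fail_on and self.fail_on in line:
            raise RuntimeError("command failed: " + line)
        for prefix, out in self.outputs.items():
            if line.startswith(prefix):
                return out
        return ""


def gate(findings: List[dict]) -> Tuple[bool, Dict[str, int]]:
    """Count findings per risk level and decide whether the build passes."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["risk"]] = counts.get(f["risk"], 0) + 1
    passed = all(counts.get(level, 0) <= limit for level, limit in SEVERITY_GATE.items())
    return passed, counts


def _cleanup(run: Runner, cmd: List[str]) -> None:
    """Best-effort teardown step; never masks the pipeline's own error."""
    try:
        run(cmd)
    except Exception:
        pass


def run_security_pipeline(run: Runner, build_id: str, app_image: str,
                          scanner_image: str) -> dict:
    """One pipeline execution; names derive from build_id so runs can be parallel."""
    net, vol = f"secnet-{build_id}", f"secdata-{build_id}"
    app, scanner = f"app-{build_id}", f"scanner-{build_id}"
    try:
        run(["docker", "network", "create", net])
        run(["docker", "volume", "create", vol])                 # shared data volume
        run(["docker", "run", "-d", "--name", app, "--network", net,
             "-v", f"{vol}:/data", app_image])                   # app container
        # Assumed scanner contract: writes its report to the shared volume and
        # prints a JSON list of findings to stdout.
        raw = run(["docker", "run", "--rm", "--name", scanner, "--network", net,
                   "-v", f"{vol}:/results", scanner_image,
                   "scan", f"http://{app}:8080", "--out", "/results/findings.json"])
        findings = json.loads(raw) if raw.strip() else []
        passed, counts = gate(findings)
        return {"passed": passed, "counts": counts, "results_volume": vol}
    finally:
        # Shut down all containers whatever happened; results stay on the volume.
        _cleanup(run, ["docker", "rm", "-f", app])
        _cleanup(run, ["docker", "network", "rm", net])


if __name__ == "__main__":
    # Dry run with constructed scanner output; no docker daemon needed.
    demo = RecordingRunner(outputs={
        "docker run --rm --name scanner-42": json.dumps([{"risk": "High", "name": "reflected XSS"}])})
    print(run_security_pipeline(demo, "42", "portal:ci", "zap:ci"))
```

In Jenkins each call to `run_security_pipeline` would be one parallel stage with its own `build_id`, which is why every container, network and volume name carries it.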
What to Look For: Web App Security Testing
Traditional Approach
Session Management
• HttpOnly and Secure flags (cookies)
UI and App
• XSS, CSRF
Data
• Injection vulnerabilities
What’s New
API
• API token robustness; replay (playback) and man-in-the-middle attacks
Data theft
• Data privacy issues (in transit or at rest)
NoSQL database
• Access control issues
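The session-management item above (HttpOnly and Secure flags on cookies) is one of the checks a test client can run on every build. The following is an added example, not code from the slides: it parses captured response headers, reports each missing flag, rates session-like cookies High and the rest Low, and rates any cookie set over plain HTTP High because it is exposed in transit. The sample headers and the cookie-name heuristic are constructed assumptions.

```python
"""Cookie flag check over captured HTTP response headers (added example;
sample headers and the name heuristic are constructed assumptions)."""
from typing import Dict, List, Tuple

# Assumed heuristic: cookie names that usually carry a session or API token.
SESSION_HINTS = ("session", "sess", "token", "auth", "sid")

# Constructed response headers, as an integration test or scanner would capture them.
SAMPLE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Content-Type: text/html; charset=utf-8",
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly",                        # no Secure
    "Set-Cookie: theme=dark; Path=/",                                          # no flags
    "Set-Cookie: auth_token=xyz; Path=/; Secure; HttpOnly; SameSite=Strict",  # both flags
]


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'name=val; Attr; Attr=val' into (name, {attr_lower: attr_value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # attribute names are case-insensitive
    return name, attrs


def check_cookies(headers: List[str], scheme: str = "https") -> List[dict]:
    """Return one finding per missing flag for every Set-Cookie header."""
    findings = []
    for line in headers:
        header, _, value = line.partition(":")
        if header.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        session_like = any(hint in name.lower() for hint in SESSION_HINTS)
        risk = "High" if session_like else "Low"
        if "httponly" not in attrs:
            findings.append({"cookie": name, "issue": "missing HttpOnly", "risk": risk})
        if "secure" not in attrs:
            findings.append({"cookie": name, "issue": "missing Secure", "risk": risk})
        if scheme != "https":
            # A cookie set on a plain-HTTP response is readable in transit regardless of flags.
            findings.append({"cookie": name, "issue": "set over plain HTTP", "risk": "High"})
    return findings


if __name__ == "__main__":
    for f in check_cookies(SAMPLE_HEADERS):
        print(f"{f['risk']:5} {f['cookie']}: {f['issue']}")
```

The finding dicts use the same `risk` field as a scanner summary would, so they can feed the same build gate as the scanner’s own results.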
What to Look For: Platform and Cloud
Traditional Approach
Platform Infrastructure
• Network security, e.g. port scan, misconfiguration
• Default passwords and settings
Identity management
• SSO; access control
Compliance
• Security certification, e.g. PCI
What’s New
Platform Stack
• Timely patches
• Core security, e.g. Heartbleed bug
• DDoS
Data security
• Storage security, e.g. S3
Compliance
• Public cloud (e.g. AWS) security policies and controls
How to Measure Success
Internal Metrics
• Defect density. Example: a financial management app has a defect density of 15.23 (5M LOC)
• Threat model. Example: 25 attack vectors
• Custom risk scores. Example: biz risks: 5.2; tech risks: 7.9 (tech risks reflect the number of total vulnerabilities from scanning/testing)
Industry (for benchmarking)
• OWASP Top 10
• WhiteHat WSI Security Index
• Cenzic HARM Scores
• HP Fortify Scores
How Do I Get Trained
Traditional Channels
Security Certification
• CEH, CISSP, etc.
Conferences
• RSA, OWASP AppSec, BlackHat, DEFCON, etc.
Product training
• E.g. Fortify
What’s New
Online Resources for the Impatient
• YouTube
• Udemy, Coursera, etc.
Community
• Meetups or user groups, e.g. OWASP
Generating a custom Ruby SDK for your web service or Rails API using Smithy
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 

Continuous Security Testing

1. Continuous Security Testing
© 2016 by RayLai, Confidential and Proprietary
Ray Lai, Dec 7, 2016 (Version 0.2)

2. Synopsis
This session addresses the technology challenges of continuous security testing to “deliver securely,” and discusses best practices and tooling based on first-hand experience in both enterprise and startup environments.

3. The Problem
How to complete security testing whenever a build is initiated: Develop -> Security test -> Deploy
Impact
• US$10,000 / bug fixed
• US$4M data breach (2016)
• Damage to brand

4. Security Testing: Now and Then
Before/Now
• People: Professional/consultants
• Technology: Commercial tools
• Process: Central governance; testing before SW release
Desired State
• People: Engineering community
• Technology: Open source tools; UI and API security testing
• Process: Self-serve; continuous, at build/deploy time

5. How

6. What is “Continuous Security Testing”?
Continuous Security Testing = New Tools?

7. Continuous Security Testing: Point of View
Build pipeline: Input (App source codes) -> Output (Secure build), with Security Metrics, Automated Security Testing, Web App Vulnerability Scanning and Threat Modeling in between
Objectives
• Efficiency
• Feedback loop for developers
Stakeholders
• DevOps
• Developers
• Quality engineers
• Security
Security testing activities
• Static code analysis
• Vuln scanning
• App assessment
• Pen test
• Risk assessment
• Compliance
• Operations review
• Defect reports
• Threat modeling
Challenges: false positives/noise, long build time

8. Continuous Security Testing: Paradigm Shift
Old
• Testing approach: Network vs app security; front-end vs backend; integrated test
• Tools: Enterprise (integrated), on-premise
• Execution: Testing separated from build pipeline
New
• Testing approach: Testing how apps and systems are connected
• Tools: Cloud-based, pay per use; single-purpose, open source
• Execution: DevOps: test in build phase
9. How to Deliver Securely? Exercise 1
You have just completed functional and security testing for your flagship app and platform. However, a security researcher informs you that they can reset a user’s password via SMS and take over the user’s account.
Options
1. Extend test coverage (resources)
2. Enforce pen test before release (professionals)
3. Educate engineers (training)
What would you do differently to deliver securely?

10. How to Deliver Securely? Exercise 2
A security researcher reports a Cross-site Scripting (XSS) issue in your portal, with XSS examples in existing static Web pages. Your dev team argues that XSS on static Web pages is not harmful, and that any fix will take them at least 1 month.
Options
1. Validate whether this is a fire drill (risk management, education)
2. Fix any XSS defect (resources)
3. Enforce pen test before release (professionals)
What would you do differently to deliver securely?

11. How to Deliver Securely? Exercise 3
Amazon AWS notifies your security team that your standalone test VM (AMI) has been compromised. While your app team argues that it is an isolated instance, AWS finds traces that it was used to access other AMI instances without permission and that it also became a DDoS agent.
Options
1. Introduce security controls and security testing for cloud apps (technology, resources)
2. Enforce pen test before release (professionals)
3. Raise awareness (education)
What would you do differently to deliver securely?

12. How to Deliver Securely? Recommendation
Exercise 1 (password reset)
• Past: Threat modeling; test for trusted boundaries (connected security)
• Continuous security testing: In the build pipeline, spin up an app instance to test the end-to-end flow
Exercise 2 (XSS)
• Past: Resolve any XSS defects; raise awareness
• Continuous security testing: Include UI testing for XSS in the automated test suite (build process)
Exercise 3 (compromised AMI)
• Past: Cloud security testing – production pen test; cloud security controls
• Continuous security testing: In the build pipeline, spin up an AMI instance to test AWS security policies and controls
This is what I would do differently...

13. Recommendation
• Continuous security testing is a journey (various maturity levels)
– Identify your low-hanging fruit and priorities
– Building a community is an art (e.g. contents, outcome and appropriate engagement)
• Be open-minded about changes in execution approach
– DevOps -> build pipeline for security
– Gradual shift from commercial, integrated tools to open source tools
• Be prepared for the next big wave
– Emerging security challenges in IoT and blockchain technologies
14. Appendix: Best Practices

15. What to Prioritize
https://techcrunch.com/2015/01/22/security-for-startups-in-10-steps/
Prioritize (against threats)
• Security culture
• Secure platform
• Your Website is the front door
• Secure coding
• Security controls
• Plan for failure
• Physical security
• Be open with the public
• Email with multi-factor auth

16. Which Tools to Use
• Static Code Analysis / Vulnerability Scanners: Brakeman, FindBugs, FlawFinder, PMD
• Web Scanner: WhatWeb, w3af, Arachni
• Cloud / Infrastructure Security: OSSEC
• Data Security
• Connected Systems

17. What to Test
Coverage of major security vulnerabilities by Static Code Analysis / Web App Scan / Pen Test:
• OWASP Top 10: Partial / Partial / Partial
• HeartBleed-type SSL issues: No / No / Partial
• DoS, e.g. due to memory leakage: Partial (memory leakage) / Partial / Partial
• DDoS, e.g. bot attack: No / No / Partial
• Cloud hosting security issues: No / Limited / Yes
• NoSQL database security issues: No / No / Partial
• IoT security issues: No / Varies / Varies
• Blockchain security issues: No / No / Varies

18. What to Test (cont’d)
OWASP Top 10 coverage marks (columns: Static Code Analysis, Web App Scan, Pen Test), as marked on the slide:
• A1 Injection: X X X
• A2 Broken Authentication and Session Management: X X
• A3 Cross-site Scripting (XSS): Partial X X
• A4 Insecure Direct Object References: Partial X
• A5 Security Misconfiguration: X X
• A6 Sensitive Data Exposure: Partial X
• A7 Missing Function Level Access Control: X Partial
• A8 Cross-Site Request Forgery (CSRF): X X
• A9 Using Components with Known Vulnerabilities: Partial
• A10 Unvalidated Redirects and Forwards: Partial X

19. How to Execute (Build Pipeline for Security)
Before (separate, serial events): Web App Scan -> Security Assessment -> Penetration Test -> Deploy to Production
New (continuous integration process that creates temporary containers for security testing): Build Pipeline -> Runtime Container -> Security Test Client (Web App Scan) -> Deploy to Production
20. Security Build Pipeline (Example)
Diagram: Jenkins Server -> Docker Swarm (App Containers) and Security Scanner (Docker), both attached to a Shared Data Container / Data Volume (apps data)
Pre-requisites
• Apps deployed in docker containers
• App data (synthetic or scrubbed production data) in shared data containers
• Parallelize testing tasks in Jenkins
Jenkins Setup
• Create docker swarm (apps and data)
• Launch docker swarm
• Create security test client (security scanner)
• Launch security test client
• Post test results in shared data container or data volume
• Shut down all docker containers
Security scanner examples: Gauntlt, ClamAV, Brakeman, OWASP ZAP
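The six Jenkins Setup steps above as a stage a Jenkins job can call, written here as an added example rather than code from the slides. Assumptions: a per-build docker network stands in for the swarm, the app listens on port 8080, and the OWASP ZAP baseline image and flags (owasp/zap2docker-stable, zap-baseline.py -t/-J) are as documented upstream; the runner is injectable so the tear-down behaviour can be verified without docker.

```python
"""Build-time security test stage: the six "Jenkins Setup" steps as one function."""
import os
import subprocess
from typing import Callable, List

Runner = Callable[[List[str]], None]


def shell_runner(cmd: List[str]) -> None:
    """Run one docker CLI command; a non-zero exit (ZAP with findings) fails the build."""
    subprocess.run(cmd, check=True)


def security_test_stage(build_id: str, app_image: str, data_image: str,
                        run: Runner = shell_runner) -> List[List[str]]:
    """Spin up app + data containers, scan, collect results, tear down.
    Returns every command issued, so a recording runner can verify the flow."""
    net = f"sec-{build_id}"  # per-build network: parallel Jenkins jobs stay isolated
    app, data, results = f"app-{net}", f"data-{net}", f"results-{net}"
    issued: List[List[str]] = []

    def do(cmd: List[str]) -> None:
        issued.append(cmd)
        run(cmd)

    try:
        # Steps 1-2: create and launch the app and data containers
        do(["docker", "network", "create", net])
        do(["docker", "volume", "create", results])
        do(["docker", "run", "-d", "--name", data, "--network", net, data_image])
        do(["docker", "run", "-d", "--name", app, "--network", net,
            "--volumes-from", data, app_image])
        # Steps 3-4: create and launch the security test client. Assumptions:
        # ZAP baseline image/flags as documented upstream, app listens on 8080,
        # /zap/wrk (ZAP's working dir) is backed by the shared results volume.
        do(["docker", "run", "--rm", "--network", net,
            "-v", f"{results}:/zap/wrk", "owasp/zap2docker-stable",
            "zap-baseline.py", "-t", f"http://{app}:8080", "-J", "report.json"])
    finally:
        # Step 5: copy the report out of the shared volume for Jenkins to
        # archive; this runs even when the scan step has failed the build.
        do(["docker", "run", "--rm", "-v", f"{results}:/r",
            "-v", f"{os.getcwd()}:/out", "alpine", "cp", "/r/report.json", "/out/"])
        # Step 6: shut down all containers and the per-build resources
        for name in (app, data):
            do(["docker", "rm", "-f", name])
        do(["docker", "volume", "rm", results])
        do(["docker", "network", "rm", net])
    return issued
```

Because the scan runs with `check=True`, findings fail the build, and the `finally` block guarantees the containers are still shut down in that case.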
21. What to Look For: Web App Security Testing
Traditional Approach
• Session Management: HTTPOnly and SECURE flags (cookies)
• UI and App: XSS, CSRF
• Data: Injection vulnerabilities
What’s New
• API: API token robustness; playback and Man-in-the-middle attacks
• Data theft: Data privacy issues (in transit or at rest)
• NoSQL database: Access control issues
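A build-time check for the session management item above (HttpOnly and Secure cookie flags), added here as an example and not part of the slides; it goes slightly beyond the slide by also checking SameSite. The sample response headers are constructed, and the findings format is an assumption.

```python
"""Check Set-Cookie headers for the flags a session cookie should carry."""
from typing import Dict, List, Tuple

# Constructed sample response: a well-protected session cookie and an unsafe one
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("Set-Cookie", "remember_me=xyz; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT"),
]


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie value into (cookie name, {ATTR: value}). Attribute
    names are case-insensitive (RFC 6265), so they are upper-cased for lookup."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().upper()] = val.strip()
    return name, attrs


def check_cookie_flags(headers: List[Tuple[str, str]]) -> List[str]:
    """Return one finding per missing protection on every Set-Cookie header.
    Secure keeps the cookie off plaintext HTTP, HttpOnly keeps it away from
    script (limits XSS impact), SameSite is the newer CSRF mitigation."""
    findings: List[str] = []
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(hvalue)
        if "SECURE" not in attrs:
            findings.append(f"{name}: missing Secure flag")
        if "HTTPONLY" not in attrs:
            findings.append(f"{name}: missing HttpOnly flag")
        if attrs.get("SAMESITE", "").lower() not in ("lax", "strict"):
            findings.append(f"{name}: SameSite not Lax/Strict")
    return findings


if __name__ == "__main__":
    # In the build pipeline, a non-empty findings list would fail the stage
    for finding in check_cookie_flags(SAMPLE_HEADERS):
        print("FAIL", finding)
```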
22. What to Look For: Platform and Cloud
Traditional Approach
• Platform Infrastructure: Network security, e.g. port scan, misconfiguration; default passwords and settings
• Identity management: SSO; access control
• Compliance: Security certification, e.g. PCI
What’s New
• Platform Stack: Timely patches; core security, e.g. Heartbleed bug; DDoS
• Data security: Storage security, e.g. S3
• Compliance: Public cloud (e.g. AWS) security policies and controls

23. How to Measure Success
Metrics
• Defect Density
• Threat Model
• Custom Risk Scores
• OWASP Top 10
Industry example (for benchmarking)
• WhiteHat WSI Security Index
• Cenzic HARM Scores
• HP Fortify Scores
Internal metrics (example)
• Financial management app has a defect density of 15.23 (5M LOC)
• 25 attack vectors
• Biz risks: 5.2; Tech risks: 7.9 (tech risks reflect the number of total vulnerabilities from scanning/testing)

24. How Do I Get Trained
Traditional Channels
• Security Certification: CEH, CISSP, etc.
• Conferences: RSA, OWASP AppSec, BlackHat, DEFCON, etc.
• Product training: e.g. Fortify
What’s New
• Online Resources for the Impatient: YouTube; Udemy, Coursera, etc.
• Community: Meetups or user groups, e.g. OWASP