DevSecCon, profile picture
Uploaded byDevSecCon
PPTX, PDF98 views

DevSecCon Tel Aviv 2018 - Security Testing for Containerised Apps by Omer Levi

This document summarizes a presentation about security testing for containerized applications. It discusses performing static analysis on code, dependencies, and Docker images using open source tools like Bandit, Brakeman, Find Security Bugs, TSLint, OWASP Dependency Track, and Clair. It also covers dynamic analysis using passive and active scanning with OWASP Zap. The presentation demonstrates running these security tests on a sample Lolcode application and integrating the tests into a CI/CD pipeline using OWASP Glue. It provides resources for learning more about security testing of containerized apps.

Embed presentation

Downloaded 14 times
Join the conversation #DevSecCon Security Testing for Containerized Apps @omerlh @SolutoEng
http://lolcode.org/
- Helping people get the most out of their technology https://www.solutotlv.com/
You Can’t Do it Alone
Letting Go Responsibly AppSec @ Soluto: ● Threat Modeling ● Empowering ● Education ● Automation
Our Quest: Securing Containerized Apps
Code Dependencies Docker Image Layers of Containerized App
What kind of security tests? ● Static ● Dynamic ● Integrated (which will be ignored) By Using ONLY FOSS tools
Static Analysis
What? ● Scanning static assets (e.g. source code) ● Language aware ● Different Tools for different layer ● Point where is the issue Code Dependencies Docker Image
Code Layer ● Scan the code for vulnerabilities ● Different tools for different languages ● Bandit – Python ● Brakeman – Ruby on Rails ● Find Security Bug - Java ● TSLint - TypeScript ● OWASP Source Code Analyzers list Code Dependencies Docker Image
Example https://snyk.io/blog/node-js-timing-attack-ccc-ctf/
Dependencies Layer ● 3rd party code used by the app ● Usually installed by a package manager ● PyPi, Gem, NuGet, NPM ● Each dependency might include known vulnerability ● OWASP Top 10 A9 ● OWASP Dependency Track Code Dependencies Docker Image
https://snyk.io/stateofossecurity/
NPQ
Docker Image Layer ● Contains the “OS” ● 3rd party software installed ● App engine (NodeJS/.NET Core etc) ● Each one could contain known vulnerabilities ● Multiple open source solutions ● Clair, Anchore, OWASP Dependency Track Code Dependencies Docker Image
https://www.banyanops.com/pdf/BanyanOps-AnalyzingDockerHub-WhitePaper.pdf
Playing with Anchore-Engine
Dynamic Analysis
What? ● Scanning live app ● Language agnostic, protocol aware ● Only detect issues, not what cause to them ● Simple by using OWASP Zap ● Passive ● Active ● Leveraging Docker for local run Code Dependencies Docker Image
Passive Scan ● Proxy black box tests ● Scan HTTP requests/responses ● HTTP static analysis ● Looks for security issues ● Fast, not risky Code Dependencies Docker Image
Active Scan ● Discover all endpoint ● Craft malicious requests ● Test that the server can handle those request ● Slow, could cause damage Code Dependencies Docker Image
Bringing it All Together
Building our CI/CD Pipeline ❑ Break the build or it didn’t happen ❑ False positives ❑ Keep it DRY ❑ Easy
Let’s add some Glue The ”DevSecOps Tool”
Building our CI/CD Pipeline ✓ Break the build or it didn’t happen ✓ False positives ✓ Keep it DRY ✓ Easy
Image Certification Only images that passed all the tests should be used on production ● Build dependency ● Image labels ● Image signing ● Image policy
What we have @ Soluto? ● Static analysis ✓ Source code scan ❑ Dependencies scan (in progress) ❑ Image scan ● Dynamic analysis ✓ Passive ❑ Active (in progress)
Demo Time All the code is on GitHub
Testing LolCode App ● Static analysis? ✕ Nothing for source code ✕ No package manager (which is good?) ❑ Image scanning ● Dynamic analysis ✓ Passive ❑ Active
Let’s see it Live! Hope it will work … else I’ll show you slides with screenshots 
Wrapping Up
What we discussed ● Layers of Containerized Applications ● Kind of Tests & FOSS Tools ○ Static (OWASP Dependency Track) ○ Dynamic (OWASP Zap) ● Building the pipeline ○ OWASP Glue ○ Image Certification
Where Do I Start?
Our Quest: Securing Containerized Apps
Questions?
Resources • TechBeacon: Security Tests for Containarized Applications • Guide: Dynamic Security Testing with OWASP Zap • Post: Dynamic Security Testing Made Easy • Slides: Getting Started with OWASP Glue
Join the conversation #DevSecCon Thank You! @omerlh @SolutoEng

More Related Content

PDF
DevSecCon Tel Aviv 2018 - Value driven threat modeling by Avi Douglen
byDevSecCon
 
PPTX
DevSecCon Tel Aviv 2018 - Security learns to sprint by Tanya Janca
byDevSecCon
 
PDF
DevSecCon Singapore 2018 - Remove developers’ shameful secrets or simply rem...
byDevSecCon
 
PPTX
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
byDevSecCon
 
PPTX
DevSecCon Tel Aviv 2018 - Integrated Security Testing by Morgan Roman
byDevSecCon
 
PDF
In graph we trust: Microservices, GraphQL and security challenges
byMohammed A. Imran
 
PDF
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security Assurance
byAbdessamad TEMMAR
 
PPTX
DevSecCon London 2017: when good containers go bad by Tim Mackey
byDevSecCon
 
DevSecCon Tel Aviv 2018 - Value driven threat modeling by Avi Douglen
byDevSecCon
 
DevSecCon Tel Aviv 2018 - Security learns to sprint by Tanya Janca
byDevSecCon
 
DevSecCon Singapore 2018 - Remove developers’ shameful secrets or simply rem...
byDevSecCon
 
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
byDevSecCon
 
DevSecCon Tel Aviv 2018 - Integrated Security Testing by Morgan Roman
byDevSecCon
 
In graph we trust: Microservices, GraphQL and security challenges
byMohammed A. Imran
 
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security Assurance
byAbdessamad TEMMAR
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
byDevSecCon
 

What's hot

PPTX
Security Testing for Containerized Applications
bySoluto
 
PDF
DevSecOps Fundamentals and the Scars to Prove it.
byMatt Tesauro
 
PDF
DevSecCon London 2017: Shift happens ... by Colin Domoney
byDevSecCon
 
PDF
DevSecCon London 2017: Threat modeling in a CI environment by Steven Wierckx
byDevSecCon
 
PDF
NYIT DSC/ Spring 2021 - Introduction to DevOps (CI/CD)
byHui (Henry) Chen
 
KEY
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
byNick Galbreath
 
PPTX
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
byDevSecCon
 
PDF
Ast in CI/CD by Ofer Maor
byDevSecCon
 
PDF
DevSecCon London 2017: Hands-on secure software development from design to de...
byDevSecCon
 
PDF
DevSecCon London 2017: How far left do you want to go with security? by Javie...
byDevSecCon
 
PDF
Security as Code: A DevSecOps Approach
byVMware Tanzu
 
PDF
A Secure DevOps Journey
bySonatype
 
PDF
Continuous Security Testing - DevSecCon
byStephen de Vries
 
PDF
2019 DevSecOps Reference Architectures
bySonatype
 
PDF
Practical DevSecOps Course - Part 1
byMohammed A. Imran
 
PDF
App sec and quality london - may 2016 - v0.5
byDinis Cruz
 
PDF
[DevSecOps Live] DevSecOps: Challenges and Opportunities
byMohammed A. Imran
 
PPTX
DevSecCon Singapore 2018 - Insecurity in information technology by Tanya Janca
byDevSecCon
 
PDF
DevSecOps - The big picture
byDevSecOpsSg
 
PDF
Hacker Games & DevSecOps
bylokori
 
Security Testing for Containerized Applications
bySoluto
 
DevSecOps Fundamentals and the Scars to Prove it.
byMatt Tesauro
 
DevSecCon London 2017: Shift happens ... by Colin Domoney
byDevSecCon
 
DevSecCon London 2017: Threat modeling in a CI environment by Steven Wierckx
byDevSecCon
 
NYIT DSC/ Spring 2021 - Introduction to DevOps (CI/CD)
byHui (Henry) Chen
 
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
byNick Galbreath
 
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
byDevSecCon
 
Ast in CI/CD by Ofer Maor
byDevSecCon
 
DevSecCon London 2017: Hands-on secure software development from design to de...
byDevSecCon
 
DevSecCon London 2017: How far left do you want to go with security? by Javie...
byDevSecCon
 
Security as Code: A DevSecOps Approach
byVMware Tanzu
 
A Secure DevOps Journey
bySonatype
 
Continuous Security Testing - DevSecCon
byStephen de Vries
 
2019 DevSecOps Reference Architectures
bySonatype
 
Practical DevSecOps Course - Part 1
byMohammed A. Imran
 
App sec and quality london - may 2016 - v0.5
byDinis Cruz
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
byMohammed A. Imran
 
DevSecCon Singapore 2018 - Insecurity in information technology by Tanya Janca
byDevSecCon
 
DevSecOps - The big picture
byDevSecOpsSg
 
Hacker Games & DevSecOps
bylokori
 

Similar to DevSecCon Tel Aviv 2018 - Security Testing for Containerised Apps by Omer Levi

PDF
DCSF 19 Building Your Development Pipeline
byDocker, Inc.
 
PDF
Docker in Production: How RightScale Delivers Cloud Applications
byRightScale
 
PPTX
SATURN 2018 "Continuous Delivery with Containers" Extended 90 version
byDaniel Bryant
 
PPTX
O'Reilly 2016: "Continuous Delivery with Containers: The Trials and Tribulati...
byOpenCredo
 
PPTX
Continuous Delivery with Containers: The Good, the Bad, and the Ugly - Daniel...
byCodemotion
 
PPTX
O'Reilly/Nginx 2016: "Continuous Delivery with Containers: The Trials and Tri...
byDaniel Bryant
 
PPTX
vJUG 2017 "Continuous Delivery with Java and Docker: The Good, the Bad, and t...
byDaniel Bryant
 
PDF
Continuous Security Testing
byRay Lai
 
PDF
[Poland] SecOps live cooking with OWASP appsec tools
byOWASP EEE
 
PDF
Pragmatic Pipeline Security
byJames Wickett
 
PPTX
ContainerSched 2017 "Continuous Delivery with Containers: The Good, the Bad, ...
byDaniel Bryant
 
PDF
Python Web Conference 2022 - Why should devs care about container security.pdf
byEric Smalling
 
PDF
DevSecOps: essential tooling to enable continuous security 2019-09-16
byRich Mills
 
PPTX
Codemotion Rome 2018 "Continuous Delivery with Containers: The Good, the Bad ...
byDaniel Bryant
 
PDF
Why Should Developers Care About Container Security?
byAll Things Open
 
PDF
ATO 2022 - Why should devs care about container security.pdf
byEric Smalling
 
PDF
Container Stranger Danger - Why should devs care about container security
byEric Smalling
 
PPTX
Devoxx 2017 "Continuous Delivery with Containers: The Good, the Bad, and the ...
byDaniel Bryant
 
PDF
Why should developers care about container security?
byEric Smalling
 
PDF
Securing Your Deployment Pipeline With Docker
byContainer Solutions
 
DCSF 19 Building Your Development Pipeline
byDocker, Inc.
 
Docker in Production: How RightScale Delivers Cloud Applications
byRightScale
 
SATURN 2018 "Continuous Delivery with Containers" Extended 90 version
byDaniel Bryant
 
O'Reilly 2016: "Continuous Delivery with Containers: The Trials and Tribulati...
byOpenCredo
 
Continuous Delivery with Containers: The Good, the Bad, and the Ugly - Daniel...
byCodemotion
 
O'Reilly/Nginx 2016: "Continuous Delivery with Containers: The Trials and Tri...
byDaniel Bryant
 
vJUG 2017 "Continuous Delivery with Java and Docker: The Good, the Bad, and t...
byDaniel Bryant
 
Continuous Security Testing
byRay Lai
 
[Poland] SecOps live cooking with OWASP appsec tools
byOWASP EEE
 
Pragmatic Pipeline Security
byJames Wickett
 
ContainerSched 2017 "Continuous Delivery with Containers: The Good, the Bad, ...
byDaniel Bryant
 
Python Web Conference 2022 - Why should devs care about container security.pdf
byEric Smalling
 
DevSecOps: essential tooling to enable continuous security 2019-09-16
byRich Mills
 
Codemotion Rome 2018 "Continuous Delivery with Containers: The Good, the Bad ...
byDaniel Bryant
 
Why Should Developers Care About Container Security?
byAll Things Open
 
ATO 2022 - Why should devs care about container security.pdf
byEric Smalling
 
Container Stranger Danger - Why should devs care about container security
byEric Smalling
 
Devoxx 2017 "Continuous Delivery with Containers: The Good, the Bad, and the ...
byDaniel Bryant
 
Why should developers care about container security?
byEric Smalling
 
Securing Your Deployment Pipeline With Docker
byContainer Solutions
 

More from DevSecCon

PDF
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
byDevSecCon
 
PDF
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
byDevSecCon
 
PDF
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
byDevSecCon
 
PDF
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
byDevSecCon
 
PPTX
DevSecCon Seattle 2019: Containerizing IT Security Knowledge
byDevSecCon
 
PPTX
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
byDevSecCon
 
PPTX
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
byDevSecCon
 
PPTX
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
byDevSecCon
 
PDF
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
byDevSecCon
 
PPTX
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
byDevSecCon
 
PDF
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
byDevSecCon
 
PDF
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
byDevSecCon
 
PDF
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
byDevSecCon
 
PDF
DevSecCon Singapore 2019: Web Services aren’t as secure as we think
byDevSecCon
 
PDF
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
byDevSecCon
 
PDF
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
byDevSecCon
 
PDF
DevSecCon Singapore 2019: Preventative Security for Kubernetes
byDevSecCon
 
PPTX
DevSecCon London 2018: Is your supply chain your achille's heel
byDevSecCon
 
PPTX
DevSecCon London 2018: Get rid of these TLS certificates
byDevSecCon
 
PDF
DevSecCon London 2018: Open DevSecOps
byDevSecCon
 
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
byDevSecCon
 
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
byDevSecCon
 
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
byDevSecCon
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
byDevSecCon
 
DevSecCon Seattle 2019: Containerizing IT Security Knowledge
byDevSecCon
 
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
byDevSecCon
 
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
byDevSecCon
 
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
byDevSecCon
 
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
byDevSecCon
 
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
byDevSecCon
 
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
byDevSecCon
 
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
byDevSecCon
 
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
byDevSecCon
 
DevSecCon Singapore 2019: Web Services aren’t as secure as we think
byDevSecCon
 
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
byDevSecCon
 
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
byDevSecCon
 
DevSecCon Singapore 2019: Preventative Security for Kubernetes
byDevSecCon
 
DevSecCon London 2018: Is your supply chain your achille's heel
byDevSecCon
 
DevSecCon London 2018: Get rid of these TLS certificates
byDevSecCon
 
DevSecCon London 2018: Open DevSecOps
byDevSecCon
 

Recently uploaded

PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PDF
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
PPTX
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
PDF
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
PDF
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
PPTX
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
PPTX
Workflow and decision Automation with Flowable
bychakib ch
 
PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
PDF
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
PPTX
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
PDF
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
PDF
Towards a Vibrant AI Hardware Accelerator Ecosystem, invited talk at the 4th ...
byMichiaki Tatsubori
 
PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PDF
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
PDF
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
PDF
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
PDF
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
Workflow and decision Automation with Flowable
bychakib ch
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
Towards a Vibrant AI Hardware Accelerator Ecosystem, invited talk at the 4th ...
byMichiaki Tatsubori
 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 

DevSecCon Tel Aviv 2018 - Security Testing for Containerised Apps by Omer Levi

Editor's Notes

  • #2 My name is Omer, leading AppSec efforts at Soluto for the past 3 years Thank the organizers Who here is doing AppSec for her living? I’m also a coder, coding for the last 10 years Who here is willing to help me with code review?
  • #3 Who here is confidence enough in her review and think I can put this code in production? Lolcode is an esotirc languge, but I’m using it to explain a real pain we are facing at Soluto.
  • #4 How we help with technology
  • #5 This is a map of all the technologies we’re using, this is really wide stack. To me, reading a code in Go, elixir or F# is challenge like Lolcode – this is a code in a languge I am not familiar with, and it will take me some time to be able to read it. And this is a problem I’m facing as AppSec person, and I know from other company that our situation is not unique. Developers try to choose the best tool for the job, not what we the security teem know. And this is a challenge. We can try to increase the AppSec team but this is not scale, and not simple We can try to block the devs, and choose for them what to use – but we don’t have the right context for that
  • #6 We just need to let it go, we need to accept this situation and try to think how we can empower developers and let them choose whatever technology they want, without introducing new risks. And this is a great challenge I am facing, and I’m sure I’m not the only one. The question is how.
  • #10 Emphasis this is the plan we started with, and it’s WIP
  • #13 https://www.owasp.org/index.php/Source_Code_Analysis_Tools
  • #14 A real example of timing attack due to insecure equals Something easy to miss, but easy to spot using static analysis We had real issue at Soluto that caught by using TSLint 
  • #16 Show how many packages available Say something about the rise
  • #21 Specify that not use it for now
  • #28 Openapi/swagger