Downloaded 116 times
Uploaded bySuman Sourav
Implementing an Application Security Pipeline in Jenkins
The document outlines the implementation of an application security pipeline in Jenkins, emphasizing continuous integration and various security approaches. It discusses the importance of training, process compliance, and technology in developing secure software, referencing frameworks like BSIMM and OWASP SAMM. It highlights the need for security tools, secure coding practices, and integration of feedback mechanisms in the CI/CD process.
More Related Content
![[Azure Governance] Lesson 4 : Azure Policy](https://cdn.slidesharecdn.com/ss_thumbnails/azuregovernance-lesson4-azurepolicy-190519183014-thumbnail.jpg?width=640&height=640&fit=bounds)
![[ITAS.VN]CxSuite Enterprise Edition](https://cdn.slidesharecdn.com/ss_thumbnails/itascxsuiteenterpriseedition-120130231915-phpapp01-thumbnail.jpg?width=640&height=640&fit=bounds)
Similar to Implementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in Jenkins
- 2. Implementation an ApplicationSecurity Pipeline in Jenkins • Introduction • Continuous Integration • Application Security Pipelines • Approaches in Jenkins • Demo
- 3. About me Software SecurityProfessional having 10+ years of experience Specialize in Secure SDLC implementation Threat Modeling/Secure Code Review/Penetration Continuous Security Testing Secure Coding Trainer, SecurityQA Testing Trainer Speaker DevSecOps Singapore & Null Singapore What next for me ? IoT Security
- 4. Continuous Integration Master Branch1 Compile TestPublish Deploy Build GitHub Jenkins Dev Deploy Open Source Libraries
- 5. Application Security Pipeline DEVELOPMENTBUILD AND DEPLOY STAGINGREQUIREMENTS External Repositories Common Components DESIGN Repository SCM Tools Security Test Automation Threat Modeling SCA Tools/IDE Plugins VS/PT/IASTComponents Monitoring PRODUCTION Monitoring
- 6. What we need? • People Training Role • Process Compliance Certifications • Technology Security tools Dev tools
- 7. Education • Traditional Training •Shorter training duration • Modular • Hands-on • Challenges • Scoring
- 8. • Rugged Software “Rugged” describes software development organizations which have a culture of rapidly evolving their ability to create available, survivable, defensible, secure, and resilient software. • BSIMM The Building Security In Maturity Model (BSIMM, pronounced “bee simm”) is a study of existing software security initiatives. By quantifying the practices of many different organizations, we can describe the common ground shared by many as well as the variation that makes each unique. • OWASP SAMM Evaluate an organization’s existing software security practices Build a balanced software security assurance program in well-defined iterations Demonstrate concrete improvements to a security assurance program Define and measure security-related activities throughout an organization Software security centric process, standards & approaches
- 9. Choose the righttools IDE Plugins SAST/ Dependencies check • CI/CD Supports • Scalability • Scan time • Incremental Report • False Positives • Custom Rules Set • Language Supports • Plugins DAST • API Calls • Scalability • Scan Policies • Plugins Security Unit test Cases IAST • Less False Positives • Monitor Traffic • Along with QA testing • Immediate Feedback • Threat Modelling Secure Coding Training
- 10. Jenkins Application SecurityPipeline • Configuration as Code • Jenkins Plugin
- 11. Plugins Github Delivery Pipeline Build Pipeline OWASPDependency-Check Plugin HP Fortify Jenkins Plugin OWASP ZAP Plugin Sonatype CLM for CI plugin
- 12.
- 13. References Jenkins Continuousintegration cookbook-Alan Mark Berg https://www.ruggedsoftware.org https://www.bsimm.com https://www.owasp.org/index.php/OWASP_SAMM_Project http://www.opensamm.org/ https://wiki.jenkins-ci.org/display/JENKINS/Delivery+Pipeline+Plugin https://wiki.jenkins-ci.org/display/JENKINS/Build+Pipeline+Plugin https://wiki.jenkins-ci.org/display/JENKINS/Zapper+Plugin
- 14.