JM
Uploaded byJérémy Matos
PDF, PPTX316 views

Including security in devops

This document discusses including security in DevOps initiatives. It recommends integrating security tools and practices into the software development lifecycle (SDLC) to build security in from the start. This includes running automated vulnerability scanning tools like ZAP and sqlmap in CI/CD pipelines. It also recommends code reviews, security testing, environment hardening, and keeping dependencies up-to-date. The goal is to shift security left and automate security practices to continuously test and deploy more secure software.

Embed presentation

Download as PDF, PPTX
Including security in devops DevOpsCH 21/01/2016 – Jérémy MATOS
whois securingapps Developer background Spent last 10 years working between Geneva and Lausanne implementing and deploying security products and solutions Focus on mobile since 2010 Now software security consultant at my own company http://www.securingapps.com Provide services to build security in software Mobile Web Cloud Internet Of Things https://twitter.com/securingapps
Introduction Security is often out of scope in the DevOps initiatives Historically security is in the hands of the operations Emphasis on network infrastructure Keep the bad guy out Firewall (DMZ, vlans), Reverse proxy (WAF), Intrusion Detection System (IDS), etc… Fine tuning OS/database configurations If bad guy can still enter, reduce impact Disabling features, patching, access right policies, audit logging, encryption, etc… Application security not always addressed in the SDLC
Security strategy in the organisation Chief Information Security Officer (CISO) often Has no practical experience in dev, nor control on the dev team Considers software as a black box Can only recommend to comply with generic safe coding guidelines Buys stuff for sysadmins and asks them to fill the gaps Those extra security integration steps Slow down deployment Cause bugs only in production because of stricter config Lead to issues difficult to fix by sysadmins only Business often pushes to get lowest acceptable security level: Demonstrate the organisation somehow cares about security in case things turn bad
Building security in OWASP Software Assurance Security Model REQUIREMENTS AND USE CASES ARCHITECTURE AND DESIGN CODE TESTS AND TEST RESULTS OPERATIONS / SERVICE DELIVERY Vulnerability Management Environment Hardening Operational Enablement Security Requirements Security Standards & Guidelines Secure Architecture Attack Models & Threat Assessment Penetration Testing Code Review Security Testing Architecture & Design Analysis
Penetration testing: automated tools Pen testers first rely on automated tools to have an idea where to look at Script kiddies only rely on those free tools Well, run those tools in the continuous integration loop ! e.g. ZAP : Vulnerability finder for web applications Sqlmap : SQL injection detection Get rather good coverage on basic web attacks Pentesters will be paid to find higher value issues Script kiddies will problably give up and switch to another target You won’t get hacked because of a basic mistake
Penetration testing: OWASP ZAP Java GUI tool Can be instrumented using Java, e.g. Jenkins Plugin Automatically crawls a webapp and test common vulnerabilities Scan time may vary from seconds to hours There are false positives ! Yellow (and even orange) findings are not really significant
Penetration testing: sqlmap Great python CLI tool Automatically test very complex SQL attacks Detects database type and adapt injections Expects a url with parameters Really useful to validate the findings of ZAP concerning SQL
Penetration testing: challenges Lots of findings to manage Not anymore a point in time assessment with few points to address Reports must be processed automatically 1 issue = 1 entry in bug tracking does not scale (false positives…) Issues must have a good identifier to be tracked over time Do not switch to the least effort mode Application security errors (e.g. XSS, SQLi) must be fixed in code Do not rely on a workaround in the server config Write a unit test Test application in both environments Standalone to discover as many errors as possible Hardened environment to ensure countermeasures are effective Review application & environment logs to check alerts are usable
Code review Static Appliction Security Testing (SAST): Scan source code to look for dangerous constructions Integration is generally straightforward as pure dev question Most solutions, and particularly free ones, are better at identifying quality issues than real security problems Generally poor results on dynamic languages (e.g. javascript, PHP…) Sonar feedback is still useful Same challenges than automated pentesting (DAST) Many issues to address Customizing rules is key to reduce false positive rate Security rules need to be updated regurlarly to keep up with attacks and new frameworks/libraries New rules => new issues, but on old code
Security testing If you have implemetend or integrated security features, they should be automatically tested Use case to check legitimate logic/data is indeed accepted Abuse case to confirm invalid logic/data is refused Whenever possible, consider writing unit tests If impossible, setup an integration test Examples of possible unit tests for a JWT authentication Change any field of a valid token and expect a signature error Remove signature from JSON payload and expect a signature error Move time in past or future and check behavior for Not before, Expiration time and Issued at fields A vulnerability is fixed with a unit or integration test proving it
Deployment Vulnerability management For your infrastructure: vulnerability scanner Nessus Home free, but not for commercial usage For your software: keep dependencies up to date OWASP dependency check Be careful with javascript hosted on CDN Subresource Integrity recently introduced by W3C can help Your automated tests should enable you to update 3rd party code transparently Environment hardening Great guide (in French) from ANSSI to secure GNU Linux Include those recommandations in your Docker/VM images
Conclusion Security is both a matter of dev and ops Security features are features and hence should be automatically tested Free and automated application security tools are available: why not include them in the continuous deployment pipeline ? Yet continuous integration tools are not particularly secure Continous Intrusion: Why CI tools are an attacker’s best friends Watch out your deployment Pay great attention if accessible from outside your LAN
Thank you ! Any question contact@securingapps.com

More Related Content

PDF
dotSecurity2017
byZane Lackey
 
PPTX
How to Choose the Right Security Training for You
byCigital
 
PPTX
6 Most Common Threat Modeling Misconceptions
byCigital
 
PDF
Building Security Controls around Attack Models
bySeniorStoryteller
 
PPT
Measuring the Actual Security that Vendors Provide to Customers
byAnthony Arrott
 
PPTX
Security engineering 101 when good design & security work together
byWendy Knox Everette
 
PPTX
Application Security Webcast
byVlad Styran
 
PPTX
Testing Principles
byRisma Rustiyan R
 
dotSecurity2017
byZane Lackey
 
How to Choose the Right Security Training for You
byCigital
 
6 Most Common Threat Modeling Misconceptions
byCigital
 
Building Security Controls around Attack Models
bySeniorStoryteller
 
Measuring the Actual Security that Vendors Provide to Customers
byAnthony Arrott
 
Security engineering 101 when good design & security work together
byWendy Knox Everette
 
Application Security Webcast
byVlad Styran
 
Testing Principles
byRisma Rustiyan R
 

What's hot

PPT
Survey Presentation About Application Security
byNicholas Davis
 
PDF
Avoiding the security brick
byEqual Experts
 
PPTX
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
byAdrian Sanabria
 
PDF
Vulnerability Management: How to Think Like a Hacker to Reduce Risk
byBeyondTrust
 
PPTX
Effective Vulnerability Management
byVicky Ames
 
PPT
Running Java safely
byJane Prusakova
 
PPTX
The Journey to DevSecOps
bySeniorStoryteller
 
PDF
Implementing Vulnerability Management
byArgyle Executive Forum
 
PDF
10 Steps to Building an Effective Vulnerability Management Program
byBeyondTrust
 
PPTX
Assess all the things
byJerod Brennen
 
PDF
Analyzing the Effectivess of Web Application Firewalls
byLarry Suto
 
PDF
Get Your Board to Say "Yes" to a BSIMM Assessment
byCigital
 
PDF
OSB130 Patch Management Best Practices
byIvanti
 
PPTX
2016 virus bulletin
byAdrian Sanabria
 
PPTX
Web Application Vulnerability Management
byjpubal
 
PDF
Patch and Vulnerability Management
byMarcelo Martins
 
PPTX
Secure Software Development Lifecycle
by1&1
 
PPTX
Introduction to security testing
byNagasahas DS
 
PPTX
Automating Web Applications Security Assessments Through Scanners
bynfteodoro
 
PPTX
Secure develpment 2014
byAriel Evans
 
Survey Presentation About Application Security
byNicholas Davis
 
Avoiding the security brick
byEqual Experts
 
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
byAdrian Sanabria
 
Vulnerability Management: How to Think Like a Hacker to Reduce Risk
byBeyondTrust
 
Effective Vulnerability Management
byVicky Ames
 
Running Java safely
byJane Prusakova
 
The Journey to DevSecOps
bySeniorStoryteller
 
Implementing Vulnerability Management
byArgyle Executive Forum
 
10 Steps to Building an Effective Vulnerability Management Program
byBeyondTrust
 
Assess all the things
byJerod Brennen
 
Analyzing the Effectivess of Web Application Firewalls
byLarry Suto
 
Get Your Board to Say "Yes" to a BSIMM Assessment
byCigital
 
OSB130 Patch Management Best Practices
byIvanti
 
2016 virus bulletin
byAdrian Sanabria
 
Web Application Vulnerability Management
byjpubal
 
Patch and Vulnerability Management
byMarcelo Martins
 
Secure Software Development Lifecycle
by1&1
 
Introduction to security testing
byNagasahas DS
 
Automating Web Applications Security Assessments Through Scanners
bynfteodoro
 
Secure develpment 2014
byAriel Evans
 

Similar to Including security in devops

PDF
AppSec in an Agile World
byDavid Lindner
 
PDF
DevSecOps: essential tooling to enable continuous security 2019-09-16
byRich Mills
 
PDF
AppSec How-To: Achieving Security in DevOps
byCheckmarx
 
PPTX
Devops - Accelerating the Pace and Securing Along the Way - Thaddeus Walsh
byDrew Malone
 
PDF
New Era of Software with modern Application Security v1.0
byDinis Cruz
 
PDF
Web Security... Level Up
byIzzet Mustafaiev
 
PDF
ProdSec: A Technical Approach
byJeremy Brown
 
PPTX
HouSecCon 2019: Offensive Security - Starting from Scratch
bySpencer Koch
 
PDF
DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)
byRich Mills
 
PDF
The Future of Software Security Assurance
byRafal Los
 
PPT
Software Security Engineering
byMarco Morana
 
ODP
Making security-agile matt-tesauro
byMatt Tesauro
 
ODP
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
byMatt Tesauro
 
PDF
apidays LIVE New York 2021 - Why Software Teams Struggle with API Security Te...
byapidays
 
PDF
App sec and quality london - may 2016 - v0.5
byDinis Cruz
 
PPTX
Integrating security into the application development process
byJerod Brennen
 
PDF
Application Security - Your Success Depends on it
byWSO2
 
PDF
Agile Secure Development
byBosnia Agile
 
PPTX
Web security – everything we know is wrong cloud version
byEoin Keary
 
PPTX
Securing the continuous integration
byIrene Michlin
 
AppSec in an Agile World
byDavid Lindner
 
DevSecOps: essential tooling to enable continuous security 2019-09-16
byRich Mills
 
AppSec How-To: Achieving Security in DevOps
byCheckmarx
 
Devops - Accelerating the Pace and Securing Along the Way - Thaddeus Walsh
byDrew Malone
 
New Era of Software with modern Application Security v1.0
byDinis Cruz
 
Web Security... Level Up
byIzzet Mustafaiev
 
ProdSec: A Technical Approach
byJeremy Brown
 
HouSecCon 2019: Offensive Security - Starting from Scratch
bySpencer Koch
 
DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)
byRich Mills
 
The Future of Software Security Assurance
byRafal Los
 
Software Security Engineering
byMarco Morana
 
Making security-agile matt-tesauro
byMatt Tesauro
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
byMatt Tesauro
 
apidays LIVE New York 2021 - Why Software Teams Struggle with API Security Te...
byapidays
 
App sec and quality london - may 2016 - v0.5
byDinis Cruz
 
Integrating security into the application development process
byJerod Brennen
 
Application Security - Your Success Depends on it
byWSO2
 
Agile Secure Development
byBosnia Agile
 
Web security – everything we know is wrong cloud version
byEoin Keary
 
Securing the continuous integration
byIrene Michlin
 

Recently uploaded

PDF
Metrics, Logs, Traces, and Mayhem_ Introducing an observability adventure gam...
byImma Valls Bernaus
 
PDF
MySQL Routing Guidelines: Designing Smarter Query Routing Together
byMiguel Araújo
 
PDF
Mastering Zero-Allocation Parsers: A Deep Dive into High-Performance C#
byVineet Sharma
 
PPTX
Prime Teams – Real-Time Employee Monitoring & Project Management Software
byPrime Teams
 
PDF
Complete iOS Delivery App Features & Admin Tools
byShiv Technolabs Pvt. Ltd.
 
PPTX
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
PDF
Taxi App UIUX Design for Seamless Ride Booking
byV3CUBE TECHNOLABS
 
PDF
Doctor On Call App Development for Digital Healthcare.
byV3CUBE TECHNOLABS
 
PPTX
How CFD Simulations Support Sustainable Data Center Design Optimization
byWeb Synergies
 
PPTX
Best Digital Marketing Company in Lucknow
bydigitallearning9277
 
PDF
Prompt Engineering vs Content Engineering vs RAG.pdf
byVineet Sharma
 
PDF
Build Modern Applications with Amazon Aurora DSQL- AWS User Group Bonn 2026
byVadym Kazulkin
 
PDF
openstack_operations_slides_version1.3_pp.pdf
byssuser47d511
 
PDF
Clean Architecture with Vertical Slice Architecture in .NET 8
byVineet Sharma
 
PDF
Langchain4J – An Introduction for Impatient Developers
byJuarez Junior
 
PDF
ACE Aarhus February 2026: Atlassian news
byDanielEriksen5
 
PDF
Versnel innovatie met GitHub Enterprise - Rick Smit GitHub
byDelta-N
 
PDF
Ready, Set, REST! Introducing MySQL's Built-In REST Service
byMiguel Araújo
 
PDF
Ontwikkel sneller en veiliger met GitHub Copilot
byDelta-N
 
PDF
SAP ERP to SAP S_4HANA Cloud Private Edition Delta Scope
bychuck78
 
Metrics, Logs, Traces, and Mayhem_ Introducing an observability adventure gam...
byImma Valls Bernaus
 
MySQL Routing Guidelines: Designing Smarter Query Routing Together
byMiguel Araújo
 
Mastering Zero-Allocation Parsers: A Deep Dive into High-Performance C#
byVineet Sharma
 
Prime Teams – Real-Time Employee Monitoring & Project Management Software
byPrime Teams
 
Complete iOS Delivery App Features & Admin Tools
byShiv Technolabs Pvt. Ltd.
 
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
Taxi App UIUX Design for Seamless Ride Booking
byV3CUBE TECHNOLABS
 
Doctor On Call App Development for Digital Healthcare.
byV3CUBE TECHNOLABS
 
How CFD Simulations Support Sustainable Data Center Design Optimization
byWeb Synergies
 
Best Digital Marketing Company in Lucknow
bydigitallearning9277
 
Prompt Engineering vs Content Engineering vs RAG.pdf
byVineet Sharma
 
Build Modern Applications with Amazon Aurora DSQL- AWS User Group Bonn 2026
byVadym Kazulkin
 
openstack_operations_slides_version1.3_pp.pdf
byssuser47d511
 
Clean Architecture with Vertical Slice Architecture in .NET 8
byVineet Sharma
 
Langchain4J – An Introduction for Impatient Developers
byJuarez Junior
 
ACE Aarhus February 2026: Atlassian news
byDanielEriksen5
 
Versnel innovatie met GitHub Enterprise - Rick Smit GitHub
byDelta-N
 
Ready, Set, REST! Introducing MySQL's Built-In REST Service
byMiguel Araújo
 
Ontwikkel sneller en veiliger met GitHub Copilot
byDelta-N
 
SAP ERP to SAP S_4HANA Cloud Private Edition Delta Scope
bychuck78
 

Including security in devops

  • 1.
    Including security indevops DevOpsCH 21/01/2016 – Jérémy MATOS
  • 2.
    whois securingapps Developer background Spentlast 10 years working between Geneva and Lausanne implementing and deploying security products and solutions Focus on mobile since 2010 Now software security consultant at my own company http://www.securingapps.com Provide services to build security in software Mobile Web Cloud Internet Of Things https://twitter.com/securingapps
  • 3.
    Introduction Security is oftenout of scope in the DevOps initiatives Historically security is in the hands of the operations Emphasis on network infrastructure Keep the bad guy out Firewall (DMZ, vlans), Reverse proxy (WAF), Intrusion Detection System (IDS), etc… Fine tuning OS/database configurations If bad guy can still enter, reduce impact Disabling features, patching, access right policies, audit logging, encryption, etc… Application security not always addressed in the SDLC
  • 4.
    Security strategy inthe organisation Chief Information Security Officer (CISO) often Has no practical experience in dev, nor control on the dev team Considers software as a black box Can only recommend to comply with generic safe coding guidelines Buys stuff for sysadmins and asks them to fill the gaps Those extra security integration steps Slow down deployment Cause bugs only in production because of stricter config Lead to issues difficult to fix by sysadmins only Business often pushes to get lowest acceptable security level: Demonstrate the organisation somehow cares about security in case things turn bad
  • 5.
    Building security in OWASPSoftware Assurance Security Model REQUIREMENTS AND USE CASES ARCHITECTURE AND DESIGN CODE TESTS AND TEST RESULTS OPERATIONS / SERVICE DELIVERY Vulnerability Management Environment Hardening Operational Enablement Security Requirements Security Standards & Guidelines Secure Architecture Attack Models & Threat Assessment Penetration Testing Code Review Security Testing Architecture & Design Analysis
  • 6.
    Penetration testing: automatedtools Pen testers first rely on automated tools to have an idea where to look at Script kiddies only rely on those free tools Well, run those tools in the continuous integration loop ! e.g. ZAP : Vulnerability finder for web applications Sqlmap : SQL injection detection Get rather good coverage on basic web attacks Pentesters will be paid to find higher value issues Script kiddies will problably give up and switch to another target You won’t get hacked because of a basic mistake
  • 7.
    Penetration testing: OWASPZAP Java GUI tool Can be instrumented using Java, e.g. Jenkins Plugin Automatically crawls a webapp and test common vulnerabilities Scan time may vary from seconds to hours There are false positives ! Yellow (and even orange) findings are not really significant
  • 8.
    Penetration testing: sqlmap Greatpython CLI tool Automatically test very complex SQL attacks Detects database type and adapt injections Expects a url with parameters Really useful to validate the findings of ZAP concerning SQL
  • 9.
    Penetration testing: challenges Lotsof findings to manage Not anymore a point in time assessment with few points to address Reports must be processed automatically 1 issue = 1 entry in bug tracking does not scale (false positives…) Issues must have a good identifier to be tracked over time Do not switch to the least effort mode Application security errors (e.g. XSS, SQLi) must be fixed in code Do not rely on a workaround in the server config Write a unit test Test application in both environments Standalone to discover as many errors as possible Hardened environment to ensure countermeasures are effective Review application & environment logs to check alerts are usable
  • 10.
    Code review Static ApplictionSecurity Testing (SAST): Scan source code to look for dangerous constructions Integration is generally straightforward as pure dev question Most solutions, and particularly free ones, are better at identifying quality issues than real security problems Generally poor results on dynamic languages (e.g. javascript, PHP…) Sonar feedback is still useful Same challenges than automated pentesting (DAST) Many issues to address Customizing rules is key to reduce false positive rate Security rules need to be updated regurlarly to keep up with attacks and new frameworks/libraries New rules => new issues, but on old code
  • 11.
    Security testing If youhave implemetend or integrated security features, they should be automatically tested Use case to check legitimate logic/data is indeed accepted Abuse case to confirm invalid logic/data is refused Whenever possible, consider writing unit tests If impossible, setup an integration test Examples of possible unit tests for a JWT authentication Change any field of a valid token and expect a signature error Remove signature from JSON payload and expect a signature error Move time in past or future and check behavior for Not before, Expiration time and Issued at fields A vulnerability is fixed with a unit or integration test proving it
  • 12.
    Deployment Vulnerability management For yourinfrastructure: vulnerability scanner Nessus Home free, but not for commercial usage For your software: keep dependencies up to date OWASP dependency check Be careful with javascript hosted on CDN Subresource Integrity recently introduced by W3C can help Your automated tests should enable you to update 3rd party code transparently Environment hardening Great guide (in French) from ANSSI to secure GNU Linux Include those recommandations in your Docker/VM images
  • 13.
    Conclusion Security is botha matter of dev and ops Security features are features and hence should be automatically tested Free and automated application security tools are available: why not include them in the continuous deployment pipeline ? Yet continuous integration tools are not particularly secure Continous Intrusion: Why CI tools are an attacker’s best friends Watch out your deployment Pay great attention if accessible from outside your LAN
  • 14.
    Thank you ! Anyquestion contact@securingapps.com