© 2017 Synopsys, Inc. 1
Making AppSec Testing Work in CI/CD!
Ofer Maor, Director, Solutions Management
@OferMaor
linkedin.com/in/ofermaor
Ofer @ synopsys.com
Speaker
• Solutions Mgmt @ Synopsys
• Over 20 years in cyber security
• Hacker at heart
• Longtime OWASPer
• Pioneer of IAST
• DevSecOps/DevOpsSec fan!
• Avid photographer
Marina Bay Gardens, Singapore, February 2018
CI/CD, DevOps, DevSecOps—WHAT?!
CD extreme
• Multiple production updates per day
• Multiple CI streams
• A/B UAT
• Parallel testing and deployment
• No place for outsiders
Source: Wikipedia
CI/CD AST Needs
• Speed
• Integration
• Ease of use
• Relevance (accuracy)
• Actionability
The *AST landscape
SAST – Static Application Security Testing
AKA: Static Code Analysis for Security
• Analyzes code to identify vulnerabilities
• Most prevalent AST solution today
• Challenges
–Potential false positives (FPs)
–May require tuning and configuration
–Hard to use, even for security professionals
• Offered in various flavors:
–Analysis of (uncompiled) source code
–Analysis of code & build
–Analysis of binary code
–Managed Service / Tool / IDE Plugin
[Figure: path tree of the control-flow graph cond1 → {a = malloc(10) | b = 10} → cond2 → {*a = b | free(a)}]
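The control-flow graph on this slide, worked through as an added example written for this page (not Coverity or any other Synopsys tool, and not code from the slides). The checker enumerates every path through the two conditions and tracks the state of the pointer a; the source line numbers and the optional "cond2 is the same predicate as cond1" knob are assumptions added to show where path enumeration alone reports a false positive and where correlating the branches prunes it.

```python
# Added example: a tiny path-sensitive checker over the slide's control-flow graph
#     if (cond1) a = malloc(10); else b = 10;
#     if (cond2) *a = b;         else free(a);
# Line numbers are hypothetical; the CFG nodes are the ones drawn on the slide.
from dataclasses import dataclass, field


@dataclass
class Node:
    kind: str                                   # "branch" | "stmt" | "exit"
    text: str                                   # predicate name or statement text
    succ: list = field(default_factory=list)    # branch: [true_arm, false_arm]
    line: int = 0                               # hypothetical source line


CFG = {
    "cond1": Node("branch", "cond1", ["alloc", "setb"], line=1),
    "alloc": Node("stmt", "a = malloc(10)", ["cond2"], line=2),
    "setb":  Node("stmt", "b = 10", ["cond2"], line=3),
    "cond2": Node("branch", "cond2", ["deref", "free"], line=4),
    "deref": Node("stmt", "*a = b", ["exit"], line=5),
    "free":  Node("stmt", "free(a)", ["exit"], line=6),
    "exit":  Node("exit", ""),
}


def transfer(state, node):
    """Abstract state of pointer `a` on one path: "unset" (never assigned),
    "alloc" (live heap block) or "freed". Returns (new_state, finding_or_None)."""
    a = state.get("a", "unset")
    if node.text == "a = malloc(10)":
        return {**state, "a": "alloc"}, None
    if node.text == "*a = b":
        if a == "unset":
            return state, "dereference of uninitialized pointer a"
        if a == "freed":
            return state, "use after free of a"
        return state, None
    if node.text == "free(a)":
        if a == "unset":
            return state, "free of uninitialized pointer a"
        if a == "freed":
            return state, "double free of a"
        return {**state, "a": "freed"}, None
    return state, None


def analyze(cfg, entry="cond1", same_predicate=None):
    """Enumerate every path from `entry`. `same_predicate` maps a branch name to
    another branch known to evaluate identically (e.g. {"cond2": "cond1"}); a
    path that takes opposite arms on two such branches is infeasible and is
    pruned. Returns findings as (line, statement, problem, path)."""
    same_predicate = same_predicate or {}
    findings = []

    def walk(name, state, assumed, path):
        node = cfg[name]
        if node.kind == "exit":
            return
        if node.kind == "branch":
            key = same_predicate.get(node.text, node.text)
            for target, truth in zip(node.succ, (True, False)):
                if assumed.get(key, truth) != truth:
                    continue                    # contradicts an earlier branch decision
                walk(target, state, {**assumed, key: truth}, path + [f"{node.text}={truth}"])
            return
        state, problem = transfer(state, node)
        path = path + [node.text]
        if problem:
            findings.append((node.line, node.text, problem, " -> ".join(path)))
        walk(node.succ[0], state, assumed, path)

    walk(entry, {}, {}, [])
    return findings


if __name__ == "__main__":
    for label, corr in (("independent predicates", None), ("cond2 == cond1", {"cond2": "cond1"})):
        print(f"[{label}]")
        for line, stmt, problem, path in analyze(CFG, same_predicate=corr):
            print(f"  line {line}: {stmt}: {problem}   [{path}]")
```

With the predicates treated as independent the checker reports two problems on the b = 10 side (the dereference on line 5 and the free on line 6). Telling it that cond2 is the same predicate as cond1 drops the line 5 report, which could only occur on a path the program cannot take, and keeps the line 6 one, which is a real bug on the cond1-false path. That pruning is what "path-sensitive" buys, and the tuning the slide mentions is largely about giving the tool such facts.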
SAST – Static Application Security Testing
AKA: Static Code Analysis for Security
• Speed: instant to hours (by flavor)
• Integration: IDE, build, binary
• Ease of use: varies, can be complex
• Relevance: can be overwhelming
• Actionability: right on, points to the line of code
SAST Flavors
• IDE “spellchecker”: lightweight, instant
• In-IDE incremental: pre-check-in, minutes
• Integration/build: CI, minutes to hours
• Binary analysis: post-build, hours
• Managed service: external, days
DAST – Dynamic Application Security Testing
AKA: Web Application Scanner (Black Box)
• Sends HTTP test requests to a running application
• Longest-established AST technology
• Challenges
–Accuracy of results
–Not suited for developers: no code guidance
–Performance (long testing times)
• Offered in various delivery forms:
–On Premise
–Cloud
–Managed Services
–Included in Professional Services
[Figure: black-box scanner sending tests at an application whose internals are unknown]
DAST – Dynamic Application Security Testing
AKA: Web Application Scanner (Black Box)
• Speed: hours to days
• Integration: not really…
• Ease of use: requires some security skills
• Relevance: focus on the front end (but some FPs)
• Actionability: difficult
IAST – Interactive Application Security Testing
AKA: Runtime Code Analysis
• Runtime code analysis through instrumentation
• Youngest AST technology
• Challenges
–Deployment of agents on tested servers
–Requires integration into dev/devops environments
–Coverage depends on what the tests actually execute
• Comes with various “interpretations”
–Inline/Passive IAST (based on existing traffic)
–Active IAST (including an HTTP inducer that generates its own requests)
–DAST Add-on Only
–RASP Add-on
[Figure: IAST agent instrumenting the front end and back end, observing the HTTP/S, web-service (WS) and SQL/ODBC data flows between front end, back end and database]
IAST – Interactive Application Security Testing
AKA: Runtime Code Analysis
• Speed: instant to hours (by flavor)
• Integration: test automation
• Ease of use: easy (once deployed)
• Relevance: very relevant, reports only on code that actually executed
• Actionability: right on, points to the line of code
IAST Flavors
• Inline/passive: lightweight, instant; integrates with existing tests
• Active: minutes (incremental) to hours; requires dedicated testing
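The DAST and IAST slides above, side by side on one target, as an added example written for this page (not Seeker or any other Synopsys product, and not code from the slides). The request handler, its /user and /user-safe endpoints, the users table and the error signatures are all constructed. dast_scan() sees only the response and can name a URL and a parameter; iast_attach() wraps the SQL sink inside the process, is driven by ordinary functional traffic with no attack payload, and reports the calling function and line.

```python
# Added example: the same constructed, deliberately vulnerable handler probed
# black-box (DAST) and through an in-process sink hook (passive IAST).
import json
import sqlite3
import sys


class App:
    """Constructed target: an in-memory users table behind two lookup endpoints."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
        self.db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
        self.current_inputs = ()      # request parameters of the in-flight request

    def request(self, path, params):
        """Minimal dispatcher returning (status, body)."""
        self.current_inputs = tuple(params.values())
        name = params.get("name", "")
        try:
            if path == "/user":       # vulnerable by design: input concatenated into SQL
                rows = self.db.execute("SELECT id FROM users WHERE name = '" + name + "'").fetchall()
            elif path == "/user-safe":  # fixed form: bound parameter
                rows = self.db.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()
            else:
                return 404, "not found"
        except sqlite3.Error as exc:
            return 500, f"database error: {exc}"
        return 200, json.dumps(rows)


ERROR_SIGNATURES = ("database error", "syntax error", "unrecognized token")


def dast_scan(app, path, param_names):
    """Black-box probe: inject a quote into each parameter and watch the response.
    The finding can name the URL and parameter, never the line of code."""
    findings = []
    for param in param_names:
        status, body = app.request(path, {param: "alice'"})
        if status >= 500 or any(sig in body.lower() for sig in ERROR_SIGNATURES):
            findings.append({"tool": "DAST", "url": path, "param": param, "evidence": body[:40]})
    return findings


class SinkHook:
    """Wraps the connection so every execute() is inspected: the "agent"."""

    def __init__(self, conn, app, findings):
        self._conn, self._app, self._findings = conn, app, findings

    def execute(self, sql, *args):
        # Passive check: does the query text contain a request value verbatim?
        # Real IAST propagates taint through string operations rather than
        # substring-matching; this is enough to show the idea.
        for value in self._app.current_inputs:
            if len(value) >= 4 and value in sql:
                caller = sys._getframe(1)      # the application frame that called the sink
                self._findings.append({"tool": "IAST", "sink": "sqlite3.execute",
                                       "function": caller.f_code.co_name,
                                       "line": caller.f_lineno, "query": sql})
        return self._conn.execute(sql, *args)

    def __getattr__(self, name):
        return getattr(self._conn, name)


def iast_attach(app):
    """Deploy the hook on the app's connection; returns the list findings go to."""
    findings = []
    app.db = SinkHook(app.db, app, findings)
    return findings


if __name__ == "__main__":
    app = App()
    print(dast_scan(app, "/user", ["name"]))        # one finding: URL and parameter only
    print(dast_scan(app, "/user-safe", ["name"]))   # nothing
    iast = iast_attach(app)
    app.request("/user", {"name": "alice"})         # ordinary functional-test traffic
    app.request("/user-safe", {"name": "alice"})
    print(iast)                                     # one finding, with function and line
```

The DAST pass only learns something about /user once its injected quote turns into a 500, and even then it can say nothing about where the string was built. The hook flags the same endpoint from a plain request for name=alice because the value reaches execute() unchanged, and it names the function and line that called the sink. Neither reports /user-safe. The hook also illustrates the coverage caveat: an endpoint the functional tests never hit is never seen.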
SCA – Software Composition Analysis
AKA: Open Source Library Scanning
• Identifies known open source (and closed source) components in applications
• Rapidly growing testing segment
• Challenges
–Additional technology on top of the other *AST tools
–Very broad scope
• Offered in different flavors
–Binary analysis for supply chain and third parties
–Source analysis for home-grown security and licensing
–On-premise / cloud options
SCA – Software Composition Analysis
AKA: Open Source Library Scanning
• Speed: minutes to hours
• Integration: IDE, build, binary
• Ease of use: fairly easy
• Relevance: hard to determine actual impact
• Actionability: not always straightforward
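A minimal SCA pass, as an added example written for this page (not Black Duck or any other Synopsys product, and not code from the slides). The lockfile, the application source, the advisory records (EX-2018-000x are placeholders, not CVE identifiers), the version ranges and the licence table are all constructed. The reachability check, a crude search for the vulnerable module and function in the application's own source, is one way of narrowing the "actual impact" question that the relevance line above raises.

```python
# Added example: component matching against an advisory feed, with a
# reachability hint and a licence check. All data below is constructed.
import re

MANIFEST = """\
# constructed lockfile, name==version
web-framework==2.3.1
yaml-parser==1.0.4
image-lib==0.9.0
crypto-helper==3.2.0
"""

SOURCE = """\
import web_framework
from yaml_parser import safe_load

def handler(req):
    return safe_load(req.body)
"""

# Placeholder advisories; "symbol" is the vulnerable entry point when known.
ADVISORIES = [
    {"id": "EX-2018-0001", "package": "yaml-parser", "introduced": "1.0.0", "fixed": "1.0.5",
     "severity": "high", "symbol": "yaml_parser.load"},
    {"id": "EX-2018-0002", "package": "image-lib", "introduced": "0.8.0", "fixed": "0.9.3",
     "severity": "critical", "symbol": "image_lib.decode"},
    {"id": "EX-2018-0003", "package": "web-framework", "introduced": "3.0.0", "fixed": "3.0.2",
     "severity": "medium", "symbol": None},
]
LICENSES = {"web-framework": "MIT", "yaml-parser": "MIT",
            "image-lib": "GPL-3.0", "crypto-helper": "Apache-2.0"}
DENIED_LICENSES = {"GPL-3.0"}      # assumed policy for a proprietary product


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def parse_manifest(text):
    """name==version lines; comments and blank lines are ignored."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#")[0].strip()
        if line:
            name, version = line.split("==")
            deps[name.strip()] = version.strip()
    return deps


def affected(version, advisory):
    """Half-open range [introduced, fixed), the usual advisory convention."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def reachability(symbol, source):
    """Is the vulnerable module, and the vulnerable function, referenced at all?"""
    if not symbol:
        return "unknown"
    module, _, func = symbol.partition(".")
    if not re.search(rf"\b{re.escape(module)}\b", source):
        return "module not imported"
    if func and not re.search(rf"\b{re.escape(func)}\b", source):
        return "module imported, vulnerable function not referenced"
    return "vulnerable function referenced"


def sca_report(manifest_text, source_text, advisories=ADVISORIES, licenses=LICENSES):
    deps = parse_manifest(manifest_text)
    vulns, license_issues = [], []
    for name, version in deps.items():
        for adv in advisories:
            if adv["package"] == name and affected(version, adv):
                vulns.append({"package": name, "version": version, "id": adv["id"],
                              "severity": adv["severity"],
                              "reachability": reachability(adv["symbol"], source_text)})
        if licenses.get(name) in DENIED_LICENSES:
            license_issues.append({"package": name, "license": licenses[name]})
    return {"vulnerabilities": vulns, "license_issues": license_issues}


if __name__ == "__main__":
    report = sca_report(MANIFEST, SOURCE)
    for v in report["vulnerabilities"]:
        print(f'{v["id"]} {v["package"]} {v["version"]} [{v["severity"]}] {v["reachability"]}')
    for issue in report["license_issues"]:
        print(f'licence: {issue["package"]} is {issue["license"]}')
```

On the constructed input both advisories match an installed version, but only one of the two packages is even imported, and that one is used through safe_load rather than the vulnerable load. A plain "component present" match would rate both as high or critical; the reachability column is what lets a triager put the image-lib report in the backlog and look at yaml-parser first. The word-boundary search is deliberately crude (it cannot see dynamic imports or wrappers), which is why the slide rates actionability as "not always straightforward".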
The Right Mix – How to Make it Work!
Key Principles
• If you can’t beat them, join them!
• Automation, automation, automation
• Alt-Ctrl, Shift-Left (but not just…)
• Multiple technologies, multiple flavors, multiple times!
• Parallel processes at parallel speeds
• You’re going to have to live with some risk
Making it All Work!
• Use instant/passive solutions as much as possible
–In-IDE “spell-checker” static analysis
–Inline IAST
• Define practical policies for hard and soft gates
–Hard gates: stop the process
–Soft gates: put in motion a correction process
• Use layers of testing at different stages
[Diagram: layered pipeline]
• In-IDE: IDE “spell-checker”, incremental IDE SAST, inline IAST, in-IDE SCA
• Verification: DAST, active IAST, full-scan SAST, full-scan SCA
• Runtime protection: RASP/WAF
Fast vs. Slow
• Rely heavily on integrated/fast technologies
• Key criterion: “does not get in the way”
• Define practical blocking criteria; be realistic
• All the rest goes in the backlog
Accept A/B testing
• Gradual A/B testing is replacing test environments
• Manage A/B testing exposure as part of risk management
• Use it! A/B testing gives you the best test environment
• Create the right “retro” gates by risk
–High: block propagation and roll back
–Medium: block propagation until the fix is delivered (but don’t roll back)
–Low: continue propagation, with a fix following right up
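The gate policy from this slide together with the hard/soft-gate and “fast vs. slow” slides before it, as an added example written for this page (not code from the deck or from Synopsys). The tool names, the split into fast and slow tools, the rule that only a high-severity, high-confidence finding from a fast tool fails a build, and the accepted-risk list are illustrative assumptions, not recommendations from the slides; the three retro-gate tiers are the slide's own.

```python
# Added example: a gate evaluator for the fast CI track (hard vs. soft gate)
# and for the A/B rollout ("retro" gate by risk). Thresholds are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    tool: str          # which *AST produced it
    severity: str      # "high" | "medium" | "low"
    confidence: str    # "high" | "medium" | "low" (DAST and full SAST carry more FPs)
    title: str


# Assumed split: fast tools run on every commit/build; slow ones run in a
# parallel verification track that never holds up the fast track.
FAST_TOOLS = {"SAST-IDE", "IAST-inline", "SCA"}
SLOW_TOOLS = {"DAST", "IAST-active", "SAST-full"}
RANK = {"low": 0, "medium": 1, "high": 2}


def ci_gate(findings, accepted_risk=frozenset()):
    """Fast track. Hard gate (fail the build) only on a high-severity,
    high-confidence finding from a fast tool that has not been accepted as
    known risk; everything else is a soft gate: the build passes and the
    finding goes to the backlog for a correction process."""
    hard, backlog = [], []
    for f in findings:
        if f.tool not in FAST_TOOLS:
            continue                    # slow-track results are decided by retro_gate()
        if f.title in accepted_risk:
            backlog.append(f)           # "you're going to have to live with some risk"
        elif f.severity == "high" and f.confidence == "high":
            hard.append(f)
        else:
            backlog.append(f)
    return {"build": "fail" if hard else "pass", "hard": hard, "backlog": backlog}


def retro_gate(findings):
    """A/B rollout decision from the verification track, per the slide's tiers."""
    worst = max((f.severity for f in findings), key=RANK.get, default=None)
    if worst == "high":
        return {"propagate": False, "rollback": True,
                "action": "block propagation and roll back"}
    if worst == "medium":
        return {"propagate": False, "rollback": False,
                "action": "block propagation until fix is delivered"}
    return {"propagate": True, "rollback": False,
            "action": "continue propagation, fix follows"}


if __name__ == "__main__":
    # Constructed findings from one build.
    build = [
        Finding("IAST-inline", "high", "high", "SQL injection in /user"),
        Finding("SCA", "medium", "high", "vulnerable yaml-parser 1.0.4"),
        Finding("SAST-IDE", "low", "low", "predictable random in session id"),
        Finding("DAST", "high", "medium", "reflected XSS in /search"),
    ]
    print(ci_gate(build)["build"])                                          # fail
    print(ci_gate(build, accepted_risk={"SQL injection in /user"})["build"])  # pass
    print(retro_gate([f for f in build if f.tool in SLOW_TOOLS])["action"])   # block and roll back
```

The two functions encode the deck's separation of speeds: the build gate only ever looks at fast-tool output and blocks on the narrow set a team has agreed is non-negotiable, so a noisy DAST finding never stops a commit, while the same finding does decide whether an A/B slice keeps propagating. Keeping the thresholds and the accepted-risk list in one place is what makes "define practical blocking criteria" reviewable.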
Summary
• Software security testing is complex, even more so in CI/CD
• Unfortunately, there’s no “one ring to rule them all”
• You have to build your *AST workflow and pipeline
–Work closely with R&D and DevOps
–Use multiple tools and multiple technologies
–Work in parallel tracks at parallel speeds
–Manage your risk!
Thank you!
Questions?
@OferMaor
linkedin.com/in/ofermaor
Ofer @ synopsys.com
Water Mill, Napa Valley, May 2018

Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
