從零開始加入自動化資安測試 (Adding Automated Security Testing from Scratch)
YSc
Modern Web 2019

"Security is EVERYONE's job"
– AWS CTO Werner Vogels

DevOps → DevSecOps
YSc
• HITCON Speaker & Trainer
• Balsn CTF Team Co-Founder
• Bug Bounty Hunter
• Security Engineer at Appier and COBINHOOD
• White-hat Viewpoint (白帽觀點): https://secview.io/

Balsn: https://balsn.tw
Balsn CTF: 10/5 ~ 10/7
Agenda: Preparation / Security Testing / Hardening

Preparation
• Business value
• Standardization
• Risk assessment
• Threat model

Security Testing
• Test scope
• OWASP Testing Guide V4
• Test automation

Hardening
• Automated filtering
• Vulnerability analysis and reporting
• Security-testing optimization
Threat model
• (What) What are you protecting? Keys? Customer data?
• (Who) Who would attack? Script kiddies?
• (Where) Where would they attack? The website? A feature? People?
• (How) How would they attack? Scanning with open-source tools? Social engineering?
[Diagram: Business Impact at the centre, surrounded by What, Where and Who]
OWASP Testing Guide V4
https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents

Static application security testing (SAST)
Dynamic application security testing (DAST)
Standardization
• Threat modeling
  • STRIDE, PASTA, ...
• Security testing
  • OWASP Testing Guide V4
  • OWASP ASVS 3.0
• Vulnerability assessment
  • Common Vulnerability Scoring System (CVSS) 3.0
Web vulnerabilities?
• AWS S3 information leak: https://github.com/nagwww/s3-leaks
• SSRF to root access: https://hackerone.com/reports/341876
OWASP Testing Guide V4 test categories
• Information Gathering
• Configuration and Deploy Management Testing
• Identity Management Testing
• Authentication Testing
• Authorization Testing
• Session Management Testing
• Data Validation Testing
• Error Handling
• Cryptography
• Business Logic Testing
• Client Side Testing
Information Gathering
• Shodan: https://www.shodan.io/
• Censys: https://censys.io/
• Sublist3r: https://github.com/aboul3la/Sublist3r
• Nmap: https://nmap.org/
Configuration and Deploy Management Testing
• Kube Hunter: https://github.com/aquasecurity/kube-hunter
• Nginx configuration: https://github.com/yandex/gixy
• SSLScan: https://github.com/rbsec/sslscan
SAST Tools
• Python: https://github.com/PyCQA/bandit
• Go: https://github.com/securego/gosec
• ...
DAST Tools
• OWASP ZAP: https://github.com/zaproxy/zaproxy/wiki/ZAP-API-Scan
• Nikto 2: https://github.com/sullo/nikto
• Sqlmap: https://github.com/sqlmapproject/sqlmap
• Arachni: https://github.com/Arachni/arachni
• Behave: https://github.com/behave/behave
Software Composition Analysis (SCA)
• JS libraries: https://retirejs.github.io/retire.js/
• 3rd party libraries: https://snyk.io/
• Container analysis: https://github.com/coreos/clair
• Vuls: https://github.com/future-architect/vuls
Automation?

DevSecOps

[Diagram: the CI/CD pipeline, Design → Code → Commit → CI Tests → Code Review → Stage Deploy → Tests → Prod Deploy → Release, with CI covering the commit-to-review stages and CD the deploy-to-release stages; successive slides layer these security activities onto it:]
• Security Architecture Design
• Static Application Security Testing (SAST)
• Security Code Review
• Software Composition Analysis (SCA)
• Dynamic Application Security Testing (DAST)
• Interactive Application Security Testing (IAST)
• Runtime Application Self-Protection (RASP)

[Diagram: the layers a vulnerability passes through before it can be exploited:]
Prevention → Automated testing → Penetration testing → Bug bounty program → Not found → Exploited

[Diagram: the same pipeline showing only the three activities the rest of the talk covers in CI/CD: SAST, DAST and SCA]
Dynamic application security testing (DAST)
• Input validation testing
• Information gathering, deployment, authentication and authorization testing
• Reduce the content and number of reports

Software composition analysis (SCA)
• Dependency packages
• Third-party libraries, development frameworks, Docker images, system software packages

Static application security testing (SAST)
• Security linters, misconfiguration detection
• Needs a low false-positive rate
• Fast checks
Tools per activity in the pipeline

Static application security testing (SAST)
• Python: https://github.com/PyCQA/bandit
• Go: https://github.com/securego/gosec
• Nginx configuration: https://github.com/yandex/gixy

Dynamic application security testing (DAST)
• ZAP, Nikto 2, Sqlmap, Arachni
• https://github.com/infobyte/faraday/wiki/Plugin-List#list
• https://defectdojo.readthedocs.io/en/latest/integrations.html

Software composition analysis (SCA)
• JS libraries: https://retirejs.github.io/retire.js/
• 3rd party libraries: https://snyk.io/
• Container analysis
Vulnerability management
• Automated filtering (Filter)
  • False positives, duplicate issues
• Severity assessment (Assess)
  • CVSS 3.0
• Reporting (Report)
  • Severity, priority, vulnerability summary, vulnerability impact
  • Recommended remediation
• DefectDojo: https://github.com/DefectDojo/django-DefectDojo
• Archery: https://github.com/archerysec/archerysec
[Diagram: Filter → Assess → Report]
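As an added example (not code from the talk), the Filter → Assess → Report loop above written as a CI gate in Python: findings from constructed, reduced Bandit (SAST) and OWASP ZAP (DAST) JSON reports are normalized, collapsed by fingerprint, screened against an allow-list of accepted false positives, scored with the CVSS 3.0 base equations from a per-rule vector table, and ranked, and the build fails when anything scores High or above. The sample reports, the rule-to-vector table and the allow-list are assumptions made for the example.

```python
import hashlib
import json
import math
from dataclasses import dataclass

# Constructed Bandit-style report (bandit -f json); note the duplicated hit.
BANDIT_JSON = """{"results": [
 {"filename": "app/db.py", "line_number": 42, "test_id": "B608",
  "issue_severity": "MEDIUM", "issue_text": "Possible SQL injection vector"},
 {"filename": "app/db.py", "line_number": 42, "test_id": "B608",
  "issue_severity": "MEDIUM", "issue_text": "Possible SQL injection vector"},
 {"filename": "tests/conftest.py", "line_number": 7, "test_id": "B101",
  "issue_severity": "LOW", "issue_text": "Use of assert detected"}]}"""

# Constructed ZAP-style report (reduced from the zap-api-scan JSON output).
ZAP_JSON = """{"site": [{"@name": "https://staging.example.test", "alerts": [
 {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
  "riskcode": "1", "instances": [{"method": "GET", "uri": "/api/users"}]},
 {"pluginid": "40018", "alert": "SQL Injection", "riskcode": "3",
  "instances": [{"method": "GET", "uri": "/api/users", "param": "id"}]}]}]}"""
ZAP_RISK = {"0": "INFO", "1": "LOW", "2": "MEDIUM", "3": "HIGH"}

# Rule -> CVSS 3.0 vector agreed by the security team (constructed values);
# a rule without an entry keeps only the tool's own severity.
RULE_VECTORS = {
    "B608": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
    "40018": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "10021": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"}
# Accepted findings / known false positives: (rule, location prefix, reason).
ALLOWLIST = [("B101", "tests/", "assert is acceptable in test code")]

# CVSS v3.0 base-metric weights; Privileges Required depends on Scope.
_W = {"AV": {"N": .85, "A": .62, "L": .55, "P": .2}, "AC": {"L": .77, "H": .44},
      "UI": {"N": .85, "R": .62}, "C": {"H": .56, "L": .22, "N": 0},
      "I": {"H": .56, "L": .22, "N": 0}, "A": {"H": .56, "L": .22, "N": 0}}
_PR = {"U": {"N": .85, "L": .62, "H": .27}, "C": {"N": .85, "L": .68, "H": .5}}


@dataclass(frozen=True)
class Finding:
    source: str    # "sast" or "dast"
    rule: str      # Bandit test_id or ZAP pluginid
    title: str
    location: str  # "file:line" or "METHOD uri[param]"
    severity: str  # the tool's own severity, upper-cased

    @property
    def fingerprint(self) -> str:
        # Stable id: the same issue reported twice, or on a rescan, collapses.
        raw = f"{self.source}|{self.rule}|{self.location}".encode()
        return hashlib.sha256(raw).hexdigest()[:16]


def parse_bandit(text: str) -> list:
    return [Finding("sast", r["test_id"], r["issue_text"],
                    f'{r["filename"]}:{r["line_number"]}', r["issue_severity"].upper())
            for r in json.loads(text)["results"]]


def parse_zap(text: str) -> list:
    return [Finding("dast", a["pluginid"], a["alert"],
                    f'{i["method"]} {i["uri"]}' + (f'[{i["param"]}]' if i.get("param") else ""),
                    ZAP_RISK[a["riskcode"]])
            for s in json.loads(text)["site"] for a in s["alerts"] for i in a["instances"]]


def filter_findings(findings):
    """Filter step: collapse duplicates by fingerprint, then drop allow-listed items."""
    unique = {f.fingerprint: f for f in findings}.values()
    kept, suppressed = [], []
    for f in unique:
        allowed = any(f.rule == r and f.location.startswith(p) for r, p, _ in ALLOWLIST)
        (suppressed if allowed else kept).append(f)
    return kept, suppressed


def cvss3_base_score(vector: str) -> float:
    """Assess step: base score of a CVSS:3.0 vector, per the v3.0 base equations."""
    m = dict(part.split(":") for part in vector.split("/")[1:])
    iss = 1 - (1 - _W["C"][m["C"]]) * (1 - _W["I"][m["I"]]) * (1 - _W["A"][m["A"]])
    impact = 6.42 * iss if m["S"] == "U" else 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    exploitability = (8.22 * _W["AV"][m["AV"]] * _W["AC"][m["AC"]]
                      * _PR[m["S"]][m["PR"]] * _W["UI"][m["UI"]])
    if impact <= 0:
        return 0.0
    total = impact + exploitability if m["S"] == "U" else 1.08 * (impact + exploitability)
    return math.ceil(min(total, 10) * 10) / 10  # v3.0 "round up" to one decimal


def assess(findings) -> list:
    """Attach a CVSS score (None when no vector is agreed) and rank by risk."""
    rows = [{"id": f.fingerprint, "source": f.source, "rule": f.rule, "title": f.title,
             "location": f.location, "severity": f.severity,
             "vector": RULE_VECTORS.get(f.rule)} for f in findings]
    for r in rows:
        r["score"] = cvss3_base_score(r["vector"]) if r["vector"] else None
    return sorted(rows, key=lambda r: 1 if r["score"] is None else -r["score"])


def run_pipeline(fail_at: float = 7.0) -> dict:
    """Report step: ranked findings plus a gate that fails on High (>= 7.0) or worse."""
    findings = parse_bandit(BANDIT_JSON) + parse_zap(ZAP_JSON)
    kept, suppressed = filter_findings(findings)
    rows = assess(kept)
    passed = all(r["score"] is None or r["score"] < fail_at for r in rows)
    return {"raw": len(findings), "suppressed": len(suppressed), "report": rows, "passed": passed}
```

With the constructed inputs, five raw findings reduce to three, ranked 9.8 (SQL injection from ZAP), 8.2 (the Bandit B608 hit) and 4.3 (missing header), so the gate fails; the `id` column is what a tracker such as DefectDojo would key on to avoid re-opening the same issue on every scan.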
Recap
• Preparation: business value, standardization, risk assessment, threat model
• Security Testing: test scope, OWASP Testing Guide V4, test automation
• Hardening: automated filtering, vulnerability analysis and reporting, security-testing optimization

Top-down, inside-out
White-hat Viewpoint (白帽觀點): https://secview.io
Thanks

 

Modern Web 2019: Adding Automated Security Testing from Scratch (從零開始加入自動化資安測試)

  • 2. "Security is EVERYONE's job" – AWS CTO Werner Vogels
  • 5. YSc
    • HITCON Speaker & Trainer
    • Balsn CTF Team Co-Founder
    • Bug Bounty Hunter
    • Security Engineer in Appier and COBINHOOD
    • White Hat Perspective (白帽觀點): https://secview.io/
  • 7. Preparation / Security Testing / Hardening
    • Preparation: business value, standardization, risk assessment, threat model
    • Security Testing: test scope, OWASP Testing Guide V4, test automation
    • Hardening: automated filtering, vulnerability analysis and reporting, security-testing optimization
  • 8. Threat model
    • (What) What are you protecting? Keys? Customer data?
    • (Who) Who would attack? Script kiddies?
    • (Where) Where would they attack? The website? A feature? People?
    • (How) How would they attack? Scanning with open-source tools? Social engineering?
    • Diagram labels: Business Impact, What, Where, Who
  • 11. Standardization
    • Threat Modeling: STRIDE, PASTA, ...
    • Security Testing: OWASP Testing Guide V4, OWASP ASVS 3.0
    • Vulnerability Assessment: Common Vulnerability Scoring System (CVSS) 3.0
  • 14. SSRF to Root Access: https://hackerone.com/reports/341876
  • 15. (no text on slide)
  • 16. OWASP Testing Guide V4 categories
    • Information Gathering
    • Configuration and Deploy Management Testing
    • Identity Management Testing
    • Authentication Testing
    • Authorization Testing
    • Session Management Testing
    • Data Validation Testing
    • Error Handling
    • Cryptography
    • Business Logic Testing
    • Client Side Testing
  • 17. (same category list as slide 16) Tools:
    • Shodan: https://www.shodan.io/
    • Censys: https://censys.io/
    • Sublist3r: https://github.com/aboul3la/Sublist3r
    • Nmap: https://nmap.org/
  • 18. (same category list as slide 16) Tools:
    • Kube Hunter: https://github.com/aquasecurity/kube-hunter
    • Nginx configuration: https://github.com/yandex/gixy
    • SSLScan: https://github.com/rbsec/sslscan
  • 19. (same category list as slide 16) SAST Tools:
    • Python: https://github.com/PyCQA/bandit
    • Go: https://github.com/securego/gosec
    • ...
  • 20. (same category list as slide 16) DAST Tools:
    • OWASP ZAP: https://github.com/zaproxy/zaproxy/wiki/ZAP-API-Scan
    • Nikto 2: https://github.com/sullo/nikto
    • Sqlmap: https://github.com/sqlmapproject/sqlmap
    • Arachni: https://github.com/Arachni/arachni
    • Behave: https://github.com/behave/behave
  • 21. (same category list as slide 16) Software Composition Analysis (SCA):
    • JS libraries: https://retirejs.github.io/retire.js/
    • 3rd party libraries: https://snyk.io/
    • Container analysis: https://github.com/coreos/clair
    • Vuls: https://github.com/future-architect/vuls
  • 24. CI/CD pipeline diagram. CI: Design → Code → Commit → CI Tests → Code Review → Release. CD: Stage Deploy → Tests → Prod Deploy.
  • 25. The same pipeline with security activities overlaid: Security Architecture Design, Static Application Security Testing (SAST), Security Code Review, Software Composition Analysis (SCA), Dynamic Application Security Testing (DAST), Interactive Application Security Testing (IAST), Runtime Application Self-Protection (RASP)
  • 26. The same pipeline with only SAST, DAST and SCA
  • 27–34. The bare pipeline of slide 24 (27), then one activity added per slide: Security Architecture Design (28), RASP (29), SAST (30), Security Code Review (31), SCA (32), DAST (33), IAST (34)
  • 36. The pipeline with SAST, DAST and SCA (as on slide 26)
  • 37. SAST / DAST / SCA in the pipeline
    • Static security testing (SAST): security linter, misconfiguration detection; needs a low false-positive rate; fast checks
    • Dynamic security testing (DAST): input validation testing; information gathering, deployment, authentication and authorization testing; reduce the size and number of reports
    • Software composition analysis (SCA): dependency packages; third-party libraries, development frameworks, Docker images, system software packages
  • 38. Tools per stage
    • SAST: Python: https://github.com/PyCQA/bandit; Go: https://github.com/securego/gosec; Nginx configuration: https://github.com/yandex/gixy
    • DAST: ZAP, Nikto 2, Sqlmap, Arachni; https://github.com/infobyte/faraday/wiki/Plugin-List#list; https://defectdojo.readthedocs.io/en/latest/integrations.html
    • SCA: JS libraries: https://retirejs.github.io/retire.js/; 3rd party libraries: https://snyk.io/; Container analysis
  • 39. Vulnerability management: Filter → Assess → Report
    • Automated filtering (Filter): false positives, duplicate issues
    • Severity assessment (Assess): CVSS 3.0
    • Report: severity, priority, vulnerability summary, vulnerability impact, suggested remediation
    • DefectDojo: https://github.com/DefectDojo/django-DefectDojo
    • Archery: https://github.com/archerysec/archerysec
  • 40. Preparation / Security Testing / Hardening (summary, same content as slide 7)
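The Filter → Assess → Report loop of slide 39, as an added example that is not the speaker's code: bandit-shaped JSON findings (a constructed sample; field names assumed from bandit's `-f json` output) are deduplicated by fingerprint, matched against a reviewed suppression list, ranked by an assumed CVSS 3.0 band mapping, and turned into a report plus a CI pass/fail verdict.

```python
"""Filter -> Assess -> Report gate for scanner output (added example, not from the talk)."""
import hashlib
import json

# Constructed sample in the shape of bandit's `-f json` output (assumed field names);
# not a real scan. The first two entries are the same issue reported twice.
BANDIT_JSON = json.dumps({"results": [
    {"test_id": "B602", "filename": "app/run.py", "line_number": 12,
     "issue_severity": "HIGH", "issue_text": "subprocess call with shell=True"},
    {"test_id": "B602", "filename": "app/run.py", "line_number": 12,
     "issue_severity": "HIGH", "issue_text": "subprocess call with shell=True"},
    {"test_id": "B101", "filename": "tests/test_api.py", "line_number": 3,
     "issue_severity": "LOW", "issue_text": "Use of assert detected"},
]})

# Reviewed false positives, keyed rule:file, each with the reason it was accepted (constructed).
SUPPRESSIONS = {"B101:tests/test_api.py": "assert is expected in test code"}

# Scanner severity mapped onto CVSS 3.0 base-score bands (assumed mapping), used for ranking.
CVSS_BAND = {"HIGH": 7.0, "MEDIUM": 4.0, "LOW": 0.1}


def fingerprint(f):
    """Stable id for deduplication: same rule at the same file and line is one issue."""
    key = f"{f['test_id']}:{f['filename']}:{f['line_number']}"
    return hashlib.sha256(key.encode()).hexdigest()[:12]


def filter_findings(raw_json):
    """Filter step: drop duplicates and findings that match a reviewed suppression."""
    seen, kept = set(), []
    for f in json.loads(raw_json)["results"]:
        fp = fingerprint(f)
        if fp in seen or f"{f['test_id']}:{f['filename']}" in SUPPRESSIONS:
            continue
        seen.add(fp)
        kept.append(f)
    return kept


def assess(findings):
    """Assess step: attach a CVSS band score and order worst-first."""
    scored = [dict(f, cvss=CVSS_BAND[f["issue_severity"]]) for f in findings]
    return sorted(scored, key=lambda f: f["cvss"], reverse=True)


def report(findings, fail_at=7.0):
    """Report step: one line per finding (severity, id, location, summary) and a CI verdict."""
    ranked = assess(findings)
    lines = [f"[{f['issue_severity']} {f['cvss']}] {fingerprint(f)} "
             f"{f['filename']}:{f['line_number']} {f['issue_text']}" for f in ranked]
    return "\n".join(lines), any(f["cvss"] >= fail_at for f in ranked)
```

The `fail_at` threshold is the CVSS band at which the CI stage should fail; everything below it still lands in the report for triage.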